Security Basics mailing list archives

Re: NASA Security Audit

From: Eric <eric () sandpile net>
Date: Wed, 08 Oct 2003 21:57:21 -0500

/Black box vs. crystal box./ In a "black box" test, the intrusiontesters approach the test as an outsider, with no insider knowledge ofthe target environment. They will be running scanners and trying to seewhat is "visible". This is comparable to an attack from an anonymous(usually external) hacker.

In a "crystal box" test, the intrusion testers KNOW what they areattacking and what they expect to find. They may even be provided withmany, if not all of the network diagrams and names, IP addresses,platforms, services and critical data for each and every device on thenetwork. This is akin to a "disgruntled network engineer" attack, wherethey do not really have much access to the systems on the network, butwhere they KNOW what the systems are, where they're located, what theydo and possibly even how they are configured.

As for your setup. It seems reasonable enough. I think they mightappreciate the FTP access through the firewall though. :-)


Eric Hagen



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Current thread:

NASA Security Audit Gregory M. Brown (Oct 08)
- Re: NASA Security Audit Roger A. Grimes (Oct 09)
  - PIX introduction Daniel Cid (Oct 09)
- RE: NASA Security Audit Byron Copeland (Oct 09)
- Re: NASA Security Audit Eric (Oct 09)
- Re: NASA Security Audit Steve (Oct 09)
- Re: NASA Security Audit Marcos E. Rodriguez (Oct 10)
- <Possible follow-ups>
- Re: NASA Security Audit KoRe MeLtDoWn (Oct 09)
  - Re: NASA Security Audit Anders Reed-Mohn (Oct 10)
- RE: NASA Security Audit Simons, Rick (Oct 09)
- RE: NASA Security Audit Raymer, Dan (Oct 09)
- RE: NASA Security Audit Johnson, Kevin (Oct 09)
  - RE: NASA Security Audit Mike (Oct 10)
- Re: NASA Security Audit Cl Clay (Oct 09)
  - Re: NASA Security Audit Meritt James (Oct 10)

(Thread continues...)