Penetration Testing mailing list archives
Pen test vs Vulnerability Assessment (was Re: win2k pentest - what can i do?)
From: Alex Butcher <alex () s3 integralis co uk>
Date: Wed, 11 Jul 2001 09:49:42 +0100
Ryan Permeh wrote:
> as a side, it occurs to me to ask the following of this group: what level of penetration do you perform in an average test? do you penetrate completely? use this to leverage access across a network?
Depends on the level of service commissioned. Our entry-level service (Level 1 Interrogate) is purely a vulnerability scan; we enumerate /possible/ vulnerabilities (taking great care to try to avoid both false positives and negatives) and report on them and how they may be used to gain further access. Our premium service (Infiltrate) is (virtually) "no holds barred" penetration testing. We allow both classes of customers to rule some actions out of bounds, such as DoS (even though it may be necessary for spoofing attacks used in Infiltrate). Essentially, we consider Interrogate to be a "breadth-first" search for vulnerabilities, whilst Infiltrate is a "depth-first" search and we'll try to get as deep as we can.
> what "trophy" do you use to prove access?
The minimum necessary. If \BOOT.INI proves our point, that'll do. No need to drag (potentially) sensitive material unencrypted across the Internet...
> How do you spell out your level of penetration to your customers?
We charge more for Infiltrate. :)
> do they understand the difference between "vulnerability assessment" and penetration analysis?
Hopefully. :)
> just curious how everyone else chooses to do this....
>
> Signed,
> Ryan Permeh
> eEye Digital Security Team
Best Regards,
Alex.
--
Alex Butcher                                      PGP/GnuPG Key IDs:
Consultant, S3 Systems Security Services          alex@s3        B7709088
PGP: http://www.s3.integralis.co.uk/pgp/alex.pgp  alex.butcher@  885BA6CE
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/