Penetration Testing mailing list archives
RE: Pen Test vs. Health Check
From: "Robert E. Lee" <robert () isecom org>
Date: Sun, 25 Jan 2004 21:50:33 -0800
> A Pen Test is only as good as the testers and is only a snapshot.
I cannot argue that the test is only as good as the tester/analyst team, but the output, if prepared and analyzed properly, can far outlast the time value of the "snapshots" I've seen delivered. A snapshot might uncover a set of patches the customer didn't have installed, but might miss the fact that there may be a security concern with the patch management policy of the tested organization. Obviously you cannot talk about a new vulnerability in application XYZ before it becomes known, but you can find out the purpose of the application, who needs access, who shouldn't have access, and help suggest changes to the ACL accordingly. When I talk about a pen-test it is only to act as a proof of concept for what might be possible if a real attack were to occur. My goal in that case is maximum damage... find as many trophies (client list, SSN/financial DB, root access, etc.) as possible. This type of test can serve as a wake-up call, but doesn't provide any other lasting value. Restated, a pen-test's goal is to find the weakest link and the maximum exposure possible. A security test is the tedious, methodical process of discovering, analyzing, documenting, and solving as many security problems as possible. While it is required to have the creativity of the "hacker" mind, security testing is not hacking, ethical or otherwise.
> IMHO a more efficient and thorough method to conduct a security test is the holistic approach, where the tester looks inside the network first from a privileged account, identifying problems and offering solutions; if need be, he/she can then attempt to exploit said vulnerabilities as a demonstration to the client. This method greatly cuts down on the time taken to "scope the joint" externally.
This method may also cause the testing team to make improper assumptions. I think it is better to go black box first, and then privileged knowledge/access afterwards to have a sane test.
> Also, does anyone have any good analogies to vindicate the holistic approach over the Pen Test?
A penetration test is taking your bag of tricks, throwing it at the network and hoping something sticks. It's the difference between taking a used car to a local car mechanic to "once over" and the 120-point inspection you get from a certified used car. If you're doing your job as a security tester, you're not just looking for symptoms, you're performing a thorough test of everything you have access to.

Robert

Robert E. Lee
Co-Chairman of the Board
The Institute for Security & Open Methodologies (http://www.isecom.org)
Creators of the OSSTMM Security Testing Manual (http://www.osstmm.org)