Re: Pen Test vs. Health Check

[Ivan Arce <ivan.arce () coresecurity com>]

Rob Shein wrote:

> > A Pen Test is only as good as the testers and is only a 
> > snapshot. However, a network that has been secured from the 
> > inside out, with a solid secure foundation should stand the 
> > test of time, even if it is compromised the attacker may not 
> > be able to roam freely and all their actions should be recorded.
>
>
> There's another factor, which is the way that a pen-tester becomes engaged
> by a weak point.  In an assessment, a vulnerability is noted, and the tester
> moves on, but in a pen-test, they engage that vulnerability, and follow it
> like the beginning of a path into the network.  Later, they can go back to
> the starting point and find another path, but it's still like trying to map
> the paths through the woods on foot; it's possible to miss one.  On the
> other hand, an assessment is more like mapping them from a low-flying
> aircraft.

Right, or in other words,

A penetration test gives you depth, you understand how a small set of
vulnerabilities can be linked together into an attack and the implications 
of that particular attack to your organization, but you dont learn about
ALL possible paths of attack.

A vulnerability assement gives you breath, you map and identify ALL 
(hopefully) vulnerabilities in your network but you do not undersand how 
they relate to each other and how an attack could link a given subset of
them together in order to achieve a specific goal.

Iterating both processes can give you more breath in the first case and
more depth in the second.

Doing a penetration test constantly is quite expensive today hence the
perceived shortcoming of just identifing one or a few attack paths.

Doing constant vuln. scanning is, perhaps, not as expensive if you
do so from a single or a few attack points in your network topology but
will quickly become cumbersome and expensive if you want to achieve
the level of depth a pen-test provides. And there is still a need
to correlate results and construct possible attack scenerarios out
of them. The overall cost of this also increases if you consider
(as it should be) a vulnerability assesment something much more
comprehensive than just vulnerability scanning.

I suspect that the right balance for each organization is unique
to its specific needs, skillsets, budget, business practices and
core business.

-ivan

---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A



---------------------------------------------------------------------------
----------------------------------------------------------------------------