Penetration Testing mailing list archives

Re: Why Penetration Test?


From: Terry Vernon <tvernon24 () comcast net>
Date: Mon, 13 Jun 2005 14:37:43 +0000

That's a good way to do it. Not only do you find out what vulnerabilities exist and need to be addressed, you also find out if the Intrusion Prevention you have spent oodles of money on is doing its job.


tarunthenut () gmail com wrote:

hi,
thanx to everyone for brainstorming on this point.

i asked this question because i failed to understand why certain clients are bent on penetration testing, because the results totally depend on the skill set of the person/company performing the penetration testing.

I am of the opinion that the companyx should get two vulnerability assessments (not penetration testing) done.
Scan 1: With its preventive and reactive controls switched off (IPS/IDS/HIPS etc). Results ranked not on technical ranking (most tools/VA companies tabulate on tech rankings) but on business impact ranking.

Scan 2: With the preventive and detective controls switched on (IPS/IDS/HIPS etc). Again results ranked on business impact rankings.

The second result will test the effectiveness of the security controls in place. Based on the two scans, the companyx should go about plugging those vulnerabilities in a phased manner:

Phase I: Plug those which could be "identified" (not necessarily exploited) in spite of security controls switched on and have high business impact.

Phase II: Plug those which could be "identified" (not necessarily exploited) in spite of security controls switched on and have medium or low business impact.

Phase III: Plug those which could be "identified" (not necessarily exploited) when security controls were switched off and have high business impact.
(To ensure "safety" even when any preventive or detective control fails)

Phase IV: Plug those which could be "identified" (not necessarily exploited) when security controls were switched off and have medium or low business impact. (To ensure "safety" even when any preventive or detective control fails)

What say, people? Does this approach bring any sense into the chaos?

Regards
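
The two-scan triage described in the quoted post, worked through as an added example (this is editorial illustration code, not something either poster wrote). It diffs the findings of Scan 1 (controls off) against Scan 2 (controls on), matches a finding on host plus issue so the same hole seen twice counts once, ranks by the business impact the asset owner assigned rather than the scanner's technical severity, and sorts each finding into Phase I to IV exactly as the post lays out. It goes slightly beyond the post in two places: it lists the findings the controls merely hid from the scanner, since those are still open, and it flags the case where Scan 2 returns nothing at all, which usually means the IPS shunned the scanner rather than shielded every host. The hosts, issue names and impact ratings are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# Sort order inside a phase. Ranking follows business impact, as the post
# proposes; the scanner's own severity is carried along but never consulted.
IMPACT_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    # Business impact set by the asset owner: "high", "medium" or "low".
    # compare=False means identity (and set membership) is host + issue only,
    # so a rating that differs between the two scan reports does not split it.
    impact: str = field(compare=False)
    tech_severity: str = field(compare=False)   # scanner's rating, reference only


def _key(f: Finding) -> tuple:
    return (IMPACT_RANK[f.impact], f.host, f.issue)


def assign_phases(scan1_controls_off: Iterable[Finding],
                  scan2_controls_on: Iterable[Finding]) -> Dict[int, List[Finding]]:
    """Map every finding to remediation phase I-IV (dict keys 1-4).

    Scan 1 ran with IPS/IDS/HIPS off, Scan 2 with them on. A finding counts as
    "identified despite controls" when Scan 2 reported it. Anything Scan 2
    reports that Scan 1 somehow missed is still treated as visible despite
    controls, which is the conservative reading.
    """
    off = set(scan1_controls_off)
    on = set(scan2_controls_on)
    phases: Dict[int, List[Finding]] = {1: [], 2: [], 3: [], 4: []}
    for f in sorted(off | on, key=_key):
        despite_controls = f in on
        high = f.impact == "high"
        if despite_controls and high:
            phases[1].append(f)
        elif despite_controls:
            phases[2].append(f)
        elif high:
            phases[3].append(f)
        else:
            phases[4].append(f)
    return phases


def suppressed_by_controls(scan1_controls_off: Iterable[Finding],
                           scan2_controls_on: Iterable[Finding]) -> List[Finding]:
    """Findings the controls hid from the scanner.

    These are not fixed: the vulnerability is still present, only the probe
    was blocked. They are exactly the Phase III and IV population."""
    on = set(scan2_controls_on)
    return sorted((f for f in set(scan1_controls_off) if f not in on), key=_key)


def scanner_was_blocked(scan1_controls_off: Iterable[Finding],
                        scan2_controls_on: Iterable[Finding]) -> bool:
    """Sanity check before trusting Scan 2.

    If Scan 1 found plenty and Scan 2 found nothing at all, the likely cause is
    that the IPS shunned the scanner's address, and Scan 2 then says nothing
    about which individual findings the controls really cover."""
    return bool(list(scan1_controls_off)) and not list(scan2_controls_on)


# Constructed sample reports (hosts, issues and ratings are made up).
SCAN1 = [  # controls off
    Finding("db01", "unpatched SMB service", "high", "critical"),
    Finding("www01", "directory listing", "low", "medium"),
    Finding("www01", "SQL injection in login form", "high", "high"),
    Finding("hr02", "SMB null session", "medium", "medium"),
    Finding("dev03", "telnet enabled", "low", "high"),
]
SCAN2 = [  # controls on: the IPS hid the SMB exploit and telnet, not the rest
    Finding("www01", "SQL injection in login form", "high", "high"),
    Finding("www01", "directory listing", "low", "medium"),
    Finding("hr02", "SMB null session", "medium", "medium"),
]

if __name__ == "__main__":
    if scanner_was_blocked(SCAN1, SCAN2):
        print("Scan 2 is empty; check whether the IPS shunned the scanner")
    for phase, items in assign_phases(SCAN1, SCAN2).items():
        print(f"Phase {phase}:")
        for f in items:
            print(f"  {f.host:6} {f.issue:30} impact={f.impact}")
    print("Hidden by controls, still open:",
          [f"{f.host}:{f.issue}" for f in suppressed_by_controls(SCAN1, SCAN2)])
```

Note the dev03 telnet finding: the scanner rates it high, the owner rates its business impact low, so it lands in Phase IV. That is the post's point about ranking on business impact rather than on the tool's tabulation, and it is also the main caveat: the phase a finding gets is only as good as the impact rating someone assigned to it.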


