Penetration Testing mailing list archives
Re: Why Penetration Test?
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Wed, 29 Jun 2005 18:34:05 +0200 (CEST)
> I was wondering the usefulness of a penetration testing against vulnerability assessment for a company.
Hey pen-testers,

First of all, i apologize for coming so late to the party -- i've been far from the Internet for a couple of weeks lately...

Just wanted to point out something crucial to me that surprisingly enough has not been mentioned yet in this discussion: a security professional must always remember that there are some attack vectors that are hard (if not impossible) to spot and test thoroughly using automated VA tools.

Yeah, not all attacks come from the IP infrastructure: instead, in my personal and professional experience i witnessed that most dangerous attacks come very often through PBX, RAS connected to a PSTN, backup ISDN lines connected to routers, good old X.25 networks, etc.

Also, not all attacks can be easily reproduced using automated VA tools: just think about common technologies as WLANs and (web) applications in general, an automated testing approach would definitely miss some attack paths. Not to mention social engineering, physical intrusions, dumpster diving, and other popular ways to fool your expensive security measures.

In short, my point is: depending on the complexity of my operational environment, i'd be very careful before deciding to rely _only_ on the common IP infrastructure vulnerability assessments done with popular automated scanning tools to secure my information. There's more outta here that must be tested to ensure you get a 360 degrees vision of your organization's security posture and IMHO a good consultant should tell you before selling you yet another superficial VA.

Just my 2 euro-cents;)

Cheers,

--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707