Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Why Penetration Test?

from [Rob Havelt] Network Security [Permanent Link]
Subject: Re: Why Penetration Test?
Date: Sat, 11 Jun 2005 03:30:11 -0400
I'd submit that these scenarios offer very different data sets, meant to address two distinctly different concerns within an organization. Put simply, they answer different questions. (I'm assuming the most common definitions of VA and PT here - as the meaning of "Vulnerability Assessment" varies wildly from organization to organization).

But given that scenario A, and B/C would produce different data they can both be useful, and they both answer a specific question. How useful they are would depend almost solely on the data that is most needed by the organization commissioning the test at that point in time.

So I'd further submit that real value that a consultant can add to the process is to help the organization understand the subtile differences, and identify the real questions that they need answered. For example - has the organization in question started to look at threats in the context of risk to the business, end to end security for business processes, and so on... perhaps they have done this extensively, and as a result of this they've decided to put security to the test. In this case, scenario A wouldn't be answering the question. But perhaps the organization has not taken a realistic look at the business in terms of risk. They are not aware of all the threats, and they don't have a plan in place. Scenario A might provide some real value this this case, possibly more than B or C.

so I guess my answer to this would be a big "it depends on the company", but it really does - not every organization is at the same point in the security cycle. The most useful thing would be to try to understand where the organization is, and possibly to help them understand where they are right out of the gate.

-Rob


At 06:29 AM 6/2/2005 +0000, you wrote:
I was wondering the usefulness of a penetration testing against vulnerability assessment for a company.

Scenario A
Cosultant "A is employed to perform a vulnerability assessment and the result is tabulated based on the business risk these vulnerabilities pose.

Scenario B
Cosultant "B is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 5 vulnerabilities.

Scenario C
Cosultant "C" is employed to perform a Penetration Test, discovers 10 vulnerabilities and is able to show exploit of 7 vulnerabilities.

Which scenario would have more usefulness to the company? it is ovbious that the result of a PT would depend and vary from skill of a consultant to another?

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Snort-users] Unrecognized attack patterns against IIS, TPanaitescu
Next by Date:  Re: Why Penetration Test?, Daniel Reynaud-Plantey
Previous by Thread:  Re: Why Penetration Test?, Amit
Next by Thread:  Re: Why Penetration Test?, Petr . Kazil
Indexes:  [Date] [Thread] [Top] [All Lists]