Hello all,
Though i'd say the most value i see for my customers comes from option
A, we sometimes are faced with clients that conduct a VA but are
reluctant or hesitant to take remediation actions based on the results.
It is then that we propose a pen-test to demonstrate how easy/hard it is
for an attacker to gain control of critical servers. The result from a
pen-test are then used to perform a "root-cause-analysis" to determine
the factors contributing to increased security risk. This is to help
management understand the impact of risks such as inadequate patching
procedures or standards which could translate into regulatory compliance
issues.
As far as option B and C are concerned.. I am of the opinion that
attackers would only be interested in a single exploitable
vulnerability.. so 5 or 7 wouldnt make much of a difference.. except
probably demonstrate that time to "own" for the server with more vulns
is much less than the one with fewer ones. Having said that, a diligent
security consultant needs to find and report atleast all known
exploitable vulnerabilities :)
Regards,
Amit Deshmukh
Senior Security Consultant
Security-Assessment.com
Sydney, Australia
cbc wrote:
Hi All,
My comments on these are:
A pentest which is useful and is able to add value to
a company who pays the service is only if the results
and finding are tally with the goal and expectation
established during the initiation of the exercise.
It is meaningless to judge which scenarios is the best
as if my goal of a pentest is to find as many as
vulnerabilites you can and exploit it, then I will say
scenario C is the best. But if my goal is to find
which vulnerbailities would impact my business most,
then scenario A is a better candidate.
In summary, ensuring a proper goal and expectation is
achieved during the planning stage is very vital. You
will find the evaluation and management process more
manageable by doing so!
Regards,
Boon Chin,
Senior Security Consultant, Singapore
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
######################################################################
CONFIDENTIALITY NOTICE:
This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################
