Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Why Penetration Test?

from [Pete Herzog] Network Security [Permanent Link]
Subject: Re: Why Penetration Test?
Date: Mon, 13 Jun 2005 19:08:06 +0200 
I was under the impression a successful pen-test would map the paths of
attack and not just to verify attacks are possible.  Verification is
required in vulnerability assessments to clean up false positives and
reintroduce tests where analysis has determined the possibility of false
negatives.  Vuln testing is not about determining patches/fixes - for
that, the good ol' sys admin could set his systems to DL and install all
patches, failing where one is already installed.  A vuln tested isn't
needed for that.  Patch is not the opposite of Vulnerability.  Vuln
tests are for determining parts of a vulnerable network so the analysis
can focus on "why" or "whatever".

A pen test is about creatively (and methodically) determining new
avenues of attack, new paths to expolit, and new tricks to pull from
sleeves.  This pen tester thinks in new ways and can change the rules of
the game in new ways that the defensive folks haven't thought about yet.
The zero day and social engineering are such a clever and valid tools
for the pen tester for exactly this reason-- they nullify what the
Defense thought they had as solid gridiron, hitting their underground
shelter like a bomb that can burrow.  It says, "hey there, how are ya,
didn't think about your defenses from here because ya didn't think I
could get here, did ya?"  But they aren't valid tools for the vuln
tester.  Therefore, a pen test is only as good as the tester, the
tester's tools, the tester's support group, and in part on the tester's
good night sleep.  Somewhere it changed into this vuln assessment
support group stuff because hacking like a hacker was made to look so
powerful and cool (cause it is) that everyone wanted to say they could
do it and actually started to believe they could do it because they
changed the definition of it.  But that's like saying everyone can be a
great artist when it's clearly not true because the delivery is so
subjective. 

But selling vuln tests as pen tests is a valid marketing tick because it
poduces valid income. Right?  Regardless, in our industry each has its
place in an assessment if the client's goals are met.  But then since
when does the client know more about security then the security
professional?  Imagine the accountant who balances the books because
that's what the client wants but doesn't adhere to professional,
ethical, and integral accounting practices?  Wait, don't imagine, just
read almost any newspaper from the last 5 years.  And it's happening in
our industry now all the time.

Why Pen Test?  Because it's maybe the right answer to the right
question.  But ya gotta figure out both the question and the answer for
yourself.

-pete.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Pentesting a SONUS / SIP Network, Mihai Amarandei
Next by Date:  Re: Why Penetration Test?, Terry Vernon
Previous by Thread:  RE: Why Penetration Test?, vince
Next by Thread:  RE: Why Penetration Test?, Williamson, Clyde
Indexes:  [Date] [Thread] [Top] [All Lists]