Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Why Penetration Test?

from [Williamson, Clyde] Network Security [Permanent Link]
Subject: RE: Why Penetration Test?
Date: Tue, 21 Jun 2005 10:28:00 -0400 
I tend to consider it in the terms of a drill. We might have all the fire
exits clearly marked, but a drill would seem to provide a good test as to
the viability of the escape plan. 

I would wager that mosbunall companies that kept offices in the WTC run
regular disaster recovery drills, it appears that many of them had disaster
recovery plans... But had never proven the plan.

I think penetration testing works in a similar fashion.

-----Original Message-----
From: Matt Curtin [mailto:cmcurtin@interhack.net] 
Sent: Friday, June 17, 2005 9:13 AM
To: tarunthenut@gmail.com
Cc: pen-test@securityfocus.com
Subject: Re: Why Penetration Test?

tarunthenut@gmail.com writes:


I was wondering the usefulness of a penetration testing against 
vulnerability assessment for a company.


It's a good question, and while there are plenty who disagree with me on
this, I maintain that penetration testing is useful for determining whether
an organization's ability to detect and to respond to attack is in line with
its expectations.

Risk assessment will consider things like threats, vulnerabilities, and
assets, looking at the likelihood and impact of various threats exploiting
vulnerabilities to damage assets.  The objective here is to determine which
risks are best accepted as a cost of doing business, which are best
transferred, and which are best mitigated against.

Technical evaluation will perform validation of the controls put in place,
whether they are working as expected.  Many people (mistakenly, in my view)
call this "penetration testing").

Penetration testing, understood in this context, is very useful indeed.  For
example, if your staff notices and responds to something that your risk
assessment said you're not going to worry about, it shows that you're
spending too much time and money looking at stuff in detail, or that your
risk management policy needs to be updated to reflect what is happening in
reality.  On the other hand, if a penetration is attempted, noticed, and
responded to appropriately, that will show whether the policy, technology,
and people are doing all of what they should.

--
Matt Curtin,  author of  Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation  +1 614 545 4225 http://web.interhack.com/
Forensic Computing | Information Assurance | Managed Information Technology
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: wireless WEP crack., Michael Sierchio
Next by Date:  RE: wireless WEP crack., Sbc Global
Previous by Thread:  Re: Why Penetration Test?, Pete Herzog
Next by Thread:  [Snort-users] Unrecognized attack patterns against IIS, Michael Scheidell
Indexes:  [Date] [Thread] [Top] [All Lists]