Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Vulnerability Assessment

from [Pete Herzog] Network Security [Permanent Link]
Subject: Re: Vulnerability Assessment
Date: Wed, 25 Jul 2007 17:58:48 +0200 
Hi Dave,

A final point is that concentric layers of protection have to be understood from a risk perspective; in that a vulnerability which requires local login to exploit, or physical presence (ALMOST ANY MACHINE) may be more or less at risk if the employees are trusted and trustable, and the physical access is more ore less controlled. In other words, if a Financial Server or Top Secret Server is running an MS Operating system (already a questionable practice <smile>), and is protected behind umpteen firewalls, AV, IDS/IPS, it may be more vulnerable if any joe could just walk up to it physically and do something like boot it up on CD (BackTrax it) or less vulnerable if there is no unauthorized physical access and the keyboard and monitor are controlled.

Your points before this one are well taken and I do hope some people learn from the DoS mistake of yours you mentioned.

Risk is a concept for choosing security and controls. Testing, however, is verifying to what level that security or those controls exist. To test, you don't make a risk assessment. Doing so would restrict your findings. You make a thorough test of everything within the business requirements, policy, regulations, etc. Remember, you're there to make sure they didn't forget anything. You can't do that if you're making the same guesses they are. That's why the OSSTMM can help you not miss anything.

In terms of analysis, where you need to trust employees or not, I think you make a good point about risk but it's the wrong thing to do. Even the most loyal employee can send the wrong mail by accident to the wrong person or be fooled into clicking on the phisher's link. You need to treat every interaction on the network as one of a business perspective where security provides a means to efficiency, less accidents, and a quicker reaction to mistakes. In that case it's not about who you trust inside or out but what you need to keep the business running efficiently. If locking down all the desktops means less help desk hassles (it doesn't) versus the cost of employee turn-over from unhappy employees, then make your decision that way. Not whether or not you trust Alice or Jack. If you really think we can make good trust choices as human beings, just watch a few daytime talk shows ;)

-pete.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Pentest automated tool, Fyodor
Next by Date:  Re: Port Scanning Issues, krymson
Previous by Thread:  Re: Vulnerability Assessment, dcdave
Next by Thread:  Re: Vulnerability Assessment, holger . reichert
Indexes:  [Date] [Thread] [Top] [All Lists]