Re: Penetration Testing or Vulnerability Scanning?

From: Osiokegbhai Ojior (oojior@worldspan.com)
Date: Thu Jul 03 2003 - 02:25:34 EDT


In-Reply-To: <1047256692.1211.29.camel@localhost>

I did a search on Google for FFIEC Information Security booklet and I'm
coming up short on this item. Could you please provide a link to a pdf or
information on how to get a copy of this booklet?

This topic is right on the money and I am in the process of re-documenting
a formal understanding of what this all is for my company so that we're
all on the same page.

Thanks.

-Osioke

>
>I like the explanation in the new FFIEC Information Security booklet:
>
>"Penetration tests, audits, and assessments can use the same set of
>tools in their methodologies. The nature of the tests, however, is
>decidedly different. Additionally, the definitions of penetration test
>and assessment, in particular, are not universally held and have changed
>over time.
>
>Penetration Tests. A penetration test subjects a system to the
>real-world attacks selected and conducted by the testing personnel. The
>benefit of a penetration test is to identify the extent to which a
>system can be compromised before the attack is identified and assess the
>response mechanism's effectiveness. Penetration tests generally are not
>a comprehensive test of the system's security and should be combined
>with other independent diagnostic tests to validate the effectiveness of
>the security process.
>
>Audits. Auditing compares current practices against a set of standards.
>Industry groups or institution management may create those standards.
>Institution management is responsible for demonstrating that the
>standards they adopt are appropriate for their institution.
>
>Assessments. An assessment is a study to locate security vulnerabilities
>and identify corrective actions. An assessment differs from an audit by
>not having a set of standards to test against. It differs from a
>penetration test by providing the tester with full access to the systems
>being tested. Assessments may be focused on the security process or the
>information system. They may also focus on different aspects of the
>information system, such as one or more hosts or networks."
>
>-- Doug
>




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT