Re: Penetration Testing or Vulnerability Scanning?

From: the___CIA___ (the___CIA___@hotmail.com)
Date: Fri Jul 04 2003 - 11:12:24 EDT


Osioke

I disagree with the FFIEC explanation as to what is an Assessment and what
is a penetration test, etc. As there is no "official" agreed explanation,
the FFIEC has attempted to explain them for the uneducated banking staff to
provide them some sort of guidance. The excerpt is shown previously within
this email thread.

Just because the FFIEC classified them in this way does not indicate that
any "Security" company that you may be considering for testing work on your
network will agree to the FFIEC definitions. It is more important to take
away from the explanations what the differences in testing may be. Then
again, companies wishing to work in the financial vertical market should be
aware of the FFIEC explanations and any differences to their own approach.

Vuln vs penetration.
Performed with knowledge, or without.
Performed with standards or without.
Etc...

You can find the handbook here:
http://www.ffiec.gov/ffiecinfobase/booklets/information_secruity/information_security.pdf

And an overview PDF here:
http://www.ffiec.gov/ffiecinfobase/presentations/overview_presntation.pdf

Good Luck!

On 7/3/03 2:25, "Osiokegbhai Ojior" <oojior@worldspan.com> wrote:

> In-Reply-To: <1047256692.1211.29.camel@localhost>
>
> I did a search on Google for FFIEC Information Security booklet and I'm
> coming up short on this item. Could you please provide a link to a pdf or
> information on how to get a copy of this booklet?
>
> This topic is right on the money and I am in the process of re-documenting
> a formal understanding of what this all is for my company so that we're
> all on the same page.
>
> Thanks.
>
> -Osioke
>
>>
>> I like the explanation in the new FFIEC Information Security booklet:
>>
>> "Penetration tests, audits, and assessments can use the same set of
>> tools in their methodologies. The nature of the tests, however, is
>> decidedly different. Additionally, the definitions of penetration test
>> and assessment, in particular, are not universally held and have changed
>> over time.
>>
>> Penetration Tests. A penetration test subjects a system to the
>> real-world attacks selected and conducted by the testing personnel. The
>> benefit of a penetration test is to identify the extent to which a
>> system can be compromised before the attack is identified and assess the
>> response mechanism's effectiveness. Penetration tests generally are not
>> a comprehensive test of the system's security and should be combined
>> with other independent diagnostic tests to validate the effectiveness of
>> the security process.
>>
>> Audits. Auditing compares current practices against a set of standards.
>> Industry groups or institution management may create those standards.
>> Institution management is responsible for demonstrating that the
>> standards they adopt are appropriate for their institution.
>>
>> Assessments. An assessment is a study to locate security vulnerabilities
>> and identify corrective actions. An assessment differs from an audit by
>> not having a set of standards to test against. It differs from a
>> penetration test by providing the tester with full access to the systems
>> being tested. Assessments may be focused on the security process or the
>> information system. They may also focus on different aspects of the
>> information system, such as one or more hosts or networks."
>>
>> -- Doug
>>
>

---------------------------------------------------------------------------
Latest attack techniques.

You're a pen tester, but is google.com still your R&D team? Now you can get
trustworthy commercial-grade exploits and the latest techniques from a
world-class research group.

Visit us at: www.coresecurity.com/promos/sf_ept1
or call 617-399-6980
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:35 EDT