RE: Pen Test vs. Health Check

From: Robert E. Lee (robert@isecom.org)
Date: Mon Jan 26 2004 - 00:50:33 EST


> A Pen Test is only as good as the testers and is only a snapshot.

I can not argue that the test is only as good as the tester/analyst team,
but the output if prepared and analyzed properly the results can far outlast
the time value of "snapshots" I've seen delivered. A snapshot might uncover
a set of patches the customer didn't have installed, but might miss the fact
that there may be a security concern with the patch management policy of the
tested organization. Obviously you can not talk about a new vulnerability
in application XYZ before it becomes known, but you can find out the purpose
of the application, who needs access, who shouldn't have access, and help
suggest changes to the ACL accordingly.

When I talk about a pen-test it is only to act as a proof of concept for
what might be possible if a real attack were to occur. My goal in that case
is maximum damage... find as many trophy's (client list, ssn/financial db,
root access, etc) as possible. This type of test can serve as a wake up
call, but doesn't provide any other lasting value. Restated a pen-test's
goal is to find the weakest link and the maximum exposure possible.

A security test is the tedious methodical process of discovering, analyzing,
documenting, and solving as many security problems as possible. While it is
required to have the creativity of the "hacker" mind, security testing is
not hacking, ethical or otherwise.

> IMHO a more efficient and thorough method to conduct a security test is
> the holistic approach, where the tester looks inside the network first
> from a privileged account, identifying problems and offering solutions, if

> need be, he/she can then attempt to exploit said vulnerabilities as a
> demonstration to the client. This method greatly cuts down on the time
> taken to "scope the joint" externally.

This method may also cause the testing team to make improper assumptions. I
think it is better to go black box first, and then privileged
knowledge/access afterwards to have a sane test.

> Also, does anyone have any good analogies to vindicate the holistic
> approach over the Pen Test?

A penetration test is taking your bag of tricks, throwing it at the network
and hoping something sticks. It's the difference between taking a used car
to a local car mechanic to "once over" and the 120-point inspection you get
from a certified used car. If you're doing your job as a security tester,
you're not just looking for symptoms, you're performing a thorough test of
everything you have access to.

Robert

Robert E. Lee
Co-Chairman of the Board
The Institute for Security & Open Methodologies (http://www.isecom.org)
Creators of the OSSTMM Security Testing Manual (http://www.osstmm.org)

---------------------------------------------------------------------------
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT