Re: Pen Test vs. Health Check

From: Don Parker (dparker@rigelksecurity.com)
Date: Sun Jan 25 2004 - 21:40:46 EST


Hi Andy, well I have a few thoughts I would like to share here actually. The two (pen
test and holistic approach) should remain separate as indicated. To that end though the
pen test should still done. As we all know there are different attacks that are
performed as a trusted member of the lan (physical access) vice that of the pen tester
which is normally done remotely.

Doing both of these actually in my mind highlights the various dangers to the client.
The holistic approach will also show that the client must attempt to safeguard the
internal lan from potentially disgruntled employee's and the such. This is done through
hardening the internal lan in a variety of ways. It is also important though to show the
normal external threats as well via a pen test. Doing the two gives a far more complete
picture of the clients security posture.

Hope this is what you had in mind for feedback :-)

Cheers

-------------------------------------------
Don Parker, GCIA
Intrusion Detection Specialist
Rigel Kent Security & Advisory Services Inc
www.rigelksecurity.com
ph :613.249.8340
fax:613.249.8319
--------------------------------------------

On Jan 25, "Andy Cuff" <lists@securitywizardry.com> wrote:

Hi Folks,
Last week Mark Teicher brought up a valid point regarding ethical
hacking not solving the underlying issue of an insecure network.
Addressing the symptom rather than the cause.

I personally don't like the term ethical hacking when referring to a Pen
Test, however as you probably noticed think, the term will remain where
training is concerned that introduces the student to the techniques and
methodology used by a hacker. I do not think that an ethical hacking
course will make a security tester. OK, no more about training, honest!

A Pen Test is only as good as the testers and is only a snapshot.
However, a network that has been secured from the inside out, with a
solid secure foundation should stand the test of time, even if it is
compromised the attacker may not be able to roam freely and all their
actions should be recorded.

IMHO a more efficient and thorough method to conduct a security test is the
holistic approach, where the tester looks inside the network first from a
privileged account, identifying
problems and offering solutions, if need be, he/she can then attempt to
exploit said vulnerabilities as a demonstration to the client. This method
greatly cuts down on the time taken to "scope the joint"
externally.

Firstly, what are the members thoughts on the above, and what are the
downsides in what I have said. Also, does anyone have any good
analogies to vindicate the holistic approach over the Pen Test?

-andy

Talisker Security Tools Directory
<a href='http://www.securitywizardry.com'>http://www.securitywizardry.com>

---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT