From: Clint Bodungen (clint@secureconsulting.com)
Date: Tue Jan 27 2004 - 15:20:44 EST
If you leave out the hacker/cracker verbiage, point of view B.S.,
"professional" vs "non-professional", and focus on logical definitions and
apply them to the subject you have your answer. It's amazing how logical
facts can elevate so much objective discussion:
To assess is to put an estimated value to something (qualitative or
quantitative) based on given information applied to actuary statistics...
(In this case we are assessing the likelihood of vulnerabilities, exposure,
and exploitation on a given system/network by comparing what we know about
the network in question to what we know about network security.) Standard
statistical analysis. In order to gather more accurate and actuary data
(and improve the accuracy and results of our assessment and future
assessments), we perform tests.
Therefore, "penetration" testing is (or should be) _part of_ a complete
vulnerability assessment.
> I am by no means an expert in this subject, but it seems to me that one
> major difference between a pen-test and a vulnerability assessment is
> the pen-test is designed to come from a cracker's perspective, and the
> tester is encouraged to actually attempt to enter systems using real
> exploits. In a vulnerability assessment, on the other hand, the touch
> seems to be lighter -- with the focus being on a report of the various
> areas that need improvement. An illustration:
>
> Pen-Test Guy: "Look what I could have done to your network." // more
> inflamitory
> Vulnerabilty Assessment Guy: "Here are some areas you need to work on."
> // more academic
>
> In short, pen-tests are more cutting edge and sexier. They are asked
> for when the company is *very* serious about their security and have a
> vested interest in knowing what an attacker could potentially do on
> their network from the outside. I should also note that I think that
> the pen-test requires quite a bit more skill than a vulnerability
> assessment. I, for example, could probably do a decent vunlerabilty
> assessment for a small to medium sized company, but I don't feel my
> skills are far enough along to do pen-testing yet.
>
> Regards,
>
> -danielrm26
>
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:47 EDT