RE: Email Pen-testing

From: Frank Knobbe (frank@knobbe.us)
Date: Wed Mar 24 2004 - 02:10:00 EST


On Tue, 2004-03-23 at 10:01, AJ Butcher, Information Systems and
Computing wrote:
> IMHO, regular vulnerability assessment is usually the most useful approach
> as it can identify the critical vulnerabilities that require fixing. Viewed
> in such a light, penetration testing is probably only useful for proving a
> political point (e.g. that someone is or isn't doing their job competently,
> or that their budget is adequate or insufficient).

Penetration tests not only test the technical defenses, but also the
processes and people around it. One variation of a Penetration Test is
an Incident Response Exercise to test the response capabilities of a
client. You are less concerned about getting root but instead try to
operate stealthily or in an otherwise defined pattern, attempting to
penetrate, but allowing others to take notes of the response procedures
of the client's incident response team.

Pentests do sometimes occur only to prove a point with management. But
more often than not, they are a valuable educational exercise, an
eye-opener. Less political, but more along the lines of "oh, we didn't
think about that". Anything that broadens and increases security
awareness of a client is a good thing.

Pentests are valuable, but as you correctly identified, they are useful
to uncover things in depth, not in breadth. First-action pentests are
almost always for political/funding or regulatory requirement purposes.
They should be followed by vulnerability studies, otherwise not much
will have been gained. Just like you, I prefer to do a vulnerability
assessment first, raise the security posture, but then do a pentest to
uncover those "things we haven't thought of" (from a client perspective)
and to find weak points in your defenses, and polish up the security
posture. Repeat periodically.

Pentests, vuln studies, incident response exercises, security awareness
training and exercises, risk assessments, those are pretty much ongoing
developments. I mean, a document classification system, or initial IR
capability setup, you typically develop once, and then just tweak them
over time. But assessments and exercises need to be done periodically.
That's all part of the "security is a process" cycle. And the more we
can educate and teach our clients along the way, the better.
 
(I'm gonna shut up now since I'm probably preaching to the choir...)

Regards,
Frank





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:51 EDT