RE: Info collection

From: Frank Knobbe (frank@knobbe.us)
Date: Mon Aug 09 2004 - 19:56:47 EDT


On Mon, 2004-08-09 at 13:21, Jeff Gercken wrote:
> [...] By starting on the box and working outward you can evaluate the
> successive layers of security providing for a systematic and
> comprehensive evaluation.

But isn't that considered a vulnerability assessment? A penetration test
seems to be always from the outside in, with or without knowledge of
systems involved. But a host review, network review and such are part of
vulnerability assessments, not penetration tests.

I see this mixed up in a lot of threads and am wondering why there is
still such an amount of confusion between the two. Perhaps this might be
a nice topic for an aspiring author, to develop a book that contrasts
these two exercises.

Anyway, on a personal note (and not picking on Jeff), I question how
much information you really need to gather and present (during a
vulnerability assessment, not a pentest ;). I mean, if you run a bunch
of scripts on, say, 50 DMZ servers, you end up with a mountain of data
that the client gets lost in. Instead of listing the configuration
specifics, I prefer to list an opinion, or evaluated value of quality. I
still list detailed recommendations (and am guilty at times of
"over-recommending"), but a qualitative statement about a host is worth
more than a bunch of appendices with configuration specs (imho).

Especially with systems becoming more complex and having more
configuration options, it should be the job of the reviewer to evaluate and
summarize the state of security. I argue that a manual review with a
good eye often results in more useful information than running a bunch
of scripts (to gather Reg settings, file ACLs and such). We should
strive to summarize and qualify, not just collect and deliver.

Regards,
Frank





This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT