RE: Why Penetration Test?

From: DUBRAWSKY, IDO (CALLISMA) (id3878@sbc.com)
Date: Fri Jun 10 2005 - 16:47:08 EDT


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

If you're looking at it from a strict technical perspective, a
penetration test is more detailed than a vulnerability assessment. A
vulnerability assessment can provide a surface level view of issues
within the network but a penetration test can take it further by
validating the vulnerability and demonstrating the extent of the
potential risk involved by not remediating. In fact a pen-test, many
times, includes an initial vulnerability assessment.

Consider that a typical VA may identify a vulnerability in an
application, but that the exploit used requires a reverse telnet
shell to be shoveled to the application. A VA tool may flag the
vulnerability as a high risk, but if the customer is also doing
outbound filtering and is able to block the reverse telnet back to
the attacker's box then this needs to be accounted for in the
evaluation of the risk level in the network. A VA typically does not
see this...a pen-test should.

Additionally a pen-test could be used to look at the data on the
systems being attacked to determine the sensitivity of that data. A
VA doesn't look at that information.

Now, these are very simplistic examples and there are more factors
that come into play as well but it kind of exemplifies some of the
differences between a VA and a pen-test. It all depends on the
customer and what they're comfortable with (an exploit used in a
pen-test may well cause a critical service to fail thus causing a
denial-of-service that needs to be dealt with -- a VA typically won't
cause such a situation -- it may, but it is, in my experience, rare)
and how good the consultant is.

I believe that scenario C as you describe it is the most useful.
Even with a vulnerability assessment, it's value is also tied into
the skill and capabilities of the consultant.

Ido
- --
Ido Dubrawsky, CISSP
Senior Security Consultant
SBC/Callisma
(571) 633-9500 (Office)
(202) 213-9029 (Mobile)

> -----Original Message-----
> From: tarunthenut@gmail.com [mailto:tarunthenut@gmail.com]
> Sent: Thursday, June 02, 2005 2:30 AM
> To: pen-test@securityfocus.com
> Subject: Why Penetration Test?
>
>
> I was wondering the usefulness of a penetration testing
> against vulnerability assessment for a company.
>
> Scenario A
> Cosultant "A is employed to perform a vulnerability
> assessment and the result is tabulated based on the business
> risk these vulnerabilities pose.
>
> Scenario B
> Cosultant "B is employed to perform a Penetration Test,
> discovers 10 vulnerabilities and is able to show exploit of 5
> vulnerabilities.
>
> Scenario C
> Cosultant "C" is employed to perform a Penetration Test,
> discovers 10 vulnerabilities and is able to show exploit of 7
> vulnerabilities.
>
> Which scenario would have more usefulness to the company? it
> is ovbious that the result of a PT would depend and vary from
> skill of a consultant to another?
>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQqn8TGmsDscGuNcHEQIhXwCgzAAs7+QejMDHyQR2A1X/ikKbelwAnivD
+B8YanOqyuw8HjJ0t5pL1gPC
=yHV9
-----END PGP SIGNATURE-----



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT