From: Pete Herzog (lists@isecom.org)
Date: Mon Jun 13 2005 - 13:08:06 EDT
I was under the impression a successful pen-test would map the paths of
attack and not just to verify attacks are possible. Verification is
required in vulnerability assessments to clean up false positives and
reintroduce tests where analysis has determined the possibility of false
negatives. Vuln testing is not about determining patches/fixes - for
that, the good ol' sys admin could set his systems to DL and install all
patches, failing where one is already installed. A vuln test isn't
needed for that. Patch is not the opposite of Vulnerability. Vuln
tests are for determining parts of a vulnerable network so the analysis
can focus on "why" or "whatever".
A pen test is about creatively (and methodically) determining new
avenues of attack, new paths to exploit, and new tricks to pull from
sleeves. This pen tester thinks in new ways and can change the rules of
the game in new ways that the defensive folks haven't thought about yet.
The zero day and social engineering are such clever and valid tools
for the pen tester for exactly this reason-- they nullify what the
Defense thought they had as solid gridiron, hitting their underground
shelter like a bomb that can burrow. It says, "hey there, how are ya,
didn't think about your defenses from here because ya didn't think I
could get here, did ya?" But they aren't valid tools for the vuln
tester. Therefore, a pen test is only as good as the tester, the
tester's tools, the tester's support group, and in part on the tester's
good night's sleep. Somewhere it changed into this vuln assessment
support group stuff because hacking like a hacker was made to look so
powerful and cool (cause it is) that everyone wanted to say they could
do it and actually started to believe they could do it because they
changed the definition of it. But that's like saying everyone can be a
great artist when it's clearly not true because the delivery is so
subjective.
But selling vuln tests as pen tests is a valid marketing tick because it
produces valid income. Right? Regardless, in our industry each has its
place in an assessment if the client's goals are met. But then since
when does the client know more about security than the security
professional? Imagine the accountant who balances the books because
that's what the client wants but doesn't adhere to professional,
ethical, and integral accounting practices? Wait, don't imagine, just
read almost any newspaper from the last 5 years. And it's happening in
our industry now all the time.
Why Pen Test? Because it's maybe the right answer to the right
question. But ya gotta figure out both the question and the answer for
yourself.
-pete.
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:24 EDT