Re: Why Penetration Test?

From: Matt Curtin (cmcurtin@interhack.net)
Date: Fri Jun 17 2005 - 09:12:45 EDT


tarunthenut@gmail.com writes:

> I was wondering the usefulness of a penetration testing against
> vulnerability assessment for a company.

It's a good question, and while there are plenty who disagree with me
on this, I maintain that penetration testing is useful for determining
whether an organization's ability to detect and to respond to attack
is in line with its expectations.

Risk assessment will consider things like threats, vulnerabilities,
and assets, looking at the likelihood and impact of various threats
exploiting vulnerabilities to damage assets. The objective here is to
determine which risks are best accepted as a cost of doing business,
which are best transferred, and which are best mitigated against.

Technical evaluation will perform validation of the controls put in
place, whether they are working as expected. Many people (mistakenly,
in my view) call this "penetration testing").

Penetration testing, understood in this context, is very useful
indeed. For example, if your staff notices and responds to something
that your risk assessment said you're not going to worry about, it
shows that you're spending too much time and money looking at stuff in
detail, or that your risk management policy needs to be updated to
reflect what is happening in reality. On the other hand, if a
penetration is attempted, noticed, and responded to appropriately,
that will show whether the policy, technology, and people are doing
all of what they should.

-- 
Matt Curtin,  author of  Brute Force: Cracking the Data Encryption Standard
Founder of Interhack Corporation  +1 614 545 4225 http://web.interhack.com/
Forensic Computing | Information Assurance | Managed Information Technology


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT