Penetration Testing mailing list archives

Re: Pen Test vs. Health Check
From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 26 Jan 2004 00:29:14 -0000

----- Original Message -----
From: "Andy Cuff" <lists () securitywizardry com>
To: <pen-test () securityfocus com>
Sent: Sunday, January 25, 2004 3:38 PM
Subject: Pen Test vs. Health Check


IMHO a more efficient and thorough method to conduct a security test is a
holistic approach, where the tester looks inside the network first from a
privileged account, identifying problems and offering solutions, if need be,
he/she can then attempt to exploit said vulnerabilities as a demonstration
to the client.  This greatly cuts down on the time taken to "scope the
joint".

True, but the actual test requirement can vary greatly - from the client's
perspective it could be a 'tick in the box' type requirement, specific
threat models (rogue internal user, internet attacker etc), analysis of a 3rd
party provider / application or a general 'where are the gotchas?' test.
An intensive internal audit with privileges would be time intensive (at
consultancy day rates) and require some fairly major effort to coordinate
everything within the client's organisation.
Internal politics and domains of responsibility will be the main issues
