Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: Pen Test vs. Health Check
From: "Nexus" <nexus () patrol i-way co uk>
Date: Mon, 26 Jan 2004 00:29:14 -0000


----- Original Message -----
From: "Andy Cuff" <lists () securitywizardry com>
To: <pen-test () securityfocus com>
Sent: Sunday, January 25, 2004 3:38 PM
Subject: Pen Test vs. Health Check

[snip]

IMHO a more efficient and thorough method to conduct a security test is
the
holistic approach, where the tester looks inside the network first from a
privileged account, identifying
problems and offering solutions, if need be, he/she can then attempt to
exploit said vulnerabilities as a demonstration to the client.  This
method
greatly cuts down on the time taken to "scope the joint"
externally.

True, but the actual test requirement can vary greatly - from the clients
perspective it could be a 'tick in the box' type requirement, specific
threat models (rogue intenal user, internet attacker etc), analysis of a 3rd
party provider / application or a general 'where are the gotcha's ?' test.
An intensive internal audit with priveledges would be time intensive (at
consultancy day rates) and require some fairly major effort to coordinate
everything within the client's organisation.
Internal politics and domains of responsibility will be the main issues
there.

Cheers.


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault