Penetration Testing mailing list archives

RE: Pen Test vs. Health Check
From: "Thompson, Jimi" <JimiT () mail cox smu edu>
Date: Mon, 26 Jan 2004 15:46:54 -0600


Doing both of these actually in my mind highlights the various dangers to
the client. The holistic approach will also show that the client must
attempt to safeguard the internal LAN from potentially disgruntled employees
and the such. This is done through hardening the internal LAN in a variety
of ways. It is also important though to show the normal external threats as
well via a pen test. Doing the two gives a far more complete picture of the
client's security posture.

Imagine for a moment that you've built a fabulous car.  You've just built
it and it sits in your garage idling.  If you never drive it, there's a lot
about your car you'll never know.  You'll never know what the top speed is.
You'll never know what it takes to red-line the engine.  You'll never know
if you need to adjust the suspension to get it to corner better.  You'll
never know if you need different rear end gears to get it to accelerate
faster.  You'll never know what the gas mileage is like.  All you know is
that it looks good.  The engine sounds good and you worked really hard to
build it.
Never doing a pen-test on your network is like never driving the car.
You'll never know for sure how much hammering it can take from a hacker and
what weak points you need to shore up unless you put it to the test.  The
rubber has to meet the road somewhere.  If it's not me or someone like me
who's getting paid to do it, it's going to be some hacker that still lives
in his mother's basement. The question boils down to who would you rather
trust? Me - a paid professional with a long history of maintaining client
confidentiality or BlackHat - someone who lives on "owning" you and posting
things like the CEO's salaries to your company email distribution lists. 

On the other hand, doing a pen-test without the rest of the audit is rather
like going to the doctor for a physical and finding out that he plans to do
exploratory surgery so that he can look at your internal organs to see if
there's anything wrong with you.  It's an invasive procedure that can break
things and have unintended consequences.  It should not be attempted by the
inexperienced or without reason (i.e. someone in management read about it in
"Red Herring"/"Fast Company"/"Business 2.0" and has now decided that this
"must" be done).  It should be part of an overall security initiative.

Just as you must periodically have unpleasant things done at the doctor's
behest once you reach a certain age (colonoscopy, mammogram, etc.), networks
need the same thing, but only once they reach a certain size.  Just as most
children don't need those kinds of procedures, many smaller companies don't
need pen testing either.  A simple security audit will suffice.  However,
most mid-size companies and larger need this on a regular basis.  IMHO, the
size of the network and its growth rate should determine the frequency.
Think of it as a colonoscopy for your network :) - potentially embarrassing,
uncomfortable and perhaps even painful but necessary for continued good

2 cents,
