Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Pen Test vs. Health Check
From: "Clint Bodungen" <clint () secureconsulting com>
Date: Tue, 27 Jan 2004 14:20:44 -0600

If you leave out the hacker/cracker verbiage, point of view B.S.,
"professional" vs "non-professional", and focus on logical definitions and
apply them to the subject you have your answer.  It's amazing how logical
facts can elevate so much objective discussion:

To assess is to put an estimated value to something (qualitative or
quantitative) based on given information applied to actuary statistics...
(In this case we are assessing the likelihood of vulnerabilities, exposure,
and exploitation on a given system/network by comparing what we know about
the network in question to what we know about network security.)  Standard
statistical analysis.  In order to gather more accurate and actuary data
(and improve the accuracy and results of our assessment and future
assessments), we perform tests.

Therefore, "penetration" testing is (or should be) _part of_ a complete
vulnerability assessment.

I am by no means an expert in this subject, but it seems to me that one
major difference between a pen-test and a vulnerability assessment is
the pen-test is designed to come from a cracker's perspective, and the
tester is encouraged to actually attempt to enter systems using real
exploits.  In a vulnerability assessment, on the other hand, the touch
seems to be lighter -- with the focus being on a report of the various
areas that need improvement. An illustration:

Pen-Test Guy: "Look what I could have done to your network." // more
Vulnerabilty Assessment Guy: "Here are some areas you need to work on."
// more academic

In short, pen-tests are more cutting edge and sexier.  They are asked
for when the company is *very* serious about their security and have a
vested interest in knowing what an attacker could potentially do on
their network from the outside.  I should also note that I think that
the pen-test requires quite a bit more skill than a vulnerability
assessment.  I, for example, could probably do a decent vunlerabilty
assessment for a small to medium sized company, but I don't feel my
skills are far enough along to do pen-testing yet.




  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]