Re: Security Audit

From: R. DuFresne (dufresneat_private)
Date: Wed Sep 12 2001 - 23:11:03 PDT


    Of course, and Paul's later statements on the issues (he was the
    individual that Ben was quoting) go further.  Paul's assessment is:
    
    			[SNIP]
    	ben nagy;
    > need to be perfect - one just needs to know quite accurately how
    > imperfect they are.
    
    Paul D. Robertson:
    I'm not sure you can know that accurately when blind.  That's actually
    probably my biggest problem with blind tests- the tester doesn't get to
    see the configuration file that could contain the backdoor from hell.
    I'll give you an example.  Let's say that a company's administrator is
    attending a local university, and to make life easier, allows access to
    the administrative ports of his infrastructure (routers, switches and
    firewalls) from the university's lab so that when his pager goes off, he
    can fix things without missing too much class time.  A blind test won't
    find that.  A configuration check can.
    
    
    The full discussion is quite well done, and a danged good read.  I
    recommend others here look at the firewalls list archives of the past few
    days.
    
    Thanks,
    
    Ron DuFresne
    
    
    On Wed, 12 Sep 2001, H C wrote:
    
    > For the most part, I agree with Ben's comments.  For
    > completeness, a system can be as secure as possible if
    > a vulnerability assessment of that system is
    > conducted, and that information is then used to launch
    > a "full disclosure pen-test" or perhaps more
    > appropriately, a "verification analysis".
    > 
    > However, like anything else, this is only a snapshot
    > of the system in time.  We then get into the change
    > control/management process, and where verification
    > testing fits in such a process.
    > 
    > > But any "analysis" process should include external
    > > verification - ie that
    > > the box is doing what you told it to do, right?
    > > 
    > > This is quite distinct from the traditional pen-test
    > > in that it isn't blind.
    > > 
    > > I think that to create the most secure system
    > > possible, blind pen-testing is
    > > a waste of time - 
    > 
    
    -- 
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            admin & senior consultant:  darkstar.sysinfo.com
                      http://darkstar.sysinfo.com
    
    "Cutting the space budget really restores my faith in humanity.  It
    eliminates dreams, goals, and ideals and lets us get straight to the
    business of hate, debauchery, and self-annihilation."
                    -- Johnny Hart
    
    testing, only testing, and damn good at it too!
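The "configuration check" Paul contrasts with a blind test can be partly automated. The script below is an added illustration, not code from the thread or from any of the posters: it parses a constructed, simplified firewall ruleset and flags any permit rule that opens a device-management port to a source network outside the sanctioned admin range (the assumed trusted network, the management port list and the rule format are all assumptions for this example). The third sample rule is the kind of convenience hole described above: SSH to the infrastructure from an outside lab network.

```python
import ipaddress

# Constructed sample ruleset (not from the thread). One rule per line:
# "action proto src_cidr dst_cidr dst_port". 192.0.2.0/24 stands in for
# the off-site lab network in Paul's example.
SAMPLE_RULES = """\
permit tcp 10.0.0.0/24 10.0.1.1/32 22
permit tcp 10.0.0.0/24 10.0.1.1/32 443
permit tcp 192.0.2.0/24 10.0.1.0/24 22
permit tcp 0.0.0.0/0 10.0.2.10/32 80
deny ip 0.0.0.0/0 0.0.0.0/0 any
"""

# Assumed device-management ports and the only network allowed to reach them.
MGMT_PORTS = {22, 23, 161, 443, 8443}
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.0.0.0/24")]


def parse_rules(text):
    """Turn the simplified ruleset into dicts; malformed lines are skipped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        action, proto, src, dst, port = parts
        rules.append({
            "action": action,
            "proto": proto,
            "src": ipaddress.ip_network(src),
            "dst": ipaddress.ip_network(dst),
            "port": None if port == "any" else int(port),
        })
    return rules


def find_exposed_mgmt(rules, trusted=TRUSTED_MGMT_NETS):
    """Return permit rules that open a management port from an untrusted source."""
    findings = []
    for r in rules:
        if r["action"] != "permit" or r["port"] not in MGMT_PORTS:
            continue
        # A source fully inside a trusted admin network is sanctioned.
        if any(r["src"].subnet_of(t) for t in trusted):
            continue
        findings.append(r)
    return findings


if __name__ == "__main__":
    for f in find_exposed_mgmt(parse_rules(SAMPLE_RULES)):
        print(f"management port {f['port']} reachable from {f['src']} -> {f['dst']}")
```

A blind scan from the Internet would never exercise the lab-sourced rule, which is exactly why the check has to read the configuration rather than probe the box.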
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 12:39:33 PDT