To all,

From comments I've received via email, I think this discussion has been very beneficial to a great many people. I'd like to thank everyone for contributing opposing or complementary views, and I'd like to thank the moderator for allowing the posts through.

I'd like to progress the discussion a bit by going a step or two beyond the actual vulnerability assessment/verification testing engagement.

There are a limited number of ways to collect the information necessary for an assessment, so the key business differentiator for any consulting company is the analysis done on that information. Consulting companies and their clients need to understand that security is never perfect. Since a vulnerability assessment is a snapshot of the infrastructure, the analysis and recommendations provided by the consulting firm need to follow a "protect and detect" model...provide recommendations that are cost-effective and meet the client's business needs, doing what can be done to protect (ie, patches, updated apps and configurations, etc) against known and future vulnerabilities, and then detect (ie, monitoring) any new, unknown vulnerabilities that may occur.

The security goal for the client will be to make it difficult for someone, attacking either externally or internally, to cause a security incident to come to fruition without being detected. Security consulting firms should have this as their goal, as well, with respect to their clients.

This being said, what has been referred to as a "blind pen test" quickly drops out of the picture altogether as a method of reaching this goal. A vulnerability assessment of the overall infrastructure examines the configurations of hosts within that infrastructure, the relationship between the hosts, and the processes and procedures used by the admins. The assessment gets into every nook and cranny and peeks into the deep, dark corners.

Verification testing (ie, "full disclosure pen test") can be done once recommended changes have been put in place. Attempting to break in blindly using no more information than a domain name is not something that can be completed in a week or two for larger infrastructures, and leaves many items unchecked. However, a "blind pen test" can be used at a later date to test the effectiveness of detection, as well as incident response procedures. At that point, conducting such a test with full knowledge of the infrastructure would definitely be very beneficial.

Thanks for your time. Thoughts/comments appreciated.

Carv
This archive was generated by hypermail 2b30 : Thu Sep 13 2001 - 12:55:23 PDT