> Difference in definition. To clarify my definition - a penetration
> usually involves going out to achieve a predefined set of goals,
> whether it
> is to obtain administrator or root access on a particular machine, or
> to
> retrieve information off a database that is supposed to be
> confidential, et
> al. Sometimes penetration tests can include physical aspets as well,
> or
> social engineering. The scope of acceptable options may be extremely
> narror or broad, but in my opinion, the end result of a penetration
> test
> is (hopefully) the attainment of some goal.
>
OK, differences in definition aside between the UK and ZA this is really
an issue of the Scope of the Project and the Terms of Reference. If the
customer would like you to try and modify a particular file on a system
then thats what you try to do. The real goal though is to identify the
vulnerabilities not only in particular applications, services etc, but
also those inherent in the system due to its design and implementation.
Furthermore the goal is to provide good advice.
> A technical vulnerability assessment will take snapshot of that
> organisations security status at that time. Two variables come
> into play that I see - one, newly installed systems running
> the latest releases may result in fewer known vulnerabilities
> discovered, even though the organisation may not maintain a
> similar level of protection.
>
I don't see the relevance here. It would be true to say that choosing
the latest versions of particular software may result in fewer
vulnerabilities found in software. However, vulnerabilities are not just
identified in software. Design, implementation, configuration, etc..
another reason why scanners are inadequate...
> Secondly, I would say that a company's security posture *is*
> subject to change.
>
Yes, but not the second after the penetration test has been performed.
It is subject to change governed by procedures (change control) which ,
as you have said, may be initiated by the results of the testing
performed.
> If, as a result of the vulnerability assessment
> , or other work you have performed, a company realises that further
> investigation is warranted, you would persue further consulting with
> a client to either institute or improve the supporting structures for
> protecting their information security.
>
>
That is what I am alluding to here.
> > In fact it is the Security Policy(s) and Procedures which seek to
> keep
> > the bar high enough. Part of the Penetration Test's Job is to
> > Verify and
> > Validate these Policies and Procedures.
> >
> > Good Luck to you too.
>
> My apologies - I realise that may have come across as sarcastic. I
> originally meant to direct that comment at our friend who originally
> asked for advice on selecting an automated vulnerability scanner. ;)
>
No Drama 80)
> Take care,
> Andrew
>
Cheers,Liam.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
