On Thu, Feb 15, 2001 at 04:22:44PM -0000, [EMAIL PROTECTED] wrote:
> A good Penetration Testing Team should not need any more information
> from you other than the company name unless you want a more focused test
> to be performed.

Actually, Tiger Teams for penetration testing are good for detecting problems
like social engineering, general policy problems, physical security
problems, trust in insecure external or internal systems and so on.

Therefore they are good, but I don't think you need them very often. In a
two-step process I would allow them a blind attack first and after that give
them any information they want (like network topology and server
configuration). That way you cover both cases, blind intruders and informed
(internal) intruders.

Also, a security audit is more effective than blind penetration testing.
You should start with that. After you have done that (i.e. reviewed policy and
implementation (aka firewall rules)) you might think of penetration testing,
not before.

Greetings
Bernd
--
(OO) -- [EMAIL PROTECTED] --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!