I think the subject of this mail was what Criteria should you use when
selecting a Penetration Testing Team.
There are many procedural aspects to a Penetration Test. If I missed any
out for the sake of brevity I apologise.
In actual fact a full IP Penetration Test should include
0. Assessment of the value of business assets
1. A test externally without knowledge of the target system
2. An internal test (& Security Audit)
3. Another external test with Knowledge
4. Report on testing. - This is probably the most important stage as it
is the deliverable.
Of course the TOR for the project may also include other phases such as
those mentioned...
Have a look at http://www.cesg.gov.uk/services/industry.htm.
Liam.
> ----------
> From: Bernd Eckenfels
> Sent: 16 February 2001 02:44
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: Re: Penetration
>
> On Thu, Feb 15, 2001 at 04:22:44PM -0000, [EMAIL PROTECTED]
> wrote:
> > A good Penetration Testing Team should not need any more information
> > from you other than the company name unless you want a more focused
> test
> > to be performed.
>
> Actually Tiger Teams for penetration testing are good to detect
> problems
> like social engineering, general policy problems, physical security
> problems, trust on insecure external or internal systems and so on.
> Therefore they are good, but I don't think you need them very often. In
> a two
> step process I would allow them for a blind attack first and after
> that give
> them any information they want (like network topology and server
> configuration). That way you cover both cases, blind intruders and
> informed
> (internal) intruders.
>
> Also a security audit is more effective than a blind penetration
> testing.
> You should start with that. After you have done that (i.e. review
> policy and
> implementation (aka firewall rules)) you might think of penetration
> testing,
> not before.
>
> Greetings
> Bernd
> --
> (OO) -- [EMAIL PROTECTED] --
> ( .. ) ecki@{inka.de,linux.de,debian.org}
> http://home.pages.de/~eckes/
> o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
> (O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir
> cevinpl!
>
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]