CastleCops, Internet Crime Fighters
Security HeadLines: Fortifying Your Security Arsenal
Cyber Security
By Rik Farrow
April 28, 2003

A client recently told me his company planned to hire a firm specializing in networking to run a vulnerability scan on the company firewall. He called this process "penetration testing," which left me appalled, as my concept of the term is very different.

I've never performed "formal" penetration tests; I believe these are best accomplished by groups of professionals with varying specialties. I have, however, performed less formal tests for clients and friends using port scans and tests of services open at particular ports. But after checking with other security consultants, I discovered many would refer to what I'd been doing as penetration testing. And the notion of paying someone to run a vulnerability scanner against a site isn't as farfetched as I'd first thought, although other experts in the field recommend doing a lot more than just running a tool and handing over the results to the client.

Penetration testing provides real value for organizations interested in enhancing network security. But finding the right company to perform a penetration test isn't easy, and you have to work closely with the individual or company that performs the testing.

Joining Forces

My image of penetration testers was created by the movie "Sneakers," in which a group of security experts used a variety of techniques to penetrate a bank, and then a security company. Their techniques involved social engineering, a video camera with a telescopic lens to capture passwords as they were being typed, wiretapping, theft, and technical tricks. Of course, the real world of penetration testing doesn't quite work that way.

Penetration testing provides a mechanism for proving that your network defenses work as intended. Let's assume that your organization regularly updates policies and procedures, keeps systems patched, and uses tools such as vulnerability scanners to help ensure all patches are being applied. If you're already doing these things, why would you want an outside party to perform an audit or penetration test? The answer is because penetration testing provides an independent examination of your security strategy: in other words, a second set of eyes. And the people conducting this testing are folks whose professional lives revolve around looking for flaws in the security of networked systems.

Penetration testing is sometimes conducted as part of an external audit. This type of testing involves probing systems to identify the operating system and any network services, and checking these network services for vulnerabilities. You can do these things with a vulnerability scanner, but third parties can use different tools than what you may have access to, and they're typically more familiar with these alternative tools.

Part of the art of penetration testing lies in interpreting the results of tools used during the probing process. Anyone who owns a vulnerability scanner can run the tool against your firewall, or portions of a network. But few people are able to thoroughly understand the results of a vulnerability scanner, much less perform additional tests to verify the accuracy of the vulnerability scanner's report.

Story continues...

Article Source
Network Magazine

Posted on Monday, 28 April 2003 @ 11:25:16 UTC by cj (934 reads)