Penetration testing via shrinkware
Stout, Bill (StoutB
pios.com)
Wed, 02 Sep 1998 19:22:34 -0400
What are the opinions on the thoroughness of shrinkwrap software
penetration testing? Is today's shrinkware more capable for penetration
testing (a single machine) than a human?
I'll take one example of a tool, Internet Security Scanner. It can do a
complete external scan of the currently known vulnerabilities of a
machine or subnet. ISS is very conscientious of keeping up to date with
vulnerabilities.
Some counter-points I have are:
o The human needs to do data collection about the target through
whois, nslookup, search engines, anonymous or spoofed phone calls, etc.
o The human element still needs to select the targets, the connection
path (dial-up, X.25, Internet, hops via private links, etc), the social
engineering, the password crackers, etc.
o The human also needs to define the D.O.S. threshold of the target,
and limits on brute force efforts.
o The tests won't detect sniffers installed at the target's ISP.
Say someone wants to do penetration testing and security auditing for a
company, and use various types of shrinkware to do it. Any comments?
Bill Stout
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT