|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: Penetration testing via shrinkware
Ryan Russell (ryanr
sybase.com)
Thu, 3 Sep 1998 10:12:16 -0700
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Jim Wamsley 303-673-8163: "Network Traffic Violations"
- Previous message: Bennett Todd: "Re: Penetration testing via shrinkware"
- In reply to: Stout, Bill: "Penetration testing via shrinkware"
- Next in thread: McEwen, Don: "RE: Penetration testing via shrinkware"
>What are the opinions on the thoroughness of shrinkwrap software
>penetration testing? Is today's shrinkware more capable for penetration
>testing (a single machine) than a human?
Depends on the human. Even when compared to a really good human,
the software will often find a hole the human didn't think to check for,
didn't
know about, or didn't care about.
I think they're actually good for different things... You want a person
driving a penetration
test, who can do all the things you've mentioned, and use their head, and
correlate
information a program couldn't begin to. From the case studies I've read,
it seems
human penetration tests tend to be "I got root, game over." In other
words, the point
is to prove there is at least one way in, not neccessarily to enumerate ALL
the ways
in.
You want to use the software to do mass checking of hosts and problems.
Unlike
the human who tend to want to find the one big hack, the software is happy
to report
small things, potential problems, and things that aren't "broken" exactly,
but
just don't follow policy. An example would be ISS's ability to check that
NT hosts
enforce the minimum password length that you want users to use. I see the
software
as being more useful that a person when trying to close down as many holes
as
possible on many hosts.
Another point of discussion about the software is that it tends to *find*
holes,
and not neccessarily *exploit* them. The software vendors do this
intentionally
to prevent liability to some degree. (I think the next big Internet worm
will be
a customized SATAN or SAINT that performs the attacks it checks for, and
then installs itself to go after the next host.)
Of course, what you really want is a really good human armed with the
software.
Ryan
- Next message: Jim Wamsley 303-673-8163: "Network Traffic Violations"
- Previous message: Bennett Todd: "Re: Penetration testing via shrinkware"
- In reply to: Stout, Bill: "Penetration testing via shrinkware"
- Next in thread: McEwen, Don: "RE: Penetration testing via shrinkware"
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT