Re: Penetration testing via shrinkware
depends on who's writing (shsrms erols.com)
Thu, 03 Sep 1998 19:35:53 -0400
- Next message: Gary Crumrine: "RE: Penetration testing via shrinkware"
- Previous message: Bill_Royds
pch.gc.ca: "Re: Penetration testing via shrinkware"
- Maybe in reply to: Stout, Bill: "Penetration testing via shrinkware"
- Next in thread: Gary Crumrine: "RE: Penetration testing via shrinkware"
Stout, Bill wrote:
>
> What are the opinions on the thoroughness of shrinkwrap software
> penetration testing? Is today's shrinkware more capable for penetration
> testing (a single machine) than a human?
I would like to take a step back. Your ref to various tools seems to
ignore the basic concept: These are tools. A good tool can help a less
skilled tool operator do more, faster, and better than that same
operator without the tool.
>
> I'll take one example of a tool,
<<SNIP>> sounds like an ad for any tool company.
>
> Some counter-points I have are:
> o The human needs to do data collection about the target through
> whois, nslookup, search engines, anonymous or spoofed phone calls, etc.
> o The human element still needs to select the targets, the connection
> path (dial-up, X.25, Internet, hops via private links, etc), the social
> engineering, the password crackers, etc.
> o The human also needs to define the D.O.S. threshold of the target,
> and limits on brute force efforts.
> o The tests won't detect sniffers installed at the target's ISP.
OR: the tool operator should have a selection of tools to choose from,
the skill and knowledge to apply the right tool to the job, and that can
actually come with experience.
This is not like building a house. This is not like doing body work on
a real steel car. One tool does not preclude the use of another.
>
> Say someone wants to do penetration testing and security auditing for a
> company, and use various types of shrinkware to do it. Any comments?
I recommend using various tools. Much like our language, develop an
idiom of tools that might give you indications that you might need to do
more.
There is no perfect tool. There are no perfect systems. Hopefully, the
tool operator will learn what tools to use!
just my two cents. Opinions are like arm pits, most folks have at least
two,
bob
>
> Bill Stout
-- real address is shsrms at erols dot com The Herbal Gypsy and the Tinker.
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:46 CDT