From: R. DuFresne (dufresnesysinfo.com)
Date: Thu Sep 13 2001 - 01:11:03 CDT
Of course, and Paul's later statements on the issues (he was the
individual that Ben was quoting) go further. Paul's assessment is:
> need to be perfect - one just needs to know quite accurately how
> they are.
Paul D. Robertson:
I'm not sure you can know that accurately when blind. That's actually
probably my biggest problem with blind tests - the tester doesn't get to
see the configuration file that could contain the backdoor from hell.
I'll give you an example. Let's say that a company's administrator is
attending a local university, and to make life easier, allows access to
the administrative ports of his infrastructure (routers, switches and
firewalls) from the university's lab so that when his pager goes off, he
can fix things without missing too much class time. A blind test won't
find that. A configuration check can.
The full discussion is quite well done, and a danged good read. I
recommend others here look at the firewalls list archives of the past few
On Wed, 12 Sep 2001, H C wrote:
> For the most part, I agree with Ben's comments. For
> completeness, a system can be as secure as possible if
> a vulnerability assessment of that system is
> conducted, and that information is then used to launch
> a "full disclosure pen-test" or perhaps more
> appropriately, a "verification analysis".
> However, like anything else, this is only a snapshot
> of the system in time. We then get into the change
> control/management process, and where verification
> testing fits in such a process.
> > But any "analysis" process should include external
> > verification - ie that
> > the box is doing what you told it to do, right?
> > This is quite distinct from the traditional pen-test
> > in that it isn't blind.
> > I think that to create the most secure system
> > possible, blind pen-testing is
> > a waste of time -
-- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior consultant: darkstar.sysinfo.com http://darkstar.sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
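Paul's point above, that a configuration check finds what a blind test cannot, as an added illustration that is not part of the original post: a small audit over a constructed ACL-style rule set that flags permit rules exposing infrastructure admin ports to sources outside the approved management network. The rule syntax, the addresses, the port list and the "university lab" source range are all assumptions.

```python
import ipaddress

# Constructed sample, loosely modelled on an ACL-style syntax:
#   <permit|deny> <proto> <src> <dst> [eq <port>]
# Line 2 is the "admin from the university lab" case (192.0.2.0/24 is a constructed range).
SAMPLE_RULES = """\
permit tcp 10.1.0.0/24 10.1.1.1 eq 22
permit tcp 192.0.2.0/24 10.1.1.1 eq 22
permit udp 10.1.0.0/24 10.1.1.1 eq 161
permit tcp any 203.0.113.10 eq 443
deny ip any any
"""

ADMIN_PORTS = {22, 23, 161, 443}                     # ssh, telnet, snmp, https management (assumed list)
MGMT_NETS = [ipaddress.ip_network("10.1.0.0/24")]    # constructed: the only approved admin source
INFRA_HOSTS = {ipaddress.ip_address("10.1.1.1")}     # constructed: router/firewall management address


def _net(token):
    # "any" is shorthand for the whole address space; a bare host becomes a /32
    return ipaddress.ip_network("0.0.0.0/0" if token == "any" else token, strict=False)


def parse_rule(line):
    parts = line.split()
    if len(parts) < 4:
        return None
    rule = {"action": parts[0], "proto": parts[1],
            "src": _net(parts[2]), "dst": _net(parts[3]), "port": None}
    if len(parts) >= 6 and parts[4] == "eq":
        rule["port"] = int(parts[5])
    return rule


def audit_admin_access(text, mgmt_nets=MGMT_NETS, infra=INFRA_HOSTS, admin_ports=ADMIN_PORTS):
    """Return (line number, rule) for every permit rule that lets a non-management
    source reach an admin port on an infrastructure device."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["action"] != "permit" or rule["port"] not in admin_ports:
            continue
        # Does the destination cover an infrastructure device (or everything)?
        hits_infra = rule["dst"].prefixlen == 0 or any(h in rule["dst"] for h in infra)
        if not hits_infra:
            continue
        # Is the source confined to an approved management network?
        if not any(rule["src"].subnet_of(net) for net in mgmt_nets):
            findings.append((lineno, line))
    return findings
```

Running `audit_admin_access(SAMPLE_RULES)` reports only line 2; a scan from outside would see the same open port on every rule and could not tell the approved source from the lab.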