Is this a plug?
Automated Vulnerability Scanning is not a substitute for a Penetration
Test.
All a good scanner (perhaps Nessus - probably the best one) will show
you is what a script kiddie might find wrong with your site or network.
All a script kiddie will do is run automated scanners and exploit
scripts. It's a no-brainer. It takes no experience, no knowledge and no
understanding.
If you want help in dealing with the threats and risks to your
Technological Space (and perhaps your company's physical space)
commission a good penetration testing team.
Criteria for choosing a Penetration Testing Team.
A good Penetration Testing Team should not need any more information
from you other than the company name unless you want a more focused test
to be performed. You may want a specific hosted e-commerce webserver to
be tested rather than every host belonging to the company. This sort of
thing should be covered in a Scoping Exercise and documented in a Terms
of Reference Document.
Whilst there are not many real qualifications to look for regarding
Penetration Testing there is one in the UK called CHECK. There is a
hands on test by which budding CHECK Certified Team Leaders seek to
prove their worth, which is reviewed every year. The CHECK scheme is a
determined attempt to create Penetration Testing Teams that strive for
excellence in this field. It is rumoured that over 50% of the engineers
taking the test are failed. So the standards I think are quite high.
Hope you find the right team (product) for you and your company.
Liam.
> ----------
> From: [EMAIL PROTECTED]
> Sent: 15 February 2001 14:21
> To: Zodiac Mars; [EMAIL PROTECTED]
> Subject: Re: Penetration
>
> http://www.securityspace.com/
> You could at least have regular scans performed, and a lot less
> expensive than a full-blown penetration test.
>
> ----- Original Message -----
> From: "Zodiac Mars" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Thursday, February 15, 2001 7:21 AM
> Subject: Penetration
>
>
> > We are a large financial institution, we are looking
> > for doing a regular external penetration test from the
> > internet to the DMZ servers. Could you help in
> > recommending/suggestions in the criteria that we
> > select the right vendor(s). Also I appreciate if you
> > can recommend vendor(s) that you have experience with.
> >
> > Thanks for your advice.
> >
> > Zodiac
> > Systems Administrator
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>