Vulnerability Assessment and Penetration Testing



arunsivadasan
06-20-2011, 05:22 PM
Hi guys,

A colleague recently asked me a question that left me stumped.

His client told him: 'We only need to do penetration testing and not vulnerability assessment. Since I am preventing threats coming in from outside using PT, I don't need to do VA. Even if there are vulnerabilities inside, since no threat can come inside, I don't have to worry.'

I asked him to convey the example of a virus spreading through an infected USB. It's able to spread havoc because internal vulnerabilities remain unaddressed.

Do you guys have any real-life examples that can be used to convince his client?

Anant Shrivastava
06-20-2011, 05:26 PM
Just give him a case study on how insiders are a bigger threat than outsiders.

Also, vulnerability assessment is about things that do exist on the network... PT is about real-life exploitation (was supposed to be).

If a team or group of people can't penetrate an identified vulnerability, then that doesn't limit the dangers of the vulnerability; that just shows the limitation at the team's end.

Hope this can help.

b0nd
06-20-2011, 06:40 PM
The points here (http://www.garage4hackers.com/showthread.php?444-The-Difference-Between-a-Vulnerability-Assessment-and-a-Penetration-Test) might help.

Punter
06-20-2011, 08:51 PM
You should tell them what the insider threats can really be. Also, recent attacks happened on RSA and Google; hackers targeted internal employees, and those impacts were high. I think everyone knows that. It's like "I have a firewall on my perimeter", so it doesn't mean they are secure.

acr0n
06-21-2011, 08:01 PM
I think Operation Aurora (Google China hack) is the best example. Some good resources: http://www.cert.org/insider_threat/

swatantra
06-23-2011, 10:54 PM
Pentest vs. Vulnerability Assessment
One of the best articles I ever read...

Good comparison!

http://www.tns.com/PenTestvsVScan.asp