pen-test

RE: Ethical hacker article published

To: <pen-test@securityfocus.com>
Subject: RE: Ethical hacker article published
From: "Craig Wright" <cwright@bdosyd.com.au>
Date: Fri, 23 Feb 2007 09:25:48 +1100
Cc: "Steve Fletcher" <safletcher@insightbb.com>
Hello,
Unfortunately, there is no peer review process associated with industry 
magazines. In the case of this one, I note that you are the editor, which also 
makes review less likely.  However, there are some points in the article I would 
like to point out.

To start with, the terms that you have grouped together (ethical hacking, 
penetration testing, intrusion testing and red teaming) are all different.  It 
may be true that there are overlaps between each of these, but they're not the same.  
This is a common misconception and one that I hope to respond to.  Common 
mistakes in nomenclature, even when made by many people, do not make them 
correct.

Of most importance is the fallacy that you hold that ethical attackers are 
actually testing system security.  This is not correct.  In fact it is being 
constantly shown (references available on request) that ethical attacks do far 
less to categorically qualify security risks than many other forms of testing.  
They do not, for instance, take note of internal controls.  In fact, many 
potential vulnerabilities cannot be discovered in a penetration test by the 
nature of the testing.  Next, it needs to be remembered that there is an 
economic cost associated with penetration testing.  The ethical attacker is 
constrained by a budget of time and thus money.

Blind testing by its very nature will take longer than auditing a site with 
knowledge.  The review undertaken by the ethical attacker is thus hobbled from 
the start. It is infeasible to state that the contractor will have more 
knowledge at the end of a review if it is done as an ethical attack with 
limited knowledge over a systems review with full information.

Red teaming has been used by both government and business for many decades in a 
variety of areas, including physical and logical based testing. At its simplest 
it's a peer review concept.  Another way to look at it is as a method of assessing 
vulnerabilities. In cases where red teaming refers to the provision of 
adversarial perspectives, the design of the red team is not hampered in the 
manner that ethical attacks are.  There is little correlation between a 
red team exercise and an ethical attack in any sense of the word.

The formation of red cells is a situation unlikely to occur in any ethical 
attack.  Further, internal intelligence is unlikely to be gathered as part of 
an ethical attack.  In this instance it is more likely that the ethical attack 
will consist of beating away at the Internet gateway.  A red team engagement 
is wider in scope; areas including internal subversion and associated 
control checks cannot be ignored in this type of test.  It is unlikely that 
they would even cross the mind of the ethical attacker.

Next, a vulnerability assessment and an ethical attack differ significantly.  
Moreover, the assessments are part of a complete risk analysis program.  
Ethical attacks do not in themselves form part of this measure and process, 
although they may be used as a single phase within one of these processes.

Vulnerability assessments involve the cataloguing of assets and capabilities.  
The lack of internal knowledge provided in the typical ethical attack process 
precludes this phase.  Next, vulnerability assessments work on the basis of 
assigning value to the asset that is being attested by this process.  This is a 
quantifiable value which is determined through this process.

Subsequently, vulnerabilities, and potential threats to these resources, are 
determined.  This process is not limited to external attacks.  This process 
needs to take into account not only external and even internal attacks, 
but necessarily must also consider physical threats and many other tests 
outside the reach of the ethical attack.

The lack of foreknowledge as to the qualification of value associated with any 
particular asset negates the possible assessment of a vulnerability status by 
an ethical attack process.

Further, although it is commonly called a vulnerability, an unpatched system 
or "hole" does not in itself make a vulnerability.  What the ethical attacker is 
noting is a potential vulnerability.  Other information needs to be associated 
with this potential vulnerability before it may be classified as a 
vulnerability.  There is a great difference between a potential vulnerability and 
a vulnerability.  Before this determination can be made it is necessary to 
understand the system being tested.  The limited knowledge provided in blind 
testing or other black box test processes is seldom adequate to provide this 
information.  Although the ethical attacker or even penetration tester may 
stumble across a vulnerability with serious consequences, it is rarely likely 
that they will be able to determine this without additional internal information.

Although many people do not seem to realise the difference between these types 
of processes, ethical attacks are not vulnerability assessments, nor are they 
red teaming exercises.

Hence the value in peer reviews before publishing.

Regards,
Craig S Wright


-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Steve Fletcher
Sent: Wednesday, 21 February 2007 1:18 PM
To: pen-test@securityfocus.com
Subject: Ethical hacker article published

For anyone who is interested, my recent article on ethical hackers has been
published.  You can find it at
http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=2652&zoneid=225
or in the March issue of Certification Magazine.

Thanks again to everyone who provided helpful information.  Unfortunately,
they edited out the sentence giving credit to those who provided information.
:(

If anyone has any feedback (good or bad), please let me know for future
articles.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, Security+
Email:  safletcher@insightbb.com
Web:  http://safletcher.home.insightbb.com
 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


