Comments on: Pick the Right Tool for the Job: Penetration Tests, Vulnerability Assessment and IT Security Audits

By: Kevin Lam (IMPACTA)

Kevin Lam (IMPACTA) — Wed, 25 Feb 2009 08:29:14 +0000

Hi Bill, thanks for reaching out and asking about the book. When I wrote the book I was a full time employee at Microsoft, and now that I left not sure if that’s possible. I’ve been wanting to write another book so who knows …

@All: One day I’ll get around to writing another book, so if you’re interested in getting updates in the future, send an email to info@impactalabs.com and I’ll get you on the list. Thanks!

–Kevin

By: Bill Wildprett

Bill Wildprett — Wed, 25 Feb 2009 07:07:25 +0000

Hi Kevin,
I’m interested in your book as I am just finishing ‘Counterhack Reloaded’ by Ed Skoudis & Tom Liston.

Since your book was published a while back and includes a CD with tools and scripts, do you have plans to release an updated edition with a revised CD?

Thanks!

By: A Tip for Getting the Assessing Network Security Book « Impacta Blog

A Tip for Getting the Assessing Network Security Book « Impacta Blog — Fri, 09 Jan 2009 22:55:09 +0000

[...] everyone, I got several emails recently (in response to this blog posting) regarding how you can get a hold of a copy of Assessing Network Security (ISBN: 9780735620339, [...]

By: Kevin Lam (IMPACTA)

Kevin Lam (IMPACTA) — Tue, 30 Dec 2008 20:25:52 +0000

Hi Philip, thanks for sharing your thoughts and taking the time to post a comment. Indeed, the goal of a pentest does not necessarily have to be to gain administrative privileges. From a broader perspective, the goal really is to be to use an application in some fashion that was not intended by the designers and developers of the application — gaining administrative privileges through that application is but only one instance of that broader goal. Actual goals will differ from organization to organization.

–Kevin

By: Philip Werner

Philip Werner — Tue, 30 Dec 2008 17:12:12 +0000

I work in a SaaS company and carve up the scanning/penetration world a bit differently. For example, I don’t consider the goal of pen testing a web-based application to be able to gain administrative privileges. You don’t need to be an admin to exploit sql injection or phishing vulnerabilities.

By: Kevin Lam (IMPACTA)

Kevin Lam (IMPACTA) — Tue, 23 Dec 2008 04:28:05 +0000

Lou,

You’re quite correct in your observation — lots of things can go wrong to diminish the overall value of penetration tests. That’s unfortunate. Thanks for taking the time to comment!

–Kevin

By: Lou Spahn

Lou Spahn — Mon, 22 Dec 2008 21:10:32 +0000

Pen testing also must be scoped correctly. All too often testing is limited to focusing on certain systems, and the full consequence of certain mistakes/errors does not bubble to the top. It is then up to the clients staff to realize this revelation and take action. In the event the client company is very compartmentalized, some results will never be shared and the skill level to understand these consequences is not leveraged since typically testers are not part of this process. If this happens, the overall value to the test is greatly diminished.

By: Kevin Lam (IMPACTA)

Kevin Lam (IMPACTA) — Mon, 15 Dec 2008 20:41:13 +0000

Craig, these are great points — thanks for sharing!

–Kevin

By: Craig Balding

Craig Balding — Mon, 15 Dec 2008 19:27:40 +0000

Good post – thanks. I’d add 2 small tweaks (perhaps they are already in your book :).

1. Goal of a pen-test should be defined by business objectives; e.g. figure out how to print cheques or modify AP etc. Gaining admin rights is often part of that but demonstrating sufficient application/process knowledge to show the screen where you can affect a business process directly tends to have more impact in the report out.

2. I tend to see IT audits as ‘top down’ approaches whereas pen-testing is more ‘bottom up’. Thus the two complement each other nicely.

Cheers,

Craig