Thursday, May 29, 2003

Gunter Ollmann Doesn't Like Hacking Exposed

This article by Gunter Ollmann of ISS takes a swipe at readers of the best-selling Hacking Exposed book series. Gunter manages to offend both prospective clients and those who perform his so-called "blind penetration tests," which apparently are inferior to his "crystal box penetration tests." From the article:


I call such prospective clients HE-men (after the Hacking Exposed line of books). They are proof that a little knowledge in the wrong hands really can do a lot of damage...a ‘blind’ penetration test will take considerably longer to discover the same number of security flaws. When conducting a full-knowledge (i.e. ‘crystal-box’) penetration test, it is a simple process to indicate within a report what information was necessary to make the security findings and what level of skill or knowledge an attacker would need to exploit any vulnerabilities. Thus, a full-knowledge penetration test provides the same, or greater, level of security information for less time and cost. I would question anyone trying to sell a ‘blind’ penetration test for less than the cost of a full-knowledge penetration test.


-- end quote --


It sounds like Gunter doesn't understand the difference between a vulnerability assessment and a penetration test. He uses the latter term but describes the former. A vulnerability assessment involves discovering and documenting vulnerabilities, whether with "blind" or "crystal box" knowledge of the target. A penetration test moves beyond discovery to actual compromise, where the analyst exploits targets to gain greater access to the victim network and implement a real-world intrusion scenario. This usually tests the client's response and remediation processes. This opinion isn't just mine -- Google produced this Red Hat Security Guide and I read a recent Rik Farrow article as well.

No comments: