Showing posts from June, 2011

Vulnerability scanning <> penetration testing

It is fair to say that vulnerability scanning / port scaning is a component of any penetration test, however many companies are relying purely on the results of these scans to assess their security, often carrying out these assessments themselves or using automated services.

The role as a pen tester is a continuous learning curve and the use of tools can greatly simplify the bulk of the task, however many of the issues I find are through manual testing and verification as tools alone cannot always pinpoint these issues.

Testing your own systems also has it's disadvantages due to the fact that tests are undertaken against known targets using expected input. A third party testing the same target will approach this from a different angle as they do not always know what is expected and will vary the attack in order to glean different responses. Interpreting these errors and modifying the approach can often lead to uncovering new vulnerabilities in the systems. On many occasions it m…

SecurID was responsible for Lockheed Martin breach