This page is powered by Blogger. Isn't yours?

 Feedblitz email:
 RSS: http://linkingintegrity.blogspot.com/atom.xml



Integrity - use of values or principles to guide action in the situation at hand.

Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR.

Using Penetration Testing to Identify Management Issues, 15.5.04


After managing the performance of over 20,000 infrastructure and application penetration tests and vulnerability assessment exercises, I have come to realize the importance of technical testing and provision of information security assurance. The purpose for conducting the tens of thousands of penetration tests during my 20-plus years working in information systems security was 'to identify technical vulnerabilities in the tested system in order to correct the vulnerability or mitigate any risk posed by it.' In my opinion, this is a clear, concise, and perfectly wrong reason to conduct penetration testing.

Vulnerabilities and exposures in most environments come about by poor system management -- patches not installed in a timely fashion, weak password policy, poor access control, et al. Therefore, the principal reason and objective behind penetration testing should be to identify and correct the underlying systems management process failures that produced the vulnerability detected by the test. The most common of these systems management process failures exist in the following areas:

  • System software configuration
  • Applications software configuration
  • Software maintenance
  • User management and administration

    Unfortunately, many IT security consultants provide detailed lists of specific test findings, and never attempt the higher order analysis needed to answer the question of "why." This failure to identify and correct the underlying management cause of the test findings assures that, when the consultant returns to test the client again in 6 months, a whole new set of findings will appear.


  • Comments

    Post a Comment



    Integrity Incorporated

    Site Feed

     Feedblitz email:

     RSS: http://linkingintegrity.blogspot.com/atom.xml


    "We shall need compromises in the days ahead, to be sure. But these will be, or should be, compromises of issues, not principles. We can compromise our political positions, but not ourselves. We can resolve the clash of interests without conceding our ideals. And even the necessity for the right kind of compromise does not eliminate the need for those idealists and reformers who keep our compromises moving ahead, who prevent all political situations from meeting the description supplied by Shaw: "smirched with compromise, rotted with opportunism, mildewed by expedience, stretched out of shape with wirepulling and putrefied with permeation.
    Compromise need not mean cowardice. .."

    John Fitzgerald Kennedy, "Profiles in Courage"


    07.03   08.03   09.03   10.03   11.03   12.03   01.04   02.04   03.04   04.04   05.04   06.04   07.04   08.04   09.04   10.04   11.04   12.04   01.05   02.05   03.05   04.05   05.05   06.05   07.05   08.05   09.05   10.05   11.05   12.05   01.06   02.06   03.06   04.06   05.06   06.06   08.06   09.06   10.06   11.06   01.07   02.07   03.07   04.07   07.07   08.07   09.07   10.07   05.08   06.08