-
Tiger Shark: Going back to the topic of VA vs. PT. I'm not sure I understand where you're coming from. I'm on a VA team for the government and we do full-blown assessments of ALL assets, not just specific resources. We are not allowed to "pen test". There are other teams that can do this for a specific target; our goal is more broad. We look for vulnerabilities. If you were looking at the wireless side you could use ISS wireless scanner. Now, no one scanner or tool will catch everything, you will need to use a variety of tools, and yes you must watch for false pos/negs. VA is very close to penetration. Normally, a vulnerability assessment would simply be part of a penetration test, where the tool or service would identify vulnerabilities across a network and provide information on how to plug them. Frequently, the actual penetration test focuses on exploiting vulnerabilities, both technical and non-technical, to leverage access to critical data through a certain subset of the network under some kind of time deadline, he notes. Vulnerability assessments are a bit more comprehensive and penetration tests engage more manual processes to find the path of least resistance in getting to that all-important intellectual property.
-
Meloncholy: I apologize if I did not entirely understand your post. What you wrote implied to me that you were regarding VA as a one-dimensional effort based around tools such as Nessus, which tend to be quite one-dimensional. Clearly your impression of VA is multi-dimensional. At the time I didn't want others to think that a uni-dimensional VA would be anything like as effective as a complete PT which will try to find holes in the walls of your building to gain access if it can... ;)
-
Hack IT is good and gives you some tools like a split nix and win environment :)