In Brief
Penetration Testing: Shortcuts to a Good Test
By Michael Fitzgerald
July 01, 2006 — CSO —
Giving consultants three days to hack a system is no way to replicate what a hacker might do, argues Peiter "Mudge" Zatko, a well-known hacker and consultant who is now a division scientist at BBN Technologies.
"Somebody on the outside can take as much time as they want; they'll eventually stumble across something," he says.
Companies can't pay consultants to hack at will for months on end. But they can open up things like the configuration files from the routers, the firewall rules and the network maps to give the consultant a head start. It will also help the consultant understand how a company views security in light of its business.
"It will save you time and money," says Zatko. In fact, he says that if the consultants find things in this document phase, the company can fix them, and then let the penetration testing begin.
Zatko says companies should combine external pen tests with internal ones, to see what might already be compromised inside the perimeter, information that won't appear in a pen test.
M.F.



