> LARGE number of consultants out there feeding at the trough of
> "penetration testing" commodity firewalls.
>
> Those who ask should be gently informed why they don't want that kind of
> test. If they insist, they get to pay through the nose for it.
>
And just because you can't get in (in the time allotted) doesn't mean
THEY can't get in.
OTOH, it helps to get "hands on" and take a look at things from an
outsider's perspective. Not penetration testing, just looking at what's
really there, not what a site has documented as being there.
For example - I just took a look at a client network that ran a vertical
database app that was supposedly secure. There were a number of "joe"
accounts on the system, the database consisted of a series of flat files
with the data avail. in plain ol' ASCII, and permissions were 777
throughout the app's directory structure. It does help to look around a
bit, and fix what you find. Just don't fall into the trap of thinking
that since nothing was found, everything is secure.
- r.w.
--------------------------------------------------------------------
Rabid Wombat                          wombat @ mcfeely . bsfs . org
- To defeat the gopher, you must look like the gopher, think like the
gopher, smell like the gopher ...
- Bill Murray, Caddyshack
--------------------------------------------------------------------
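The "permissions were 777 throughout the app's directory structure" finding above is the kind of thing a quick look-around turns up; the script below is an added example (not from the poster) that audits a directory tree for world-writable entries, strips only the world-write bit, and re-checks. The sample tree it builds under mktemp is constructed to stand in for the client's application directory.

```shell
#!/bin/sh
# Added example: find world-writable files/directories under a tree,
# remediate by removing the o+w bit only, then re-audit.

# Number of entries under $1 with the world-write bit (octal 002) set.
count_world_writable() {
    find "$1" -perm -002 2>/dev/null | wc -l | tr -d ' '
}

# List them with their mode string so the finding can be reviewed.
list_world_writable() {
    find "$1" -perm -002 -exec ls -ld {} \; 2>/dev/null
}

# Remediate: drop only the world-write bit, leaving owner/group bits
# intact so the application's own account keeps working.
fix_world_writable() {
    find "$1" -perm -002 -exec chmod o-w {} \; 2>/dev/null
}

# Constructed sample tree (placeholder for the real app directory):
# a 777 data directory holding a plain-ASCII flat file and a 777 script.
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/data" "$dir/bin"
    printf 'ACCT,NAME,BALANCE\n' > "$dir/data/customers.dat"
    printf '#!/bin/sh\n' > "$dir/bin/report.sh"
    chmod 777 "$dir/data" "$dir/data/customers.dat" "$dir/bin/report.sh"
    chmod 755 "$dir" "$dir/bin"
    echo "$dir"
}

main() {
    root=$(make_sample_tree)
    echo "Before fix:"
    list_world_writable "$root"
    fix_world_writable "$root"
    echo "After fix: $(count_world_writable "$root") world-writable entries"
    rm -rf "$root"
}

main
```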