I agree with most of what you're saying except I think you're mixing up vulnerability scanning with pen testing. A good pen tester will actually demonstrate the vulnerability and can find new issues in your custom web app code. The one benefit of pen testing would be convincing decision makers that the steps you outlined are necessary.

On Jan 18, 2010, at 12:32 PM, Nick Nassar <nassar@alum.wpi.edu> wrote:
Don't bother. It's security theater.
It's easy to run automated tests, but the chance it will actually catch something that you wouldn't know about by reading the proper security mailing lists is negligible.
These days most malware gets in through end users doing stupid things. China hacked Google with a phishing attack. There's no completely technical solution for that. Educate users as best you can. If there's sensitive data on your network, make sure only people who need access have access.
Assume that your network will be compromised. Have a strategy to restore things quickly when that happens.
Tal Cohen <wlug@cohen123.com> wrote:
I need a penetration tester (individual or firm) to run some tests against my network.
Anyone have any recommendations they care to share?
Thanks!
Tal
_______________________________________________ Wlug mailing list Wlug@mail.wlug.org http://mail.wlug.org/mailman/listinfo/wlug