Auditing Network Security 2.pdf

  • About 6,360 words
  • About 12 pages
  • Published 2017-12-07 in Zhejiang
Auditing Network Security

Defining The Scope

© 2005 Protiviti Inc. EOE

Definition: Penetration Testing

  • What can an external party do to your organization with minimal knowledge about your organization?
  • The target organization has no warning that the attack is coming as the intent is to test the true security posture of the organization with all defenses in place and operating as they do normally.
  • Generally, the attacking party is only required to find a way into your network to have achieved the objective of the test.

Definition: Vulnerability Assessment

  • Interactive method of testing with the subject participating throughout the analysis.
  • Discovery and validation of findings is performed in an iterative fashion with both the tester and the target of the test possessing full knowledge of the approach being followed and the security measures that are in place.

Pen Testing vs. Vulnerability Assessment

| Issue | Penetration Testing | Vulnerability Assessment |
|---|---|---|
| Level of upfront knowledge | Low | High |
| Completeness of coverage | Low | High |
| Measure response capability | High | Low |
| Shock value | High | Medium |
| Defendability | High | Medium |
| Internal resource requirements | Low | Medium |
| External resource requirements | High | High |
| Pricing | | |
