Tarun The Nut wrote:
when i mentioned vulnerabilities that are exploitable, i meant not
only being able to "exploit" the vulnerability but also map all the
possible paths of attack.
Also by plugging a vulnerability does not necessarily means "patching"
but taking all possible steps (patches/tools/processes blah blah) that
can help mitigating a possible exploit of the vulnerability.
Yes that's correct, the 'onion' approach, any vulnerability discovered
must be mitigated against, including any vector which renders the
vulnerability exploitable. It's something like risk assessment and
business impact analysis, 'pen-test' itself tends to just conjour images
of technical testing, 'ethical hacking' or whatever you want to call it.
The VA part would identify the vulnerability, the risks associated and
the impact to the business, this can then lead to how to fix the
problem, mitigate the risk and if the expenditure required to do this is
worth it. Sometimes not only a patch will do it, but that's all that's
affordable, and will mitigate the vulnerability to an acceptable level
of risk.
The question still remains: Pen Test will always depend on the skill
set of the company/individual contracted to do Pen Test and results
will vary from person to person (or company to company).
That's a given, for any kind of consultancy,
results/methodology/expertise varies from company to company and even
consultant to consultant. But they are all trying to achive the same end
result.
A parallel example is Business Continuity Planning, there are guildeines
given by the BCI and the DRII, but there are no set standards for say
Business Impact Analysis, so exact results and method differs from
company to company as they all use proprietory methods, but the end
results will generally be the same, and the objective is definately the
same.
Thankx to Pete Herzog for bringing it out. It skipped my mind to
include that in my previous mails.
Is it not feasible to assume that the real attacker will be able to
exploit the vulnerability using any one of the numerous attack paths
and go about ensuring the vulnerability is "plugged" based on the
phased approach described in one of my mails earlier?
Yes this is reasonable to assume. But your method is very complete, the
problem is most companies are not willing to spend enough to engage
quality consultants for the time span it would take to complete the
project in this manner. Things like this are usually done on a best
effort basis.
My approach is generally:
1) Do a technical VA on the segments/servers outlined within the scope
1a) Do a non-technical RA of the premises (staff awareness, physical
security, policy state (do they exist, are they good? are they enforced?)
2) Identify all 'critical' vulnerabilities
3) Report on these vulnerabilities with preventative measures
4) Patching and Mitigation stage where we handhold the client through
fixing the machines/reconfiguring securely
5) Re-test to establish risk has been reduced to a level acceptable by
the client (it can never be eradicated)
6) Suggest further measure to improve the overall architecture (addition
of security devices/policies/staff education etc.)
Something along those lines anyway.
Cheers
--
Gareth Davies
Manager - Security Practice
Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont’ Kiara, 50480
Kuala Lumpur, Malaysia
Phone: +603-6203 5303
www.mynetsec.com
