Network Security Pen-Test

Re: Why Penetration Test?

Subject: Re: Why Penetration Test?
Date: Tue, 14 Jun 2005 21:11:59 -0400
One answer I have not seen yet to "why PenTest" is: to justify your job and a budget. On one project a customer had a hardened Internet router, a Cisco PIX firewall, an IDS from ISS and an IPS from TippingPoint. All scanning (NMAP, Nessus, etc.) was pointless; everything was blocked except ports 80 and 443. Most web logins required SecurID tokens (brute forcing these, right..!!). I was able to use SQL injection to create local accounts and upload files, but not download, because all outbound requests went through a proxy. The customer even reconfigured the network each day to see if they could catch me.

Now the biggest questions that I get from the customer are "how did you bypass my filters (IDS, IPS)?" and "I need you to rewrite the final report so I can obtain more funding..." to buy more security and hire more people... The biggest hole that I found was the lack of internal security process. These things require leadership to fix, not more funding!!! How do you state that in a report?

So IMHO every project is different based on the customer's needs (more funding and more head count). The other issue is how to set the clowns apart from the professionals, which is becoming harder to do because there are more clowns and not enough professionals, and the clowns are hurting the rest of us....

Thanks,

Intel96



Tarun The Nut wrote:

When I mentioned vulnerabilities that are exploitable, I meant not
only being able to "exploit" the vulnerability but also map all the
possible paths of attack.

Also, plugging a vulnerability does not necessarily mean "patching"
but taking all possible steps (patches/tools/processes, blah blah) that
can help mitigate a possible exploit of the vulnerability.

The question still remains: Pen Test will always depend on the skill
set of the company/individual contracted to do Pen Test and results
will vary from person to person (or company to company).

Thanks to Pete Herzog for bringing it out. It skipped my mind to
include that in my previous mails.

Is it not feasible to assume that the real attacker will be able to
exploit the vulnerability using any one of the numerous attack paths
and go about ensuring the vulnerability is "plugged" based on the
phased approach described in one of my mails earlier?

Regards


On 6/14/05, Gareth Davies <gareth.davies@mynetsec.com> wrote:


tarunthenut@gmail.com wrote:



Hi,
thanks to everyone for brain-storming on this point.

I asked this question because I failed to understand why certain clients are bent
on penetration testing, because the results totally depend on the skill set of the
person/company performing the penetration testing.





Yeah that's pretty much how I see it too.

Most clients request a pen test because they don't know what it is, it
sounds more exciting.

What they actually want is a VA, I've had this issue a few times.

When it comes down to it, they don't want you to actually exploit their
servers, as the machines are live and they can't face the possibility of
downtime.

They don't mind snapshots of passive intrusion (through non-passworded
services, weak/default username/password combinations, open root shares,
unprotected NFS mounts and so on).

IMHO a full pen-test consists of a VA but it goes one step further, into
the realm of actually confirming the exploits will work (as an example,
sendmail is often pegged as being vulnerable, but many OSes update the
service without changing the banner, so according to the banner it's
vulnerable; in reality it's not).

I generally like to strike a balance somewhere in between where possible.

Cheers

--
Gareth Davies

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont' Kiara, 50480
Kuala Lumpur, Malaysia
Phone: +603-6203 5303

www.mynetsec.com
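Gareth's sendmail example above is the classic banner false positive: the SMTP greeting still advertises the old upstream version because the distribution backported the fix without bumping the version string. The following is an added example, not code from anyone in this thread: a banner-only check of the kind a vulnerability scanner performs, beside a confirmation step that consults the installed package release. The banners, the package strings, the "fixed in 8.14.0" threshold and the backport release table are all constructed for illustration and do not describe any real advisory.

```python
"""Banner-based sendmail version check versus a confirmed check.

Added example. The banner test alone is what a VA scanner does; the
package-release test is the extra confirmation step a pen-test adds.
All version thresholds and package data here are hypothetical.
"""
import re
from typing import Optional, Tuple

# Hypothetical: pretend the bug under study was fixed upstream in 8.14.0.
FIXED_IN_UPSTREAM: Tuple[int, int, int] = (8, 14, 0)

# Constructed table: distro package releases that carry the backported fix.
# Scanner vendors encode exactly this kind of knowledge to avoid false positives.
BACKPORTED_FIX_RELEASES = {
    "el5": 10,  # hypothetical: sendmail-8.13.8-10.el5 and later contain the fix
}

# "220 host ESMTP Sendmail 8.13.8/8.13.8; <date>" is the usual greeting shape.
BANNER_RE = re.compile(r"ESMTP Sendmail (\d+)\.(\d+)\.(\d+)")
# Constructed package naming: name-major.minor.patch-release.dist
PKG_RE = re.compile(r"^sendmail-(\d+)\.(\d+)\.(\d+)-(\d+)\.(\w+)$")


def parse_banner_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from an SMTP greeting, or None if not sendmail."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch))


def banner_says_vulnerable(banner: str) -> Optional[bool]:
    """Scanner-style verdict: compare the advertised version against the threshold."""
    version = parse_banner_version(banner)
    if version is None:
        return None
    return version < FIXED_IN_UPSTREAM


def package_has_fix(package: str) -> Optional[bool]:
    """Confirmation step: does the installed package release carry the fix?"""
    m = PKG_RE.match(package)
    if m is None:
        return None
    major, minor, patch, release, dist = m.groups()
    if (int(major), int(minor), int(patch)) >= FIXED_IN_UPSTREAM:
        return True  # upstream version already fixed, no backport needed
    needed = BACKPORTED_FIX_RELEASES.get(dist)
    if needed is None:
        return False  # no known backport for this distribution tag
    return int(release) >= needed


def assess(banner: str, package: Optional[str] = None) -> str:
    """Combine the banner verdict with the confirmation step into one finding."""
    by_banner = banner_says_vulnerable(banner)
    if by_banner is None:
        return "unknown (not a sendmail banner)"
    if not by_banner:
        return "not vulnerable (banner)"
    if package is None:
        return "vulnerable (banner only, unconfirmed)"
    if package_has_fix(package):
        return "false positive (backported fix)"
    return "vulnerable (confirmed by package)"


if __name__ == "__main__":
    # Constructed sample input: same banner, two different installed packages.
    banner = "220 mail.example.com ESMTP Sendmail 8.13.8/8.13.8; Tue, 14 Jun 2005 21:11:59 -0400"
    for pkg in ("sendmail-8.13.8-2.el5", "sendmail-8.13.8-10.el5"):
        print(f"{pkg}: {assess(banner, pkg)}")
```

The banner verdict is identical for both hosts, which is exactly the VA result Gareth describes; only the confirmation step separates the patched box from the unpatched one. When package data is not available, the honest report line is "unconfirmed", not "vulnerable".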