Network Security Pen-Test

Re: Why Penetration Test?

Subject: Re: Why Penetration Test?
Date: Fri, 17 Jun 2005 10:47:56 +0200 (CEST)
One reason I have not seen mentioned yet for why to PenTest is: to
justify your job and a budget. On one project a customer had a hardened
Internet router, a Cisco PIX firewall, an IDS from ISS and an IPS from
TippingPoint. All scanning (NMAP, Nessus, etc.) was pointless;
everything was blocked except ports 80 and 443. Most web logins required
SecurID tokens (brute forcing these, right..!!). I was able to use SQL
injection to create local accounts and upload files, but not download,
because all outbound requests went through a proxy. The customer even
reconfigured the network each day to see if they could catch me.

Now the biggest questions that I get from the customer are "how did you
bypass my filters (IDS, IPS)?" and "I need you to rewrite the final report
so I can obtain more funding... to buy more security and hire more
people..." The biggest hole that I found was the lack of an internal
security process. These things require leadership to fix, not more
funding! How do you state that in a report?

I think, from a pentest point of view, suggesting anything that does
directly require funding would be bad. Just list possible measures,
their impact on the security level, and, if suitable and available, their
projected costs (either financial or time resources of existing staff).
This is because I think that budgetary measures must always remain small relative
to the diverted risk, and you as penetration tester mostly have no true
notion of the financial footprint of the risk diverted by the technical
measures suggested.
Further, I have seen so little real (the statistics/stochastics type) risk
analysis based security policies that suggesting to hire a statistician
to do a risk analysis in order to determine suitable security measures
could be one exception to this rule of not directly suggesting any
unconditional resource allocation.

Rob
