Dailydave mailing list archives
RE: New presentation is up: 0days: How hacking really works
From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Tue, 1 Feb 2005 17:34:01 -0500
> I'm not suggesting that you guys should quit your jobs, or that deep pen-testing isn't value adding. I just think that these guys who come in, start their automated scanning tool (which is usually rebranded nessus), get drunk while it's running, and collect money are kind of worthless. They kept the admins in check before, but with Dave's future of universally patched systems, they won't be helping at all. They may own my network with a few of their 0days, but like I said, it doesn't really matter.
>
> I totally agree that network architecture and design flaw based auditing and testing is still very valid, and I'm not arguing against that, I'm arguing for it in place of the current "turn on the scanner and get drunk" style of pentesting that I see today and in the past.
That doesn't sound like a pentest. It sounds more like a site assessment. A lot of people try to get away with selling assessments as pentests. A pentest and a site assessment generally require different skill sets and have much different deliveries. A pentest by nature is designed to show what a single, or team of, determined and skillful attackers can gain from your network. A site assessment is more of the run-the-scanner, interpret-the-results, review-the-policy kind of thing.

When I did pentests the client would outline the concern that brought me there; it could have been an exposed PeopleSoft application, or a webserver that handles credit card info, or to verify newly deployed security products are working. My efforts would be directed at proving or disproving their concerns and noting any gaps between coverage and exposure that could be improved. In my experience it is rare that a customer just says "have at it; I just want to see if you can get in and how deep you can go." Rare, although I have had a couple of gigs that shaped up like that, mostly because the customer had a serious compromise and they didn't know where to start. In that case I evaluated the type of business and attempted to remotely determine what would cost them the most money and cause the largest amount of lost productivity, and targeted it. If your pentester is just running a scanner, you are getting ripped off.

As far as a universally patched system, I used to have to deal with this problem a lot. I found that during policy development, if you keep open services to a minimum, it became a lot less of a problem. This is more of the "block everything except what is explicitly needed" school of thought. Laptops, in my experience, have been the largest vector for getting attacks or worms into an environment. If the departments are properly locked down from each other you may get one department infected, but that is far better than the whole company.

This often causes backlash because several departments need to access resources offered by other departments. I haven't really run into a case where such services can't be securely offered while minimizing the exposure of the whole department. Just my thoughts though....

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave