Penetration Testing mailing list archives

Re: Security Audit


From: H C <keydet89 () yahoo com>
Date: Fri, 14 Sep 2001 19:03:38 -0700 (PDT)

John,

I appreciate your addition to the discussion. 
However, I must say that I disagree with the idea of a
"blind" anything, for several reasons.

First and foremost, it isn't safe.  What I mean by that is
that if you're conducting a "blind" external pen test,
and you have no idea what you're dealing with, with
regards to the overall infrastructure, you could very
well take down a mission-critical system.  

Second, conducting a "blind" external pen test and
telling the client that "I got in through this hole in
that server" and telling him what patch to apply is
doing him a disservice.  Doing so doesn't take a
complete look at the overall infrastructure...you're
only addressing one hole on one server.  The overall
security of the entire infrastructure depends on a lot
more than the sum of all the holes in all of the
systems.  For example, when I look at an
infrastructure with many NT systems, I'll take a look
at the patch levels on each one.  Then, I'll analyze
that information in the context of the entire
infrastructure...what does it mean if the patch levels
are all different?  How about if the patch levels are
all the same, but they're all SP 4?  Doing so
addresses the REAL security issues of the
infrastructure.

Third, a "blind" internal pen test provides as little
meaningful information to the customer as an external
one.  If you provide a list of holes on a list of
systems, and what to do for each one (a la an ISS
Internet Scanner report), you do nothing for your
client that he couldn't do for himself...therefore,
you add no value.  What are the real issues of the
infrastructure?  A lack of staffing?  Is training
needed?  Is it a lack of guidance or leadership from
management?

My point is simply this...customers pay consultants to
provide a service.  That service should provide value,
as well.  Anyone can purchase a commercial scanning
product, and amortize the overall cost of the product
and licensing over several clients.  The business
differentiator for consulting firms is the analysis
they provide.  In order to provide an analysis that is
meaningful to and adds value to the customer, the
consulting firm must understand the infrastructure as
completely as possible.  This not only includes the
technical aspects, but the day-to-day business
processes, as well.  Pen tests do not provide this
information.  

Further, pen tests attempt to emulate a 'real world'
attack, to some degree.  The attacker or pen tester
will generally compromise a system with the first
vulnerability that they successfully exploit.  If the
pen tester finds a hole to get in, does he then go
back and find all of the other possible holes?  Not
likely.  So telling the customer how he got in and how
to patch that hole does the customer little good. 
They patch the hole and think they're safe.  Even if
the consulting firm does a more comprehensive scan,
and provides all of the holes they found that could be
exploited, this is only a snapshot.  Instructing the
customer to patch the holes adds no value.  A
vulnerability assessment requires the consultant to
understand the business processes, so that the
recommendation can be provided in terms that describe
security as a process.

> Since we are all professionals, we
> usually gain access from the outside.

Of all of the statements you made, this one concerned
me the most.  I'm not sure how being a professional
equates to gaining access. 
 
> When we walk into the CIO's office
> and hand him the administrative passwords we
> instantly gain credibility
> while making the threat more tangible.  This
> tangibility is part of the package.

What you're talking about here is really shock value. 
You can obtain the same information in other
ways...timing how long it takes for L0phtcrack to
crack a certain percentage of the hashes in the SAM,
for example.  

Besides, what does it do to your credibility if you
weren't able to gain access, let alone get admin
passwords?   Do you, as a consultant, or your company
offer a guarantee that you'll get in?  I'm just
curious...

Thanks,

Carv
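The point made above about reading patch levels in the context of the whole infrastructure (what it means when they are all different, and what it means when they are all the same but all SP 4), as an added example that is not part of the original message: a small Python script that turns a per-host NT 4.0 inventory into infrastructure-level findings instead of a per-host hole list. The inventory format, the host names, the hotfix labels and the "current service pack" reference table are all assumptions of this example; only the reference to SP6a as the last service pack for NT 4.0 is a matter of record.

```python
"""Infrastructure-level analysis of per-host patch levels (example code).

Rather than reporting "host X is missing patch Y", this asks the questions
the post raises: are the service pack levels all different (no enforced
baseline), or all the same but behind the current level (a baseline that
nobody is maintaining)?
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumption for this example: the reference ("current") service pack per
# platform. Microsoft's last service pack for Windows NT 4.0 was SP6a.
CURRENT_SP = {"NT4": 6}


@dataclass(frozen=True)
class Host:
    name: str
    platform: str
    service_pack: int
    hotfixes: frozenset


def parse_inventory(text):
    """Parse a constructed inventory format, one host per line:
    'name,platform,SPn,hotfix;hotfix;...'. Blank lines and '#' comments are skipped."""
    hosts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 3:
            raise ValueError(f"malformed inventory line: {raw!r}")
        name, platform, sp = fields[:3]
        m = re.search(r"\d+", sp)          # "SP6a" -> 6
        if not m:
            raise ValueError(f"cannot read service pack in: {raw!r}")
        fixes = frozenset(f for f in fields[3].split(";") if f) if len(fields) > 3 else frozenset()
        hosts.append(Host(name, platform.upper(), int(m.group()), fixes))
    return hosts


def analyze(hosts):
    """Return per-platform findings about the patch process, not per-host holes."""
    by_platform = {}
    for h in hosts:
        by_platform.setdefault(h.platform, []).append(h)

    results = {}
    for platform, group in sorted(by_platform.items()):
        sp_counts = Counter(h.service_pack for h in group)
        levels = sorted(sp_counts)
        current = CURRENT_SP.get(platform)

        if len(levels) > 1:
            state = "inconsistent"   # hosts patched differently: no enforced baseline
        elif current is None:
            state = "unknown"        # no reference level known for this platform
        elif levels[0] < current:
            state = "stale"          # uniform, so a baseline exists, but it is behind
        else:
            state = "current"

        # A hotfix present on some hosts but not all points to a rollout that stopped midway.
        union = frozenset().union(*(h.hotfixes for h in group))
        n = len(group)
        partial = sorted(f for f in union if 0 < sum(f in h.hotfixes for h in group) < n)

        results[platform] = {
            "hosts": n,
            "service_pack_levels": dict(sorted(sp_counts.items())),
            "state": state,
            "partial_hotfixes": partial,
        }
    return results


def report(results):
    """Render the findings as the kind of sentences that belong in a report."""
    messages = {
        "inconsistent": "patch levels differ across hosts; no baseline is being enforced",
        "stale": "all hosts uniformly below the current service pack; a baseline exists but is not maintained",
        "current": "all hosts at the current service pack",
        "unknown": "no reference service pack known for this platform",
    }
    lines = []
    for platform, r in results.items():
        levels = ", ".join(f"SP{sp}: {cnt} host(s)" for sp, cnt in r["service_pack_levels"].items())
        lines.append(f"{platform} ({r['hosts']} hosts; {levels}): {messages[r['state']]}")
        if r["partial_hotfixes"]:
            lines.append(f"  partial rollouts: {', '.join(r['partial_hotfixes'])}")
    return "\n".join(lines)


# Constructed sample inventories (host names and hotfix labels are placeholders).
SAMPLE_DRIFT = """
# name,platform,service pack,hotfixes
pdc01,NT4,SP6a,hotfixA;hotfixB
bdc01,NT4,SP6a,hotfixA
web01,NT4,SP4,
file01,NT4,SP5,hotfixA
"""

SAMPLE_STALE = """
pdc01,NT4,SP4,hotfixA
bdc01,NT4,SP4,hotfixA
web01,NT4,SP4,hotfixA
"""

if __name__ == "__main__":
    print(report(analyze(parse_inventory(SAMPLE_DRIFT))))
    print(report(analyze(parse_inventory(SAMPLE_STALE))))
```

The two samples are the two situations the message describes: the first yields "inconsistent" (four hosts at three service pack levels, with two hotfixes only partially rolled out), the second yields "stale" (everything uniformly at SP4). Neither finding is a "hole on a server"; both are statements about whether a patch management process exists and whether it is working.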


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
