Penetration Testing mailing list archives
RE: 3rd party vuln assessment firms
From: "Nathan" <nouellette () comcast net>
Date: Wed, 28 Dec 2005 11:03:51 -0500
I agree with Erin on this point. If the message to your client is one of providing a hacker's perspective, that's not necessarily that far off. One thing I always attempt to educate people on is the fact that hackers aren't necessarily highly skilled technologists who are part of an organized crime unit looking to harvest credit card numbers or other personally identifiable information. In fact, I would lump the casual employee looking around the network, the disgruntled user who knows just so much and the elite hacker all into the same category... "unauthorized access". If you step back and look at other aspects of a company's security posture, they might not have the desktop locked down at all. Users could very well be Power Users, or worse yet, Local Admins. They can then execute most programs and might have a complete lack of content security in place, giving them free rein to poke around Google and download whatever tools they want. If the networks aren't segmented and the end user population can ping/see every critical production server in and out of the DMZ, you have a perfect scenario for someone internally to stumble their way through using the exact tools you're talking about: NMAP, Nessus and Metasploit. So by performing a VA and PT using commercially available or free tools, you are doing some sort of proof-of-concept for your client. You are showing them exactly what a casual or disgruntled user just might see from the inside. I know this is a fundamental explanation for security folks, but to a client who is attempting to assess risk from a system and network perspective, I think it's incredibly useful information, regardless of the tools you use. I believe the value of the engagement comes from the consultant (who clearly has to know what they're doing in terms of scanning and testing) who performs the service and who can break down the results intelligently and make good recommendations that are pertinent to the client, regardless of the tools used.
-Nathan

-----Original Message-----
From: Erin Carroll [mailto:amoeba () amoebazone com]
Sent: Wednesday, December 28, 2005 1:16 AM
To: 'InfoSecBOFH'; 'Michael Weber'
Cc: rklemaster () hotmail com; pen-test () securityfocus com
Subject: RE: 3rd party vuln assessment firms
I love it when vendors make claims such as this; "A Hacker's Eye View of Your Network" and even better; "We use the same tools hackers bring to bear against your systems. However, instead of exploiting those vulnerabilities, we compile vulnerability results with easy to understand explanations and links to the needed patches and updates, and then deliver the reports to your desktop on a regular basis. " So in other words they run NMap and/or Nessus. Yup... h4x0rs eye view. ROFL.
Nmap... Okay, you have a point, as it really only identifies what is open. Nessus, on the other hand, is a happy medium where you can poke at the openings to see what happens. Not all organizations have the in-house security expertise to perform security audits, and Nessus (along with other similar tools such as the Metasploit framework, Core Impact, etc.) is one of the better tools out there to perform relatively in-depth scans of your infrastructure. No, it doesn't take a lot of skill to run a tool, but interpreting the results, winnowing out the false positives, and knowing which of the issues found is relevant and important (and how to address them) is where the skill and knowledge is important.

Is it truly a hacker's view of your network? Sure... for a certain level of hacker. Is it Uber l337? No. However, not many businesses need (or can afford) the kind of in-depth analysis and expertise you'd find at the upper level of the industry. Code auditing, custom-written NASL exploit packages, deep understanding of the intricate details of each application... These are great if you can afford it or absolutely must have it. But past a certain point you face diminishing returns and you have to decide at which point it is secure "enough".

The more experience I've gained in security, the more I need to learn. Looking back I can see how naïve my concept of security was when I started, and I can only imagine what I'll think of my skills now in 10 years. At some point we were all script kiddies using tools written by others. Eventually you learn to write your own and use the existing tools out there to their fullest potential. But the old adage still remains true: The only truly secure system is one encased in cement and sunk to the bottom of the ocean... And even then I'm making no guarantees. :)

-Erin Carroll
Moderator
SecurityFocus pen-test list
On 12/27/05, Michael Weber <mweber () alliednational com> wrote:
Happy New Year! I have been using both the internal and external vuln. assessment products from NetChecker. They use an array of standard tools, along with some custom code and human analysis. I like the product, the price, and the results. www.netchecker.net is their web site.
-Michael

<rklemaster () hotmail com> 12/23 11:27 AM >>>
I'm looking for a firm to conduct annual 3rd party vulnerability assessments for a nationwide carrier ISP. If anyone has any references or stories to share, I'd like to hear about them. thanks!