Penetration Testing mailing list archives
Re: Why Penetration Test?
From: rmeijer () xs4all nl
Date: Fri, 17 Jun 2005 10:47:56 +0200 (CEST)
One question I have not seen yet concerning why PenTest is: To justify your job and a budget. On one project a customer had a hardened Internet router, a Cisco PIX firewall, an IDS from ISS and an IPS from TippingPoint. All scanning (NMAP, Nessus, etc.) was pointless; everything was blocked except ports 80 and 443. Most web logins required SecurID tokens (brute forcing these, right..!!). I was able to use SQL injection to create local accounts and upload files, but not download, because all outbound requests went through a proxy. The customer even reconfigured the network each day to see if they could catch me. Now the biggest questions that I get from the customer are "how did you bypass my filters (IDS, IPS)?" and "I need you to rewrite the final report so I can obtain more funding.........to buy more security and hire more people"..... The biggest hole that I found was the lack of internal security process. These things require leadership to fix, not more funding!!!!!!!!! How do you state that in a report?
I think, from a pentest point of view, suggesting anything that directly requires funding would be bad. Just list possible measures, their impact on the security level, and, if suitable and available, their projected costs (either financial or time resources of existing staff). This is because I think that budgetary measures must always remain small relative to the diverted risk, and you as penetration tester mostly have no true notion of the financial footprint of the risk diverted by the technical measures suggested. Further, I have seen so little real (the statistics/stochastics type) risk analysis based security policies that suggesting to hire a statistician to do a risk analysis, in order to determine suitable security measures, could be one exception to this rule of not directly suggesting any unconditional resource allocation.
Rob
Current thread:
- RE: Why Penetration Test?, (continued)
- RE: Why Penetration Test? DUBRAWSKY, IDO (CALLISMA) (Jun 10)
- RE: Why Penetration Test? Tony Tulio (Jun 10)
- Re: Re: Why Penetration Test? tarunthenut (Jun 13)
- Re: Why Penetration Test? Terry Vernon (Jun 13)
- Re: Why Penetration Test? Gareth Davies (Jun 13)
- Re: Why Penetration Test? Tarun The Nut (Jun 14)
- Re: Why Penetration Test? Gareth Davies (Jun 14)
- Re: Why Penetration Test? intel96 (Jun 16)
- AW: Why Penetration Test? Jörg Maaß (Jun 16)
- Re: Why Penetration Test? R. DuFresne (Jun 16)
- Re: Why Penetration Test? rmeijer (Jun 17)
- Re: Why Penetration Test? Pete Herzog (Jun 16)
- RE: Why Penetration Test? Erin Carroll (Jun 16)
- Re: Why Penetration Test? Pete Herzog (Jun 13)
- Re: Why Penetration Test? intel96 (Jun 30)