RE: Bank pen test

["Craig Wright" <cwright () bdosyd com au>]

Hello,
Cost. This is the magic factor that is always ignored on this list. The bank will be working to Risk. If you want to 
make a piont it needs to be in real terms. A vulnerability on an internal system is not always a large risk.
 
You need to consider the threat and cost. Look at the cost of exploitation v impact and exposure.
 
Finding a vulnerability is just that - a vulnerability. What threat is there? Is this an internal or external issue. 
Are the mitigating controls associated with the vulnerability? What is the cost to patch the 4,000 systems vs loss. 
Have you seen the ALE, system valuations, risk expectancy or anything else associated with the system?
 
Some banks will not care if the percieved anualised risk is less than $1 million per year. Have you looked at a return 
of security investment for the bank? In fact patching all 4,000 servers to a level that everyone is happy with may cost 
the bank upwards of $2-5 million to achieve.
 
How are you going to justify the bank spending more than the risk - this would be foolish - to mitigate it. If the bank 
sees that an internal breach is likely to occur 10x pa with a average cost per incident of $150,000 they are not going 
to spend $2 million to save $1.5 million in risk.
 
If you want to add value and gve the bank something they can use, stop with the I need to do a pen test bit. Expand 
this to the real world. Stop focusing on FUD. Look to how you can make a real improvement. Sell on terms that people at 
the bank understand. 
 
I do assure you that banks understand risk! This is the core business they are in. They understand finance and they 
understand vulnerability. They also know of threat and impact and unless you can make your case with a focus on risk 
you are wasting both your time and theirs.
 
Regards,
Craig
 

        -----Original Message----- 
        From: mystic33 [mailto:mystic33 () comcast net] 
        Sent: Fri 3/03/2006 3:59 PM 
        To: 'Noe Espinoza Mancillas'; pen-test () securityfocus com 
        Cc: 
        Subject: RE: Bank pen test
        
        

        Hi
        
        First:
        If they want a pen test of only 20 servers there is no way to know if the
        servers that you haven't tested have the same vulnerabilities unless the 20
        are a sample of one of each system down to the os version patch level,
        application version patch level etc.
        
        Second:
        Core Impact is in my opinion a good tool, but be aware of your selected
        exploits. Do you really want to risk running buffer overflow etc. I would
        always run a least 2 tools if possible.
        
        Third:
        Running a tool is just one step in diligent pen test. You may also do some
        manual checking and poking around to verify what the tool has reported.
        
        Last and very important:
        Make sure you are specific in your test plan and have the company sign off.
        CYA is extremely important.
        
        Hope this is helpful,
        
        Sharon
        
        
        
        -----Original Message-----
        From: Noe Espinoza Mancillas [mailto:nespinoza () grupowissen com]
        Sent: Thursday, March 02, 2006 5:57 PM
        To: pen-test () securityfocus com
        Cc: nespinoza () grupowissen com
        Subject: Bank pen test
        
        hello all!
        
        now i'm still wait to start an internal penetration test in a bank .. they
        have a lot of servers.. HP Ux, Win, Sun, Linux , etc.  and now they are
        using ISS (scanner) to find vulnerabilitys and then they make a remedation
        with some scripts and other comercial tools... so..
        now they need help becouse the ISS scanner every time that are running found
        the same vulnerabilitys after patchs the servers. I told them that is really
        importan to use some other diferents scanners and make an penetration test
        to review if the vulnerabilities are really risk for the bussines!!.. and
        they don`t accept it ..
        
        buy they need it.. need to make a remediation of all the vulnerabilities in
        all the 4000 servers!
        
        so.. they ask for a pent test for only 20 servers.. and i don`t know how can
        i select the number of servers that i need to test to be sure that all the
        rest of the servers have the same vulnerabilitis!!.. ?
        
        and what kind of tools can i use to make that!?
        
        i never been in that kind of penetration test :(..
        
        i think to use Core Ipact!
        
        any sugestions?
        
        
        regards
        
        noe
        
        
        
        ----------------------------------------------------------------------------
        --
        This List Sponsored by: Lancope
        
        "Discover the Security Benefits of Cisco NetFlow"
        Learn how Cisco NetFlow enables cost-effective security across distributed
        enterprise networks. StealthWatch, the veteran Network Behavior Analysis
        (NBA)
        and Response solution, leverages Cisco NetFlow to provide scalable,
        internal network security.
        Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and
        Response
        Systems in the Enterprise."
        
        http://www.lancope.com/resource/
        ----------------------------------------------------------------------------
        --
        
        
        
        
        ------------------------------------------------------------------------------
        This List Sponsored by: Lancope
        
        "Discover the Security Benefits of Cisco NetFlow"
        Learn how Cisco NetFlow enables cost-effective security across distributed
        enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA)
        and Response solution, leverages Cisco NetFlow to provide scalable,
        internal network security.
        Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response
        Systems in the Enterprise."
        
        http://www.lancope.com/resource/
        ------------------------------------------------------------------------------
        
        


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy.  

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.