RE: Pentesting vs VA - was Pentesting tool - Commercial

["Ramki B" <bramkie () gmail com>]

Considering the Bank example Dave has provided, I wonder 

a) How safe is it to outsource network management to an MSP, most of them
use site-to-site tunnels, SSL and SNMP V2? 
b) If we can say that SNMP V3 is secure enough for use on a corporate
network? 

Thanks
Ramki


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of dcdave () att net
Sent: Tuesday, March 04, 2008 7:11 PM
To: Trygve Aasheim; robert () outpost24 com
Cc: Pentest Mailinglist
Subject: Re: Pentesting vs VA - was Pentesting tool - Commercial


Perspectives are important in pen-testing.

The Internet Hacker gets one view of a network, the disgruntled (where does
that word come from, anyway?) employee gets another view, and the  corporate
spy-paid sysadmin gets another view. I have seent hem all and more in doing
both vulnerability assessment and penetration testing.

Penetration testing menas simply finding one avenue into a business which
works for the purpose of showing the money people that the enterprise is
vulnerable.

Vulnerability assessment means finding all avenues for the purpose of
mitigating them and protecting the enterprise.

Yes, I have used most of the tools both proffessional and otherwise, with
the exception of Core Impact - they would not provide me with a demo copy.

I think essential outside views include discovery tools for BGP, IP packet
crafting, ICMP, proxy, and SNMP. It is amazing how much network discovery
you can get from SNMP!

I went head to head against someone hacking a bank (at the bank's request,
of course). The code hacker owned the sysadmin acount on the network within
two days. 

I owned the money transactions server within two hours.

I did that by discovering the network with SNMP (sandstorm's version)(SNMP
accidentally or on purpose allowed through the firewall), guessing at the
naming convention, and using Superscan (freeware) to discover an open port
with no password, and HTTP tunnelling into a trusted machine first...

Dave Druitt
--
CSO
InfoSec Group
703-626-6516            
        
    
-------------- Original message ----------------------
From: Trygve Aasheim <trygve () pogostick net>
> The first question should be if they can be compared.
>
> We use these two different categories of tools for two different 
> categories of projects.
> As you say, the vulnerability tools are for identifying new 
> vulnerabilities, retesting and store trend data.
>
> The penetration testing tools and projects are aimed at finding what the 
> consequences of a successful "pwn" in an area of our infrastructure 
> would actually mean.
> Does our security countermeasures detect the compromise? Is the attacker 
> allowed to move through the infrastructure? What can be reached? Are 
> there any configuration mistakes that opens up the infrastructure even 
> more, when you're already in? Can the countermeasures be reconfigured to 
> detect the attack at an earlier stage?
>
> All the stuff that should have been taken care of, and you want to see 
> if it works in real life.
>
> T
>
> Robert E. Lee wrote:
> > On Wed, 2008-02-27 at 16:48 -0700, Andre Gironda wrote:
> >   
> > > Using exploits on production or IT networks is unethical.  This isn't
> > > the wild west.  You're overpaying by about $19K-$26K for what you need
> > > when you go with Core Impact.  I don't know about ya'll, but the idea
> > > of propagating a pseudo-worm through a corporate network seems about
> > > as good of an idea as asking the power company to shut off electricity
> > > to a hospital for "just a minute, to see what will happen".
> > >     
> >
> > When using exploits against production systems, in the best case
> > scenario you've altered the running state of production software.  In
> > the worst case, you've corrupted data or caused a loss of service.  Most
> > of us have accepted these potential outcomes as normal during a manual
> > penetration test.
> >
> > The concern companies should have with the exploit frameworks is that
> > many of their users don't understand what the tool is doing.  The users
> > also don't understand what the exploit is affecting.  These tools can be
> > disastrous in the wrong hands.
> >
> > A better use of time for most companies would be to use a thorough
> > vulnerability assessment and management solution.  VAM solutions can:
> > * Identify new vulnerabilities - far more than an exploit framework
> > * Assign vulnerability related tasks to the responsible Sys Admins
> > * Allow for retesting of the device/vulnerability to ensure the it was 
> >   properly mitigated
> > * Show trending over time
> >
> > Our customers value their ability to actually improve their situation
> > over their ability "Pwn" the systems they already own.
> >
> > Robert
> >
> >   
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------




------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------