Penetration Testing mailing list archives
Re: They will protect me (won't they?)
From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 11 Feb 2009 12:54:44 -0800 (PST)
I enjoy throwing out the "alternative" perspective whenever possible to stimulate a little thinking. So, here's the $0.02.

Penetration testing is one security control that should be done. I spend most of my working time doing penetration tests as part of project scope. But in some cases penetration testing is not the most important control that needs to be applied in the many-layered defense onion. As a simplified example, given limited resources, should we focus more on doing patching or on doing a penetration test that tells us we're not getting patching done? If we are actually following up on our patching efforts, making sure that the patches got applied properly and tracking patch status and vulnerabilities for all of our installed products, applications, embedded systems, etc. as well as operating systems, then we will be a lot more secure than if we spend all our time and resources on penetration testing.

A penetration tester will turn up a lot of things that an auditor won't, and by the same token an auditor will turn up a lot of issues that a penetration tester won't. Penetration testing may reveal that there are no vulnerabilities to be found on a system because the admin just happened to patch it the day before the pentest project began, while the auditor reveals that the patching methodology is in an overall lousy state, applied inconsistently, with no testing of patches beforehand and without proper verification of correct application. Obviously I am simplifying again, because there are a lot of configuration-related issues and undisclosed coding bugs that a skilled penetration tester may find but which will not be addressed with a patch. The auditor here is not concerned with whether or not a given host is vulnerable on a given day, but with whether a pentest was performed recently enough by a qualified tester and whether the noted vulnerabilities were addressed in a proper and timely manner.
So, do vendors need to do pentests to satisfy an ethical obligation to their customers? They should, but that probably isn't the security control that will give them the biggest bang for the buck. What about following secure coding practices? Do they even bother training developers on secure coding practices? How do they maintain development vs. testing vs. production code libraries? Do they have external code reviews done? I would suggest that pentests are a lot more important for vendors that provide outsourcing or hosted services, because now they're playing with the customer's data.

Short-sightedness aside, businesses will apparently not exercise reasonable caution over information security until 1) $ losses leave them no choice or 2) some government regulation requires it. I hold out no hope for number 1 to have much effect, or we would have had a completely revamped electronic payments system long ago. It seems like the losses there should be prompting some change, but instead it's considered a cost of doing business.

Performing due diligence in vendor selection has been a requirement for financial institutions for several years, but examiners have only been really pushing this issue hard in the last year or so. Exercising due diligence in vendor and product selection is simply not a requirement of NERC CIPs, the chemical industry CFATS or most other CIP regulations. I'm not sure if it could be a part of NRC regs, as I don't work in that realm, but I would doubt it. Face it, Adriel, there will be no change of behavior by the vendors on applying penetration testing or any other security control until their customers demand it, and the customers won't demand it unless they are mandated to by some federal regulation. Even with regulatory oversight, the most that financial institutions typically do is to request a copy of a SAS 70 audit, which has really nothing to do with security at all.
It seems that neither the examiners nor the compliance officers have bothered to check the truth behind that. They just do it because that's what other organizations have found they can do to put a check in the box on their security procedure.

Keep your money in bullion, dig a well and get off the grid. Otherwise I'm afraid we're doomed.

Peace

--- On Wed, 2/11/09, Adriel T. Desautels <ad_lists () netragard com> wrote:

From: Adriel T. Desautels <ad_lists () netragard com>
Subject: Re: They will protect me (won't they?)
To: "Jamie Riden" <jamie.riden () gmail com>
Cc: "pen-test list" <pen-test () securityfocus com>
Date: Wednesday, February 11, 2009, 4:13 AM

Whoa... First, it sounds like there is a definition problem. Why are people always so unclear about definitions in this industry? So let's start with two basic definitions:

Vulnerability Assessment: An assessment of a target for the purposes of identifying weaknesses or risks in the target without ever attempting to penetrate or exploit those weaknesses. (white-box or black-box)

Penetration Test: An assessment of a target for the purposes of identifying weaknesses or risks in the target that includes attempted penetration or exploitation of those weaknesses. (white-box or black-box)

When you start talking about white-box or black-box testing, those are methods for augmenting a penetration test or a vulnerability assessment, and those services can be either black or white. There are potentially endless ways to augment the testing.

With respect to your comment, an auditor will never, ever be able to produce the same results as a penetration tester. If the auditor does, then he's doing penetration testing.

On Feb 11, 2009, at 2:36 AM, Jamie Riden wrote:

Hi Adriel,

Marcus Ranum for one disagrees - http://www.ranum.com/security/computer_security/editorials/point-counterpoint/pentesting.html - so I think it's a little bit misleading to say that all seasoned security professionals think pen-test is necessary. I don't agree with Marcus by the way.

Fresh perspective is good, but it's also possible to get a fresh perspective by getting an external auditor - ie. a white-box test - rather than pen-test (black box).

I'm obviously going to agree with your main point that everyone needs to secure their infrastructures!

cheers,
Jamie

2009/2/11 Adriel T. Desautels <ad_lists () netragard com>:

Jamie, I understand your perspective but it's not the perspective of any well-seasoned security professional. The fact of the matter is that external teams will always identify risks and provide new perspective that you would not get from your internal team. Internal teams get stale. There's a lot more to what I'm saying than what I've just written, but if you read between the lines I hope you understand where I'm coming from.

--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
http://www.ukhoneynet.org/members/jamie/

Adriel T. Desautels
ad_lists () netragard com
--------------------------------------
Subscribe to our blog http://snosoft.blogspot.com