Penetration Testing mailing list archives
Re: we are security critics was: Re: Using 0days as part of pen-test?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Thu, 15 Jan 2009 17:07:39 +0000
Pete Herzog wrote:
> Hi,
>
> > 0-day tests, by definition, cannot test anything other than the quality of the anomaly-based detection system.
>
> I'm unaware of this definition and I think it may be flawed. A 0-day, we can say, is an undocumented vulnerability and as such not widely known. Without thorough testing, we err on the side that every piece of software may have undocumented vulnerabilities which may or may not currently be known to someone.
I suppose a lot depends on the "goal" of the pentest. If the goal is to penetrate the network (which would of course be the goal of a real attacker) then everything is fair game. If the goal is to evaluate the security posture of the network for compliance purposes, then what you are really testing is that best common practice and regular patching is taking place - and given an 0day by definition can't be guarded against by that process, it would give different results to what is desired.

If you consider both those to be extreme positions (and of course they are) then a valuable lesson can be learned from the use of an 0day - the use and watching of logs, the general security posture to defend against single points of failure, the reaction of the staff to attack...

And yet, many professional pentests are unrealistic in this regard anyhow; they demand exemption from IDS/IDP systems, special passage through firewalls normally granted only to specific IPs, high speed access to the outside interface of security boundaries normally only accessible via internet bandwidth, and so forth.

The point made earlier (that by the process of Responsible Disclosure, the white-hat holder of an 0day feels obliged to not spread knowledge of it further until the vendor has had an opportunity to patch) is also an issue - if you use your 0day for testing, you are risking analysis of the logfiles showing what you did and the knowledge escaping that way.