Penetration Testing mailing list archives
Re: Internal Penetration Testing
From: christopher.riley () r-it at
Date: Tue, 16 Jun 2009 09:04:02 +0200
Steve,

I can see your point. However I think you're not taking all the possible variables into consideration. Not all testing should be carried out as a blackbox test, in fact you will find a lot more possible security issues using a whitebox methodology. Although this gives an internal penetration tester more knowledge than an attacker, it doesn't remove the validity of the results.

Taking a basic example, an internal penetration tester may be able to find (through manual testing or source code analysis) a Cross-Site Scripting vulnerability on the primary website of the company. By using knowledge of the product and access to more information than an attacker he can find this vulnerability in a fraction of the time it would take an external company performing a blackbox test. In this case the knowledge the penetration tester has of the systems doesn't reduce the value of the findings, however it does speed up the process.

Also, as somebody who works as an internal penetration tester for a bank, I can say that there are far more applications and systems in a large company than you'd think. It's also not left to the designers, programmers, or support staff of these applications to perform security tests (penetration testing, or vulnerability scanning). Having a completely separate team to handle this means that we require no special permissions to the application. It's not like we turn up to do a test and already know what the Administrator password for the system is. That takes a few minutes.... ;)

Chris John Riley

listbounce () securityfocus com@inet wrote on 15.06.2009 23:52:43:
I question the validity of "internal pen testing." After all, as an insider you should have access to all manner of information that an attacker would not. If you have the skills to perform a legitimate "black box" pen test then you should have no problem doing whatever you want as an inside "pen tester" even if you try to play by a predetermined set of rules wherein you pretend not to have insider knowledge (good luck).

I guess I don't understand the purpose. If it is to demonstrate that having someone with a moderate to high amount of skill "go rogue" inside your network is a "bad thing", that just seems redundant to me. The best use for "internal pen testing" in my opinion would be simply to see if anyone noticed via your IDS/log management solution/etc. If nobody is watching then an internal pen test is doubly pointless.

Steve Mullins

On Thu, Jun 11, 2009 at 8:10 AM, pma111 <pmaneedham () hotmail com> wrote:

Can anybody recommend any good books, or ideally free online references to start learning the techniques of internal penetration testing? I.e. getting onto (access to) network shares, private network drives, internal servers, systems, from inside the Network that someone is not authorised to do? I won't ask for specific pointers just some good online guides so I can begin to identify the techniques that give rise to the "threat from within" etc.

Regards,
--
View this message in context: http://www.nabble.com/Internal-Penetration-Testing-tp23980128p23980128.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board
Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
----------------------------------------
Raiffeisen Informatik GmbH, Firmenbuchnr. 88239p, Handelsgericht Wien, DVR 0486809, UID ATU 16351908
Correspondence with above mentioned sender via e-mail is only for information purposes. This medium may not be used for exchange of legally-binding communications.
----------------------------------------