Penetration Testing mailing list archives

Re: Formal audit background for the penetration tester?


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Fri, 29 May 2009 19:45:38 -0430

On Friday 29 May 2009 10:48:52 lister () lihim org wrote:
Has anyone transitioned from a purely technical background in InfoSec to
the Audit field?

What trends are emerging with increased regulatory scrutiny on the rise
(Govt/PCI requirements)?

As I am not familiar with the CISA certification or the audit field of
work, I'm not sure if this would be a step backward or beneficial to a
penetration tester or someone with purely technical skills in InfoSec.

CISA is more for a formal audit process. 

CISA would be appreciated by many companies since it helps the auditor to do it 
well (documentation and process), but it is not a limitation for pentesting... 
especially since pentesting requires more technical skills rather than 
formalisms...

An audit well done could be sufficient without a pentest. But "well done" is 
extremely expensive for most companies.

Pentesting has three main purposes:

1- Demonstrate that your network is vulnerable and requires a more formal 
audit: Some companies are vulnerable and don't want to spend budget on 
Information Security... They think that the network is not vulnerable because 
they have a firewall, or something like that (Sometimes, some companies have told 
me that they are not vulnerable since they have Antivirus...).

In such cases, sometimes, the company must be challenged, and... most times, 
they accept the challenge.

The challenge consists of a blackbox audit (mostly pentesting or ethical 
hacking) that demonstrates that they have vulnerabilities. This challenge is 
only to demonstrate and open the budget. 

This pentest or ethical hacking is generally shown with an impact and risk 
study...

2- Another goal of pentesting is to complement the audit when you need to 
reduce costs... As I said, an audit alone could be extremely expensive since if 
you need to assure something, you will need to review everything, and 
sometimes, with an ethical hacking you could determine what you need 
quickly. Certainly it is not fully accurate, but, sometimes, companies with 
hundreds of servers prefer to secure them fast rather than secure them well.

3- Validate the formal auditor's job. After the audit, a third-party pentest 
could be done to validate the accuracy of the audit. (I think that is more a 
psychological effect needed by some CEOs to be happy about their investment in 
security.)

------------------------

How accurate is a pentester?

A good pentester could determine many of the things determined in a full 
audit. For example, on some webserver with a CMS, the pentester would place 
emphasis on updates, on installing some HIDS/HIPS for future unknown attacks, on 
password policy, and sometimes on fix policies.

A pentester must determine what policies are harmful, and sometimes will 
miss some policy recommendations because, since this is blackbox testing, 
the pentester could not determine some internal policies.

I'll give you an example:

The webserver has PHP with register_globals on, but the attacker could not 
determine it right now... Some time ago, a new exploit in a new branch of the CMS 
software was only exploitable if "register_globals" was on (this happens many 
times)... 

Then, the pentester could make a final recommendation about hardening PHP, but 
not related directly to the pentest flags.

---------------------------

Having all of this in mind, let's summarize the problem.

If you have to reduce costs and time accepting some risk, the audit process 
could be complemented with pentesting. But "a good pentester" is determined 
by skills rather than by fine documentation and audit know-how (that could be 
appreciated, but is not determinant). 

- Some specific certifications exist for pentesting... for example, CEH. 
- For auditing: CISA, ISO27001, etc.
- For security management: CISSP, GIAC
- Other specific certs are useful in other branches.
- Other specific postgraduate degrees are useful also.

-----------------------

PCI and other requirements should be done by formal auditing... After or 
before that, pentesting (not the audit) reflects the blackbox reality, 
exposed also in the wild. 

I think that it is a paradox that an ethical hacker would be limited by some 
rules, when a real attacker is not. The only rule that applies to ethical hacking 
is to be ethical.



-- 
Ing. Aaron G. Mizrachi P.    

http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1

Attachment: signature.asc
Description: This is a digitally signed message part.
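The register_globals point made in the reply above, as an added example (not code from the original message, the CMS in question, or any real product): why a CMS bug can be exploitable only when `register_globals = On`, what the "harden PHP" recommendation looks like in code, and the configuration check a hardening review would run. The function names (`login_ok`, `is_admin_hardened`, `register_globals_finding`) are invented for this illustration; the vulnerable path assumes a PHP older than 5.4, since the directive was deprecated in PHP 5.3 and removed in 5.4.

```php
<?php
// Added example, not part of the original message or of any CMS.
// Shows the register_globals dependency and its hardened counterpart.
// Assumption: PHP < 5.4 for the vulnerable path (directive removed in 5.4).

// --- Vulnerable pattern (global scope, as in many old CMS scripts) ---
// With register_globals = On, PHP fills $is_admin from GET/POST/cookie
// before this script runs. The author relies on it being unset by default,
// so the check depends on a php.ini setting rather than on the login.

// Constructed stand-in for the CMS's real login check.
function login_ok() {
    return false;
}

if (login_ok()) {
    $is_admin = true;
}
// Unsafe: $is_admin may already hold a request-supplied value.
if (!empty($is_admin)) {
    echo "admin panel (vulnerable path)\n";
}

// --- Hardened form ---
// 1. Initialise every variable before use, so request data cannot pre-fill it.
// 2. Read input only through the superglobals ($_GET, $_POST, $_COOKIE).
// 3. Fail closed: the admin flag is derived from the session alone.
function is_admin_hardened(array $session) {
    $is_admin = false;                       // explicit default
    if (isset($session['user']) && $session['user'] === 'root') {
        $is_admin = true;
    }
    return $is_admin;
}

// --- Configuration check a hardening review would run ---
// register_globals is PHP_INI_PERDIR, so it can only be read here, not set;
// the fix belongs in php.ini (register_globals = Off) or .htaccess.
// The finding text is this example's own wording, not a scanner's.
function register_globals_finding() {
    if (version_compare(PHP_VERSION, '5.4.0', '>=')) {
        return 'register_globals removed in this PHP version (5.4+): not applicable';
    }
    $value = ini_get('register_globals');
    // ini_get returns "1" / "On" style strings when the directive is enabled.
    if (filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
        return 'FINDING: register_globals = On; set register_globals = Off in php.ini';
    }
    return 'OK: register_globals is off';
}

echo register_globals_finding(), PHP_EOL;
echo is_admin_hardened(array('user' => 'guest')) ? "admin\n" : "public page (hardened path)\n";
```

The hardened function is immune to the setting because its flag is initialised locally and read only from the session array it is handed; that is the difference a pentester is recommending when the finding is "harden PHP" rather than a specific CMS flag.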
