Penetration Testing mailing list archives

Email Security - Pentesters take...


From: cribbar <crib.bar () hotmail co uk>
Date: Tue, 9 Nov 2010 03:32:30 -0800 (PST)


I have used this forum once before and had some excellent feedback from some
very knowledgeable folk, so I wanted to run something by you all again….

I am not over tech but have an understanding of IT and Business/IT alliance,
however I’ve recently been scanning the major pen testers’ offerings and
typically web apps, voip, wireless, firewall rules, database etc come up
time and again, but from the sample of 12 or so, many of whom are
CHECK/CREST accredited, I have never seen any offerings about email
penetration testing…

To me email is a real business critical system and potentially a compromise
of someone’s (i.e. director of a company) email account whether from an
internal employee or an external hacker could be catastrophic. Or bringing
down an email system (MS Exchange) could also be a disaster to a company….
You also see stuff in the press on an almost daily basis on leaked email or
hacked email so I imagine journalists aren’t exactly squeaky clean when it
comes to how they gather “intelligence” for their stories…

But the fact nobody seems to be selling an email penetration test in their
standard catalogue of offerings got me thinking as to perhaps other folk
don’t see it as a high risk area? Or perhaps modern off the shelf email
packages (MS Exchange with an OWA Service exposed to the world) and what not
are pretty secure “out the box” so to speak (I find that hard to believe)…

My questions to you professional pen testers who offer external services:

Is “email security” a sought after pen test by companies? Are companies
coming to you asking for quotes for a pen test of their email
infrastructure, reviewing risks both internal (employees trying to get at
each other’s mailboxes) and external?

Where does email rank in sought after pen tests, i.e. is it typically well
down the pecking order? Out of interest what sort of pen tests are folk
coming to you for, i.e. a top 3 (web apps, voip, wireless etc)?

If you are providing email pen tests, are there common weaknesses and
vulnerabilities you keep coming across in most cases you test? Can you
provide some details… Alternatively if you are coming across relatively
secure email systems and limited findings I’d be interested to hear that
from you lot…

A bit off topic, but finally, I am interested in the role of internal IT
Auditors in organisations, and what exactly they do or don’t do when it
comes to pen testing or auditing their own IT Systems. Are they responsible
for checking that the low hanging fruit is not available to attackers (i.e.
the IT admin has followed best practice and is applying patches and what
not) and then the pen testers come in with your whole armoury of tools to
check for more advanced attacks? I just can’t really see the point in IT
Auditors if all folk are doing is bringing in pen testers for real
assurance? Is it because the internal IT Auditor is not up to the skill set
of the pen tester? I got a bit confused as to whether they duplicate the
same role so please clarify if you may….


-- 
View this message in context: http://old.nabble.com/Email-Security---Pentesters-take...-tp30169671p30169671.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

