Security Basics mailing list archives

RE: VA vs PT tool


From: "Cirelli, Keith(LBS)" <Keith.Cirelli () LibertyMutual com>
Date: Fri, 13 Jun 2003 15:15:03 -0400

This may sound like the long way of doing things and may be just my philosophy on VA & PT but, I've seen Security 
people get complacent about "real" security. 
Some tend to think just running a 'canned' tool is enough and that these tools "find everything" and/or if it finds 
nothing..."ok..we're safe".

I use my own array of tools (not necessarily written by me..but I possess them) to do those types of tasks, and find it to 
be quite thorough.
I've found many holes or exploitable/rootable vulnerabilities with my own bag of goodies, that expensive commercial 
'audit' tools never found.
Not always, not usually...but more than half a dozen times over the last 2 years...for me anyway.


What I want to say is this...

IMHO, a Security Engineer should have his/her own "tool bag" of sorts. There are many open source tools, avail scripts, 
exploits, DoS codes available all over the internet from reputable sources that are not plagued with bogus code, or 
full of hidden trojans and the like (some are, you need to analyze the code before you run it). 

My point, for me, many tools of the trade are indeed the exploits themselves. Any malicious attempt to gain access to 
your network will most likely be done with the "tools/available exploits or home grown code" that I am referencing 
anyway. Think of it for a minute, some script kiddie that downloads a SMURF or TEARDROP script (or any of a plethora of 
others)...and launches it at you (as a for instance). Most likely these days many script kiddies are behind a cable 
modem or even larger bandwidth connections and can be quite dangerous.

In order to see if you're safe you need to test your devices against these potential threats, using the same code 
available to the twits that may try to compromise your network...in any way. 
You're obviously doing it in a controlled and ethical manner (riiiiiight?).

IMHO, to be on top of the issue, having a few dozen of your own goodies..either 'borrowed' or home grown. Your own 
script that automates the process of running them isn't a bad idea either...to test or attempt to penetrate your 
outward facing network presence (at least). You obviously have to stay on top of keeping the newest, latest, greatest OS or 
APPLIANCE patches or upgrades as well as exploits/DoS code(s) and stay updated with the newest stuff, probably 
constantly modifying your script to accommodate the revolving door your tool box would most probably be.


I honestly do not know if there are widely accepted 'canned' PT tools on the market these days. I'd guess there are 
somewhere...but if they're good, reputable and/or well known, they're probably not cheap. Cyber Cop used to 'launch' 
partial exploits on devices if told to (many times bombing devices or hosts in the process of vulnerability scans), but 
I think they don't write that anymore and any available updates you could find would probably be grossly outdated.

My 2 cents. Hope it helps you.

KC
CCNA/CCDA/CISSP/Geek


-----Original Message-----
From: SimonChan () lifeisgreat com sg [mailto:SimonChan () lifeisgreat com sg]
Sent: Thursday, June 12, 2003 10:08 PM
To: security-basics () securityfocus com
Subject: VA vs PT tool


Hi,

I posted some time on the list a couple of months back for some
recommendations on a good VA tool.

The bulk of the responses pointed to ISS, NetRecon and Vigilante.

However, a VA tool is limited, in that it only stops at the vulnerability.

I'm looking at a Pen Test tool that not only does the VA functionality but
also exploits the vulnerability, thus
defining it as a real THREAT and not just a vulnerability.

Is there a widely accepted tool on the market right now?



Rgds,

Simon Chan,   MCP/MCSA/CCNA/CCSA/WCSP
Senior Security Engineer

------------------------------------------------------------------------------------

"My statements in this message are personal opinions
which may have no basis whatsoever in fact."






