Security Basics mailing list archives

Re: External Pen Test / Manual Exploitation


From: port530 <port530 () yahoo com>
Date: Tue, 23 Sep 2003 07:24:57 -0700 (PDT)

Pen-testing is definitely a way to reduce the number of false positives; however, there are other ways as well. If you are uncomfortable with this approach, have the group performing the vulnerability assessment do additional follow-up work to verify tool results. Most tools provide some form of remediation recommendations, such as "apply this patch" or "remove that service". Have the auditor talk to the system admins and verify that the patch was applied, or the service is not running, or the system is configured in such a way that it is not vulnerable. Also, make sure that the auditor doesn't just take the admin's word for what the system looks like (what's on the system). Admins are usually overworked and may not know exactly what is on each box; even though box A is not running FrontPage, during the last software upgrade some FrontPage extensions were inadvertently copied to the production box, etc. This will take more time, so it will probably cost you more, but you will get the same, if not better, end result without the added risk of bringing a system down. If price is an issue, then have the auditor report everything the vulnerability tools indicated. Then have your IT staff follow up and verify system configuration, but again, is your IT staff already over-worked?
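The follow-up the post describes (check the recommended patch is installed, check the flagged service is actually listening, and check the box itself rather than trusting the admin's description of it) can be written down as a small triage step. The script below is an added illustration, not code from the original post or from any scanner; every finding, host, path, patch name and check name in it is constructed, and the `HostState` records stand in for what an auditor verified on the box by looking.

```python
"""Cross-check vulnerability scanner findings against verified host state.

Added example, not part of the original mailing-list post. All data is
constructed: the findings, the host inventories, and the patch, file and
check names are placeholders for whatever the auditor actually observed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Finding:
    host: str
    check: str                     # scanner check name (constructed)
    port: int | None = None        # port the scanner saw the service on
    service: str | None = None     # component the scanner believes is present
    fix_patch: str | None = None   # remediation the tool recommends
    artifact: str | None = None    # file whose presence proves the component is installed


@dataclass
class HostState:
    """What the auditor verified on the box, not what the admin said."""
    listening_ports: set[int] = field(default_factory=set)
    installed_patches: set[str] = field(default_factory=set)
    files_present: set[str] = field(default_factory=set)
    admin_says_absent: set[str] = field(default_factory=set)  # admin's claim, recorded for comparison


def verify(f: Finding, s: HostState) -> tuple[str, str]:
    """Return (verdict, reason) for one finding against the verified state."""
    # 1. The tool's own remediation is already in place: almost certainly a false positive.
    if f.fix_patch and f.fix_patch in s.installed_patches:
        return "likely-false-positive", f"recommended patch {f.fix_patch} is installed"
    # 2. The service the tool reported is not listening now: nothing is exposed.
    if f.port is not None and f.port not in s.listening_ports:
        return "not-exposed", f"port {f.port} is not listening"
    # 3. The vulnerable component is physically on the box, whatever the admin believes.
    if f.artifact and f.artifact in s.files_present:
        reason = f"{f.artifact} is present on the box"
        if f.service in s.admin_says_absent:
            reason += f" although the admin reported {f.service} absent"
        return "confirmed", reason
    # 4. Nothing observable decides it: a human has to look.
    return "needs-manual-check", "no patch, port or file evidence either way"


def triage(findings: list[Finding], states: dict[str, HostState]) -> dict[str, dict[str, str]]:
    """Group verdicts by host so each admin gets only their own follow-up list."""
    out: dict[str, dict[str, str]] = {}
    for f in findings:
        verdict, _ = verify(f, states[f.host])
        out.setdefault(f.host, {})[f.check] = verdict
    return out


# Constructed sample data: two hosts, four scanner findings.
FINDINGS = [
    # The post's FrontPage case: admin says it is not installed, but the extensions are there.
    Finding("box-a", "frontpage-extensions", port=80, service="FrontPage",
            artifact="/srv/www/_vti_bin/shtml.exe"),
    Finding("box-a", "legacy-ftp", port=21, service="ftp"),
    Finding("box-b", "ssh-version", port=22, service="ssh", fix_patch="PATCH-PLACEHOLDER-1"),
    Finding("box-b", "snmp-default-community", port=161, service="snmp"),
]

STATES = {
    "box-a": HostState(listening_ports={80, 443},
                       files_present={"/srv/www/_vti_bin/shtml.exe"},
                       admin_says_absent={"FrontPage"}),
    "box-b": HostState(listening_ports={22, 161},
                       installed_patches={"PATCH-PLACEHOLDER-1"}),
}


if __name__ == "__main__":
    for f in FINDINGS:
        verdict, reason = verify(f, STATES[f.host])
        print(f"{f.host:6} {f.check:24} {verdict:22} {reason}")
```

The ordering of the checks is the point: an installed patch or a closed port settles a finding without anyone's opinion, a file on disk overrides the admin's recollection, and only what is left goes back to a person. Run it and the FrontPage finding comes out "confirmed" with the admin's claim noted in the reason, which is exactly the case the post warns about.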
