Security Basics mailing list archives

Vuln Scan vs. Pen Test -- WAS: Re: Penetration testing books


From: Jon Kibler <Jon.Kibler () aset com>
Date: Tue, 30 Dec 2008 21:58:24 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

gmail wrote:
> Just got done reading Nessus Network Auditing Second Edition. Very good
> book on how to use Nessus for vulnerability testing. Does not go deep
> into the methodology, but does cover Nessus very well. If you plan on
> working with Nessus, a good read.


A vulnerability scan is NOT a penetration test!

The problem is that too many people in the industry who claim to be
penetration testers are nothing more than vulnerability scanners. They
run Nessus, Retina, etc. against a network from inside the network,
print out a few dozen cases of paper that are the results, and dump the
"Pen Test Report" on the client's doorstep along with their invoice.

I don't care what all the wackos and rip-off artists in our industry
who call themselves pen testers claim, a vulnerability scan is NOT a
penetration test! Period. End of discussion.

That said, I do not consider Nessus to be a penetration testing tool.
Nessus is a great tool. It has its proper place in the organization:
Vulnerability Assessment. Use the tool for what it is designed for!

When a new client first contacts me regarding 'pen test work', the first
thing I tell them is "Let's talk, because you probably are not ready for
a pen test... So, why waste money on a test, just to fail it?" I usually
find after some basic Q&A that they are not even remotely prepared
for a pen test. The number one clue is usually that they have never
had a vulnerability assessment. Clearly, you want to fix your known and
obvious vulnerabilities before you pay someone to break the obvious!
Nessus has its place. This is it.

From the technical standpoint, why is Nessus (or any other vulnerability
assessment tool for that matter) a lousy pen test tool? A couple of
really BIG factors immediately come to mind:
  1) When you do a pen test, you want to be sneaky, and you definitely
don't want to leave any tracks. Running a vuln assmnt tool should set
off all types of alarms that indicate a system is under attack. This is
NOT stealth!
  2) Most pen tests occur from outside the protected network. Hopefully,
even the most lamely deployed firewall will filter the majority of the
ports that a vuln assmnt tool would hit on (and hopefully set off all
types of alarm bells!), so your tool would not give an accurate
portrayal of whether there were actual exploitable vulnerabilities on
the network, because the required ports were filtered.


Finally, I do concur that the Nessus 2nd Ed. book is a great read -- but
NOT as a pen testing book.

Jon K.
--
Jon R. Kibler
Chief Technical Officer
Advanced Systems Engineering Technology, Inc.
Charleston, SC  USA
o: 843-849-8214
c: 843-224-2494
s: 843-564-4224
http://www.linkedin.com/in/jonrkibler

My PGP Fingerprint is:
BAA2 1F2C 5543 5D25 4636 A392 515C 5045 CF39 4253


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkla39AACgkQUVxQRc85QlMVbQCdFb1OVa4vJQOIVgImWVRTVrrS
tNkAnjxJeSe/R1QVFdrijGjWkx/c3S2A
=x2ON
-----END PGP SIGNATURE-----
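The two factors in the message above (a scanner is noisy enough to trip alarms, and a filtering firewall drops most of what it probes, so the scanner's picture is incomplete) can be seen from the defender's side of the firewall. The following is an added illustration, not part of Jon Kibler's mail or of any product he names. It assumes a simplified, constructed iptables-style log line format and arbitrary thresholds (a 60-second window and 10 distinct destination ports); the addresses and log lines are constructed test data, not captured traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format (an assumption for this example): one line per packet decision,
#   <ISO timestamp> <ACCEPT|DROP> src=<ip> dst=<ip> proto=<proto> dpt=<dest port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dpt=(?P<dpt>\d+)$"
)

# Ports a vulnerability scanner would typically probe; used only to build sample data.
SCANNED_PORTS = [21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 389,
                 443, 445, 993, 995, 1433, 1521, 3306, 3389, 5432, 5900, 8080, 8443]


def constructed_log():
    """Build constructed sample data: one ordinary web client and one scanner.

    The scanner (203.0.113.5) hits 24 distinct ports in 24 seconds; the firewall
    only permits 80 and 443, so 22 of its 24 probes are dropped. The web client
    (198.51.100.7) touches two ports over several minutes.
    """
    lines = [
        "2008-12-30T21:00:00 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt=443",
        "2008-12-30T21:02:15 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt=80",
        "2008-12-30T21:05:40 ACCEPT src=198.51.100.7 dst=192.0.2.10 proto=tcp dpt=443",
    ]
    for i, port in enumerate(SCANNED_PORTS):
        action = "ACCEPT" if port in (80, 443) else "DROP"
        lines.append(
            f"2008-12-30T21:00:{i + 1:02d} {action} src=203.0.113.5 "
            f"dst=192.0.2.10 proto=tcp dpt={port}"
        )
    return lines


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_port_sweeps(lines, window_seconds=60, min_distinct_ports=10):
    """Flag sources that touch many distinct destination ports within a short window.

    Returns {src_ip: {"distinct_ports_in_window", "total_probes", "dropped_fraction"}}
    for every source exceeding the threshold. The dropped fraction shows how much of
    the sweep the firewall filtered, i.e. how little the scanner could actually see.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        # Peak number of distinct ports seen in any window starting at an event.
        peak_ports = 0
        for i, first in enumerate(events):
            ports = {e["dpt"] for e in events[i:] if e["ts"] - first["ts"] <= window}
            peak_ports = max(peak_ports, len(ports))
        if peak_ports >= min_distinct_ports:
            dropped = sum(1 for e in events if e["action"] == "DROP")
            alerts[src] = {
                "distinct_ports_in_window": peak_ports,
                "total_probes": len(events),
                "dropped_fraction": round(dropped / len(events), 2),
            }
    return alerts


if __name__ == "__main__":
    for src, info in detect_port_sweeps(constructed_log()).items():
        print(f"ALERT port sweep from {src}: {info}")
```

Run as a script, it reports the scanner source and stays silent about the ordinary client. The dropped fraction (22 of 24 probes, here) is the other half of the argument: the same burst that makes the scan obvious to the defender also means the scanner never reached most of the services it was trying to assess.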
