Dailydave mailing list archives

RE: New presentation is up: 0days: How hacking really works


From: "Maynor, David (ISS Atlanta)" <dmaynor () iss net>
Date: Tue, 1 Feb 2005 17:34:01 -0500

I'm not suggesting that you guys should quit your jobs, or that deep
pen-testing isn't value adding.  I just think that these guys who come
in, start their automated scanning tool (which is usually rebranded
nessus), get drunk while it's running, and collect money are kind of
worthless.  They kept the admins in check before, but with Dave's
future of universally patched systems, they won't be helping at all.
They may own my network with a few of their 0days, but like I said, it
doesn't really matter.

I totally agree that network architecture and design flaw based
auditing and testing is still very valid, and I'm not arguing against
that, I'm arguing for it in place of the current "turn on the scanner
and get drunk" style of pentesting that I see today and in the past.

That doesn't sound like a pentest. It sounds more like a site
assessment. A lot of people try to get away with selling assessments as
pentests. A pentest and a site assessment generally require different
skill sets and have much different deliveries. A pentest by nature is
designed to show what a single, or team, of determined and skillful
attackers can gain from your network. A site assessment is more of the
run the scanner, interpret results and such, review the policy kind of
thing.

When I did pentests the client would outline the concern that brought me
there; it could have been an exposed peoplesoft application or a
webserver that handles credit card info or to verify newly deployed
security products are working. My efforts would be directed at proving
or disproving their concerns and note any gaps between coverage and
exposure that could be improved. In my experience it is rare that a
customer just says "have at it; I just want to see if you can get in and
how deep you can go." Rare, although I have had a couple of gigs that
shaped up like that, mostly because the customer had a serious
compromise and they didn't know where to start. In that case I evaluated
the type of business and attempted to remotely determine what would cost
them the most money and cause the largest amount of lost productivity
and targeted it. If your pentester is just running a scanner, you are
getting ripped off.

As far as a universally patched system, I used to have to deal with this
problem a lot. I found that during the policy development if you keep
open services to a minimum it became a lot less of a problem. This is
more of the "block everything except what is explicitly needed" school
of thought. Laptops, in my experience, have been the largest vector of
getting attacks or worms in an environment. If the departments are
properly locked down from each other you may get one department infected
but that is far better than the whole company. This often causes
backlash because several departments need to access resources offered by
other departments. I haven't really run into a case where such services
can't be securely offered while minimizing the exposure of the whole
department.

Just my thoughts though....