Firewall Wizards mailing list archives

Re: Penetration tests


From: bill () WLK COM (Bill Kennedy)
Date: Fri, 26 Sep 1997 09:00:06 -0500 (CDT)

Firewall-Wizards Digest wrote:

From: Edward Cracknell <edward () securIT net>

I'd really like some input regarding penetration tests. Internal and
External. If you have tools, documentation or a template for considerations
I'd be grateful. This will be part of an overall risk/vulnerability
audit, which I have no problems with.

On www.frus.com there is, in addition to the commercial service offering, some
information that you might find useful.  The statement of work and description
of the service would be a good place to start specifications for what you plan
to do and the results you expect to get.  I'll not feign objectivity but I
will share an opinion regarding using a commercial service and self help.  We
believe that a commercial service is useful for confirming due diligence and to
get a third party assessment of vulnerability.  We also believe that it can
only augment, not replace, self help.  If it's applicable at all, a commercial
service should be only one component of a program to evaluate your defenses.

I agree with Marcus that few folks offering products or services for profit
will eagerly share their intellectual property.  I also agree with Darren that
CERT advisories, BugTraq, etc. are valuable resources for constructing a tool
set.  That's pretty much how we built ours and it's a very mixed bag of things
built on a SATAN base.  I'll slightly disagree with Marcus, speaking only for
my company, that we're increasingly secretive about the toolset.  We don't use
anything, other than a few modifications, that isn't generally available or
fairly well known to the "dark side".  I think we'd be embarrassed to disclose
some of the ghastly hacks and disorganized collection of things, but we'd not
be secretive about it.  Here's why and it's stimulated by Darren's observation.

One size fits none.  Penetration testing, we call it "certification", must be
intimately related to the security policy you seek to enforce.  You should
vigorously stress the services the policy regulates but, more important, you
should also confirm that the services the policy permits do not jeopardize the
intent of what it forbids.  Example: if you're permissive for email you have to
be certain your mail server and software are robust enough to deflect exploits
to defeat other defenses.  That's pretty fundamental but astoundingly often
overlooked.  Further, simple scanning should be only one component of a
complete program for ongoing testing and audit.  Scan results are a snapshot
that can and will change after any adjustments are made to network hardware or
software.  That's another reason a commercial service isn't as useful as the
vendors might claim.  There is an exception to that and it's in the
interpretation of the results.

Network scans are kind of like memory tests.  They reveal the most egregious
flaws but they often don't discover the heart of a problem.  How you interpret
the results determines how you proceed with the assessment.  The scan will
often give you the clues you need to drill deeper and that's where one size
fits none, home made is better than store bought.  I don't think anyone can
offer a software suite that is complete enough to evaluate how well _your_
defenses conform to and enforce _your_ security policy.  A commercial vendor
might be able to do a better job of interpreting a single scan because they
do it every day but they can't do as good a job as you can evaluating the
threats in the context of your security policy.  Why?  The direction of the
greatest risk resides inside your defense perimeter.  The most likely source
of data corruption and compromise has more to do with practice and procedure
than it does with networks or protocols.  That doesn't mean you can afford to
be sloppy at the perimeter, it means that the perimeter is relatively easy to
monitor and control; the bulk of your defensive effort should be auditing the
other controls you have established.  Penetration testing is a small, but
important, fraction of what's needed to be confident of your information
defenses.  Their greatest value is revealing clues and anomalies that point
you to the less obvious vulnerabilities.  The bad guys are picking fly specks
out of the pepper, you have to do it too.

Finally (mercifully) to get the best results from penetration testing you need
a confederate or coconspirator.  It's damned hard to thoroughly wring it all
out unless you can attempt entry.  Recruit a trusted neighbor or vendor to do
it for you.  If it's a neighbor, reciprocate by doing it for them.  Certainly
you should employ all the techniques from within, but the best estimate of your
public face is made from the public side.
-- 
Bill Kennedy bill () WLK COM  | "Man who it is very bad luck to get in a fight
                           |  with because he has devils on his side"
                           |  Comanche name for "Captain Jack", Texas Ranger
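The points above about tying a scan to the security policy you actually enforce, and about scan results being a snapshot that changes after every adjustment, as an added example that is not from the original post or from any tool it mentions: a small Python check that parses two constructed grepable-style scan snapshots, flags exposed services a hypothetical policy does not permit, and reports what opened or closed between the two runs. The policy, hostnames, addresses and scan lines are all assumptions made up for the example.

```python
import re

# Regexes for nmap-style grepable ("Host: ... Ports: ...") lines.
HOST_RE = re.compile(r"^Host:\s+\S+\s+\(([^)]*)\)\s+Ports:\s+(.*)$")
PORT_RE = re.compile(r"(\d+)/open/tcp")

# Hypothetical policy (an assumption): the only TCP services each host may expose.
POLICY = {"mail.example.test": {25, 110}, "www.example.test": {80, 443}}

# Constructed scan snapshots in grepable style; not real scanner output.
SCAN_BEFORE = """\
Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///
Host: 192.0.2.20 (www.example.test)\tPorts: 80/open/tcp//http///, 443/open/tcp//https///
"""
SCAN_AFTER = """\
Host: 192.0.2.10 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, 143/open/tcp//imap///
Host: 192.0.2.20 (www.example.test)\tPorts: 443/open/tcp//https///
Host: 192.0.2.30 (dev.example.test)\tPorts: 23/open/tcp//telnet///
"""

def parse_grepable(text):
    """Map hostname -> set of open TCP ports from grepable-style lines."""
    result = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host, ports = m.groups()
            result[host] = {int(p) for p in PORT_RE.findall(ports)}
    return result

def policy_violations(scan, policy):
    """Exposed services the policy does not permit, and hosts it never mentions."""
    findings = []
    for host, ports in scan.items():
        allowed = policy.get(host)
        if allowed is None:
            findings.append((host, "unknown host exposed"))
            continue
        for port in sorted(ports - allowed):
            findings.append((host, f"port {port} open but not permitted"))
    return findings

def snapshot_drift(before, after):
    """Services that appeared or disappeared between two scan snapshots."""
    drift = {}
    for host in sorted(set(before) | set(after)):
        opened = after.get(host, set()) - before.get(host, set())
        closed = before.get(host, set()) - after.get(host, set())
        if opened or closed:
            drift[host] = {"opened": sorted(opened), "closed": sorted(closed)}
    return drift
```

The drift report is the part worth re-running after every network or software change; the policy check is the part a store-bought suite cannot do for you, because only you know what the policy permits.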
