Firewall Wizards mailing list archives

Re: penetration testing via shrinkware


From: Arve Kjoelen <Arve.Kjoelen () ey com>
Date: Tue, 8 Sep 1998 0:05:35 -0500

One of the reasons clients elect a penetration test instead of (or in addition 
to) an internal review of their networks and hosts is the opportunity to also 
evaluate 'readiness' or 'education and awareness'.  In other words:  Did 
anyone at the client site have a clue that you broke in or attempted to break 
in? 

Shrink-wrapped software seems to be exceedingly noisy.  If one of the goals is 
to evaluate readiness, shrink-wrapped software will make almost any client 
look good, since the noise made is sure to set off alarm bells in many IT 
shops.

I don't think shrink-wrapped scanners are a nice 'first step'.  Beginning with 
an ISS scan is a sure way to set off alarm bells and have all packets from 
your IP address (range) be silently dropped at their exterior router.  Now how 
are you going to get in?

Rather than a 'first step', a shrink-wrapped scanner would seem to fit better as 
a nice 'last step' for the following purposes:
- To attempt to ring all possible alarm bells just to verify that _someone_
  at the site is looking through logs.
- In cases where manual/semi-automated penetration was unsuccessful, the
  results of a shrink-wrapped scan can still raise some eyebrows at the client -
  hosts that aren't supposed to be reachable from the Internet might show up, as
  might vulnerabilities you just don't have the time or budget to exploit
  (making that buffer overflow work on AIX4.3 just might take too long, even if
  you don't have to learn RS/6000 assembly).

-Arve.


