Penetration Testing mailing list archives
[PEN-TEST] Please educate the client....
From: INOM <inom () OZEMAIL COM AU>
Date: Thu, 14 Sep 2000 07:48:43 +1000
Hack0r in a Suit:

I have over the past few months had the opportunity to be wheeled, with my leash, out to speak to several clients. As a pen tester it seems that I also make a good salesman. This is not because I am silver tongued but rather because I try to educate and inform the customer as to the real implications of being penetrated from internal or external sources. I tend to try and explain the ins and outs in a way that the accountants can understand. I steer clear of jargon like overflows and port scans. I save those for later meetings with the sys admins.

Look Mum, no hands:

So what is my point? Well, I was going through the bugtraq attack and penetration list along with my morning coffee and decided to follow a posted link. Well, the link turned out to be yet another vulnerability tester. Put in your IP and your security problems are solved forever. OK, I know that it's not quite like that, but do the customers?

The Kitchen Sink:

A couple of days ago I was at a client's site and had the chance to look over and discuss a proposal from another company. This company, according to their proposal, were about to throw everything (including the kitchen sink) at the client. The list was endless: Cybercop, ISS, Nexus, Omniguard, Nmap, Satan, Natas. But not even once did the company mention how they were going to use the information collected from these programs, except to say the deliverable would be a high level report based on findings from the attack and penetration test.

Mum, the computer has taken over the microwave again:

After having read the report and explaining the concept of "HACK IN A CAN AnP's" to the customer, I was just a little concerned and worried. Are we the old fashioned "Grey Mattered Computer" destined to be side-lined by our "Point and Click" competitors? Well, after a few minutes of thinking, I failed to recall a single account of a computer breaking into another computer of its own accord.

Then I thought of the security software developers that spend thousands of hours compiling code for an impenetrable firewall, only to have a spotty faced 16 year old walk through it, armed with only a $300 computer, a can of Coke, and 2 packets of Oreos. Let's see the above list of scanners do that....

Moth balls should be used with discretion:

Like moth balls, security scanners should be used as part, but not all, of the answer. Let's face it, you still need to haul all of your old suits out of the closet for a real look and a bit of fresh air sometimes. Most of the people I have come in contact with have said they only pay about +/- 20% relevance to what the scanners have to say. They are a great guide and time saver, but will they know to look for test boxes, new exploits, the modem the guy on the 4th floor put in without the IT department knowing so he can work from home, or how to social engineer information out of people?

<end rant>

In closing my rant, if you come across these "Point and Click Hack0rs", please remind them of the damage they do to real security. Also remind them that 2 minutes after the box they just audited and reported on is hacked, they will have a very unhappy customer on their hands. Do they then want to believe that their trusty scanner was correctly configured on the day and that they had the vulnerability database correctly updated before the scan?

To paraphrase a common quote: "Computers don't break into computers, people DO", and another one: "Computers don't make mistakes, they just perfectly execute yours".

Please educate the client.... </end rant>

INOM [s0d.org]
Current thread:
- [PEN-TEST] Please educate the client.... INOM (Sep 13)
- <Possible follow-ups>
- Re: [PEN-TEST] Please educate the client.... Dude, Bacano (Sep 14)