Penetration Testing mailing list archives

[PEN-TEST] Please educate the client....


From: INOM <inom () OZEMAIL COM AU>
Date: Thu, 14 Sep 2000 07:48:43 +1000

Hack0r in a Suit:
I have over the past few months had the opportunity to be wheeled, with my
leash, out to speak to several clients. As a pen tester it seems that I also
make a good salesman. This is not because I am silver-tongued but rather
because I try to educate and inform the customer as to the real
implications of being penetrated from internal or external sources. I tend
to try and explain the ins and outs in a way that the accountants can
understand. I steer clear of jargon like overflows and port scans. I save
those for later meetings with the sys admins.

Look Mum no hands:
So what is my point? Well, I was going through the bugtraq attack and
penetration list along with my morning coffee and decided to follow a posted
link. Well, the link turned out to be yet another vulnerability tester. Put
in your IP and your security problems are solved forever. OK, I know that
it's not quite like that, but do the customers?

The Kitchen Sink:
A couple of days ago I was at a client's site and had a chance to look
over and discuss a proposal from another company. This company, according to
their proposal, were about to throw everything (including the kitchen sink)
at the client. The list was endless: Cybercop, ISS, Nexus, Omniguard, Nmap,
Satan, Natas. But not even once did the company mention how they were going
to use the information collected from these programs, except to say the
deliverable would be a high-level report based on findings from the attack
and penetration test.


Mum The computer has taken over the Microwave again:
After having read the report and explaining the concept of "HACK IN A CAN
AnP's" to the customer, I was just a little concerned and worried. Are we
the old-fashioned "Grey Mattered Computer" destined to be side-lined by
our "Point and Click" competitors? Well, after a few minutes of thinking, I
failed to recall a single account of a computer breaking into another
computer on its own accord. Then I thought of the security software
developers that spend thousands of hours compiling code for an impenetrable
firewall, only to have a spotty-faced 16 year old walk through it, armed
with only a $300 computer, a can of Coke, and 2 packets of Oreos.
Let's see the above list of scanners do that....


Mothballs should be used with discretion:
Like mothballs, security scanners should be used as part, but not all, of the
answer. Let's face it, you still need to haul all of your old suits out of
the closet for a real look and a bit of fresh air sometimes. Most of the
people I have come in contact with have said they only pay about +/- 20%
relevance to what the scanners have to say. They are a great guide and
time saver, but will they know to look for test boxes, new exploits, the
modem the guy on the 4th floor put in without the IT department knowing so he
can work from home, or how to social engineer information out of people?


<end rant>

In closing my rant, if you come across these "Point and Click Hack0rs",
please remind them of the damage they do to real security. Also remind them
that 2 minutes after the box they just audited and reported on is hacked,
they will have a very unhappy customer on their hands. Do they then want to
believe that their trusty scanner was correctly configured on the day and
that they had the vulnerability database correctly updated before the scan?
To paraphrase a common quote, "Computers don't break into computers, people
DO", and another one, "Computers don't make mistakes, they just perfectly
execute yours".

Please educate the client....

</end rant>

INOM
[s0d.org]

