Penetration Testing mailing list archives
Re: Penetration test report - your comments please?
From: simonis <simonis () myself com>
Date: Wed, 30 May 2001 10:53:11 -0400
Curt Wilson wrote:

> The www.<sitename.com> system is currently running at <ISP> and does not have any type of firewall or other access control mechanism in place that I am aware of. Therefore, this audit is only reflective of the current state of the system. Network and host remote vulnerability conditions were tested for, with the exclusion of Denial of Service (DoS) and brute-force attacks. I was unable to penetrate into the operating system or database within the allotted time; therefore it is likely that <sitename.com> is fairly secure from all but the most determined attackers or those with pre-existing access.

I wouldn't feel comfortable making this claim based on 3 hours of testing, especially given the unusual constraints. Were I an attacker I would try social engineering, and I would also try a brute-force attack against the database. Excluding these takes a lot away from the overall value of a penetration test and really turns it into a simple, cursory scan.

> Basic recommendations: Disable any unnecessary services and web modules.

I would expand on this. Since you weren't allowed to do a lot with the test, you should focus on the report as a place to add value. Specify which services are known to be easily exploited, give some examples and some guidance on protecting services that are indeed necessary.

> Apply all necessary patches on a timely basis.

This could be expanded to not only the application of patches, but also the necessity of a section in the security policy mandating their application. I'd also be curious as to whether they detected your scans. A lot of people seem to be of the mind that a penetration test should only evaluate the security, or "hardness", of the target hosts and perhaps the effectiveness of the firewalls. I also like to include the ability of the IDS systems to detect my presence, and how the intrusion was handled. Is there a written manual for incident response? If so, were the procedures followed, and were they effective? There's so much more benefit to be gained from a pen-test than just simply "did the host respond to my romance". Or maybe I just suffer from eternal scope creep ;-)
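An added example, not part of the message above or of any report in this thread, of the kind of check the reply is asking for: after the engagement, run the target's own logs through a simple port-scan detector to see whether the tester's scans would have been visible at all. The iptables-style log format, the sample lines, the IP addresses and the window/threshold values are all constructed here for illustration; a real IDS such as Snort would apply its own rules, but the sliding-window heuristic is the same idea, and the slow-scanner source in the sample shows the obvious evasion (spreading probes out beyond the detection window).

```python
"""Toy port-scan detector over constructed firewall log lines.

This is an added example, not the detector of any real product.  It counts
distinct destination ports per source address inside a sliding time window
and reports sources that exceed a threshold.  The log format mimics an
iptables LOG line (assumption: only the fields used below are relevant).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one fast scanner, one ordinary web client, one slow
# scanner that spaces its probes two minutes apart, plus an unrelated line.
SAMPLE_LOG = """\
May 30 10:01:01 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=21
May 30 10:01:01 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=22
May 30 10:01:02 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=23
May 30 10:01:02 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=25
May 30 10:01:03 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=53
May 30 10:01:03 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=80
May 30 10:01:04 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=110
May 30 10:01:04 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=111
May 30 10:01:05 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=135
May 30 10:01:05 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=139
May 30 10:01:05 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=143
May 30 10:01:05 web1 kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.10 PROTO=TCP DPT=443
May 30 10:01:30 web1 sshd[4242]: Accepted password for admin from 192.0.2.7 port 51022 ssh2
May 30 10:02:00 web1 kernel: IN=eth0 SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP DPT=80
May 30 10:02:01 web1 kernel: IN=eth0 SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP DPT=443
May 30 10:02:30 web1 kernel: IN=eth0 SRC=192.0.2.7 DST=198.51.100.10 PROTO=TCP DPT=80
May 30 10:05:00 web1 kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=21
May 30 10:07:00 web1 kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=22
May 30 10:09:00 web1 kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=23
May 30 10:11:00 web1 kernel: IN=eth0 SRC=198.51.100.200 DST=198.51.100.10 PROTO=TCP DPT=25
"""

# Timestamp, source address and destination port of an iptables-style line.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>[\d.]+) .*DPT=(?P<dpt>\d+)"
)


def parse_events(log_text):
    """Return {src: [(timestamp, dport), ...]} for lines that match LOG_RE."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall log line (e.g. the sshd entry above)
        # Syslog timestamps carry no year; a constant year is fine for deltas.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events[m.group("src")].append((ts, int(m.group("dpt"))))
    return events


def detect_scans(log_text, window=timedelta(seconds=60), threshold=10):
    """Return {src: max_distinct_ports} for sources that touched at least
    `threshold` distinct destination ports within any `window`-long span."""
    findings = {}
    for src, evs in parse_events(log_text).items():
        evs.sort()
        in_window = defaultdict(int)  # dport -> hits inside the window
        left, best = 0, 0
        for ts, port in evs:
            in_window[port] += 1
            # Slide the left edge forward until the window is narrow enough.
            while ts - evs[left][0] > window:
                old_port = evs[left][1]
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            findings[src] = best
    return findings


if __name__ == "__main__":
    # The fast scanner is caught; the slow one slips under a 60-second window.
    print("60s window:", detect_scans(SAMPLE_LOG))
    # Widening the window and lowering the threshold catches the slow scan too,
    # at the cost of more false positives on busy hosts.
    print("10min window:", detect_scans(SAMPLE_LOG, timedelta(minutes=10), 4))
```

The usage at the bottom shows the trade-off a report should spell out: with a 60-second window only the fast scan is flagged, while the slow scanner is only caught by a wider window and a lower threshold, which on a busy host will also flag ordinary clients. Whether the target's logging even captured lines like these during the engagement is itself a finding worth writing down.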