Penetration Testing mailing list archives

Re: Penetration test report - your comments please?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 30 May 2001 13:29:46 -0400 (EDT)
On Wed, 30 May 2001, simonis wrote:

> Curt Wilson wrote:
>
> > The www.<sitename.com> system is currently running at <ISP> and does not
> > have any type of firewall or other access control mechanism in place that I
> > am aware of. Therefore, this audit is only reflective of the current state
> > of the system. Network and host remote vulnerability conditions were tested
> > for, with the exclusion of Denial of Service (DOS) and brute-force attacks.
> > I was unable to penetrate into the operating system or database within the
> > allotted time, therefore it is likely that <sitename.com> is fairly secure
> > from all but the most determined attackers or those with pre-existing access.
>
> I wouldn't feel comfortable making this claim based on 3 hours of
> testing, especially given the unusual constraints.  Were I an attacker
> I would try social engineering, and I would also try a bruteforce attack
> against the database.  Excluding these takes a lot away from the overall
> value of a penetration test and really turns it into a simple, cursory
> scan.



> > Basic recommendations: Disable any unnecessary services and web modules.
>
> I would expand on this.  Since you weren't allowed to do a lot with the
> test, you should focus on the report as a place to add value.  Specify
> which services are known to be easily exploited, give some examples and
> some guidance on protecting services that are indeed necessary.


I think he did expand upon this as much as he could with the limited
access and time he had to the system<s> in question, though, it was lower
down in the analysis.  Yet, though there was mention of DOS attempts in
the beginning of the paper, I saw nothing that hinted it was really
attempted nor results of such attempts.


> > Apply all necessary patches on a timely basis.
>
> This could be expanded to not only the application of patches, but also
> the necessity of a section in the security policy mandating their
> application.
>
> I'd also be curious as to if they detected your scans.  A lot of people
> seem to be in the mind that a penetration test should only evaluate the
> security, or "hardness" of the target hosts and perhaps the effectiveness
> of the firewalls.  I also like to include the ability of the IDS systems
> to detect my presence, and how the intrusion was handled.  Is there a
> written manual for incident response?  If so, were the procedures followed,
> and were they effective?  There's so much more benefit to be gained from
> a pen-test than just simply "did the host respond to my romance".


Good point, this is something that should have had their sensors going and
the tech folks running about attempting to understand what was happening,
unless of course, as with many sites the sensors sit behind the FW on the
LAN, and assuming it was working as it should <the fw> nothing passed its
policies and nothing was seen.  So, I have to admit here to refining my
idea<s|l> on the placement of IDS systems.  It has been my wish to have
sensors placed behind, rather than in front of the fw to eliminate false
positives and techs going through heart arrest hour upon hour per day.
But, one cannot ignore exposed systems, although I see those 'exposed'
systems most often, or like to see those 'exposed' systems behind a fw or
packet filter at the least, and would certainly place IDS sensors behind
those fw's or filtering devices.


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
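The sensor-placement question Ron raises above (a sensor behind the firewall sees only what the policy let through, so a scan against filtered ports never reaches it) can be shown with a small model. The following is an added example and not code from the thread or from any of its participants; the event list, the two-port firewall policy, and the scan threshold are all constructed for illustration. It runs the same simple port-scan detector over the traffic an outside sensor would record and over the subset an inside sensor would record, and reports which placement flags the scanning source.

```python
from collections import defaultdict

# Constructed sample of connection attempts against one web host, as a
# sensor placed in front of the firewall would record them.
# Tuple layout: (timestamp in seconds, source address, destination port)
OUTSIDE_EVENTS = [
    (0, "203.0.113.5", 21),
    (1, "203.0.113.5", 22),
    (1, "203.0.113.5", 23),
    (2, "203.0.113.5", 25),
    (2, "203.0.113.5", 80),
    (3, "203.0.113.5", 110),
    (3, "203.0.113.5", 143),
    (4, "203.0.113.5", 443),
    (4, "203.0.113.5", 3306),
    (5, "203.0.113.5", 8080),
    (10, "198.51.100.7", 80),   # ordinary visitor, web ports only
    (11, "198.51.100.7", 443),
    (12, "198.51.100.7", 80),
]

# Hypothetical firewall policy: only the web ports pass to the LAN.
ALLOWED_PORTS = {80, 443}


def apply_firewall(events, allowed=ALLOWED_PORTS):
    """Return only the events a sensor behind the firewall would see."""
    return [e for e in events if e[2] in allowed]


def detect_port_scans(events, window=10, threshold=5):
    """Flag every source that touches at least `threshold` distinct
    destination ports within any `window`-second span.  Returns the
    flagged source addresses, sorted."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    offenders = set()
    for src, hits in by_src.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            # distinct ports seen from this hit forward, inside the window
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= threshold:
                offenders.add(src)
                break
    return sorted(offenders)


def compare_placements(events):
    """Run the detector for both sensor placements on the same traffic."""
    return {
        "outside": detect_port_scans(events),
        "inside": detect_port_scans(apply_firewall(events)),
    }


if __name__ == "__main__":
    print(compare_placements(OUTSIDE_EVENTS))
```

The outside placement flags 203.0.113.5 (ten distinct ports in five seconds) while the inside placement flags nobody, because only its probes to 80 and 443 survived the policy. That is exactly the trade-off in the message: the inside sensor is quiet and low on false positives, but a test that only scans filtered ports will never show up in its logs, so "did they detect the scan" depends on where the sensor sits, not only on whether the IDS works.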

