Penetration Testing mailing list archives

RE: Penetration test report - your comments please?


From: Steve Skoronski <skoronski () ctidata com>
Date: Wed, 30 May 2001 18:14:29 -0400


Some very good comments here. To build on Curt's points, I agree that there
is much value in performing an external penetration test, but the tester can
add much more to the service by observing things in the organization. It is
one of the best ways to test not only things like IDS mechanisms and
firewalls, but the personnel as well. Systems are only as good as the people
running them.

This divides pen tests into a few shades, from black to white. Black hat
testing means that only a few key people inside know it's happening. This
has the element of real-world testing. White hat means everyone knows
the attack is in progress. This can sometimes hinder testing, as staff will
attempt to raise security for the test, and in some cases I've been involved
with, full counterstrikes are initiated.

What approach do most people here take? Generally, because the client will
depend on you to organize the testing, the choice is *usually* yours. What
do you think is the best method?


Steve


-----Original Message-----
From: simonis [mailto:simonis () myself com]
Sent: Wednesday, May 30, 2001 7:53 AM
To: Curt Wilson
Cc: pen-test () securityfocus com
Subject: Re: Penetration test report - your comments please?


Curt Wilson wrote:


> The www.<sitename.com> system is currently running at <ISP> and does not
> have any type of firewall or other access control mechanism in place that I
> am aware of. Therefore, this audit is only reflective of the current state
> of the system. Network and host remote vulnerability conditions were tested
> for, with the exclusion of Denial of Service (DOS) and brute-force attacks.
> I was unable to penetrate into the operating system or database within the
> allotted time, therefore it is likely that <sitename.com> is fairly secure
> from all but the most determined attackers or those with pre-existing
> access.

I wouldn't feel comfortable making this claim based on 3 hours of
testing, especially given the unusual constraints.  Were I an attacker
I would try social engineering, and I would also try a brute-force attack
against the database.  Excluding these takes a lot away from the overall
value of a penetration test and really turns it into a simple, cursory
scan.



> Basic recommendations: Disable any unnecessary services and web modules.

I would expand on this.  Since you weren't allowed to do a lot with the
test, you should focus on the report as a place to add value.  Specify
which services are known to be easily exploited, give some examples and
some guidance on protecting services that are indeed necessary.

> Apply all necessary patches on a timely basis.

This could be expanded to not only the application of patches, but also
the necessity of a section in the security policy mandating their 
application.

I'd also be curious as to whether they detected your scans.  A lot of people
seem to be of the mind that a penetration test should only evaluate the
security, or "hardness", of the target hosts and perhaps the effectiveness
of the firewalls.  I also like to include the ability of the IDS systems
to detect my presence, and how the intrusion was handled.  Is there a
written manual for incident response?  If so, were the procedures followed,
and were they effective?  There's so much more benefit to be gained from
a pen-test than just simply "did the host respond to my romance".

Or maybe I just suffer from eternal scope creep  ;-)
