Penetration Testing mailing list archives

RE: nessus exceptions


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 9 Aug 2004 11:04:27 -0400 (EDT)

On Fri, 6 Aug 2004, Jerry Shenk wrote:

Isn't that just a bit harsh...on both sides.  It's not unethical for a
company to leave a vulnerability open just to see if a pen-tester finds
it.  I know that some companies that I consult for have had penetration
tests done where things have been missed.  One recent one looked like
they just scanned the common ports (or at least some subset of all of
them) 'cuz they didn't find a web server on an odd port....wasn't really
hiding either.  A few years ago, I knew that another guy had opened up
tftp from the internet but I forgot about it.  I got an alert when the
testing company hit the tftp server...but they never put it in a report
and they never "re-tested".  I've always wondered why that never showed
up.

That's pretty shoddy work, and hopefully the company offering these
"tests" is not getting glowing recommendations from their clients, and
might actually go out of business or hire some folks with a clue.


I do think that if a company were to put a server up with specific
holes, they shouldn't complain if I "waste" time exploiting those
conjured up holes.  A pen-test is normally priced on a time basis so the
pen-tester should be prioritizing exploitation attempts where the most
gain seems likely.  If you make this target too interesting, you may
dilute the value of the pen-test.

Chris:
I'm not sure it's fair either to insist on the pen-tester using certain
tools.  It's really not the tool, it's the guy running the tool...or I
would hope tools.  If they do a test and ONLY run Nessus (or anything
else for that matter), that's not a very good test.  I wouldn't call
it a pen-test either...vulnerability scan seems like a better term.


The key here though remains, if the 'testing' company has folks merely
scanning a system with nessus and/or nmap or a tool or two other than
these, this is not, and I repeat not a pentest, it is a simple vuln scan,
and the most simple and basic of vuln scans, unless they are actually
working in conjunction with the sysadmins of the systems in question to
coordinate and define their discoveries; such as checking system
configurations and such against the canned reports of the scanner(s).
Calling these mere vuln scans a pentest in any fashion is a disservice to
the pentesting side of the security industry and should make many stand up
and take notice of the snake-oil being peddled by these charlatans.

Nessus and a few of its canned sploits being loosed upon a set of servers
or a network is not a pentest, and marketing it as thus is really base.


Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

