Penetration Testing mailing list archives
RE: Pen Test vs. Health Check
From: "Yvan Boily" <yboily () seccuris com>
Date: Mon, 26 Jan 2004 10:31:10 -0600
I agree with the idea that an internal assessment is far more effective than an external assessment; pen-tests are only as good as the talent of the people attacking the network, whereas a vulnerability assessment which involves working with the staff who designed the network to identify issues that exist and potential issues as the network expands provides a much better perspective.

The issue is not convincing others in the field though; it is primarily the staff involved on the client end that this issue occurs. The sources of most difficulties in this area are:

1. Managers who have only experienced information security issues from watching Hackers or Swordfish (I actually had one manager who thought that Swordfish was technically accurate because RSA had consulted during the movie. :P)

2. IT staff who believe their work is above reproach. This is the single largest issue; I have encountered this during penetration tests where the networking staff insist that we should not even be provided their IP Address range, and application designers who believe that because they are using an application framework their code is solid. One of the other issues that is related to this, and I hate raising it because it seems arrogant, but the concern is incompetence. When I walk into an office where IT guys are expecting to be audited, one guy tells another the common root password they use for their systems in front of me, I question the overall competence of the team.

3. Fear of Blame: this happens when the client is aware of how serious the issue is, and is frightened by the outcome because no one wants to bite the bullet and take responsibility or ownership for this issue. One of the most recent projects I worked on was like this. Nothing says fear quite so well as the client requesting permission to sanitize and approve the report before it hits upper management.

Unfortunately trying to deal with this issue is like running into a brick wall; you are dealing with people who need a glowing report because they fear for their jobs and livelihoods, at the same time you encounter security issues that make you wonder how it is that such a high profile company hasn't been owned 10 times over.

The best analogy that I can make for this follows: If you go to a doctor because all of a sudden you have horrible rashes appearing you don't sit there silent and make the doctor guess why you are there; you tell the doctor what you know and experienced, and how you live your lifestyle so that the doctor can figure out what is wrong before it kills you.

Yvan Boily
Seccuris

-----Original Message-----
From: Andy Cuff [mailto:lists () securitywizardry com]
Sent: Sunday, January 25, 2004 9:39 AM
To: pen-test () securityfocus com
Subject: Pen Test vs. Health Check

Hi Folks,

Last week Mark Teicher brought up a valid point regarding ethical hacking not solving the underlying issue of an insecure network. Addressing the symptom rather than the cause. I personally don't like the term ethical hacking when referring to a Pen Test, however as you probably noticed think, the term will remain where training is concerned that introduces the student to the techniques and methodology used by a hacker. I do not think that an ethical hacking course will make a security tester. OK, no more about training, honest!

A Pen Test is only as good as the testers and is only a snapshot. However, a network that has been secured from the inside out, with a solid secure foundation should stand the test of time, even if it is compromised the attacker may not be able to roam freely and all their actions should be recorded.

IMHO a more efficient and thorough method to conduct a security test is the holistic approach, where the tester looks inside the network first from a privileged account, identifying problems and offering solutions, if need be, he/she can then attempt to exploit said vulnerabilities as a demonstration to the client. This method greatly cuts down on the time taken to "scope the joint" externally.

Firstly, what are the members' thoughts on the above, and what are the downsides in what I have said. Also, does anyone have any good analogies to vindicate the holistic approach over the Pen Test?

-andy
Talisker Security Tools Directory
http://www.securitywizardry.com