Penetration Testing mailing list archives

Re: Why Penetration Test?


From: Gareth Davies <gareth.davies () mynetsec com>
Date: Tue, 14 Jun 2005 15:32:50 +0800

Tarun The Nut wrote:

when i mentioned vulnerabilities that are exploitable, i meant not
only being able to "exploit" the vulnerability but also map all the
possible paths of attack.

Also by plugging a vulnerability does not necessarily means "patching"
but taking all possible steps (patches/tools/processes blah blah) that
can help mitigating a possible exploit of the vulnerability.

Yes, that's correct: the 'onion' approach. Any vulnerability discovered must be mitigated against, including any vector which renders the vulnerability exploitable. It's something like risk assessment and business impact analysis; 'pen-test' itself tends to just conjure images of technical testing, 'ethical hacking' or whatever you want to call it.

The VA part would identify the vulnerability, the risks associated and the impact to the business, this can then lead to how to fix the problem, mitigate the risk and if the expenditure required to do this is worth it. Sometimes not only a patch will do it, but that's all that's affordable, and will mitigate the vulnerability to an acceptable level of risk.

The question still remains: Pen Test will always depend on the skill
set of the company/individual contracted to do Pen Test and results
will vary from person to person (or company to company).

That's a given, for any kind of consultancy: results/methodology/expertise varies from company to company and even consultant to consultant. But they are all trying to achieve the same end result.

A parallel example is Business Continuity Planning. There are guidelines given by the BCI and the DRII, but there are no set standards for, say, Business Impact Analysis, so exact results and method differ from company to company as they all use proprietary methods, but the end results will generally be the same, and the objective is definitely the same.

Thanks to Pete Herzog for bringing it out. It skipped my mind to
include that in my previous mails.

Is it not feasible to assume that the real attacker will be able to
exploit the vulnerability using any one of the numerous attack paths
and go about ensuring the vulnerability is "plugged" based on the
phased approach described in one of my mails earlier?

Yes this is reasonable to assume. But your method is very complete, the problem is most companies are not willing to spend enough to engage quality consultants for the time span it would take to complete the project in this manner. Things like this are usually done on a best effort basis.

My approach is generally:

1) Do a technical VA on the segments/servers outlined within the scope
1a) Do a non-technical RA of the premises (staff awareness, physical security, policy state (do they exist, are they good? are they enforced?)
2) Identify all 'critical' vulnerabilities
3) Report on these vulnerabilities with preventative measures
4) Patching and Mitigation stage where we handhold the client through fixing the machines/reconfiguring securely
5) Re-test to establish risk has been reduced to a level acceptable by the client (it can never be eradicated)
6) Suggest further measures to improve the overall architecture (addition of security devices/policies/staff education etc.)

Something along those lines anyway.

Cheers

--
Gareth Davies

Manager - Security Practice

Network Security Solutions MSC Sdn. Bhd.
Suite E-07-21, Block E, Plaza Mont' Kiara, No. 2 Jalan Kiara,
Mont' Kiara, 50480
Kuala Lumpur, Malaysia
Phone: +603-6203 5303

www.mynetsec.com
