Penetration Testing mailing list archives
Fwd: External Pentests Obsolete?
From: "Joel Jose" <joeljose420 () gmail com>
Date: Sat, 11 Aug 2007 07:25:47 +0530
---------- Forwarded message ----------
From: Joel Jose <joeljose420 () gmail com>
Date: Aug 11, 2007 7:24 AM
Subject: Re: External Pentests Obsolete?
To: Yiannis Koukouras <d4rw1n () linuxmail org>

hello there,

please be mindful and thoughtful about what you said. The world is insecure not because there is no security... but because it is not IMPLEMENTED correctly. 90% of all insecurity is due to not following the SECURITY standards. So even if the company has only a few ports open... and if the scenario is exactly like how you described.... then we still have to test for at least, say, if firewall rules are correctly given..... if other ports are cleanly blocked..... if services are rightly patched... if disaster recovery and business mitigation are in place... etc.

see.... Pen-Test is not just a PENETRATION ATTEMPT.... In my team when they get angry.. upset.. when security is high.. when after days of work.. we still aren't able to get root.... I don't lose my cool.... in fact.. I am only happy that the sysadmins are doing well... For me PEN-Test is needed to assure that everything is working.. PEN-TEST is a level of assurance we give to the customer that certifies that their security practices are well in order.....

The Point I am making is...: PEN TEST should be done on a regular basis... it may allow new vulnerabilities to be found.. but MORE IMPORTANTLY it will give an assurance of the level of preparedness of the security team. It will warn us hopefully sooner than the hacker/disaster event about our current security level.. so we get time to correct it..

Remember.. don't think.. you are safe if you have a secure PENTEST report... in a year or even less... we always have the probability to introduce new vulnerabilities.... or some old code may be discovered vulnerable in future time.....

The only constant in the Technology world is the Variable ;)

joel.

On 8/9/07, Yiannis Koukouras <d4rw1n () linuxmail org> wrote:
> Hi all,
>
> Do you think that an external infrastructure pentest is nowadays obsolete? What I want to say is that most of the serious companies nowadays will only have a few servers on their DMZ (web server, mail server, SSL concentrator, terminal server, Citrix) and will only allow access to one or two ports for each of them. The rest of the infrastructure (excluding the internet-facing router and firewall) will be completely inaccessible. Thus, if web application testing is out of scope, there isn't much to test, is there? Only half a dozen services to check for vulnerabilities and misconfiguration, check if mail relay is on, make a password bruteforce attack(?), check that the DNS can't be poisoned and VOILA! You have finished!
>
> Do you think that it is ethical to consult our clients to "buy" an external pentest anymore?
>
> P.S. If I am wrong, PLEASE prove me wrong!
>
> --
> Ioannis Koukouras
> CISSP
> MSc in Computer Systems Security
> BEng in Electronic Engineering
> http://www.linkedin.com/in/ikoukouras
--
As soon as men decide that all means are permitted to fight an evil, then their good becomes indistinguishable from the evil that they set out to destroy.
- Christopher Dawson, The Judgment of Nations
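As an added example (not from either post), here is one way to turn Joel's "are the firewall rules correctly given, are other ports cleanly blocked, are the expected services still up" checks into a repeatable assurance test rather than a one-off penetration attempt: a Python script that compares an intended DMZ exposure baseline against observed scan results and reports drift in both directions. The hosts, ports and scan lines are constructed, written in the style of nmap's grepable (-oG) output, and are not a real scan.

```python
import re

# Constructed baseline of what the DMZ is *supposed* to expose: host -> allowed TCP ports.
# Hosts and ports are hypothetical, modelled on the posts' web/mail/DNS examples.
EXPECTED_EXPOSURE = {
    "203.0.113.10": {80, 443},   # web server
    "203.0.113.20": {25},        # mail server (SMTP only)
    "203.0.113.30": {53},        # authoritative DNS
}

# Constructed scan result in the style of nmap grepable (-oG) lines; not a real scan.
SCAN_OUTPUT = """\
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (997)
Host: 203.0.113.20 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///\tIgnored State: filtered (998)
Host: 203.0.113.30 ()\tPorts: 53/filtered/tcp//domain///\tIgnored State: filtered (999)
"""

HOST_RE = re.compile(r"Host: (\S+) .*?Ports: (.*?)(?:\t|$)")
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp/")


def parse_open_tcp(scan_text):
    """Return host -> set of TCP ports reported as open; other states are ignored."""
    observed = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports_field = m.group(1), m.group(2)
        observed[host] = {int(p) for p, state in PORT_RE.findall(ports_field) if state == "open"}
    return observed


def exposure_drift(expected, observed):
    """Compare intended exposure with what was reachable; return (host, port, reason) tuples.

    Unexpected open ports point at firewall rule or host configuration drift; expected
    services that are not reachable are an availability / disaster-recovery question.
    """
    findings = []
    for host in sorted(set(expected) | set(observed)):
        want, got = expected.get(host, set()), observed.get(host, set())
        for port in sorted(got - want):
            findings.append((host, port, "unexpected open port: firewall rule or host config drift"))
        for port in sorted(want - got):
            findings.append((host, port, "expected service not reachable: check availability / DR"))
    return findings


if __name__ == "__main__":
    for host, port, reason in exposure_drift(EXPECTED_EXPOSURE, parse_open_tcp(SCAN_OUTPUT)):
        print(f"{host}:{port}  {reason}")
```

Run against a fresh baseline and a fresh scan on a schedule, an empty findings list is the "everything is still as intended" assurance the post argues for.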