Penetration Testing mailing list archives

RE: Ethical hacker article published


From: "Craig Wright" <cwright () bdosyd com au>
Date: Fri, 23 Feb 2007 09:25:48 +1100


Hello,
Unfortunately, there is no peer review process associated with industry magazines. In the case of this one I note that 
you are the editor, which also makes review less likely.  However, there are some points in the article I would like to 
point out.

To start with, the terminology that you have grouped together (ethical hacking, penetration testing, intrusion testing 
and red teaming) is all different.  It may be true that there are overlaps between each of these, but they're not the same. 
This is a common misconception and one that I will hopefully address.  Common mistakes in nomenclature, even when 
made by many people, do not make them correct.

Of most importance is the fallacy that you have that ethical attackers are actually testing system security.  This 
is not correct.  In fact it is being constantly shown (references available on request) that ethical attacks do far 
less to categorically qualify security risks than many other forms of testing.  They do not, for instance, take note of 
internal controls.  In fact, many potential vulnerabilities cannot be discovered in a penetration test by the nature of 
the testing.  Next, it needs to be remembered that there is an economic cost associated with penetration testing.  The 
ethical attacker is constrained by a budget of time and thus money.

Blind testing by its very nature will take longer than auditing a site with knowledge.  The review undertaken by the 
ethical attacker is thus hobbled from the start.  It is infeasible to state that the contractor will have more knowledge 
at the end of a review if it is done as an ethical attack with limited knowledge than after a systems review with full 
information.

Red teaming has been used by both government and business for many decades in a variety of areas, including physical and 
logical based testing.  At its simplest it's a peer review concept.  Another way to look at it is as a method of assessing 
vulnerabilities.  In cases where red teaming refers to the provision of adversarial perspectives, the design of the 
red team is not hampered in the manner that ethical attacks are.  There is little correlation between a red team 
exercise and an ethical attack in any sense of the word.

The formation of red cells is a situation unlikely to occur in any ethical attack.  Further, internal intelligence is 
unlikely to be gathered as part of an ethical attack.  In this instance it is more likely that the ethical attack will 
consist of beating away at the Internet gateway.  An engagement to red team is wider in scope; areas including 
internal subversion and associated control checks cannot be ignored in this type of test.  It is unlikely that they 
would even cross the mind of the ethical attacker.

Next, a vulnerability assessment and an ethical attack differ significantly.  Vulnerability assessments are part of a 
complete risk analysis program.  Ethical attacks do not in themselves form part of this measure and process, although 
they may be used as a single phase within one of these processes.

Vulnerability assessments involve the cataloguing of assets and capabilities.  The lack of internal knowledge provided 
in the typical ethical attack process precludes this phase.  Next, vulnerability assessments work on the basis of 
assigning value to the asset that is being attested by this process.  This is a quantifiable value which is determined 
through this process.

Subsequently, vulnerabilities, and potentially threats to these resources, are determined.  This process is not 
limited to external attacks.  It needs to take into account not only external attacks and even internal 
attacks, but must necessarily also consider physical threats and many other tests outside the reach of the ethical 
attack.

The lack of foreknowledge as to the qualification of value associated with any particular asset negates the possible 
assessment of a vulnerability status by an ethical attack process.

Further, although it is commonly called a vulnerability, an unpatched system or "hole" does not in itself make a 
vulnerability.  What the ethical attacker is noting is a potential vulnerability.  Other information needs to be 
associated with this potential vulnerability before it may be classified as a vulnerability.  There is a great difference 
between a potential vulnerability and a vulnerability.  Before this determination can be made it is necessary to 
understand the system being tested.  The limited knowledge provided in blind testing or other black box test processes 
is seldom adequate to provide this information.  Although the ethical attacker or even penetration tester may stumble 
across a vulnerability with serious consequences, it is rarely likely that they will be able to determine this without 
additional internal information.

Although many people do not seem to realise the difference between these types of processes, ethical attacks are not 
vulnerability assessments, nor are they red teaming exercises.

Hence the value in peer reviews before publishing.

Regards,
Craig S Wright


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Fletcher
Sent: Wednesday, 21 February 2007 1:18 PM
To: pen-test () securityfocus com
Subject: Ethical hacker article published

For anyone who is interested, my recent article on ethical hackers has been
published.  You can find it at
http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=2652&zoneid=225
or in the March issue of Certification Magazine.

Thanks again to everyone who provided helpful information.  Unfortunately,
they edited out the sentence giving credit to those who provided information.
:(

If anyone has any feedback (good or bad), please let me know for future
articles.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, Security+
Email:  safletcher () insightbb com
Web:  http://safletcher.home.insightbb.com
 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within 
those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you 
must not use or disclose the information. If you have received this email in error, please inform us promptly by reply 
email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 

Any views expressed in this message are those of the individual sender. You may not rely on this message as advice 
unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by 
a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, 
interception, corruption or unauthorised access.
