Penetration Testing mailing list archives
RE: Ethical hacker article published
From: "Clement Dupuis" <cdupuis () cccure org>
Date: Sat, 24 Feb 2007 08:28:59 -0500
Good day Craig and all,

Writing about everything you have mentioned below would become a large document with great information in it. This would probably translate to what the OSSTMM (http://www.isecom.org) is today. It clearly talks about the jargon used in today's security field and behooves the tester to perform the risk assessment you mentioned while taking into consideration the context, the policies, other areas at risk, and the protection mechanisms that are in place.

Obviously no magazine or publisher will allow you to publish the OSSTMM within their trade pub. They prefer short articles with bold statements that attract the reader.

It seems that not only within security testing but also within the security profession at large there is a struggle with terms and their definitions. People see risks, vulnerabilities, exploits, and exposures as the same, which is not the case. We need to get a better grasp on our lexicon.

I love vulnerability scanners that trigger a HIGH level vulnerability because a port is shown open. A good example would be port 21 being open. The scanner will flag it as high risk; is it? Probably not, and you cannot tell simply by looking at the scanner results. You have to go one step further and look at the policies in place, the software used, its configuration, the way it is administered, what is being disturbed, etc... etc...

It would have been great to see coverage of the different types of tests that could be done within the article. More companies today will perform white box tests, where they get a lot more benefit from the money spent. As you have mentioned, it is doubtful that one will have all of the details and fully understand the target by only gathering information from the public side. You can only claim that potential vulnerabilities could exist, unless penetration is allowed, in which case you could prove that exploitation is possible as well.

Craig, I just wanted to say it is a great post that you did below. Maybe you should write a series of articles about it.

Take care

Clement
cdupuis () cccure org
http://www.professionalsecuritytesters.org

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Craig Wright
Sent: Thursday, February 22, 2007 5:26 PM
To: pen-test () securityfocus com
Cc: Steve Fletcher
Subject: RE: Ethical hacker article published

Hello,

Unfortunately, there is no peer review process associated with industry magazines. In the case of this one I note that you are the editor, which also makes review less likely. However, there are some points in the article I would like to point out.

To start with, the terminology that you have grouped together (ethical hacking, penetration testing, intrusion testing and red teaming) all refers to different things. It may be true that there are overlaps between each of these, but they're not the same. This is a common misconception and one that I will hopefully address here. Common mistakes in nomenclature, even when made by many people, do not make them correct.

Of most important note is the fallacy you hold that ethical attackers are actually testing system security. This is not correct. In fact it is being constantly shown (references available on request) that ethical attacks do far less to categorically qualify security risks than many other forms of testing. They do not, for instance, take note of internal controls. In fact, many potential vulnerabilities cannot be discovered in a penetration test by the nature of the testing.

Next it needs to be remembered that there is an economic cost associated with penetration testing. The ethical attacker is constrained by a budget of time and thus money. Blind testing by its very nature will take longer than auditing a site with knowledge. The review undertaken by the ethical attacker is thus hobbled from the start. It is infeasible to state that the contractor will have more knowledge at the end of a review if it is done as an ethical attack with limited knowledge than after a systems review with full information.

Red teaming has been used by both government and business for many decades in a variety of areas, including physical and logical based testing. At its simplest it's a peer review concept. Another way to look at it is as a method of assessing vulnerabilities. In cases where red teaming refers to the provision of adversarial perspectives, the design of the red team is not hampered in the manner that ethical attacks are. There is little correlation between a red team exercise and an ethical attack in any sense of the word. The formation of red cells is a situation unlikely to occur in any ethical attack. Further, internal intelligence is unlikely to be gathered as part of an ethical attack. In this instance it is more likely that the ethical attack will consist of beating away at the Internet gateway. A red team engagement is wider in scope; areas including internal subversion and associated control checks cannot be ignored in this type of test. It is unlikely that they would even cross the mind of the ethical attacker.

Next, a vulnerability assessment and an ethical attack differ significantly. Vulnerability assessments are part of a complete risk analysis program. Ethical attacks do not in themselves form part of this measure and process, although they may be used as a single phase within one of these processes. Vulnerability assessments involve the cataloguing of assets and capabilities. The lack of internal knowledge provided in the typical ethical attack process precludes this phase. Next, vulnerability assessments work on the basis of assigning value to the asset that is being attested by this process. This is a quantifiable value which is determined through this process. Subsequently, vulnerabilities, and potentially threats to these resources, are determined. This process is not limited to external attacks. It needs to take into account not only external attacks and even internal attacks, but necessarily must also consider physical threats and many other tests outside the reach of the ethical attack. The lack of foreknowledge as to the qualification of value associated with any particular asset negates the possible assessment of a vulnerability status by an ethical attack process.

Further, although it is commonly called a vulnerability, an unpatched system or "hole" does not in itself make a vulnerability. What the ethical attacker is noting is a potential vulnerability. Other information needs to be associated with this potential vulnerability before it may be classified as a vulnerability. There is a great difference between a potential vulnerability and a vulnerability. Before this determination can be made it is necessary to understand the system being tested. The limited knowledge provided in blind testing or other black box test processes is seldom adequate to provide this information. Although the ethical attacker or even penetration tester may stumble across a vulnerability with serious consequences, it is rarely likely that they will be able to determine this without additional internal information.

Although many people do not seem to realise the difference between these types of processes, ethical attacks are not vulnerability assessments, nor are they red teaming exercises. Hence the value in peer reviews before publishing.

Regards,
Craig S Wright

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Steve Fletcher
Sent: Wednesday, 21 February 2007 1:18 PM
To: pen-test () securityfocus com
Subject: Ethical hacker article published

For anyone who is interested, my recent article on ethical hackers has been published. You can find it at http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=2652&zoneid=225 or in the March issue of Certification Magazine.

Thanks again to everyone who provided helpful information. Unfortunately, they edited out the sentence giving credit to those who provided information. :(

If anyone has any feedback (good or bad), please let me know for future articles.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, Security+
Email: safletcher () insightbb com
Web: http://safletcher.home.insightbb.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.