Penetration Testing mailing list archives

Re: Pen Testing


From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Tue, 21 Oct 2008 08:48:22 -0400

Hi Patrick,
        Let me make a few suggestions on list regarding penetration testing
and the businesses that offer those services. The first suggestion is
that you understand what the terminology means, because a lot of the
providers don't.  A Vulnerability Assessment is a service that is
designed to identify security flaws in technologies in a non-intrusive
manner. Vulnerability Assessments do not make any attempt to
compromise targets and as a result can contain false positives and
false negatives.  A good vulnerability assessment will not be driven
by automated scanners, but will be driven by human expertise.
Automated scanners are not accurate, period.

        Penetration Tests contain many of the same tests as vulnerability
assessments, only penetration tests actually attempt to compromise the
target by exploiting an identified vulnerability. Penetration Tests
and Vulnerability Assessments are not interchangeable terms! Any
vendor that swaps these terms is using them incorrectly. If you catch
one that does, find a different/better vendor.

        There are different degrees of Penetration Tests and Vulnerability
Assessments. The degrees vary based on intensity and methodology. The
general purpose of these services is to protect you (the customer)
from real-world internet-based threats (malicious hackers). As such,
the services should at the very least reproduce the same or similar
level of threat as your business will likely face in the real world.
Testing at a lesser level will do little to protect you against the
threat.  It is not always easy to test at that threat level,
especially if the threat includes physical capabilities, but in my
opinion it is a good practice.

        If someone is asking you for your passwords during a penetration test
then find a different vendor because they already have their
terminology confused. The purpose of a penetration test (see above) is
different from the purpose of a security review/audit/etc. If someone
is going to be delivering a different service than a penetration test
then they might need passwords and access to systems, but if they call
*that* a penetration test then tuck and run because you're not getting
one.
        
        When you are looking for someone to deliver Penetration Testing,
Vulnerability Assessments or other similar professional services, use
someone that specializes in those services only. Do not use IT Shops
that offer security services because you will not get quality services
in most cases. Remember, you want to test your network using the same
level of testing as you might face by the threat in the real world.

        Red flags are poor use of terminology, weak or "proprietary"
methodologies, companies that do not perform and deliver vulnerability
research and development (proof of talent), companies that offer
prices that are too low, companies that rely on automated scanners and
technologies for service delivery, companies that claim that the "low
and slow" approach is "stealth", etc. Well, those are red flags if
you're not looking for a quick scan to get a check in the box. If that
is what you are looking for, then you can use just about any provider.
The question is, are you trying to defend against malicious hackers or
the auditors?
        
On Oct 20, 2008, at 11:33 AM, Patrick Fitzgerald wrote:

Does anyone know of a pen testing company named Sklar Technology
Partners, whether it be positive or negative? What should we be
looking for in a security company? Is it common that a security
company would need rights such as domain admin rights to perform an
audit on the network? Any resources that you could suggest would be
helpful.

Thank you.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------


Adriel T. Desautels
ad_lists () netragard com



