Re: Pen Testing

["Patrick Fitzgerald" <servicepointtest () gmail com>]

Thank you to everyone for the insight. It's a long story on this
company coming in, and it was not one that we selected from the IT
Dept, more like a friend of a friend doing a favor. They've said
they'll be using GFI Languard, which explains the admin rights on the
domain. I tested the package and did not care for it as the results
from the scans I did were completely inaccurate stating services were
running on machines that actually did not have them installed. At this
point it does not appear they'll be testing externally.

On Wed, Oct 22, 2008 at 8:06 AM, Kartikeya Puri
<puri.kartikeya () gmail com> wrote:
> Well looking around on their site does not give a good impression, that is
> assuming that http://www.sklartechnology.com/consulting_team.html is their
> site. Skillsets they have listed their does not seem like skillsets for a
> "pen testing company". If all you are looking for is a report from nessus
> and other automated tool then may be yes... but in my experience such
> companies rarely add any value.. but i may be wrong...
>
> A security company looking for domain admin is quite comman as it enables
> them to check windows environment for Patches, configurations etc... but it
> will not help in following cases:
>  Databases:- MSSql may give some info and posibally allow them to logon with
> domain admin if it is configured so. Oracle, DB2, Sybase etc will not be
> assessed with domain admin.
>
> Application servers: Apache/Tomcat, Websphere etc will not be assessed.
>
> Applications running on these servers will not be assessed.
>
> Network devices will not be assessed.
>
> List can go on....
>
> We used to ask our clients for domain admin for the last part of the audit
> after we already had assessed everything else as a normal user or outsider.
> After getting the admin we used to just run a MBSA/Nessus to provide patch
> level/shares etc.
>
> Hope I was helpful...
>
> Cheers,
> K
>
>
> On Mon, Oct 20, 2008 at 7:33 PM, Patrick Fitzgerald
> <servicepointtest () gmail com> wrote:
> > Does anyone know of a pen testing company named Sklar Technology
> > Partners, whether it be positive or negative? What should we be
> > looking for in a security company? Is it common that a security
> > company would need rights such as domain admin rights to perform an
> > audit on the network? Any resources that you could suggest would be
> > helpful.
> >
> > Thank you.
> >
> > ------------------------------------------------------------------------
> > This list is sponsored by: Cenzic
> >
> > Security Trends Report from Cenzic
> > Stay Ahead of the Hacker Curve!
> > Get the latest Q2 2008 Trends Report now
> >
> > www.cenzic.com/landing/trends-report
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------