Penetration Testing mailing list archives

Re: Need Some Guidance Please


From: Micheal Cottingham <techie.micheal () gmail com>
Date: Sat, 18 Apr 2009 15:14:07 -0400

Hi Elizabeth,

I'm going to have to respectfully disagree with Jeffrey on some of the
points. As someone who has done penetration testing, security audits,
etc., I can say that, done right, penetration testing can tell you a
lot that you couldn't otherwise get. While I absolutely agree that
network/sysadmins should run nmap, MBSA, Nessus, etc. on their
network, that only tells part of the story.

For example, will Nessus tell you that the SQL injection it found will
lead to code execution on the server that the database server runs on?
Probably not. You would have to go and verify that yourself. Will MBSA
tell you that your employees can be bribed with chocolate to give up
passwords? (http://news.bbc.co.uk/2/hi/technology/3639679.stm) No,
that's something that has to be verified. Will nmap tell you that you
have a physical security problem and someone can bypass alarms to get
in and plant monitoring devices? Again, that's something that has to
be verified. Will Shavlik tell you that someone misconfigured the NAS,
put firewall, switch, and router configs on it, and someone has been
stealing the configs? The point I am making here is that while these
tools have a purpose and administrators absolutely need to make use of
them, they only tell part of the story.

Also, I have to disagree on the penetration tests causing trouble
because people weren't notified. Done right and responsibly, those who
need to know about the testing will be notified. Part of the
point of testing is that those who are monitoring the servers/network
need to be "out of the loop" so when they see malicious activity, they
can respond to it as they would for any other incident. If for example
they know I'm coming, chances are pretty good that they will react
differently than if they did not know I was coming. As an auditor/pen
tester, I don't want that. I want to know that if I do something, the
people I'm trying to help will have the ability through their network
monitoring to respond to incidents. So when it is the real thing, they
know what to do and do it quickly and accurately.

Congratulations on your Master's, by the way. :)
