Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Micheal Cottingham <techie.micheal () gmail com>
Date: Sat, 18 Apr 2009 15:14:07 -0400
Hi Elizabeth,

I'm going to have to respectfully disagree with Jeffrey on some of the points. As someone who has done penetration testing, security audits, etc., done right, penetration testing can tell you a lot that you couldn't otherwise get. While I absolutely agree that network/sysadmins should run nmap, MBSA, Nessus, etc. on their network, that only tells part of the story.

For example, will Nessus tell you that the SQL injection it found will lead to code execution on the server that the database server runs on? Probably not. You would have to go and verify that yourself. Will MBSA tell you that your employees can be bribed with chocolate to give up passwords? (http://news.bbc.co.uk/2/hi/technology/3639679.stm) No, that's something that has to be verified. Will nmap tell you that you have a physical security problem and someone can bypass alarms to get in and plant monitoring devices? Again, that's something that has to be verified. Will Shavlik tell you that someone misconfigured the NAS, put firewall, switch, and router configs on it, and someone has been stealing the configs? The point I am making here is that while these tools have a purpose and administrators absolutely need to make use of them, they only tell part of the story.

Also, I have to disagree on the penetration tests causing trouble because people weren't notified. Done right and responsibly, those who need to know about the testing will be notified. Part of the point of testing is that those who are monitoring the servers/network need to be "out of the loop" so when they see malicious activity, they can respond to it as they would for any other incident. If, for example, they know I'm coming, chances are pretty good that they will react differently than if they did not know I was coming. As an auditor/pen tester, I don't want that. I want to know that if I do something, the people I'm trying to help will have the ability through their network monitoring to respond to incidents. So when it is the real thing, they know what to do and do it quickly and accurately.

Congratulations on your Master's, by the way. :)