Penetration Testing mailing list archives
Re: Penetration Testing Services
From: Jonathan Leigh <dantevios () gmail com>
Date: Tue, 3 Aug 2010 09:31:22 -0500
I am not a professional penetration tester, but I have done penetration testing for money before. There seems to be a tunnel vision with you thinking a vulnerability scanner is a good security assessment tool, so I feel inclined to help enlighten you to the benefits that an external penetration tester can bring, as you ask. Also, I do not work for the private sector, so the opinion you are getting from me is genuine. I am not a salesman.

First of all, computer security is not just about your computers. If you go read "The Ware Report" (it's a big unclassified government document that started the basis for security in the United States for computer systems), there are diagrams that show you the proper way to defend a network. It goes over things like how you should have multiple firewalls, one that acts as an egress filter and another that does more in-depth examining of packets. But it also talks about physical security, to the point where it even considers insects, such as termites, a risk of destroying your computer equipment. It also mentions interesting things such as radiation. Did you know keyboards emit radiation when you type on them and keystrokes can be captured from a distance? There are people that have worked on proof of concepts for these things. You can be as detailed or as undetailed as you want about security, but there are a number of risks out there that do not involve software that would surprise you.

I am glad you are skeptical. There are a lot of phony people in the information security industry that will just run nmap and vulnerability scanners, as you say. Good penetration testers, however, will start from the ground up, trying to do physical breaches of your company and doing black box testing of your network. They will social engineer your employees into giving them information. They will trick your employees into installing trojan viruses and possibly cameras and sound recording devices so that they can watch you during the penetration test.

You *think* you know the structure of your network right now, but penetration testers will find ways of getting into your network that you may not know that you could. One example of this may be that one of your departments has plugged a wireless router into your network that you do not know about. This would give a hacker a back door into your network. Pen testers will test to see if your employees do stupid things like write down root passwords of your servers on sticky notes in their offices. They address questions such as: is your proprietary information being transferred securely throughout your internal Ethernet network, or are you using an unencrypted protocol where a hacker can just man in the middle it and steal the credit card information of people you do business with? Do you store sensitive information in proper encrypted formats? There are about a billion other things I could rant to you about all day, but to get off my rant and address your questions:

What are the limitations of Nessus as a vulnerability scanner? There are a few different types of vulnerability scanners on the market. I have used a few of them. The ones I have used are OpenVAS (the open source version of Nessus), Nessus itself, and Nexpose. When you use these products, you will get false positives, false negatives (meaning the vulnerabilities are there but are not detected), and inconsistent results depending on how you tweak the scans. These vulnerability scanners can see only what they are programmed to see. Meaning, if your users are running vulnerable applications on their computers, but for some reason the ports to those applications are closed (or they are not meant to be accessed over the network) when you scan over the network, you will not know they are running vulnerable software. A prime example for you about this is that your finance department may be running an outdated version of Adobe Reader, Adobe Flash, or their web browser. A vulnerability scanner will usually not detect this.

Do you think a hacker is going to bother finding a way to remotely exploit your network? No, they're going to social engineer your departments until they find your finance person, then they are going to start sending them emails with evil PDFs in them (I could tell you about a number of client side attacks that take a lot longer to explain) that will install a rootkit on their computer. Then one day you will wonder why all the money in your company suddenly disappears.

"How do I as a penetration tester portray the importance of external pen tests?" It is critical to have an external penetration tester test your network. It is a full time job to be a penetration tester, and we are a separate job from just being a network administrator for a reason.

As a disclaimer, like I said, I am not a professional penetration tester. There are plenty of good points that could be added to this rant, but I think I have highlighted a few important ones that may help change your perspective.

-- 
Thank you,
Jon Leigh
==========================================================
Email: Dantevios () gmail com
Website: http://www.dantevios.com
Facebook: http://www.facebook.com/dantevios
Twitter: http://www.twitter.com/dantevios
Gtalk: Dantevios () gmail com
ICQ: 577683269
AIM: Dantevios
MSN: Dantevios () hotmail com
Yahoo: Dantevios () yahoo com
Skype User: Dantevios
Skype #: 662-524-3653
==========================================================

On Mon, Aug 2, 2010 at 6:18 AM, cribbar <crib.bar () hotmail co uk> wrote:
Penetration Testing Community,

I am interested in getting an expert response to a discussion that keeps coming up in our company. First off, I have some basic IT/Infrastructure knowledge, but I am most definitely not up to the level of a penetration tester (please bear this in mind with your responses).

Basically, our company has an internal IT Security section, who has recently purchased some of the popular vulnerability assessment software such as Nessus. They are running quarterly scans using Nessus across an IP range and producing a report to senior management on the types of security holes in the network and how they can be fixed (and, more importantly to management, how much it is going to cost to fix). I've spent a couple of hours on the Nessus website looking at the types of "vulnerability" it will catch, and it seems to cover a whole array of topics and security issues. This leads to the inevitable comment from senior management: if we have an IT Security section who are using the most common vulnerability scanning / penetration testing tools, what is the point in investing significant $$$ in buying in a 3rd party to do exactly the same?

I fully appreciate that penetration testing is an area of high skill, that as a 3rd party you provide an independent neutral security review, that it takes years to master the topic, and that once mastered you need to stay up to date with all the current vulnerabilities and exploits, and it is your guys' area of expertise, whereas a security admin is not specific to penetration testing. And let's be honest, anyone can essentially download a user friendly piece of software and click "scan" or whatever and produce a report listing problems. However, in order to be in defence of the pen testing community during such discussions, I have a few questions....

• How do you as penetration testers portray the importance of this independent check to future potential clients? Is this independence really that important?

• What, broadly speaking, do you as professional penetration testers bring in addition to a Nessus scan during the services you provide? If there are categories of security issues/vulnerabilities that you can flag up doing one of your penetration tests that Nessus won't, that would be incredibly useful to know, and I'd love to be able to identify the limitations of Nessus scans, but I am a bit out of my depth to be able to do so.

• I trawled through the archives of this forum and others, and it seems some pen testing companies use the exact same tools such as nmap and Nessus, and in some cases simply pass across a Nessus report for a specific IP range and that's the report they use. This to me sounds a complete rip off, and I can't see the benefit. So where is the added benefit in having an internal security guy run Nessus, and paying a 3rd party pen tester x amount of $$$ to do exactly the same? Why not just stick with the internal guy? Or am I missing something? I really would appreciate real examples of where just running Nessus is simply not enough as it won't catch a, b and c!

I look forward to your comments.

-- 
View this message in context: http://old.nabble.com/Penetration-Testing-Services-tp29324189p29324189.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------
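The scanner blind spot Jon describes above (an unauthenticated network scan only sees services that answer on a port, so outdated client software such as a PDF reader or browser goes unnoticed) can be shown with a small model. This is an added example, not code from the thread; the host, the product names and the minimum "patched" versions are constructed for illustration and are not real advisory data.

```python
# Constructed model of one workstation: what listens on the network versus what
# is installed. Version thresholds below are made up for the example.
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    listening: dict   # port -> (product, version): visible to a network scanner
    installed: dict   # product -> version: visible only with credentials/agent


# Constructed baseline: oldest version considered patched per product.
MIN_VERSION = {
    "OpenSSH": (5, 5),
    "Adobe Reader": (9, 3, 3),
    "Adobe Flash": (10, 1),
    "Firefox": (3, 6, 8),
}


def parse_version(text):
    """'9.3.0' -> (9, 3, 0) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(product, version):
    minimum = MIN_VERSION.get(product)
    return minimum is not None and parse_version(version) < minimum


def network_scan(host):
    """Unauthenticated view: only products answering on a port can be judged."""
    return {prod for _port, (prod, ver) in host.listening.items()
            if is_outdated(prod, ver)}


def credentialed_inventory(host):
    """Authenticated view: every installed product is checked, ports or not."""
    return {prod for prod, ver in host.installed.items() if is_outdated(prod, ver)}


def scan_blind_spots(host):
    """Outdated software a port-only scan would report as 'clean'."""
    return credentialed_inventory(host) - network_scan(host)


# Constructed finance workstation: SSH is the only listener; the client apps
# that open attachments and web pages never expose a port.
FINANCE_PC = Host(
    name="finance-pc",
    listening={22: ("OpenSSH", "5.3")},
    installed={"OpenSSH": "5.3", "Adobe Reader": "9.3.0",
               "Adobe Flash": "10.0", "Firefox": "3.6.8"},
)
```

Running `scan_blind_spots(FINANCE_PC)` returns the two client products the port scan never sees, which is the gap a credentialed scan or a human tester closes.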
Current thread:
- Penetration Testing Services cribbar (Aug 02)
- RE: Penetration Testing Services Sherif Eldeeb (Aug 03)
- Re: Penetration Testing Services Justin Klein Keane (Aug 03)
- Re: Penetration Testing Services k.x86 (Aug 03)
- Re: Penetration Testing Services Robin Wood (Aug 03)
- RE: Penetration Testing Services Jason Hurst (Aug 03)
- Re: Penetration Testing Services Andre Gironda (Aug 03)
- Re: Penetration Testing Services Richard Miles (Aug 16)
- RE: Penetration Testing Services Mathew Sealy (Aug 03)
- Message not available
- Re: Penetration Testing Services Jonathan Leigh (Aug 03)
- RE: Penetration Testing Services Sherif Eldeeb (Aug 03)
- Re: Penetration Testing Services BMF (Aug 03)
- Re: Penetration Testing Services Todd Hughes (Aug 03)
- RE: Penetration Testing Services Hugo V. Garcia R. (Aug 03)
- Re: Penetration Testing Services MAlMozaiyn (Aug 08)
- RE: Penetration Testing Services Khalid Lakdawala (Aug 12)
- Re: Penetration Testing Services cribbar (Aug 12)