Re: Penetration Testing Services

[Justin Klein Keane <justin () madirish net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

  the real difference between a physical tester and a piece of software
is that the human can make connections that are impossible to encode in
algorithms.  There are tons of examples but some quick ones include the
fact that a human tester can follow a chain of functionality that can
lead to a vulnerability.  Nessus can check to see if known
vulnerabilities appear in versions of software it can discover.  A human
can figure out if your CMS allows anonymous users to create new
accounts, if account holders can log in and view forums, whether or not
forums provide clues to the identity of super user accounts, and whether
or not an account holder might be able to escalate privilege using an
internal messaging system to send malicious messages to admins.
Software just can't follow that chain of events.  Furthermore software
can't effectively deal with data classifications.  For instance, if your
secret soda recipe is publicly available to anyone who can guess the
right URL, Nessus will never warn you.  Nessus might find the content,
but it can't evaluate the content or determine if it should fall under a
specific protection realm.  Only a skilled penetration tester who
understands your business can tell you if you're unintentionally leaking
critical business data.

  Of course, there are many penetration testers who won't give you this
sort of data either, so be sure to vet anyone you select.

Justin C. Klein Keane
http://www.MadIrish.net

The digital signature on this message can be confirmed
using the public key at http://www.madirish.net/gpgkey

On 08/03/2010 03:14 AM, Sherif Eldeeb wrote:
> IMHO, you mixed "Vulnerability Assessment" with "Penetration Testing".
> Firing Nessus, nmap, W3AF and nikto at an IP range, then going for a coffee waiting for them to finish, then printing 
> the logs for the management is barely considered an ill "Vulnerability Assessment", but I believe "penetration 
> testing" will simulate a real-world attack scenario that will include the whole "vulnerability assessment" phase as a 
> step to get to the final goal, bearing in mind that during a penetration test the process of vulnerability 
> identification will be as stealthy as possible and will most probably rely on manual techniques rather than noisy 
> automated tools.
>
> Penetration testing is conducted to know how the bad guys could infiltrate your network and exploiting every found 
> hole, not only testing your software's patch level, it will/should include every way to break in, i.e. Physical 
> security, Social engineering, manual web application assessment...etc.
>
> Nessus will not detect the uneducated secretary who will open the mail-attachment from someone she doesn't know, or 
> prevent the stranger from plugging in his wireless access point to the unnoticed RJ45 plug behind the sofa in the 
> lobby... you got the idea.
>
> Your confusion is understandable, since lots of so called "penetration testers" are actually "script kiddies" with 
> nice looking tuxedos who do no good other than what your security team is already doing, "real" penetration testers 
> will give you a detailed professional report highlighting other weaknesses as well...
>
> Regards,
> Sherif Eldeeb.
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of cribbar
> Sent: Monday, August 02, 2010 2:18 PM
> To: pen-test () securityfocus com
> Subject: Penetration Testing Services
>
>
> Penetration Testing Community - I am interested in getting an expert response
> to a discussion that keeps raising up in our company. 
>
> First off, I have some basic IT/Infrastructure knowledge, but I am most
> definitely not up to the level of a penetration tester (please bare this in
> mind with your responses). 
>
> Basically, our company has an internal IT Security section, who has recently
> purchased some of the popular vulnerability assessment software such as
> Nessus. They are running quarterly scans using Nessus across an IP range and
> producing a report to senior management on the types of security holes in
> the Network and how they can be fixed (and more importantly to management
> how much it is going to cost to fix). 
>
> I’ve spent a couple of hours on the Nessus website looking at the types of
> “vulnerability” it will catch, and it seems to cover a whole array of topics
> and security issues. This leads to the inevitable comment from senior
> management, if we have an IT Security section who are using the most common
> vulnerability scanning / penetration testing tools –what is the point in
> investing significant $$$ in buying in a 3rd party to do exactly the same?  
>
> I fully appreciate that penetration testing is an area of high skill, as a
> 3rd party you provide an independent neutral security review, it takes years
> to master the topic, and once mastered you need to stay up to date with all
> the current vulnerabilities and exploits, and it is your guy’s area of
> expertise, whereas a security admin is not specific to penetration testing.
> And let’s be honest, anyone can essentially download a user friendly piece
> of software and click “scan” or whatever and produce a report listing
> problems. 
>
> However, in order to be in defence of the pen testing community during such
> discussions, I have a few questions….
>
> • How do you as penetration testers, portray the importance of this
> independent check to future potential clients? Is this independence really
> that important? 
>
> • What broadly speaking do you as professional penetration testers bring
> additional to a nessus scan during the services you provide? If there are
> categories of security issues/vulnerabilities that you can flag up doing one
> of your penetration tests that Nessus wont - that would be incredibly useful
> to know, and I’d love to be able to identify the limitations of Nessus scans
> but I am a bit out of my depth to be able to do so. 
>
> • I trawled through the archives of this forum and others, and it seems some
> pen testing companies use the exact same tools such as nmap and nessus, and
> in some cases simply pass across a Nessus report for a specific IP range and
> that’s the report they use. This to me sounds a complete rip off, and I
> can’t see the benefit. So where is the added benefit in having an internal
> security guy run nessus, and paying a 3rd party pen tester x amount of $$$
> money to do exactly the same? Why not just stick with the internal guy? Or
> am I missing something? I really would appreciate real examples of whereby
> just running Nessus is simply not enough as it wont catch a, b and c! 
>
> I look forward to your comments. 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iPwEAQECAAYFAkxYZLUACgkQkSlsbLsN1gBBXQb6Aj9s3395ATNu4KEfxyZ+F3ZX
Fa9LUyAUee5obMDeI7BHRbEM+jeaLdDOKScNxcj8WehpK2T4P1GqnFnaxmQBmxcT
eAjd0hJwuRZZDaO1Hiwft/6R55yH4s3NhEY9/7OjQKQ3UpooV0gd2HF7vbTPcOnV
qTgxMU5H7DwKt/HxsyT5ftlhD2/ZY55R1jbmhtA7Nq6ktYuf+L+o6SBIh3mtVw67
K4xwM5RHNgWcvedL4O3uE3Zvno756yj87cIi6p75YSBdWo/oaJTI79BEe44WJMVH
m+E1kHXhe2vcHdNDk4g=
=Ufii
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------