Penetration Testing mailing list archives

Re: Penetration Testing Services


From: "k.x86" <kanto.86 () hotmail it>
Date: Tue, 3 Aug 2010 08:56:57 -0700 (PDT)



cribbar wrote:

Penetration Testing Community - I am interested in getting an expert
response to a discussion that keeps being raised in our company.

First off, I have some basic IT/Infrastructure knowledge, but I am most
definitely not up to the level of a penetration tester (please bear this
in mind with your responses).

Basically, our company has an internal IT Security section, who has
recently purchased some of the popular vulnerability assessment software
such as Nessus. They are running quarterly scans using Nessus across an IP
range and producing a report to senior management on the types of security
holes in the Network and how they can be fixed (and more importantly to
management how much it is going to cost to fix). 

I’ve spent a couple of hours on the Nessus website looking at the types of
“vulnerability” it will catch, and it seems to cover a whole array of
topics and security issues. This leads to the inevitable comment from
senior management: if we have an IT Security section who are using the
most common vulnerability scanning / penetration testing tools – what is
the point in investing significant $$$ in buying in a 3rd party to do
exactly the same?

I fully appreciate that penetration testing is an area of high skill; as a
3rd party you provide an independent, neutral security review; it takes
years to master the topic, and once mastered you need to stay up to date
with all the current vulnerabilities and exploits; and it is your guys’
area of expertise, whereas a security admin is not specific to penetration
testing. And let’s be honest, anyone can essentially download a user
friendly piece of software and click “scan” or whatever and produce a
report listing problems.

However, in order to be in defence of the pen testing community during
such discussions, I have a few questions...

• How do you as penetration testers, portray the importance of this
independent check to future potential clients? Is this independence really
that important? 

• What, broadly speaking, do you as professional penetration testers bring
in addition to a Nessus scan during the services you provide? If there are
categories of security issues/vulnerabilities that you can flag up during
one of your penetration tests that Nessus won’t - that would be incredibly
useful to know, and I’d love to be able to identify the limitations of
Nessus scans, but I am a bit out of my depth to be able to do so.

Some security issues like weak credentials are not usually identified by
vulnerability scanners like Nessus, except for default passwords (depending
on the tested device), null passwords, and passwords equal to the username.
There are a lot of other insecure passwords which can be tested when doing
brute force during a PT. Weak credentials are still one of the most
widespread security problems.


Other security issues can have a different impact when discovered by the
scanner and when checked manually. An "information disclosure" is normally
classified as a low issue by the scanner, but this may not be true (think of
a web server trace that is publicly accessible, where you can get user cookies...).

You cannot be sure that Nessus will find all vulnerabilities in your
network. During a PT, more than one vulnerability scanner could be used in
order to be able to identify the largest number of vulnerabilities.

When a system is compromised, additional checks can be done during a PT. For
instance, you may discover that production data lies on a vulnerable test
environment. You can get information or even credentials which allow you to
jump to other systems.

For web applications, specific scanners exist in order to identify web
vulnerabilities (XSS, SQL injection, ...). This is not the main purpose of
Nessus, which focuses on network vulnerabilities. However, web scanners are
insufficient too. Like Nessus, you will not be sure that a web vuln scanner
will catch all vulns (and like Nessus, more than one can be used during a PT)
and, most importantly, you cannot test for logical vulnerabilities (e.g. you
can escalate privilege by adding a parameter to your URL like
role=MD5('admin') ).


cribbar wrote:

• I trawled through the archives of this forum and others, and it seems
some pen testing companies use the exact same tools such as nmap and
Nessus, and in some cases simply pass across a Nessus report for a
specific IP range and that’s the report they use. This to me sounds a
complete rip off, and I can’t see the benefit. So where is the added
benefit in having an internal security guy run Nessus, and paying a 3rd
party pen tester x amount of $$$ money to do exactly the same? Why not
just stick with the internal guy? Or am I missing something? I really
would appreciate real examples of where just running Nessus is simply
not enough as it won’t catch a, b and c!

I look forward to your comments. 



-- 
View this message in context: http://old.nabble.com/Penetration-Testing-Services-tp29324189p29337080.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
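To illustrate the weak-credential point made in the reply above (scanners typically check only null, default and username-equals-password, while a manual brute-force round catches far more), here is an added Python example that is not part of the thread. It audits a constructed list of accounts and reports, for each weak one, whether a scanner-style check would have caught it; the default-credential set, word list and accounts are all constructed sample data.

```python
import re

# Constructed sample data for this demonstration; not from the thread.
DEFAULT_CREDS = {("root", "toor"), ("cisco", "cisco"), ("admin", "changeme")}
COMMON_WORDS = {"password", "welcome", "summer", "letmein", "qwerty"}
# Per the reply above, a scanner's credential check typically covers only
# these three classes; the remaining classes need a manual brute-force round.
SCANNER_CLASSES = {"null", "equals_username", "default"}
LEET = str.maketrans("@$0134", "asoiea")   # @->a $->s 0->o 1->i 3->e 4->a

def normalize(password: str) -> str:
    """Drop trailing digits/symbols, lower-case, undo common leet substitutions
    (Summer2010! -> summer, P@ssw0rd -> password, bob2010! -> bob)."""
    stripped = re.sub(r"[\d!@#$%^&*.]+$", "", password)
    return stripped.lower().translate(LEET)

def classify_weak_password(username: str, password: str):
    """Return the weakness class, or None if none of the checks fire."""
    user = username.lower()
    if password == "":
        return "null"
    if password.lower() == user:
        return "equals_username"
    if (user, password) in DEFAULT_CREDS:
        return "default"
    # Beyond the scanner classes: username with trivial mangling, and
    # dictionary words with trivial mangling.
    base = normalize(password)
    if base == user:
        return "username_variant"
    if base in COMMON_WORDS:
        return "dictionary"
    return None

def audit(accounts):
    """Map each weak account to (weakness, caught_by_scanner_style_check)."""
    findings = {}
    for username, password in accounts:
        weakness = classify_weak_password(username, password)
        if weakness is not None:
            findings[username] = (weakness, weakness in SCANNER_CLASSES)
    return findings

# Constructed accounts standing in for a lab system's own credential export.
SAMPLE_ACCOUNTS = [
    ("svc_backup", ""), ("alice", "Alice"), ("root", "toor"),
    ("bob", "bob2010!"), ("carol", "Welcome1"), ("dave", "P@ssw0rd"),
    ("erin", "xK9#vLq2pT"),
]
```

Running `audit(SAMPLE_ACCOUNTS)` flags six of the seven accounts, but only the first three would be caught by the scanner-style classes.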

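The `role=MD5('admin')` logical flaw mentioned in the reply is the kind of issue no scanner signature matches, because every response looks normal. The following added Python example (not from the thread) shows the flawed authorization check beside a hardened one that derives the role from server-side session state, plus a detection hook; the session store, user table and handler are constructed for the demonstration.

```python
import hashlib

# Constructed server-side state for this demonstration.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}   # session id -> user
USER_ROLES = {"alice": "user", "bob": "admin"}          # assigned server-side
ADMIN_MARKER = hashlib.md5(b"admin").hexdigest()        # MD5('admin')

def is_admin_vulnerable(params: dict) -> bool:
    """Flawed check: trusts a client-supplied 'role' parameter. Hashing the
    role name adds no protection, since anyone can compute MD5('admin'), and
    a scanner sees only an ordinary 200 response either way."""
    return params.get("role") == ADMIN_MARKER

def is_admin_fixed(session_id: str) -> bool:
    """Hardened check: the role comes from server-side state keyed by the
    session; nothing in the query string is consulted."""
    user = SESSIONS.get(session_id)
    return user is not None and USER_ROLES.get(user) == "admin"

def role_param_tampered(params: dict) -> bool:
    """Detection hook: the application never legitimately accepts a 'role'
    parameter, so its presence is worth an alert, not just a rejection."""
    return "role" in params

def handle_admin_request(session_id: str, params: dict) -> dict:
    """Simulated handler reporting what each version of the check decides
    and whether the request should be logged as tampering."""
    return {
        "vulnerable_grants": is_admin_vulnerable(params),
        "fixed_grants": is_admin_fixed(session_id),
        "alert": role_param_tampered(params),
    }

if __name__ == "__main__":
    # A plain user sending the extra parameter versus a real admin without it.
    print(handle_admin_request("sess-alice", {"role": ADMIN_MARKER}))
    print(handle_admin_request("sess-bob", {}))
```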


