Penetration Testing mailing list archives

RE: Penetration Testing Services


From: Mathew Sealy <mat () shj co uk>
Date: Tue, 3 Aug 2010 08:24:03 +0000

When we look at an infrastructure as a whole, there is a lot more to security than scanning a few servers with some easy-to-use tools; the tools are made to automate a few tasks, i.e. system update status, port scans etc.

The whole point of a pen test is to test the system from the unknown angle; there is no point having the root and admin passwords and scanning a system. If a 3rd party organisation is used to interrogate your system, find weaknesses and security holes, and produce a report for you on when, why and how, this can only assist your company on the road to securing your infrastructure. The 3rd party organisation could have visited your company, spoken to a few employees having a cigarette break and managed to get a username or even a password, maybe even walked into your company and sat in the server room?

The more skilful and tactical the pen tester is, the more in-depth a pen test you will receive, and the most important thing of all is WHY did this happen, HOW can we fix this and teach our staff not to let this happen. I don't know any software that will allow you to do this.

One more thing to add: an outside point of view and pen test sometimes brings out things we never thought about; after all, we are all human, even the guys who make the software.

MS

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of cribbar
Sent: 02 August 2010 12:18
To: pen-test () securityfocus com
Subject: Penetration Testing Services


Penetration Testing Community - I am interested in getting an expert response to a discussion that keeps being raised in our company.

First off, I have some basic IT/infrastructure knowledge, but I am most definitely not up to the level of a penetration tester (please bear this in mind with your responses).

Basically, our company has an internal IT Security section, which has recently purchased some of the popular vulnerability assessment software such as Nessus. They are running quarterly scans using Nessus across an IP range and producing a report to senior management on the types of security holes in the network and how they can be fixed (and, more importantly to management, how much it is going to cost to fix).

I've spent a couple of hours on the Nessus website looking at the types of "vulnerability" it will catch, and it seems to cover a whole array of topics and security issues. This leads to the inevitable comment from senior management: if we have an IT Security section who are using the most common vulnerability scanning / penetration testing tools, what is the point in investing significant $$$ in buying in a 3rd party to do exactly the same?

I fully appreciate that penetration testing is an area of high skill: as a 3rd party you provide an independent, neutral security review; it takes years to master the topic, and once mastered you need to stay up to date with all the current vulnerabilities and exploits; and it is your guys' area of expertise, whereas a security admin is not specific to penetration testing.
And let's be honest, anyone can essentially download a user-friendly piece of software, click "scan" or whatever, and produce a report listing problems.

However, in order to be able to defend the pen testing community during such discussions, I have a few questions...

• How do you, as penetration testers, portray the importance of this independent check to future potential clients? Is this independence really that important?

• What, broadly speaking, do you as professional penetration testers bring in addition to a Nessus scan during the services you provide? If there are categories of security issues/vulnerabilities that you can flag up during one of your penetration tests that Nessus won't, that would be incredibly useful to know, and I'd love to be able to identify the limitations of Nessus scans, but I am a bit out of my depth to be able to do so.

• I trawled through the archives of this forum and others, and it seems some pen testing companies use the exact same tools such as nmap and Nessus, and in some cases simply pass across a Nessus report for a specific IP range and that's the report they use. This to me sounds like a complete rip-off, and I can't see the benefit. So where is the added benefit in having an internal security guy run Nessus, and paying a 3rd party pen tester x amount of $$$ to do exactly the same? Why not just stick with the internal guy? Or am I missing something? I really would appreciate real examples where just running Nessus is simply not enough, as it won't catch a, b and c!

I look forward to your comments. 

--
View this message in context: http://old.nabble.com/Penetration-Testing-Services-tp29324189p29324189.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
