Penetration Testing mailing list archives
Email Security - Pentesters take...
From: cribbar <crib.bar () hotmail co uk>
Date: Tue, 9 Nov 2010 03:32:30 -0800 (PST)
I have used this forum once before and had some excellent feedback from some very knowledgeable folk, so I wanted to run something by you all again. I am not overly technical but have an understanding of IT and the business/IT alliance. I have recently been scanning the major pen testers' offerings, and typically web apps, VoIP, wireless, firewall rules, database etc. come up time and again, but from the sample of 12 or so, many of whom are CHECK/CREST accredited, I have never seen any offerings about email penetration testing.

To me email is a real business-critical system, and a compromise of someone's (i.e. a director of a company's) email account, whether by an internal employee or an external hacker, could be catastrophic. Bringing down an email system (MS Exchange) could also be a disaster for a company. You also see stuff in the press on an almost daily basis about leaked email or hacked email, so I imagine journalists aren't exactly squeaky clean when it comes to how they gather "intelligence" for their stories. But the fact that nobody seems to be selling an email penetration test in their standard catalogue of offerings got me thinking: perhaps other folk don't see it as a high-risk area? Or perhaps modern off-the-shelf email packages (MS Exchange with an OWA service exposed to the world) and whatnot are pretty secure "out of the box", so to speak (I find that hard to believe).

My questions to you professional pen testers who offer external services:

- Is "email security" a sought-after pen test by companies? Are companies coming to you asking for quotes for a pen test of their email infrastructure, reviewing risks both internal (employees trying to get at each other's mailboxes) and external?
- Where does email rank among sought-after pen tests, i.e. is it typically well down the pecking order? Out of interest, what sort of pen tests are folk coming to you for, i.e. a top 3 (web apps, VoIP, wireless etc.)?
- If you are providing email pen tests, are there common weaknesses and vulnerabilities you keep coming across in most of the cases you test? Can you provide some details? Alternatively, if you are coming across relatively secure email systems and limited findings, I'd be interested to hear that from you lot.

A bit off topic, but finally, I am interested in the role of internal IT auditors in organisations, and what exactly they do or don't do when it comes to pen testing or auditing their own IT systems. Are they responsible for checking that the low-hanging fruit is not available to attackers (i.e. that the IT admin has followed best practice and is applying patches and whatnot), and then the pen testers come in with your whole armoury of tools to check for more advanced attacks? I just can't really see the point in IT auditors if all folk are doing is bringing in pen testers for real assurance. Is it because the internal IT auditor is not up to the skill set of the pen tester? I got a bit confused as to whether they duplicate the same role, so please clarify if you may.

--
View this message in context: http://old.nabble.com/Email-Security---Pentesters-take...-tp30169671p30169671.html
Sent from the Penetration Testing mailing list archive at Nabble.com.
Current thread:
- Email Security - Pentesters take... cribbar (Nov 12)
- Re: Email Security - Pentesters take... Michael Bauer (Nov 12)
- Reverse Engineering the source of the ZeroAccess crimeware rootkit Adam Behnke (Nov 18)
- Re: Email Security - Pentesters take... Anders Thulin (Nov 18)
- Re: Email Security - Pentesters take... Michael Bauer (Nov 12)