Penetration Testing mailing list archives
Re: Email Security - Pentesters take...
From: Michael Bauer <ravenmsb () gmail com>
Date: Fri, 12 Nov 2010 13:41:18 -0500
Hello,

E-mail is always one of the first systems I will peel away at after gaining access to the internal network. The problem is usually it is a very touchy area and oftentimes corporations list the e-mail system as out of bounds or protected when the terms of service are drawn up in the initial contract. I think any penetration tester knows that anything operating on SMTP, POP3 or IMAP is one of the best places to gather information and attack, but when it's off limits you have to honor your rules of engagement and steer clear of these systems. This is what I feel is probably a large reason why you don't see it.

The other would be the fact that it's just so simple that no one really thinks about it. It's obviously one of the first places to look for an easy way in. I don't see people really advertising FTP, Telnet, etc. testing, but this is because people have specializations and no one is going to be impressed with specialization of penetrating these basic services.

Just my 2 cents.

On Tue, Nov 9, 2010 at 6:32 AM, cribbar <crib.bar () hotmail co uk> wrote:
I have used this forum once before and had some excellent feedback from some very knowledgeable folk, so I wanted to run something by you all again….

I am not over tech but have an understanding on IT and Business/IT alliance, however I’ve recently been scanning the major pen testers' offerings and typically web apps, voip, wireless, firewall rules, database etc come up time and again, but from the sample of 12 or so, many of whom are CHECK/CREST accredited, I have never seen any offerings about email penetration testing…

To me email is a real business critical system and potentially a compromise of someone’s (i.e. director of a company) email account whether from an internal employee or an external hacker could be catastrophic. Or bringing down an email system (MS Exchange) could also be a disaster to a company…. You also see stuff in the press on an almost daily basis on leaked email or hacked email so I imagine journalists aren’t exactly squeaky clean when it comes to how they gather “intelligence” for their stories…

But the fact nobody seems to be selling an email penetration test in their standard catalogue of offerings got me thinking as to perhaps other folk don’t see it as a high risk area? Or perhaps modern off the shelf email packages (MS Exchange with an OWA Service exposed to the world) and what not are pretty secure “out the box” so to speak (I find that hard to believe)…

My questions to you professional pen testers who offer external services:

Is “email security” a sought after pen test by companies? Are companies coming to you asking for quotes for a pen test of their email infrastructure, reviewing risks both internal (employees trying to get at each other's mailboxes) and external?

Where does email rank in sought after pen tests, i.e. is it typically well down the pecking order? Out of interest what sort of pen tests are folk coming to you from, i.e. a top 3 (web apps, voip, wireless etc)?

If you are providing email pen tests, are there common weaknesses and vulnerabilities you keep coming across in most cases you test? Can you provide some details… Alternatively if you are coming across relatively secure email systems and limited findings I’d be interested to hear that from you lot…

A bit off topic, but finally, I am interested in the role of internal IT Auditors in organisations, and what exactly they do or don’t do when it comes to pen testing or auditing their own IT Systems. Are they responsible for checking that the low hanging fruit is not available to attackers (i.e. the IT admin has followed best practice and is applying patches and what not) and then the pen testers come in with your whole armoury of tools to check for more advanced attacks? I just can’t really see the point in IT Auditors if all folk are doing is bringing in pen testers for real assurance? Is it because the internal IT Auditor is not up to the skill set of the pen tester? I got a bit confused as to whether they duplicate the same role so please clarify if you may….

--
View this message in context: http://old.nabble.com/Email-Security---Pentesters-take...-tp30169671p30169671.html
Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------