Penetration Testing mailing list archives
Re: auditing web/mail proxies
From: Justin Rogosky <jrogosky () gmail com>
Date: Tue, 6 Dec 2011 14:42:12 -0500
To sum up what Anders said (feel free to correct me if I am wrong), it all depends on what you are trying to prove. If you want to prove that you can exfiltrate data, then try sending something marked up to be confidential (this comes in a variety of markings and classifications, so it is hard to be specific).

In addition, there is a BIG difference between pen testing and auditing, so depending on whether it is a pen test or an audit your goals will be wildly different. If you are auditing, look at the settings of the system. See if they are whitelisting or blacklisting. Is SSL being intercepted? Is DNS part of it, in that they are resolving IPs to determine accessibility? What keywords are they hitting on to prevent data leakage? It is a long list of things to check and depends on the scope of the test.

--Justin

On Tue, Dec 6, 2011 at 2:36 AM, Anders Thulin <anders.thulin () sentor se> wrote:
On 2011-12-05 10:21, cribbar wrote:

Has anyone ever audited a proxy during a pen test/IT audit or as an audit in itself? If so, do you have a scope of what kind of checks you reviewed, or a checklist?

An audit is intended to answer the question: does the examined system work according to the rules and regulations it should follow? The next question is, obviously, are there any such rules? That should be answered by the organization owning or otherwise managing the proxy: what rules should be followed? These will typically relate to the management of the proxy: how is access controlled, how are changes implemented, how are logs and backups handled, and so on. (Tests of proper function -- quality testing -- are usually not regarded as part of an audit. That's more akin to penetration testing.) The rules need not be expressed for the proxy specifically; they could be part of an IS or IT policy applying to all IS or IT systems in the organization. And in some special cases, they might even take the form of local or national law.

For an audit, your job includes defining the system you are auditing (the word 'system' is used in a fairly general sense here -- it needn't be just a network 'box', but an entire proxy support and management -- don't forget the helpdesk!), identifying the rules that are relevant to that system, and then verifying that they are indeed being followed. If there are no relevant rules, an audit cannot be done. If the system cannot be strictly defined (in the sense of whether some entity is part of the system or not), there will be difficulties later. Additionally, if there are rules but they cannot be audited (quite often because they are imprecise), the only thing to do is to identify the problem and suggest a remedy for the next audit. There *are* usually best practice suggestions, which, in the absence of other requirements, could (barely) be used.

But again, the system definition decides: are you looking at a proxy box only, or a component in a network, at a system that must be managed over its lifetime, alone or in relation to other information systems of which it is considered a part? 'Muscular audits' ... deciding on your own what the rules are (or should be) is a possible way, technically, but it's so far from the accepted definition of an audit that I don't consider it practical.

--
Anders Thulin anders.thulin () sentor se 070-757 36 10 / Intl. +46 70 757 36 10