Re: RE: What is being a pen tester really like? (fwd)

From: paul_boam@yahoo.com
Date: Thu Aug 03 2006 - 08:30:42 EDT


The best pen testing firms impose QA through CESG CHECK team leaders. Unfortunately that doesn't protect you as the customer from either the pen tester having a bad day/hangover or a new vulnerability or better tool/exploit occurring 30 minutes after your pen test has just finished.

If I had just run nmap against a target and found all but 80 and 443 open with everything else filtered, no old OS/versions, and nikto came back with what turned out to be 10000 false positives, I would be inclined to look for an easier target.

All of these results are relatively easily implemented through anti-reconnaissance techniques. These techniques make sure that the target is not attractive to a would-be attacker and although they don't replace a proper layered security architecture, they do significantly reduce the threat. Anyone playing ISO 27001 will see the risks drop significantly, and what's more it's easier to teach people to harden than it is to pen test, which is often intuitive once you get past a tool's capability.

Pen testing has been described as a burglar finding the open window, then spending most time explaining how he stole the video recorder, DVD, TV, fridge, etc etc etc.... You could stop all this however by closing and locking the window. You could even put a dummy burglar alarm up outside, if you get my drift.

Before embarking on a career in pen testing, take a look at a career in hardening. It's of much greater value to the client in every sense.

Paul
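As an added example that is not part of Paul's post: the posture he describes (only 80 and 443 reachable, everything else filtered, no version or OS information leaking) can be checked from the defender's side by auditing your own nmap output against a minimal-exposure policy. The script below parses nmap's grepable (`-oG`) format and reports every deviation as a hardening action. The sample output, the host addresses and the allowed-port set are constructed for this example and are assumptions, not values from the post.

```python
"""Audit an nmap grepable-output (-oG) report against a minimal-exposure policy.

Added example. The policy (only 80/443 exposed, no service version banners,
no OS fingerprint) is an assumption chosen to match a web-only host.
"""
from dataclasses import dataclass, field

ALLOWED_PORTS = {80, 443}  # assumption: a web host that should expose only HTTP(S)

# Constructed sample -oG output: one host leaking SSH, banners and an OS guess,
# one host that matches the hardened posture.
SAMPLE_NMAP_OG = (
    "# Nmap 4.11 scan initiated (constructed sample)\n"
    "Host: 192.0.2.10 ()\tStatus: Up\n"
    "Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.3/, 443/open/tcp//ssl|http//Apache httpd 2.2.3/"
    "\tIgnored State: filtered (997)\tOS: Linux 2.6.X\n"
    "Host: 192.0.2.20 ()\tStatus: Up\n"
    "Host: 192.0.2.20 ()\tPorts: 80/open/tcp//http///, 443/open/tcp//ssl|http///"
    "\tIgnored State: filtered (998)\n"
)


@dataclass
class HostReport:
    host: str
    open_ports: dict = field(default_factory=dict)  # port -> version banner ("" if none)
    os_guess: str = ""
    findings: list = field(default_factory=list)


def parse_grepable(text):
    """Return {host: HostReport} from nmap -oG text.

    Each 'Host:' line is tab-separated 'Key: value' fields; the Ports field is a
    comma-separated list of port/state/proto/owner/service/rpc/version/ tuples.
    """
    reports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        rep = reports.setdefault(host, HostReport(host))
        if "OS" in fields:
            rep.os_guess = fields["OS"]
        for entry in fields.get("Ports", "").split(", "):
            parts = entry.split("/")
            if len(parts) < 7:
                continue
            port, state, _proto, _owner, _service, _rpc, version = parts[:7]
            if state == "open":
                rep.open_ports[int(port)] = version
    return reports


def audit(reports, allowed=ALLOWED_PORTS):
    """Attach a hardening finding for every deviation from the policy."""
    for rep in reports.values():
        for port, version in sorted(rep.open_ports.items()):
            if port not in allowed:
                rep.findings.append(f"port {port} open but not in allowed set; filter it")
            if version:
                rep.findings.append(f"port {port} discloses version banner '{version}'; suppress it")
        if rep.os_guess:
            rep.findings.append(f"OS fingerprint '{rep.os_guess}' recoverable; reduce stack/ICMP exposure")
    return reports


if __name__ == "__main__":
    for rep in audit(parse_grepable(SAMPLE_NMAP_OG)).values():
        status = "OK" if not rep.findings else f"{len(rep.findings)} finding(s)"
        print(f"{rep.host}: {status}")
        for f in rep.findings:
            print(f"  - {f}")
```

Run it against your own `nmap -sV -O -oG scan.gnmap <your hosts>` output by reading the file into `parse_grepable`; a host that produces no findings is the "unattractive target" the post describes, while each finding maps directly to a firewall rule or banner setting to change.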




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:31 EDT