Re: [lists] Re: What to spend on a pentest

From: David M. Zendzian (dmz@dmzs.com)
Date: Sat Aug 05 2006 - 14:54:21 EDT

• Next message: R. DuFresne: "Re: RE: What is being a pen tester really like? (fwd)"
• Previous message: Andrej Budja: "RE: How to check an Executive's notebook"
• In reply to: Curt Purdy: "RE: [lists] Re: What to spend on a pentest"
• Next in thread: The McLain Family: "Re: [lists] Re: What to spend on a pentest"
• Maybe reply: The McLain Family: "Re: [lists] Re: What to spend on a pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I've been following this thread and have noticed that no one here is
considering the liability of a "real" pen test. Unless you are testing
QA or Dev environments, anything you find could not only prove that a
compromise is real but also bring that business offline, and since you
don't know when or where or what you'll find the business would need to
keep someone "on-call" during the entire engagement to restore or fail over.

Plus if you look at some of the pen-test requirements (standards(pci,
...), regulations(sox, hipaa, ...)) and look at what they call for when
pen-testing. PCI pen-tests are required yearly, however the pen test
must stop right at the edge of running the exploit, so you never know if
it actually runs. So here we have an industry standard "pen-test" (and
don't forget that PCI also requires quarterly vulnerability assessments)
where the pen-test is specifically required to not penetrate.

That tied with most business' not willing to perform social or physical
testing, it is 90% network based these days; so the majority of
pen-tests are really only expanded vulnerability tests. But also
remember that most companies only get pen-tests or vulnerability tests
because of these standards or regulations which then bind what they
testers are able to do.

What I would be interested in is hearing from those 10% of pen testers
who are able to do "real" pen tests, and what motivates their clients if
it is not a "requirement".

David M. Zendzian
dmz

Curt Purdy wrote:
> Intel96 wrote:
>
>> You also need to determine how much manual testing may have to be
>> performed on the systems. Such as cracking logins, cracking cookies,
>> etc, or searching the systems for embedded passwords in script or
>> configurations files and looking at the database schemes.
>>
> <snip>
>
> Unfortunately, most pentest companies don't do manual testing. Like the
> bank that I was ISO at hired NetBankAudit to "pentest" them. They likely
> had a young tech running scripts on a dozen clients that night and found one
> minor problem on our acquistion. The next Sunday night between 10pm and
> 6am, I manually tested and found six serious problems.
>
>
> Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA
> Information Security Officer
> Information Systems Security
> infosysec.net
> 443.846.4231
>
> -------------
>
> If you spend more on coffee than on IT security, you will be hacked.
> What's more, you deserve to be hacked.
> -- former White House cybersecurity czar Richard Clarke
>
>
>
> ------------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Concerned about Web Application Security?
> Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
> Choice Award from eWeek. As attacks through web applications continue to rise,
> you need to proactively protect your applications from hackers. Cenzic has the
> most comprehensive solutions to meet your application security penetration
> testing and vulnerability management needs. You have an option to go with a
> managed service (Cenzic ClickToSecure) or an enterprise software
> (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
> help you: http://www.cenzic.com/news_events/wpappsec.php
> And, now for a limited time we can do a FREE audit for you to confirm your
> results from other product. Contact us at request@cenzic.com for details.
> ------------------------------------------------------------------------------
>
>
>

------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------

• Next message: R. DuFresne: "Re: RE: What is being a pen tester really like? (fwd)"
• Previous message: Andrej Budja: "RE: How to check an Executive's notebook"
• In reply to: Curt Purdy: "RE: [lists] Re: What to spend on a pentest"
• Next in thread: The McLain Family: "Re: [lists] Re: What to spend on a pentest"
• Maybe reply: The McLain Family: "Re: [lists] Re: What to spend on a pentest"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:34 EDT