RE: Ethical hacker article published

From: Clement Dupuis (cdupuis@cccure.org)
Date: Sat Feb 24 2007 - 08:28:59 EST


Good day Craig and all,

Writing about everything you have mentioned below would become a large
document with great information in it. This would probably translate to
what the OSSTMM (http://www.isecom.org) is today. It clearly talks about
the jargon used in today's security field and behooves the tester to perform
the risk assessment you mentioned while taking into consideration the
context, the policies, other areas at risk, and the protection mechanisms
that are in place. Obviously no magazine or publisher will allow you to
publish the OSSTMM within their trade pub. They prefer short articles with
bold statements that attract the reader.

It seems that not only within security testing but also within the security
profession at large there is a struggle with terms and their definitions.
People see risks, vulnerabilities, exploits, and exposures as the same,
which is not the case. We need to get a better grasp on our lexicon.

I love vulnerability scanners that trigger a HIGH level vulnerability because
a port is shown open. A good example would be port 21 being open. The
scanner will flag it as high risk; is it? Probably not, and you cannot tell
simply by looking at the scanner results. You have to go one step further and
look at the policies in place, the software used, its configuration, the way
it is administered, what is being disturbed, etc... etc...

It would have been great to see coverage of the different types of tests that
could be done within the article. More companies today will perform white
box tests where they get a lot more benefit from the money spent. As you
have mentioned, it is doubtful that one will have all of the details and
fully understand the target by only gathering information from the public side.
You can only claim that potential vulnerabilities could exist, unless
penetration is allowed, in which case you could prove that exploitation is
possible as well.

Craig, I just wanted to say it is a great post that you did below. Maybe
you should write a series of articles about it.

Take care

Clement
cdupuis@cccure.org
http://www.professionalsecuritytesters.org
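The point Clement makes about port 21 above, and the distinction Craig draws further down between a "potential vulnerability" and a vulnerability, both come down to the same thing: an open port is a fact, not a finding, until it is joined with policy and configuration context. The following Python is an added example, not part of this thread and not anyone's product; it parses constructed nmap grepable (-oG) output, joins each open port with a constructed approval policy and with constructed configuration evidence, and only escalates to "confirmed" when the evidence supports it. Run the same scan without the configuration evidence (the black-box situation) and the strongest claim it can make is "potential". All hosts, policy entries and configuration values are made up for illustration.

```python
"""Context-aware triage of "port is open" scanner findings.

Added example (not from the original mailing-list thread). Every host,
policy rule and configuration value below is constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed `nmap -oG` output. Each port entry has the layout
# port/state/proto/owner/service/rpc-info/version/
SCAN_OUTPUT = """\
Host: 192.0.2.10 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 22/open/tcp//ssh//OpenSSH 7.4/
Host: 192.0.2.11 ()\tPorts: 21/open/tcp//ftp//Microsoft ftpd/, 445/open/tcp//microsoft-ds///
Host: 192.0.2.12 ()\tPorts: 21/filtered/tcp//ftp///
"""

# Constructed policy: which (host, port) is approved, and on what terms.
# Hosts with no entry have nothing approved.
POLICY = {
    ("192.0.2.10", 21): {"approved": True, "anonymous_allowed": True, "write_allowed": False},
    ("192.0.2.10", 22): {"approved": True},
}

# Constructed configuration evidence, the kind only a white-box review or an
# internal contact provides. A missing entry means "unknown" (black-box view).
CONFIG = {
    ("192.0.2.10", 21): {"anonymous_enable": True, "anon_upload_enable": False},
    ("192.0.2.11", 21): {"anonymous_enable": True, "anon_upload_enable": True},
}


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    state: str
    service: str
    version: str


_PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/[^/]*/([^/]*)/[^/]*/([^/]*)/")


def parse_grepable(text):
    """Extract one Finding per port entry from nmap grepable output."""
    findings = []
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?Ports: (.*)", line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(", "):
            pm = _PORT_RE.fullmatch(entry.strip())
            if pm:
                port, state, _proto, service, version = pm.groups()
                findings.append(Finding(host, int(port), state, service, version))
    return findings


def classify(finding, policy=POLICY, config=CONFIG):
    """Return (label, reason). Labels from weakest to strongest claim:
    informational, policy_violation, potential_vulnerability, confirmed_vulnerability."""
    if finding.state != "open":
        return "informational", f"port {finding.port} is {finding.state}; nothing to assess"
    key = (finding.host, finding.port)
    rule = policy.get(key)
    cfg = config.get(key)
    if rule is None or not rule.get("approved"):
        # Exposure nobody signed off on. Without configuration evidence we can
        # only say a vulnerability may exist; with evidence we can decide.
        if cfg is None:
            return "potential_vulnerability", "unapproved service; configuration unknown, needs verification"
        if finding.service == "ftp" and cfg.get("anon_upload_enable"):
            return "confirmed_vulnerability", "unapproved FTP with anonymous upload enabled"
        return "policy_violation", "unapproved service exposed; no exploitable misconfiguration found"
    # Approved exposure: compare observed configuration with the terms of approval.
    if cfg is None:
        return "informational", "approved service; configuration not verified"
    if finding.service == "ftp":
        if cfg.get("anonymous_enable") and not rule.get("anonymous_allowed"):
            return "potential_vulnerability", "anonymous FTP enabled but policy forbids it"
        if cfg.get("anon_upload_enable") and not rule.get("write_allowed"):
            return "confirmed_vulnerability", "anonymous upload enabled beyond what policy allows"
    return "informational", "approved service operating within policy"


def triage(text, policy=POLICY, config=CONFIG):
    """Map (host, port) -> (label, reason) for every parsed finding."""
    return {(f.host, f.port): classify(f, policy, config) for f in parse_grepable(text)}


if __name__ == "__main__":
    for view, cfg in (("white-box", CONFIG), ("black-box", {})):
        print(f"== {view} ==")
        for key, (label, reason) in sorted(triage(SCAN_OUTPUT, POLICY, cfg).items()):
            print(f"{key[0]}:{key[1]:<4} {label:<24} {reason}")
```

The two runs at the bottom are the point: the same port 21 on 192.0.2.11 is a confirmed vulnerability when the anonymous-upload setting is known and only a potential one when it is not, and port 21 on 192.0.2.10 is never more than informational because policy approves it and its configuration matches the approval. A scanner that rates "21/open" HIGH on every host has none of that context.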

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Craig Wright
Sent: Thursday, February 22, 2007 5:26 PM
To: pen-test@securityfocus.com
Cc: Steve Fletcher
Subject: RE: Ethical hacker article published

Hello,
Unfortunately, there is no peer review process associated with industry
magazines. In the case of this one I note that you are the editor, which also
makes review less likely. However, there are some points in the article I
would like to point out.

To start with, the terminology that you have grouped together (ethical
hacking, penetration testing, intrusion testing and red teaming) is all
different. It may be true that there are overlaps between each of these, but
they're not the same. This is a common misconception and one that I will
hopefully address here. Common mistakes in nomenclature, even when made by
many people, do not make them correct.

Of most importance is the fallacy you hold that ethical attackers
are actually testing system security. This is not correct. In fact it is
being constantly shown (references available on request) that ethical
attacks do far less to categorically qualify security risks than many other
forms of testing. They do not, for instance, take note of internal controls.
In fact, many potential vulnerabilities cannot be discovered in a
penetration test by the nature of the testing. Next it needs to be
remembered that there is an economic cost associated with penetration
testing. The ethical attacker is constrained by a budget of time and thus
money.

Blind testing by its very nature will take longer than auditing a site with
knowledge. The review undertaken by the ethical attacker is thus hobbled
from the start. It is infeasible to state that the contractor will have more
knowledge at the end of a review if it is done as an ethical attack with
limited knowledge than after a systems review with full information.

Red teaming has been used by both government and business for many decades
in a variety of areas including physical and logical based testing. At its
simplest it's a peer review concept. Another way to look at it is as a method
of assessing vulnerabilities. In cases where red teaming refers to the
provision of adversarial perspectives, the design of the red team is not
hampered in the manner that ethical attacks are. There is little
correlation between a red team exercise and an ethical attack in any sense
of the word.

The formation of red cells is a situation unlikely to occur in any ethical
attack. Further, internal intelligence is unlikely to be gathered as part
of an ethical attack. In this instance it is more likely that the ethical
attack will consist of beating away at the Internet gateway. An engagement
to red team is wider in scope; areas including internal subversion and
associated control checks cannot be ignored in this type of test. It is
unlikely that they would even cross the mind of the ethical attacker.

Next, a vulnerability assessment and ethical attack differ significantly.
Vulnerability assessments are part of a complete risk analysis program.
Ethical attacks do not in themselves form part of this measure and process,
although they may be used as a single phase within one of these processes.

Vulnerability assessments involve the cataloguing of assets and
capabilities. The lack of internal knowledge provided in the typical
ethical attack process precludes this phase. Next, vulnerability assessments
work on the basis of assigning value to the asset that is being attested by
this process. This is a quantifiable value which is determined through this
process.

Subsequently, vulnerabilities, and potentially threats to these resources,
are determined. This process is not limited to external attacks. This
process needs to take into account not only external attacks and even
internal attacks, but necessarily must also consider physical threats and
many other tests outside the reach of the ethical attack.

The lack of foreknowledge as to the qualification of value associated with
any particular asset negates the possible assessment of a vulnerability
status by an ethical attack process.

Further, although it is commonly called a vulnerability, an unpatched
system or "hole" does not in itself make a vulnerability. What the ethical
attacker is noting is a potential vulnerability. Other information needs to
be associated with this potential vulnerability before it may be classified
as a vulnerability. There is a great difference between a potential
vulnerability and a vulnerability. Before this determination can be made it
is necessary to understand the system being tested. The limited knowledge
provided in blind testing or other black box test processes is seldom
adequate to provide this information. Although the ethical attacker or even
penetration tester may stumble across a vulnerability with serious
consequences, it is rarely likely that they will be able to determine this
without additional internal information.

Although many people do not seem to realise the difference between these
types of processes, ethical attacks are not vulnerability assessments, nor
are they red teaming exercises.

Hence the value in peer reviews before publishing.

Regards,
Craig S Wright

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Steve Fletcher
Sent: Wednesday, 21 February 2007 1:18 PM
To: pen-test@securityfocus.com
Subject: Ethical hacker article published

For anyone who is interested, my recent article on ethical hackers has been
published. You can find it at
http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=2652&zoneid=225
or in the March issue of Certification Magazine.

Thanks again to everyone who provided helpful information. Unfortunately,
they edited out the sentence giving credit to those who provided information.
:(

If anyone has any feedback (good or bad), please let me know for future
articles.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, Security+
Email:  safletcher@insightbb.com
Web:  http://safletcher.home.insightbb.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

Liability limited by a scheme approved under Professional Standards
Legislation in respect of matters arising within those States and
Territories of Australia where such legislation exists.

DISCLAIMER
The information contained in this email and any attachments is confidential.
If you are not the intended recipient, you must not use or disclose the
information. If you have received this email in error, please inform us
promptly by reply email or by telephoning +61 2 9286 5555. Please delete the
email and destroy any printed copy.

Any views expressed in this message are those of the individual sender. You
may not rely on this message as advice unless it has been electronically
signed by a Partner of BDO or it is subsequently confirmed by letter or fax
signed by a Partner of BDO.

BDO accepts no liability for any damage caused by this email or its
attachments due to viruses, interference, interception, corruption or
unauthorised access.

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=70160000
0008bOW
------------------------------------------------------------------------

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:36 EDT