External Pentests Obsolete?

From: Yiannis Koukouras (d4rw1n@linuxmail.org)
Date: Thu Aug 09 2007 - 03:18:36 EDT


Hi all,

Do you think that an external infrastructure pentest is nowadays obsolete?

What I want to say is that, most of the serious companies nowadays will only have a few servers on their DMZ (web server, mail server, SSL concentrator, terminal server, citrix) and will only allow access to one or two ports for each of them. The rest of the infrastructure (excluding the internet facing router and firewall) will be completely inaccessible.

Thus, if web application testing is out of scope, there isn’t much to test, is it? Only half a dozen of services to check vulnerabilities and misconfiguration, check if mail rely is on, make a password bruteforce attack(?), check that the DNS can’t be poison and VOILA! You have finished!

Do you think that it is ethical to consult our clients to “buy” an external pentest anymore?

P.S. If I am wrong, PLEASE prove me wrong!

-- 
Ioannis Koukouras
CISSP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras 
=
Cruise Value Center - Mexico Cruises
Cruise Value Center is one of America's leading discount brokers on Mexican cruises. Let our experts help you choose the cruise vacation package that will meet your budget and lifestyle.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=83149e4a674877039cb5c210b2445439
-- 
Powered by Outblaze
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:00 EDT