RE: External Pentests Obsolete?

From: Van Heerden, Francois (CSS) (Francois.VanHeerden@ontario.ca)
Date: Fri Aug 10 2007 - 13:21:09 EDT

• Next message: Burak CIFTER: "Re: NMAP Concurrent Scans"
• Previous message: US Infosec: "Re: External Pentests Obsolete?"
• In reply to: Yiannis Koukouras: "External Pentests Obsolete?"
• Next in thread: Williamson, Clyde: "RE: External Pentests Obsolete?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Sorry to puncture your balloon but a pen test still has value. A scan
can easily reveal if the client is using a commercial backend database
or backup tool that links to their web presence. These can be probed
very easily and most often are misconfigured or overlooked by
overstretched network admins.

In our environment, with a Internet facing web-app, the admins
challenged a pen tester to break in prior to going live. They were
certain their app was impenetrable so the test would be worthless. It
took the pen tester a total of ten minutes to use a configuration
failure in a supposedly "invisible" backup process (commercial backup
software left with default passwords) to gain root and compromise the
entire server.

Pen tests are not just tools run against a server or two; a detailed
vulnerability assessment also uses a great deal of knowledge about
network infrastructure, deployment techniques, a thorough knowledge of
other applications that are likely deployed and have known holes - many
never patched.

Your argument is flawed - go back and spend some more time learning
about how a vulnerability assessment is actually conducted.

Cyberruk

> Do you think that an external infrastructure pentest is nowadays
obsolete?

>What I want to say is that, most of the serious companies nowadays will
only have a few servers on their DMZ (web server, >mail server, SSL
concentrator, terminal server, citrix) and will only allow access to one
or two ports for each of them.
>The rest of the infrastructure (excluding the internet facing router
and firewall) will be completely inaccessible.

>Thus, if web application testing is out of scope, there isn't much to
test, is it? Only half a dozen of services to check >vulnerabilities and
misconfiguration, check if mail rely is on, make a password bruteforce
attack(?), check that the DNS
>can't be poison and VOILA! You have finished!

>Do you think that it is ethical to consult our clients to "buy" an
external pentest anymore?

P.S. If I am wrong, PLEASE prove me wrong!

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: Burak CIFTER: "Re: NMAP Concurrent Scans"
• Previous message: US Infosec: "Re: External Pentests Obsolete?"
• In reply to: Yiannis Koukouras: "External Pentests Obsolete?"
• Next in thread: Williamson, Clyde: "RE: External Pentests Obsolete?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:00 EDT