Re: Pentesting vs VA - was Pentesting tool - Commercial

From: Robert E. Lee (robert@outpost24.com)
Date: Thu Feb 28 2008 - 05:52:05 EST

Next message: Trygve Aasheim: "Re: Pentesting tool - Commercial"
Previous message: Andre Gironda: "Re: Pentesting tool - Commercial"
In reply to: Andre Gironda: "Re: Pentesting tool - Commercial"
Next in thread: Andre Gironda: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Reply: Andre Gironda: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Reply: Trygve Aasheim: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Maybe reply: dcdave@att.net: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Wed, 2008-02-27 at 16:48 -0700, Andre Gironda wrote:
> Using exploits on production or IT networks is unethical. This isn't
> the wild west. You're overpaying by about $19K-$26K for what you need
> when you go with Core Impact. I don't know about ya'll, but the idea
> of propagating a pseudo-worm through a corporate network seems about
> as good of an idea as asking the power company to shut off electricity
> to a hospital for "just a minute, to see what will happen".

When using exploits against production systems, in the best case
scenario you've altered the running state of production software. In
the worst case, you've corrupted data or caused a loss of service. Most
of us have accepted these potential outcomes as normal during a manual
penetration test.

The concern companies should have with the exploit frameworks is that
many of their users don't understand what the tool is doing. The users
also don't understand what the exploit is affecting. These tools can be
disastrous in the wrong hands.

A better use of time for most companies would be to use a thorough
vulnerability assessment and management solution. VAM solutions can:
* Identify new vulnerabilities - far more than an exploit framework
* Assign vulnerability related tasks to the responsible Sys Admins
* Allow for retesting of the device/vulnerability to ensure the it was
properly mitigated
* Show trending over time

Our customers value their ability to actually improve their situation
over their ability "Pwn" the systems they already own.

Robert

-- 
Robert E. Lee
Chief Security Officer
Outpost24 - One Step Ahead
http://www.outpost24.com
 
SE Phone: +46 455-61-2320
US Phone: +1 801-924-5902
email: robert@outpost24.com
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------

Next message: Trygve Aasheim: "Re: Pentesting tool - Commercial"
Previous message: Andre Gironda: "Re: Pentesting tool - Commercial"
In reply to: Andre Gironda: "Re: Pentesting tool - Commercial"
Next in thread: Andre Gironda: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Reply: Andre Gironda: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Reply: Trygve Aasheim: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Maybe reply: dcdave@att.net: "Re: Pentesting vs VA - was Pentesting tool - Commercial"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:26 EDT