RE: Pen Test vs. Health Check

From: Yvan Boily (yboily@seccuris.com)
Date: Mon Jan 26 2004 - 11:31:10 EST


I agree with the idea that an internal assessment is far more effective than
an external assessment; pen-tests are only as good as the talent of the
people attacking the network, whereas a vulnerability assessment that
involves working with the staff who designed the network to identify issues
that exist, and potential issues as the network expands, provides a much
better perspective.

The issue is not convincing others in the field, though; it is primarily with
the staff involved on the client end that this issue occurs.

The sources of most difficulties in this area are:

1. Managers who have only experienced information security issues from
watching Hackers or Swordfish (I actually had one manager who thought that
Swordfish was technically accurate because RSA had consulted during the
movie. :P)

2. IT staff who believe their work is above reproach. This is the single
largest issue; I have encountered this during penetration tests where the
networking staff insist that we should not even be provided their IP Address
range, and application designers who believe that because they are using an
application framework their code is solid. One of the other issues that is
related to this, and I hate raising it because it seems arrogant, is the
concern of incompetence. When I walk into an office where IT guys are
expecting to be audited, and one guy tells another the common root password
they use for their systems in front of me, I question the overall competence
of the team.

3. Fear of Blame: this happens when the client is aware of how serious the
issue is, and is frightened by the outcome because no one wants to bite the
bullet and take responsibility or ownership for the issue. One of the most
recent projects I worked on was like this. Nothing says fear quite so well
as the client requesting permission to sanitize and approve the report
before it hits upper management. Unfortunately, trying to deal with this
issue is like running into a brick wall; you are dealing with people who
need a glowing report because they fear for their jobs and livelihoods, at
the same time as you encounter security issues that make you wonder how it is
that such a high-profile company hasn't been owned 10 times over.

The best analogy that I can make for this follows:

If you go to a doctor because all of a sudden you have horrible rashes
appearing, you don't sit there silent and make the doctor guess why you are
there; you tell the doctor what you know and experienced, and how you live
your lifestyle, so that the doctor can figure out what is wrong before it
kills you.

Yvan Boily
Seccuris

-----Original Message-----
From: Andy Cuff [mailto:lists@securitywizardry.com]
Sent: Sunday, January 25, 2004 9:39 AM
To: pen-test@securityfocus.com
Subject: Pen Test vs. Health Check

Hi Folks,
Last week Mark Teicher brought up a valid point regarding ethical hacking
not solving the underlying issue of an insecure network: addressing the
symptom rather than the cause.

I personally don't like the term ethical hacking when referring to a Pen
Test; however, as you have probably noticed, I think the term will remain
where training is concerned that introduces the student to the techniques
and methodology used by a hacker. I do not think that an ethical hacking
course will make a security tester. OK, no more about training, honest!

A Pen Test is only as good as the testers and is only a snapshot.
However, a network that has been secured from the inside out, with a solid,
secure foundation, should stand the test of time; even if it is compromised,
the attacker may not be able to roam freely, and all their actions should be
recorded.

IMHO a more efficient and thorough method to conduct a security test is the
holistic approach, where the tester looks inside the network first from a
privileged account, identifying problems and offering solutions; if need be,
he/she can then attempt to exploit said vulnerabilities as a demonstration
to the client. This method greatly cuts down on the time taken to "scope
the joint" externally.

Firstly, what are the members' thoughts on the above, and what are the
downsides in what I have said? Also, does anyone have any good analogies to
vindicate the holistic approach over the Pen Test?

-andy

Talisker Security Tools Directory
http://www.securitywizardry.com



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT