RE: Pen Test vs. Health Check

From: Thompson, Jimi (JimiT@mail.cox.smu.edu)
Date: Mon Jan 26 2004 - 16:46:54 EST


<SNIP>

Doing both of these actually in my mind highlights the various dangers to the client. The holistic approach will also show that the client must attempt to safeguard the internal LAN from potentially disgruntled employees and such. This is done through hardening the internal LAN in a variety of ways. It is also important, though, to show the normal external threats as well via a pen test. Doing the two gives a far more complete picture of the client's security posture.

</SNIP>

Imagine for a moment that you've built a fabulous car. You've just built it
and it sits in your garage idling. If you never drive it, there's a lot
about your car you'll never know. You'll never know what the top speed is.
You'll never know what it takes to red-line the engine. You'll never know
if you need to adjust the suspension to get it to corner better. You'll
never know if you need different rear end gears to get it to accelerate faster.
You'll never know what the gas mileage is like. All you know is that it
looks good. The engine sounds good and you worked really hard to build it.
Never doing a pen-test on your network is like never driving the car.
You'll never know for sure how much hammering it can take from a hacker and
what weak points you need to shore up unless you put it to the test. The
rubber has to meet the road somewhere. If it's not me or someone like me
who's getting paid to do it, it's going to be some hacker that still lives
in his mother's basement. The question boils down to who would you rather
trust? Me - a paid professional with a long history of maintaining client
confidentiality - or BlackHat - someone who lives on "owning" you and posting
things like the CEO's salary to your company email distribution lists.

On the other hand, doing a pen-test without the rest of the audit is rather
like going to the doctor for a physical and finding out that he plans to do
exploratory surgery so that he can look at your internal organs to see if
there's anything wrong with you. It's an invasive procedure that can break
things and have unintended consequences. It should not be attempted by the
inexperienced or without reason (i.e. someone in management read about it in
"Red Herring"/"Fast Company"/"Business 2.0" and has now decided that this
"must" be done). It should be part of an overall security initiative.

Just as you must periodically have unpleasant things done at the doctor's
behest once you reach a certain age (colonoscopy, mammogram, etc.), networks
need the same thing, but only once they reach a certain size. Just as most
children don't need those kinds of procedures, many smaller companies don't
need pen testing either. A simple security audit will suffice. However,
most mid-size companies and larger need this on a regular basis. IMHO, the
size of the network and its growth rate should determine the frequency.
Think of it as a colonoscopy for your network :) - potentially embarrassing,
uncomfortable and perhaps even painful but necessary for continued good
health.

2 cents,

Jimi
