From: rmeijer@xs4all.nl
Date: Fri Jun 17 2005 - 04:47:56 EDT
> One question I have not seen yet concerning is why PenTest is: To
> justify your job and a budget. On one project a customer had a harden
> Internet router, a Cisco PIX firewall, and IDS from ISS and an IPS from
> TippingPoint. All scanning (NMAP, Nessus, etc.) was pointless,
> everything was bocked except port 80 and 443. Most web logins required
> SecurID tokens (brute forcing these right..!!) I was able to used SQL
> injections to create local accounts, upload files, but not download,
> because all outbound requested went through a proxy. The customer even
> reconfigured the network each day to see if they could catch.
>
> Now the biggest questions that I get from the customer is how did you
> bypass by filters (IDS, IPS) and I need you to rewrite the final report
> so I can obtain more funding.........to buy more security and hire more
> people.....the biggest hole that I found was the lack of security
> internal process. These things require leadership to fix not more
> funding!!!!!!!!! How do you state that in a report?
I think, from a pentest point of view, sugesting anything that does
directly require funding would be bad. Just list possible measures,
their impact on the security level, and if suitable and available their
projected costs (either financial or time resources of existing staff).
This as I think that budgetary measures must always remain small relative
to the diverted risk, and you as penetration tester mostly have no true
notion of the financial footprint of the risk diverted by the technical
measures sugested.
Further I have seen so litle real (the statistics/stochastics type) risk
analysis based security pollicies, that sugesting to hire a statistician
to do a risk analysis in order to determine suitable security measures,
could be one exeption to this rule of not directly sugesting any
unconditional resource allocation.
Rob
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT