Re: 3rd party vuln assessment firms

From: raven@oneeyedcrow.net
Date: Tue Dec 27 2005 - 16:26:22 EST


Heya --

* Erin Carroll <amoeba@amoebazone.com> [2005-12-23 14:19:35 -0500]:
> By far the most irritating and common issue that crops up as a pen-tester
> when doing 3rd party internal/external pen-test and VA's is the lack of a
> clearly defined scope from the client.

        I'll second this. Also, since you're an ISP, I'd give a lot of
thought to whether you want your infrastructure tested as well as live
end hosts. (I'd recommend it.) This is the sort of thing you want to
plan very carefully, as the majority of known exploits against backbone
devices are Denial of Service attacks. In most backbone and
infrastructure assessments that I've done, I've taken a white-box
approach and bundled it with a network design assessment. Having access
to the configuration data on the routers and switches can allow you to
look up known vulnerabilities in the version of IOS/CatOS/what have you,
without needing to try the DoS exploits to see if they work. Working
hand in hand with your client's network engineers while testing
sensitive backbone equipment will allow quick responses to outages, good
planning for testing windows that don't conflict with known periods of
critical network usage, and coordination with vendor representatives as
needed to recommend and choose new code train upgrades.

        I think it's increasingly important to be aware of
vulnerabilities in routing and switching protocols, as well as their
management. Not every VA firm is well versed in safely and thoroughly
testing the backbone as well as the end hosts. If that's your interest
and scope, make sure you choose a firm that's got solid expertise in
that area. They should be checking for non-cleartext authentication on
routing protocols, ensuring that no backbone management traffic is
leaking out the edges of your network, recommending that you disable CDP
when it's not in diagnostic use, et cetera. In my experience, many
pen-testers are simply unaware of backbone issues, and these security
holes continue to get ignored even after a professional assessment. As
Erin says, define your scope clearly before you start, and shop for
vendors with that in mind, choosing one with skills that suit your
particular need. Best of luck!

Cheers,
Raven
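
The white-box checks described above, as an added example that is not part of the original message: a Python pass over saved router configuration text that reports the software version line (for offline lookup against vendor advisories), interfaces with CDP still enabled, and OSPF interfaces using cleartext or no authentication. The sample config is constructed, and treating any interface that carries an `ip ospf` line as an OSPF interface is a simplifying assumption; area-level authentication is not considered.

```python
import re

# Constructed sample of IOS-style configuration text (not from a real device).
SAMPLE_CONFIG = """\
version 12.2
hostname edge-rtr-example
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 ip ospf authentication
 ip ospf authentication-key EXAMPLEKEY
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.252
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 EXAMPLEKEY
 no cdp enable
!
interface GigabitEthernet0/2
 ip address 203.0.113.1 255.255.255.0
 ip ospf cost 10
!
router ospf 1
 network 192.0.2.0 0.0.0.3 area 0
!
"""

def audit_ios_config(text):
    """Return (version, findings) from config text; the device is never touched."""
    m = re.search(r"^version (\S+)", text, re.M)
    version = m.group(1) if m else None
    cdp_global_off = re.search(r"^no cdp run\s*$", text, re.M) is not None
    findings = []
    # Each interface stanza runs from its header to the next "!" separator line.
    for name, body in re.findall(r"^interface (\S+)\n(.*?)(?=^!)", text, re.M | re.S):
        lines = [l.strip() for l in body.splitlines()]
        if not cdp_global_off and "no cdp enable" not in lines:
            findings.append((name, "cdp-enabled"))  # CDP is on unless disabled
        if any(l.startswith("ip ospf") for l in lines):  # assumed OSPF marker
            if "ip ospf authentication message-digest" in lines:
                continue
            kind = "cleartext" if "ip ospf authentication" in lines else "none"
            findings.append((name, f"ospf-auth-{kind}"))
    return version, findings

if __name__ == "__main__":
    version, findings = audit_ios_config(SAMPLE_CONFIG)
    print("version:", version)
    for iface, issue in findings:
        print(iface, issue)
```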




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:18 EDT