From: Vaidya (dnvaidya@rilinfo.net)
Date: Mon Mar 06 2006 - 14:31:57 EST
Dear Craig,
In some cases I have experienced that though the impact (cost) of
vulnerability after it's exploitation is less than the cost of
prevention/remedy or the probability of getting the vulnerability exploited
is very less still financial institutes like banks or the people who deal in
online trading or share market peoples decide to opt the prevention because
their major business works on faith of customer. A single breakout in media
about vulnerability exploitation by the internal employee or from internal
network or from external attacker too can create a doubt about whole
investment the bank or equal institute has made to secure it's "e" enabled
business.
Many times the budget approvers are non techi's and they are more concerned
about their brand name than calculating the dollar value of the impact if at
all it happens with them. They will just question their admin that what the
hell your firewall and IDS/IPS was doing or they will fire the security
consultant. So as per my experience it is not good to ignore the remedy
because it is costly than the impact at least in case of financial
institutes never. Definately a work around can be found out to reduce the
cost of prevention/remedy.
In case of the actual question of Noe now:
Noe though your client is having 4000 servers definitely they are not
running 4000 different applications on it. It's your call to find out the
applications used and the architecture in which all these intelligent
electronic boxes are integrated with each other. I have some suggestions
based on my experience
1. First find out the applications/servers directly facing the internal or
external access (web/admin/monitoring etc)
2. On the basis of your notes you can group them as suggested by Sharon in
trailing mail.
3. Type of OS platforms and type of application or database platforms
including versions can also be a one of the criterion for the selection of
boxes to have quarrel with. Also you can consider the existing protection
mechanisum like firewalls, antiviruses, etc while arriving at the
conclusion.
4. Finally the remedy which your customer is going to select or you propose
is not 100% based only on your PT findings. You can give them the baseline
requirement for each OS, Application, DB versions with tested patches which
you can make mandatory and once they are at that level you can ask them to
patch up the specific vulnerabilities which you have discovered during your
PT in sample basis.
5. From commercial angle you can propose a picture to show them that there
are more types of platforms used in their environment hence they need to
increase the count from 20 to atleast --- (this number you can get from your
marketing person)
Sincerely,
D. N. Vaidya ( //)) //\\// \\// )
----- Original Message -----
From: "Craig Wright" <cwright@bdosyd.com.au>
To: "mystic33" <mystic33@comcast.net>; "Noe Espinoza Mancillas"
<nespinoza@grupowissen.com>; <pen-test@securityfocus.com>
Sent: Sunday, March 05, 2006 3:34 AM
Subject: RE: Bank pen test
>
> Hello,
> Cost. This is the magic factor that is always ignored on this list. The
bank will be working to Risk. If you want to make a piont it needs to be in
real terms. A vulnerability on an internal system is not always a large
risk.
>
> You need to consider the threat and cost. Look at the cost of exploitation
v impact and exposure.
>
> Finding a vulnerability is just that - a vulnerability. What threat is
there? Is this an internal or external issue. Are the mitigating controls
associated with the vulnerability? What is the cost to patch the 4,000
systems vs loss. Have you seen the ALE, system valuations, risk expectancy
or anything else associated with the system?
>
> Some banks will not care if the percieved anualised risk is less than $1
million per year. Have you looked at a return of security investment for the
bank? In fact patching all 4,000 servers to a level that everyone is happy
with may cost the bank upwards of $2-5 million to achieve.
>
> How are you going to justify the bank spending more than the risk - this
would be foolish - to mitigate it. If the bank sees that an internal breach
is likely to occur 10x pa with a average cost per incident of $150,000 they
are not going to spend $2 million to save $1.5 million in risk.
>
> If you want to add value and gve the bank something they can use, stop
with the I need to do a pen test bit. Expand this to the real world. Stop
focusing on FUD. Look to how you can make a real improvement. Sell on terms
that people at the bank understand.
>
> I do assure you that banks understand risk! This is the core business they
are in. They understand finance and they understand vulnerability. They also
know of threat and impact and unless you can make your case with a focus on
risk you are wasting both your time and theirs.
>
> Regards,
> Craig
>
>
> -----Original Message-----
> From: mystic33 [mailto:mystic33@comcast.net]
> Sent: Fri 3/03/2006 3:59 PM
> To: 'Noe Espinoza Mancillas'; pen-test@securityfocus.com
> Cc:
> Subject: RE: Bank pen test
>
>
>
> Hi
>
> First:
> If they want a pen test of only 20 servers there is no way to know if the
> servers that you haven't tested have the same vulnerabilities unless the
20
> are a sample of one of each system down to the os version patch level,
> application version patch level etc.
>
> Second:
> Core Impact is in my opinion a good tool, but be aware of your selected
> exploits. Do you really want to risk running buffer overflow etc. I would
> always run a least 2 tools if possible.
>
> Third:
> Running a tool is just one step in diligent pen test. You may also do some
> manual checking and poking around to verify what the tool has reported.
>
> Last and very important:
> Make sure you are specific in your test plan and have the company sign
off.
> CYA is extremely important.
>
> Hope this is helpful,
>
> Sharon
>
>
>
> -----Original Message-----
> From: Noe Espinoza Mancillas [mailto:nespinoza@grupowissen.com]
> Sent: Thursday, March 02, 2006 5:57 PM
> To: pen-test@securityfocus.com
> Cc: nespinoza@grupowissen.com
> Subject: Bank pen test
>
> hello all!
>
> now i'm still wait to start an internal penetration test in a bank .. they
> have a lot of servers.. HP Ux, Win, Sun, Linux , etc. and now they are
> using ISS (scanner) to find vulnerabilitys and then they make a remedation
> with some scripts and other comercial tools... so..
> now they need help becouse the ISS scanner every time that are running
found
> the same vulnerabilitys after patchs the servers. I told them that is
really
> importan to use some other diferents scanners and make an penetration test
> to review if the vulnerabilities are really risk for the bussines!!.. and
> they don`t accept it ..
>
> buy they need it.. need to make a remediation of all the vulnerabilities
in
> all the 4000 servers!
>
> so.. they ask for a pent test for only 20 servers.. and i don`t know how
can
> i select the number of servers that i need to test to be sure that all the
> rest of the servers have the same vulnerabilitis!!.. ?
>
> and what kind of tools can i use to make that!?
>
> i never been in that kind of penetration test :(..
>
> i think to use Core Ipact!
>
> any sugestions?
>
>
> regards
>
> noe
>
>
>
> --------------------------------------------------------------------------
-- > -- > This List Sponsored by: Lancope > > "Discover the Security Benefits of Cisco NetFlow" > Learn how Cisco NetFlow enables cost-effective security across distributed > enterprise networks. StealthWatch, the veteran Network Behavior Analysis > (NBA) > and Response solution, leverages Cisco NetFlow to provide scalable, > internal network security. > Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and > Response > Systems in the Enterprise." > > http://www.lancope.com/resource/ > -------------------------------------------------------------------------- -- > -- > > > > > -------------------------------------------------------------------------- ---- > This List Sponsored by: Lancope > > "Discover the Security Benefits of Cisco NetFlow" > Learn how Cisco NetFlow enables cost-effective security across distributed > enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA) > and Response solution, leverages Cisco NetFlow to provide scalable, > internal network security. > Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response > Systems in the Enterprise." > > http://www.lancope.com/resource/ > -------------------------------------------------------------------------- ---- > > > > > Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists. > > DISCLAIMER > The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. > > Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO. > > BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access. > ------------------------------------------------------------------------------ This List Sponsored by: Cenzic Concerned about Web Application Security? As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request@cenzic.com ------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:37 EDT