Security Basics mailing list archives

Re: Server Penetration Testing


From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 27 Sep 2011 07:53:04 -0500

"Femi Mogaji" <olufemimogaji () gmail com> writes:

> Hi list,
>
> So we just had our annual audit, and one of the findings that came
> up is server-side pen-tests. We already carry out quarterly ASV
> scans & yearly pentests of our external IP addresses; where we fell
> short was the lack of internal pentests. The question is: what tools
> can I use to carry out these tests? Especially tests directed at SQL
> servers & file servers etc. A tool that can generate easy-to-read
> reports would be really nice. Any input will be appreciated.

The other thing I would add to my prior post about the value of
internal vuln scans for informing the need for patching, as well as a
source for useful maturity metrics, is that it is definitely worth it
to have an internal penetration test done by a qualified third party
that specializes in penetration testing.  For many organizations, it
is a real eye opener.  Try to get social engineering, wireless, and
some sort of on-site element in scope.  The first is where attackers
are making the most hay (and where nearly every organization will fail
miserably).  An on-site element with USB or CD drops in the parking
lot or restrooms (or just mailing users a spiffy keyboard and mouse
with an HID device quietly baked in), tantalizingly labeled "2011
resource action plan" with the initials of the CEO on it, can also be
an eye opener.  Getting budget for doing some useful user awareness
training is generally quite easy after such an engagement, and
management starts to "get" that once an attacker gets a toehold
anywhere in your network, for many organizations, it's pretty quickly
game over, with complete network compromise after that.

This can be a catalyst for getting the budget and political will to
implement critical controls you probably already know you're lacking,
and to do the appropriate network segmentation and regular user
awareness training that you may already know you need but can't
get justified.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
