Security Basics mailing list archives
Re: Server Penetration Testing
From: Todd Haverkos <infosec () haverkos com>
Date: Tue, 27 Sep 2011 07:53:04 -0500
"Femi Mogaji" <olufemimogaji () gmail com> writes:
Hi list, So we just had our annual audit, and one of the findings that came up is server-side pen-tests. We already carry out quarterly ASV scans & yearly pentest of our external IP addresses, where we fell short was the lack of internal pentests. The question is: what tools can I use to carry out these tests? Especially tests directed at SQL servers & file servers etc. A tool that can generate easy to read reports would be really nice. Any input will be appreciated.
The other thing I would add to my prior post about the value of internal vuln scans for informing the need for patching, as well as a source for useful maturity metrics, is that it is definitely worth it to have an internal penetration test done by a qualified third party that specializes in penetration testing. For many organizations, it is a real eye opener.

Try to get social engineering, wireless, and some sort of on-site element in scope. The first is where attackers are making the most hay (and where nearly every organization will fail miserably). An on-site element with USB or CD drops in the parking lot or restrooms (or just mailing users a spiffy keyboard and mouse with an HID device quietly baked in), tantalizingly labeled "2011 resource action plan" with the initials of the CEO on it, can also be an eye opener.

Getting budget for doing some useful user awareness training is generally quite easy after such an engagement, and management starts to "get" that once an attacker gets a toehold anywhere in your network, for many organizations it's pretty quickly game over: complete network compromise after that. This can be a catalyst for getting budget and political will to implement critical controls you probably already know you're lacking, and to do some appropriate network segmentation and regular user awareness training that you may already know you need but can't get justified.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/