Penetration Testing mailing list archives

Re: Penetration test report - your comments please?


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Thu, 31 May 2001 14:03:55 -0400 (EDT)


One BIG hole I note, late here I know, brain can kick in funny after a
long weekend as we age...

But, where is the evaluation of the security policies and the
hosting/AUP/etc. agreements and such?  Without documentation a company has
no policy to enforce.  A lack of such documentation would be a gaping hole
in policy and management of the infrastructure.  I think this would be the
focus of my assessment, as all the probes and how they are logged and
dealt with are dependent upon such documentation and procedural
management.


Thanks,

Ron DuFresne

<I've experienced 'pen tests' under mil procedures whence even if outside
probes did not show glaring holes, even if documentation met with current
standards and agreements, that access to a user account on an internal
machine had to be granted to demonstrate systems security within
the infrastructure.  I think this perhaps, at least for me, reminds me
that documentation and agreements between the person(s)/company doing the
security assessment and the client, should be looked at by a legal beagle
so as to define such issues as the procedures and definitions of what
kind of testing is performed, liability should, say, a system get hosed in
the process of a scan or overflow exploit, as well as how much either side
is able to, and the conditions of disseminating or disclosing the findings
to others?>

On 30 May 2001, Curt Wilson wrote:


Thanks for your comments.

The basic issue with this pen test was that the
company is a small company offering an internet
service for the first time. Budget constraints were the
main issue with the limitations placed on the pen test.
I would have liked to attempt brute force, trashing,
and assessment/penetration of the network
infrastructure but these were not included in our
arrangement.

How do other pen testers handle issues with 
outsourced ISPs? This seems like a murky area 
unless you are actually testing the ISP themselves. 

Certainly, an attacker won't care about such artificial
boundaries, as a vulnerability is a vulnerability,
whether it appears in the client's IIS server (surely
not! :), sendmail, open proxy server, public/private
community strings on routers and network devices,
or a weakly secured Linux host at the ISP just ripe and
waiting for a rootkit and sniffer on a non-switched
network.

Curt Wilson, Netw3 Consulting
www.netw3.com
618-303-6383


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior consultant:  darkstar.sysinfo.com
                  http://darkstar.sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!
