Penetration Testing mailing list archives
Re: Why Penetration Test?
From: intel96 <intel96 () bellsouth net>
Date: Thu, 30 Jun 2005 11:17:32 -0400
Marco,

I totally agree with you that automated tools cannot identify all the attack vectors and they never will. That is why a good pen-test should look at more than the logical network with only an automated tool.

I remember a large-scale VA test that I performed where I found a HUGE hole in the security of the organization as I was heading to lunch. My lunch path took me across the loading dock where tons of mainframe print-outs containing account numbers, social security numbers and more were waiting to go to the local dump. I grabbed a printout and walked to the IT manager that hired me for the VA and explained the problem and about ID theft (this was a nightmare, because ID theft was not even in the nightly news or the papers yet). The manager pulled all the printouts off the dock and I helped them find a local ShredIT company.

Another time I penetrated the company by getting a job to clean the building, which provided me with the master keys for the company. This allowed me to put a disk copier in the trash can that I pulled around. I was able to obtain copies of the CxO hard drives using my super access-level as janitor. The company changed the policy about giving master keys that accessed sensitive spaces after this test.
Intel96

Marco Ivaldi wrote:
I was wondering the usefulness of a penetration testing against vulnerability assessment for a company.

Hey pen-testers,

First of all, i apologize for coming so late to the party -- i've been far from the Internet for a couple of weeks lately...

Just wanted to point out something crucial to me that surprisingly enough has not been mentioned yet in this discussion: a security professional must always remember that there are some attack vectors that are hard (if not impossible) to spot and test thoroughly using automated VA tools.

Yeah, not all attacks come from the IP infrastructure: instead, in my personal and professional experience i witnessed that most dangerous attacks come very often through PBX, RAS connected to a PSTN, backup ISDN lines connected to routers, good old X.25 networks, etc.

Also, not all attacks can be easily reproduced using automated VA tools: just think about common technologies as WLANs and (web) applications in general, an automated testing approach would definitely miss some attack paths. Not to mention social engineering, physical intrusions, dumpster diving, and other popular ways to fool your expensive security measures.

In short, my point is: depending on the complexity of my operational environment, i'd be very careful before deciding to rely _only_ on the common IP infrastructure vulnerability assessments done with popular automated scanning tools to secure my information. There's more outta here that must be tested to ensure you get a 360 degrees vision of your organization's security posture and IMHO a good consultant should tell you before selling you yet another superficial VA.

Just my 2 euro-cents ;)

Cheers,