Penetration Testing mailing list archives

Re: Why Penetration Test?


From: intel96 <intel96 () bellsouth net>
Date: Thu, 30 Jun 2005 11:17:32 -0400

Marco,

I totally agree with you that automated tools cannot identify all the attack vectors and they never will. That is why a good pen-test should look at more than the logical network with only an automated tool. I remember a large-scale VA test that I performed where I found a HUGE hole in the security of the organization as I was heading to lunch. My lunch path took me across the loading dock where tons of mainframe print-outs containing account numbers, social security numbers and more were waiting to go to the local dump. I grabbed a printout and walked to the IT manager that hired me for the VA and explained the problem and about ID theft (this was a nightmare, because ID theft was not even in the nightly news or the papers yet). The manager pulled all the printouts off the dock and I helped them find a local ShredIT company. Another time I penetrated the company by getting a job to clean the building, which provided me with the master keys for the company. This allowed me to put a disk copier in the trash can that I pulled around. I was able to obtain copies of the CxO hard drives using my super access-level as janitor. The company changed the policy about giving master keys that accessed sensitive spaces after this test.

Intel96
Marco Ivaldi wrote:

I was wondering about the usefulness of a penetration test versus a
vulnerability assessment for a company.

Hey pen-testers,

First of all, I apologize for coming so late to the party -- I've been far
from the Internet for a couple of weeks lately...

Just wanted to point out something crucial to me that surprisingly enough
has not been mentioned yet in this discussion: a security professional
must always remember that there are some attack vectors that are hard (if
not impossible) to spot and test thoroughly using automated VA tools.

Yeah, not all attacks come from the IP infrastructure: instead, in my
personal and professional experience I witnessed that most dangerous
attacks come very often through PBX, RAS connected to a PSTN, backup ISDN
lines connected to routers, good old X.25 networks, etc. Also, not all
attacks can be easily reproduced using automated VA tools: just think
about common technologies as WLANs and (web) applications in general, an
automated testing approach would definitely miss some attack paths. Not to
mention social engineering, physical intrusions, dumpster diving, and
other popular ways to fool your expensive security measures.

In short, my point is: depending on the complexity of my operational
environment, I'd be very careful before deciding to rely _only_ on the
common IP infrastructure vulnerability assessments done with popular
automated scanning tools to secure my information. There's more out there
that must be tested to ensure you get a 360-degree vision of your
organization's security posture, and IMHO a good consultant should tell you
before selling you yet another superficial VA.

Just my 2 euro-cents;) Cheers,
