Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Michael Boman <michael.boman () gmail com>
Date: Sat, 18 Apr 2009 09:24:17 +0200
See comments inline.

On Sat, Apr 18, 2009 at 6:35 AM, Jeffrey Walton <noloader () gmail com> wrote:
> Hi Elizabeth,
>
>> I am finishing up my Master's Degree in Information Assurance
>
> Congratulations.
>
>> During my research, I saw someone who was a Licensed Pen Tester/Consultant.
>
> You'll get lots of answers from folks who do it for a living. Allow me to offer the SysAdmin view. While glamorous, penetration testing can be very destructive on a network. I perform regular audits with MBSA, NetChk, NMap, and Nessus. As a SysAdmin, I am really interested in two things: what ports are open (and why), and what hosts are not patched to the latest revision (and why). I have no desire to walk around rebooting workstations and servers after a test.

Although doing regular audits is a good thing, there are many places where they will not find the vulnerabilities. Your (custom) website, for example, or 3rd party apps not covered by your audit tools. And if you have to walk around and reboot servers individually, you have a problem with the system management bit. The simple fact that the tools "screw up your system" is an indication that they are vulnerable to something.

>> He would "ethically hack" without the employees knowing it.
>
> This can get you in trouble.

Not always true. Sometimes the management wants not only to find out if they are vulnerable against a targeted attack, but sometimes they engage in penetration testing just to see how their incident response procedures are working - and then it is fairly common that only the top management knows what is really going on. The IT administrator does not need to know that a penetration test is taking place, but management does need to authorize such a test.

> The result is that someone higher up on the food chain gets very irritated because the NOC team had to report downtime on servers. And it only gets worse when Domain Controllers are forced to reboot because a test 'got away' from the Security team. I was also part of a database recovery because a server was rebooted due to a penetration test. Again, no one was informed, the DBA did not have an up to date backup, and the instantaneous reboot corrupted the database.

Sounds like the upper management was not properly informed in this instance, or that the boss wasn't high enough in the food chain. The penetration tests I perform are authorized by the CEO/CIO/CSO, and the IT department head might not always be aware of the penetration test - just because the CXO wanted to know if it was going to be noticed in the first place.

> In the end, nearly anyone can acquire and use the tools. It's all in the proper application to achieve the goals of the organization.

True. Penetration testing is not a silver bullet, and it's worse - it doesn't prove anything. It is usually not an exhaustive test, and may not include all the vulnerable systems. A system/application audit is a "better" way to solve the problem, except it is also going to miss stuff, and not always going to take the full picture into account. Even if individual components in a network are "secure" and fully patched, the simple fact that there is a network that connects the components can cause vulnerabilities.

Best regards
Michael Boman
-- 
http://michaelboman.org - Security Blog & Wiki
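The SysAdmin audit Jeffrey describes in the quoted message ("what ports are open, and why") is easy to automate once an expected-ports baseline exists per host. The following is an added example, not code from either poster or from the list: it parses nmap's "grepable" (-oG) output format, compares each host's open TCP ports against a hypothetical baseline that records the reason each port is allowed, and reports ports that are open without a documented reason, baseline ports that are no longer listening, and baseline hosts the scan never covered. The scan text and the baseline are constructed sample data; the host names, addresses and reasons are placeholders.

```python
"""Compare nmap -oG output against an expected-ports baseline (added example)."""

# Constructed sample of nmap grepable (-oG) output; not real scan data.
# Each host normally gets a "Status: Up" line followed by a "Ports:" line;
# fields on a line are tab-separated "Name: value" pairs.
SAMPLE_SCAN = (
    "# Nmap scan initiated as: nmap -oG - 192.168.1.0/24  (constructed)\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.10 (web01.example)\tStatus: Up\n"
    "Host: 192.168.1.10 (web01.example)\tPorts: 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 (db01.example)\tPorts: 22/open/tcp//ssh///, "
    "1433/open/tcp//ms-sql-s///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: filtered (997)\n"
    "Host: 192.168.1.30 (ws07.example)\tPorts: 135/open/tcp//msrpc///, "
    "445/open/tcp//microsoft-ds///, 5900/open/tcp//vnc///, "
    "139/closed/tcp//netbios-ssn///\tIgnored State: closed (996)\n"
)

# Hypothetical baseline: for each host, the TCP ports that are supposed to be
# open and the documented reason ("and why"). Anything else open is a finding.
BASELINE = {
    "192.168.1.10": {22: "admin ssh", 80: "public web", 443: "public web",
                     8443: "mgmt console"},
    "192.168.1.20": {22: "admin ssh", 1433: "app db"},
    "192.168.1.30": {135: "windows rpc", 445: "file sharing"},
}


def parse_grepable(text):
    """Return {ip: {port: service}} with every open TCP port per host."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # skip comment/header lines
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]          # "192.168.1.10 (name)" -> ip
        open_ports = hosts.setdefault(ip, {})   # a Status-only line yields {}
        for entry in fields.get("Ports", "").split(","):
            parts = entry.strip().split("/")
            # port/state/protocol/owner/service/rpc info/version/
            if len(parts) < 5:
                continue
            port, state, proto, _owner, service = parts[:5]
            if state == "open" and proto == "tcp":
                open_ports[int(port)] = service
    return hosts


def audit(scan, baseline):
    """Diff a parsed scan against the baseline and return the findings."""
    unexpected = []   # (ip, port, service): open, but no documented reason
    missing = []      # (ip, port, reason): documented, but not listening
    for ip, open_ports in scan.items():
        expected = baseline.get(ip, {})
        for port, service in sorted(open_ports.items()):
            if port not in expected:
                unexpected.append((ip, port, service))
        for port, reason in sorted(expected.items()):
            if port not in open_ports:
                missing.append((ip, port, reason))
    # Hosts with a baseline that the scan never reached deserve a look too.
    unscanned = sorted(set(baseline) - set(scan))
    return {"unexpected": unexpected, "missing": missing, "unscanned": unscanned}


if __name__ == "__main__":
    report = audit(parse_grepable(SAMPLE_SCAN), BASELINE)
    for ip, port, service in report["unexpected"]:
        print(f"UNEXPECTED {ip} tcp/{port} ({service}) - no documented reason")
    for ip, port, reason in report["missing"]:
        print(f"MISSING    {ip} tcp/{port} ({reason}) - baseline port not open")
    for ip in report["unscanned"]:
        print(f"UNSCANNED  {ip} - in baseline but absent from scan")
```

In practice the baseline file is the valuable artifact: it forces someone to write down why each port is open, and the report then only lists deviations from that record instead of every open port on the network. Note that the parser ignores non-open and non-TCP entries, so a UDP audit would need its own baseline.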
Current thread:
- Need Some Guidance Please Elizabeth Tolson (Apr 17)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 17)
- Re: Need Some Guidance Please Michael Boman (Apr 18)
- Re: Need Some Guidance Please Daniel Clemens (Apr 18)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 18)
- Re: Need Some Guidance Please Micheal Cottingham (Apr 18)
- Re: Need Some Guidance Please Michael Boman (Apr 21)
- Re: Need Some Guidance Please Nate (Apr 18)
- Need for Intrusion/Infection Data Baykal, Adnan (CSCIC) (Apr 21)
- Re: Need for Intrusion/Infection Data Jon Janego (Apr 21)
- Re: Need for Intrusion/Infection Data Leonardo Cavallari Militelli (Apr 21)
- RE: Need for Intrusion/Infection Data Honer, Lance (Apr 21)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 17)
- Re: Need Some Guidance Please Elizabeth Tolson (Apr 21)