Penetration Testing mailing list archives

Re: Need Some Guidance Please


From: Michael Boman <michael.boman () gmail com>
Date: Sat, 18 Apr 2009 09:24:17 +0200

See comments inline

On Sat, Apr 18, 2009 at 6:35 AM, Jeffrey Walton <noloader () gmail com> wrote:
> Hi Elizabeth,
>
>> I am finishing up my Master's Degree in Information Assurance
> Congratulations.
>
>> During my research, I saw someone who was a
>> Licensed Pen Tester/Consultant.
> You'll get lots of answers from folks who do it for a living. Allow me
> to offer the SysAdmin view. While glamorous, penetration testing can
> be very destructive on a network. I perform regular audits with MBSA,
> NetChk, NMap, and Nessus. As a SysAdmin, I am really interested in two
> things: what ports are open (and why), and what hosts are not patched
> to the latest revision (and why). I have no desire to walk around
> rebooting workstations and servers after a test.

Although doing regular audits is a good thing, there are many places
where they will not find the vulnerabilities: your (custom) website,
for example, or 3rd-party apps not covered by your audit tools. And
if you have to walk around and reboot servers individually, you have a
problem with the system management bit.

The simple fact that the tools "screw up your system" is an indication
that they are vulnerable to something.

>> He would "ethically hack" without the employees knowing it.
> This can get you in trouble.

Not always true. Sometimes management wants not only to find out if
they are vulnerable to a targeted attack, but also engages in
penetration testing just to see how their incident response
procedures are working - and then it is fairly common that only the
top management knows what is really going on. The IT administrator
does not need to know that a penetration test is taking place, but
management does need to authorize such a test.

> The result is that someone higher up on the food chain gets very
> irritated because the NOC team had to report downtime on servers. And
> it only gets worse when Domain Controllers are forced to reboot
> because a test 'got away' from the Security team. I was also part of a
> database recovery because a server was rebooted due to a penetration
> test. Again, no one was informed, the DBA did not have an up to date
> backup, and the instantaneous reboot corrupted the database.

Sounds like the upper management was not properly informed in this
instance, or that the boss wasn't high enough in the food chain. The
penetration tests I perform are authorized by the CEO/CIO/CSO, and the
IT department head might not always be aware of the penetration test -
just because the CXO wanted to know if it was going to be noticed in
the first place.

> In the end, nearly anyone can acquire and use the tools. It's all in
> the proper application to achieve the goals of the organization.

True. Penetration testing is not a silver bullet, and it's worse - it
doesn't prove anything. It is usually not an exhaustive test, and may
not include all the vulnerable systems. A system/application audit is
a "better" way to solve the problem, except it is also going to miss
stuff, and not always going to take the full picture into account.
Even if individual components in a network are "secure" and fully
patched, the simple fact that there is a network that connects the
components can cause vulnerabilities.

Best regards
Michael Boman

-- 
http://michaelboman.org - Security Blog & Wiki
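An added example, not from either poster, of the SysAdmin-side check Jeffrey describes ("what ports are open, and why"): compare an nmap XML report against a baseline of approved ports, where the baseline records the reason each port is allowed, and also list baseline hosts the scan never reached (the coverage gap Michael warns about). The XML sample, host addresses and the BASELINE table are all constructed for illustration.

```python
"""Check an nmap XML report against an approved-ports baseline.

Illustrative script, not from the mailing-list thread: given the XML that
`nmap -oX` writes, report open ports nobody has a documented reason for,
approved ports that are no longer listening, and baseline hosts the scan
did not cover at all.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the nmap -oX format, covering two hosts.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX scan.xml 192.0.2.0/24">
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="3306"><state state="open"/><service name="mysql"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/></port>
    </ports>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical baseline: host -> {(proto, port): reason}. The "why" lives here,
# so an open port with no entry is by definition unexplained.
BASELINE = {
    "192.0.2.10": {("tcp", 22): "admin ssh", ("tcp", 80): "intranet web"},
    "192.0.2.20": {("tcp", 3389): "terminal server"},
    "192.0.2.30": {("tcp", 1433): "sql server"},  # never appears in the scan
}


def open_ports(nmap_xml):
    """Return {addr: {(proto, port), ...}} with the open ports of every host that was up."""
    result = {}
    root = ET.fromstring(nmap_xml)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr_el.get("addr")] = ports
    return result


def audit(nmap_xml, baseline):
    """Diff the scan against the baseline.

    Returns a dict with three findings:
      unexpected  - open ports with no documented reason, per host
      missing     - approved ports that were not found open, per host
      not_scanned - baseline hosts absent from the report (audit coverage gap)
    """
    seen = open_ports(nmap_xml)
    unexpected, missing = {}, {}
    for addr, ports in seen.items():
        allowed = set(baseline.get(addr, {}))
        if ports - allowed:
            unexpected[addr] = sorted(ports - allowed)
        if allowed - ports:
            missing[addr] = sorted(allowed - ports)
    not_scanned = sorted(set(baseline) - set(seen))
    return {"unexpected": unexpected, "missing": missing, "not_scanned": not_scanned}


if __name__ == "__main__":
    findings = audit(SAMPLE_NMAP_XML, BASELINE)
    for addr, ports in findings["unexpected"].items():
        print(f"{addr}: open with no documented reason: {ports}")
    for addr, ports in findings["missing"].items():
        print(f"{addr}: approved but not listening: {ports}")
    for addr in findings["not_scanned"]:
        print(f"{addr}: in baseline but not in scan report")
```

Running it on the constructed sample flags tcp/3306 on 192.0.2.10 as unexplained and 192.0.2.30 as never scanned. The same comparison works on a real `nmap -oX` file read from disk; the point is that the baseline, not the scanner, is where the "why" for each open port gets recorded.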
