Penetration Testing mailing list archives
Re: Formal audit background for the penetration tester?
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Fri, 29 May 2009 19:45:38 -0430
On Friday 29 May 2009 10:48:52 lister () lihim org wrote:
> Has anyone transitioned from a purely technical background in InfoSec to the audit field? What trends are emerging with increased regulatory scrutiny on the rise (government/PCI requirements)? As I am not familiar with the CISA certification or the audit field of work, I'm not sure if this would be a step backward or beneficial to a penetration tester or someone with purely technical skills in InfoSec.
CISA is more for a formal audit process. CISA would be appreciated by many companies since it helps the auditor do it well (documentation and process), but it is not a limitation for pentesting, especially when pentesting requires more technical skills rather than formalisms. An audit well done could be sufficient without a pentest. But "well done" is extremely expensive for most companies.

Pentesting has three main purposes:

1. Demonstrate that your network is vulnerable and requires a more formal audit. Some companies are vulnerable and don't want to spend budget on information security. They think that the network is not vulnerable because they have a firewall, or something like that (sometimes, some companies have told me that they are not vulnerable since they have antivirus...). In such cases, sometimes, the company must be challenged, and most times they accept the challenge. The challenge consists of a blackbox audit (mostly pentesting or ethical hacking) that demonstrates that they have vulnerabilities. This challenge is only to demonstrate and open the budget. This pentest or ethical hacking is generally presented together with an impact and risk study.

2. Another goal of pentesting is to complement the audit when you need to reduce costs. As I said, an audit on its own could be extremely expensive, since if you need to assure something you will need to review everything, and sometimes, with an ethical hacking, you can quickly determine what you need. Certainly it is not fully accurate, but sometimes companies with hundreds of servers prefer to secure them fast rather than secure them well.

3. Validate the formal auditor's job. After the audit, a third-party pentest could be done to validate the accuracy of the audit. (I think that this is more a psychological effect needed by some CEOs to be happy about their investment in security.)

------------------------

How accurate is a pentester? A good pentester could determine many of the things determined in a full audit.
For example, on some webserver with a CMS, the pentester would put emphasis on updates, on installing some HIDS/HIPS for future unknown attacks, on password policy, and sometimes on fixing policies. A pentester must determine what policies are harmful, and sometimes it will miss some policy recommendations because, since this is blackbox testing, the pentester could not determine some internal policies. I'll give you an example: the webserver has PHP with register_globals on, but the attacker could not determine it right now... Some time ago, a new exploit in a new branch of the CMS software was only exploitable if "register_globals" was on (this has happened many times)... Then the pentester could make a final recommendation about hardening PHP, but not related directly to the pentest flags.

---------------------------

Having all of this in mind, let's summarize the problem. If you have to reduce costs and time, accepting some risk, the audit process could be complemented with pentesting. But "a good pentester" is determined by skills rather than by fine documentation and audit know-how (which could be appreciated, but is not determinant).

- Some specific certifications exist for pentesting, for example CEH.
- For auditing: CISA, ISO27001, etc.
- For security management: CISSP, GIAC.
- Other specific certs are useful in other branches.
- Other specific postgraduate degrees are useful also.

-----------------------

PCI and other requirements should be done by formal auditing. After or before that, pentesting (not the audit) reflects the blackbox reality, exposed also in the wild. I think that it is a paradox that an ethical hacker would be limited by some rules when a real attacker is not. The only rule that applies to ethical hacking is to be ethical.
-- Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503 BBPIN: 0x 247066C1
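The register_globals point in the message above is worth seeing in code. The following is an added example, not part of the original message or of any CMS the thread mentions: it reproduces the register_globals effect with extract() (register_globals itself was removed in PHP 5.4), shows the variable-injection bypass it enables, and shows the hardened form of the same check plus a run-time probe of the setting. The function names, the $authorized flag, the session layout and the request data are all hypothetical and constructed for the example.

```php
<?php
// Added example, not part of the original message. Demonstrates why a
// "register_globals is On" finding matters even when the blackbox test did
// not reach it, and what the hardened version of the same code looks like.
// All names below ($authorized, 'user', the request array) are hypothetical.
// register_globals was removed in PHP 5.4; extract() stands in for it here so
// the script runs on any PHP version.

// Vulnerable pattern (exploitable only when register_globals is On).
// With register_globals=On, a request carrying ?authorized=1 pre-populates
// $authorized before this code runs, so a user who is not 'admin' is still
// accepted because the script never initialises the variable itself.
function is_admin_vulnerable(array $session, array $request)
{
    extract($request);                 // reproduces what register_globals did
    if (isset($session['user']) && $session['user'] === 'admin') {
        $authorized = true;
    }
    return !empty($authorized);        // falls back to the request-supplied value
}

// Hardened pattern: initialise every variable before use and read input only
// through explicit superglobals or parameters. Behaves the same whether
// register_globals is On or Off, so the php.ini setting stops mattering.
function is_admin_hardened(array $session, array $request)
{
    $authorized = false;               // never inherited from the request
    if (isset($session['user']) && $session['user'] === 'admin') {
        $authorized = true;
    }
    return $authorized;
}

// Run-time probe a tester or auditor can drop into any page: ini_get()
// returns false when the directive no longer exists (PHP >= 5.4) and a
// falsy string when it is Off.
function report_register_globals()
{
    $setting = ini_get('register_globals');
    $off = ($setting === false || $setting === '' || $setting === '0'
            || strtolower((string) $setting) === 'off');
    return $off
        ? "register_globals is Off (or unsupported on this PHP)\n"
        : "register_globals is On: set register_globals = Off in php.ini\n";
}

// Constructed input: a non-admin session plus a request that smuggles in
// the authorization flag, exactly what an attacker would send.
$session = ['user' => 'guest'];
$request = ['authorized' => '1'];

var_dump(is_admin_vulnerable($session, $request)); // attacker-controlled result
var_dump(is_admin_hardened($session, $request));   // unaffected by the request
echo report_register_globals();
```

Run it with `php register_globals_demo.php` (file name is arbitrary). The hardening recommendation the message talks about corresponds to `register_globals = Off` in php.ini, or `php_flag register_globals off` in an .htaccess file under Apache's mod_php on the PHP versions that still had the directive; the code-level fix (initialise before use, read input through $_GET/$_POST) is what removes the dependency on that setting entirely.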
Current thread:
- Formal audit background for the penetration tester? lister (May 29)
- Re: Formal audit background for the penetration tester? natron (May 29)
- Re: Formal audit background for the penetration tester? Aarón Mizrachi (May 29)
- Re: Formal audit background for the penetration tester? Stephen Mullins (May 30)
- Re: Formal audit background for the penetration tester? Aarón Mizrachi (May 31)