Re: Remote Desktop Security - Compliance VS Pen-Test

[Kish Pent <kish_pent () yahoo com>]

Hi Nate,

I'd like to put forth three things here... First, I love the technical incompetence of the Qualysguard scanner, sorry :P

Second, And I concur that this has been posted wrongly to the web-app mailing list. Third, but not last, I would still 
stand by what I wrote, 
Compliance is only for "security marketing" ... 9 out of 10 companies who're compliant with ISO/SCADA etc can be 
penetrated, otherwise why would people write or talk about "Breaking SCADA Systems" ;)

The truth, compliance without pen-test is a sheer waste of time, or an effort to prove that they're secure (to the 
unsuspecting public)

That's just me, YMMV folks ...

Cheers,
Kish

--
Kishore Parthasarathy, 
Penetration Tester, Smart Security,
17/1,Upstairs, Sarojini St,T.Nagar, 
Chennai - 600 017

Phone: 91 98841 80767


--- On Tue, 9/2/08, Nate McFeters <nate.mcfeters () gmail com> wrote:

> From: Nate McFeters <nate.mcfeters () gmail com>
> Subject: Re: Remote Desktop Security - Compliance VS Pen-Test
> To: "Rivest, Philippe" <PRivest () transforce ca>
> Cc: kish_pent () yahoo com, "jaredmalthus" <jared.malthus () gmail com>, webappsec () securityfocus com
> Date: Tuesday, September 2, 2008, 9:17 AM
> > > Pen-Test will do a maximum damage with minimal
> effort I know. It will
> > > probably succeed, but Pen-Test is covered in a
> compliance check as of SOX
> and
> > > COBIT.
>
> What world are you living on?  I've done tons of COBIT
> pentests, its always
> an infrastructure based pentest.  What we're talking
> about here is the need
> for getting web applications secured most importantly right
> now.  Having
> Qualys come in and run their scanning tool on your hosts
> every day isn't
> keeping anyone from getting hacked.
>
> > > Let me explain what I think, compliance is for
> marketability but it also
> > > ensure that a client is doing at least the MINIMUM.
>
> I would contest that compliance does not force clients to
> do the MINIMUM.
> If one of the minimum options is to simply put a WAF in
> front of your web
> app, or point Qualys at your IP addressess, then that is
> NOT an acceptible
> minimum.
>
> To Kish:
> > > Hi Nate,
> > >
> > > The point of having compliance as I understand is
> to "be marketable" to
> your
> > > customers (from their perspective) ... most people
> than not who've passed
> > > compliance will fail a thorough pen-test, hands
> down ;)
>
> If this is the point of compliane it should be scrapped
> immediately.  Being
> compliant does not mean that you are secure; however, if
> you are secure, you
> should be compliant.  If a company is pawning off its
> compliance to its
> customers as security marketing, it should be punished, and
> we should expose
> this "snake oil" marketing practice.
>
> -Nate
>
>
> On Tue, Sep 2, 2008 at 9:04 AM, Rivest, Philippe
> <PRivest () transforce ca>wrote:
>
> > (I don't want to branch out this conversation)
> > Don't you belive that compliance and Pen-Test is 2
> different domains?
> > Let me explain what I think, compliance is for
> marketability but it also
> > ensure that a client is doing at least the MINIMUM.
> The goal is always to
> > aim
> > to at least the minimum. But it is minimum at
> everything, and this is
> > important (everything important..)
> >
> > Pen-Test will do a maximum damage with minimal effort
> I know. It will
> > probably succeed, but Pen-Test is covered in a
> compliance check as of SOX
> > and
> > COBIT. A Pen-Test is aiming at proving security can
> still improve and
> > should
> > be used as such because we all know that most if not
> every network can be
> > penetrated. It should be a mean with which you can
> prove to management that
> > you still need some funding.
> >
> > I'd like to point out to the quote I use in my
> emails:
> > "Everything that can fail, will fail. If
> something can't fail, it will fail
> > anyway" - Murphy
> >
> > Merci / Thanks
> > Philippe Rivest, CEH, Network+, Server+, A+
> > Vérificateur interne en sécurité de
> l'information
> > Courriel: Privest () transforce ca
> > Téléphone: (514) 331-4417
> > www.transforce.ca
> >
> > Vous pourriez imprimer ce courriel, mais faire pousser
> un arbre c'est long.
> > You could print this email, but it does takes a long
> time to grow trees.
> > "Everything that can fail, will fail. If
> something can't fail, it will fail
> > anyway" - Murphy
> > -----Message d'origine-----
> > De : listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] De
> > la
> > part de Kish Pent
> > Envoyé : 2 septembre 2008 03:14
> > À : Nate McFeters
> > Cc : webappsec () securityfocus com; jaredmalthus
> > Objet : Re: Remote Desktop Security
> >
> >
> > Hi Nate,
> >
> > The point of having compliance as I understand is to
> "be marketable" to
> > your
> > customers (from their perspective) ... most people
> than not who've passed
> > compliance will fail a thorough pen-test, hands down
> ;)
> > We all know that compliance is crap to begin with, but
> that's the sad
> > reality.
> >
> > Cheers :)
> > Kish
> >
> > --
> > Kishore Parthasarathy,
> > Penetration Tester, Smart Security,
> > 17/1,Upstairs, Sarojini St,T.Nagar,
> > Chennai - 600 017
> >
> > Phone: 91 98841 80767
> >
> >
> > --- On Sun, 8/31/08, Nate McFeters
> <nate.mcfeters () gmail com> wrote:
> > > From: Nate McFeters
> <nate.mcfeters () gmail com>
> > > Subject: Re: Remote Desktop Security
> > > To: kish_pent () yahoo com
> > > Cc: webappsec () securityfocus com,
> "jaredmalthus" <jared.malthus () gmail com
> > > Date: Sunday, August 31, 2008, 5:50 PM
> > > Hard to believe someone would PCI certify
> LogMeIn.  Makes me
> > > lose my faith
> > > in PCI... oh wait, I never had any faith in it to
> begin
> > > with.
> > >
> > > -Nate
> > >
> > > On Sun, Aug 31, 2008 at 5:45 AM, Kish Pent
> > > <kish_pent () yahoo com> wrote:
> > >
> > > > Try RSASecurID or Phonefactor's two
> factor
> > > authentication scheme.
> > > > Overview of what is available in LogMeIn Pro
> version
> > > can be found here,
> > > > https://secure.logmein.com/security.asp
> > > >
> > > > Documentation of security features for
> LogMeIn can be
> > > found here...
> > > >
> https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf
> > > > Cheers :)
> > > > Kish
> > > >
> > > >
> > > > --
> > > > Kishore Parthasarathy,
> > > > Penetration Tester, Smart Security,
> > > > 17/1,Upstairs, Sarojini St,T.Nagar,
> > > > Chennai - 600 017
> > > >
> > > > Phone: 91 98841 80767
> > > >
> > > > --- On Sat, 8/30/08, jaredmalthus
> > > <jared.malthus () gmail com> wrote:
> > > > > From: jaredmalthus
> > > <jared.malthus () gmail com>
> > > > > Subject: Remote Desktop Security
> > > > > To: webappsec () securityfocus com
> > > > > Date: Saturday, August 30, 2008, 6:47
> PM
> > > >  > I need to be PCI compliant using a
> remote access
> > > program
> > > > > called LogMeIn.
> > > > > Does anyone have any suggestions on
> two-factor
> > > > > authentication solutions that
> > > > > work with LogMeIn?
> > > > > --
> > > > > View this message in context:
> http://www.nabble.com/Remote-Desktop-Security-tp19238126p19238126.html
> > > > > Sent from the Web App Security mailing
> list
> > > archive at
> > > > > Nabble.com.
> -------------------------------------------------------------------------
> > > > > Sponsored by: Watchfire
> > > > > Methodologies & Tools for Web
> Application
> > > Security
> > > > > Assessment
> > > > > With the rapid rise in the number and
> types of
> > > security
> > > > > threats, web application security
> assessments
> > > should be
> > > > > considered a crucial phase in the
> development of
> > > any web
> > > > > application. What methodology should be
> followed?
> > > What tools
> > > > > can accelerate the assessment process?
> Download
> > > this
> > > > > Whitepaper today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> > > > >
> -------------------------------------------------------------------------
> > > >
> -------------------------------------------------------------------------
> > > > Sponsored by: Watchfire
> > > > Methodologies & Tools for Web
> Application Security
> > > Assessment
> > > > With the rapid rise in the number and types
> of
> > > security threats, web
> > > > application security assessments should be
> considered
> > > a crucial phase in the
> > > > development of any web application. What
> methodology
> > > should be followed?
> > > > What tools can accelerate the assessment
> process?
> > > Download this Whitepaper
> > > > today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> > > >
> -------------------------------------------------------------------------
> > > >
> -------------------------------------------------------------------------
> > Sponsored by: Watchfire
> > Methodologies & Tools for Web Application Security
> Assessment
> > With the rapid rise in the number and types of
> security threats, web
> > application security assessments should be considered
> a crucial phase in
> > the
> > development of any web application. What methodology
> should be followed?
> > What
> > tools can accelerate the assessment process? Download
> this Whitepaper
> > today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> >
> -------------------------------------------------------------------------
> >




-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------