Re: [ISN] Security audit

From: InfoSec News (isn@private)
Date: Thu Oct 30 2003 - 02:00:51 PST

  • Next message: InfoSec News: "[ISN] Windows & .NET Magazine Security UPDATE--October 29, 2003"

    Forwarded from: security curmudgeon <jericho@private>
    
    Oh pen-testing is so glamorous when they write about it like this.
    Leaving out all types of crucial details, making completely harmless
    mistakes in telling the tale, and hiding the reality of pen-testing
    from the readers makes for a great bed time story.
    
    : http://www.nwfusion.com/research/2003/1020audit.html
    :
    : By Joel Shore
    : Network World, 10/20/03
    :
    : Only a security audit can expose the truth about a network's
    : vulnerability. To see how well-prepared a typical enterprise network
    : is, we found a business willing to let us tag along while a
    : professional auditing company poked and probed 28 of its servers, and
    : then delivered its findings in a face-to-face meeting.
    
    So the nameless client agreed these uber-hax0r pen-testers could check
    out *28* machines on the network. Gotcha..
    
    : Networks Unlimited operates from a 19th-century hilltop Victorian
    : mansion framed by giant sycamore trees. The Hudson, Mass., company
    : audits a diverse mix of businesses - banks, retailers, law firms and
    : government agencies - and provides security solutions. Business is
    : booming.
    
    Great. Banks, retailers, law firms and government agency security is
    in the hands of ISS Scanner Jockeys.
    
    : Bernard's PC is loaded with a software smorgasbord any hacker would
    : envy; his tool of choice is Internet Scanner from Internet Security
    : Systems. Internet Scanner provides automated network-vulnerability
    : assessment across servers, desktops and infrastructure devices. It also
    : probes network services, operating systems, routers, switches, servers
    : and firewalls.
    :
    : "We'll be testing for 1,211 different types of vulnerabilities,"
    : Bernard says. One mouse click, and the audit is underway.
    
    I doubt any hacker envies a computer with ISS on it. While it may scan
    for 1,211 different vulnerabilities, freeware tools such as Nikto scan
    for over 2,500 *web based* vulnerabilities alone. Perhaps this was
    meant to read any 'script kiddy' would envy?
    
    The last line sums up the technical prowess involved: One mouse click,
    and the audit is underway.
    
    : By using one server as a proxy, the other servers let Bernard bypass the
    : perimeter security of the network firewall. In just moments, he gains
    : access to a BayStack hub, residing between two Nokia firewall devices.
    : The hub's factory default password was still in place, easy pickings for
    : an attacker who quickly could disable the device, plunging an entire
    : network segment into digital darkness.
    
    I guess a BayStack hub is a "server" in their context? Or did they
    originally mean "28 devices"? Else, that would be out of the scope of
    the penetration test...
    
    : * Ports galore are open, for no apparent reason.
    
    Two Nokia firewalls, and "ports galore" open? And this organization
    relies on it's staff to secure them? heh
    
    : Tomorrow, the pair will start compiling the results from thousands of
    : port scans, vulnerability checks and surveys of software versions,
    : resulting in a report nearly an inch thick. Then it's off to the client
    : with the bad news.
    
    Why would they be running THOUSANDS of portscans for 28 machines? Did
    they test more than the agreed upon 28? Or is this "creative flair"
    added by the author of the article?
    
    : Bernard takes over, handing out his inch-thick report, explaining it
    : page by page.
    
    Inch thick report for 28 machines? Gah, one of those companies that
    clearly hands over the final ISS report w/o editing it. This is just
    about the biggest disservice you could do for a client. If that is all
    you are capable of doing, running ISS and handing off the pre-fab
    report, just sell them the damn product and be on your way. If not, at
    least add some value to assessment.
    
    : And on it goes. Bernard describes each vulnerability in detail and
    : suggests a remedy. Sometimes it's a patch, stopping an unneeded process
    : or closing a port that's open.
    
    Wonder if he just reads the ISS report verbatim?
    
    : Not at all a good reaction, according to Segal and Bernard. "If this was
    : a bank," heads would be rolling. "This is a hospital. Security is no
    : less critical. It's everybody's problem," Segal says.
    
    Hi Segal and Bernard. There's this thingy, like, ya know, called
    HIPAA? Look it up.
    
    : On the ride home, Segal gets philosophical. "Every business is
    : vulnerable," he says. "This one is no different. Hire an auditor and fix
    : the problems before it's too late."
    
    Yeah, I got that on my fortune cookie last week.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 30 2003 - 05:31:20 PST