Re: Penetration test report - your comments please?

From: simonis (simonisat_private)
Date: Wed May 30 2001 - 07:53:11 PDT

    Curt Wilson wrote:
    > 
    > 
    > The www.<sitename.com> system is currently running at <ISP> and does not
    > have any type of firewall or other access control mechanism in place that I
    > am aware of. Therefore, this audit is only reflective of the current state
    > of the system. Network and host remote vulnerability conditions were tested
    > for, with the exclusion of Denial of Service (DOS) and brute-force attacks.
    > I was unable to penetrate into the operating system or database within the
    > allotted time, therefore it is likely that <sitename.com> is fairly secure
    > from all but the most determined attackers or those with pre-existing access.
    
    I wouldn't feel comfortable making this claim based on 3 hours of
    testing, especially given the unusual constraints.  Were I an attacker
    I would try social engineering, and I would also try a brute-force attack
    against the database.  Excluding these takes a lot away from the overall
    value of a penetration test and really turns it into a simple, cursory
    scan.
    
    
    > 
    > Basic recommendations: Disable any unnecessary services and web modules.
    
    I would expand on this.  Since you weren't allowed to do a lot with the
    test, you should focus on the report as a place to add value.  Specify
    which services are known to be easily exploited, give some examples and
    some guidance on protecting services that are indeed necessary.
    
    > Apply all necessary patches on a timely basis. 
    
    This could be expanded to not only the application of patches, but also
    the necessity of a section in the security policy mandating their 
    application.
    
    I'd also be curious as to whether they detected your scans.  A lot of people
    seem to be of the mind that a penetration test should only evaluate the
    security, or "hardness", of the target hosts and perhaps the effectiveness
    of the firewalls.  I also like to include the ability of the IDS systems
    to detect my presence, and how the intrusion was handled.  Is there a
    written manual for incident response?  If so, were the procedures followed,
    and were they effective?  There's so much more benefit to be gained from
    a pen-test than just simply "did the host respond to my romance".
    
    Or maybe I just suffer from eternal scope creep  ;-)
    



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 09:59:51 PDT