Some very good comments here. To build on Curt's points, I agree that there is much value in performing an external penetration test, but the tester can add much more to the service by observing things in the organization. It is one of the best ways to test, not only things like IDS mechanisms and firewalls, but the personnel as well. Systems are only as good as the people running them.

This divides pen tests into a few shades, black to white. Black hat testing meaning that only a few key people inside know it's happening. This has the element of real world testing. White hat meaning everyone knowing the attack is in progress. This can sometimes hinder testing as staff will attempt to raise security for the test, and in some cases I've been involved with, full counterstrikes are initiated.

What approach do most people here take? Generally, because the client will depend on you to organize the testing, the choice is *usually* yours. What do you think is the best method?

Steve

-----Original Message-----
From: simonis [mailto:simonisat_private]
Sent: Wednesday, May 30, 2001 7:53 AM
To: Curt Wilson
Cc: pen-testat_private
Subject: Re: Penetration test report - your comments please?

Curt Wilson wrote:
>
> The www.<sitename.com> system is currently running at <ISP> and does not
> have any type of firewall or other access control mechanism in place that I
> am aware of. Therefore, this audit is only reflective of the current state
> of the system. Network and host remote vulnerability conditions were tested
> for, with the exclusion of Denial of Service (DOS) and brute-force attacks.
> I was unable to penetrate into the operating system or database within the
> allotted time, therefore it is likely that <sitename.com> is fairly secure
> from all but the most determined attackers or those with pre-existing access.

I wouldn't feel comfortable making this claim based on 3 hours of testing, especially given the unusual constraints. Were I an attacker I would try social engineering, and I would also try a brute-force attack against the database. Excluding these takes a lot away from the overall value of a penetration test and really turns it into a simple, cursory scan.

> Basic recommendations: Disable any unnecessary services and web modules.

I would expand on this. Since you weren't allowed to do a lot with the test, you should focus on the report as a place to add value. Specify which services are known to be easily exploited, give some examples and some guidance on protecting services that are indeed necessary.

> Apply all necessary patches on a timely basis.

This could be expanded to not only the application of patches, but also the necessity of a section in the security policy mandating their application.

I'd also be curious as to if they detected your scans. A lot of people seem to be in the mind that a penetration test should only evaluate the security, or "hardness", of the target hosts and perhaps the effectiveness of the firewalls. I also like to include the ability of the IDS systems to detect my presence, and how the intrusion was handled. Is there a written manual for incident response? If so, were the procedures followed, and were they effective?

There's so much more benefit to be gained from a pen-test than just simply "did the host respond to my romance". Or maybe I just suffer from eternal scope creep ;-)
This archive was generated by hypermail 2b30 : Thu May 31 2001 - 08:44:08 PDT