John, I appreciate your addition to the discussion. However, I must say that I disagree with the idea of a "blind" anything, for several reasons.

First and foremost, it isn't safe. What I mean by that is that if you're conducting a "blind" external pen test, and you have no idea what you're dealing with, with regards to the overall infrastructure, you could very well take down a mission-critical system.

Second, conducting a "blind" external pen test and telling the client that "I got in through this hole in that server" and telling him what patch to apply is doing him a disservice. Doing so doesn't take a complete look at the overall infrastructure...you're only addressing one hole on one server. The overall security of the entire infrastructure depends on a lot more than the sum of all the holes in all of the systems. For example, when I look at an infrastructure with many NT systems, I'll take a look at the patch levels on each one. Then, I'll analyze that information in the context of the entire infrastructure...what does it mean if the patch levels are all different? How about if the patch levels are all the same, but they're all SP 4? Doing so addresses the REAL security issues of the infrastructure.

Third, a "blind" internal pen test provides as little meaningful information to the customer as an external one. If you provide a list of holes on a list of systems, and what to do for each one (a la an ISS Internet Scanner report), you do nothing for your client that he couldn't do for himself...therefore, you add no value. What are the real issues of the infrastructure? A lack of staffing? Is training needed? Is it a lack of guidance or leadership from management?

My point is simply this...customers pay consultants to provide a service. That service should provide value, as well. Anyone can purchase a commercial scanning product, and amortize the overall cost of the product and licensing over several clients. The business differentiator for consulting firms is the analysis they provide. In order to provide an analysis that is meaningful to and adds value for the customer, the consulting firm must understand the infrastructure as completely as possible. This not only includes the technical aspects, but the day-to-day business processes, as well. Pen tests do not provide this information.

Further, pen tests attempt to emulate a 'real world' attack, to some degree. The attacker or pen tester will generally compromise a system with the first vulnerability that they successfully exploit. If the pen tester finds a hole to get in, does he then go back and find all of the other possible holes? Not likely. So telling the customer how he got in and how to patch that hole does the customer little good. They patch the hole and think they're safe. Even if the consulting firm does a more comprehensive scan, and provides all of the holes they found that could be exploited, this is only a snapshot. Instructing the customer to patch the holes adds no value. A vulnerability assessment requires the consultant to understand the business processes, so that the recommendation can be provided in terms that describe security as a process.

> Since we are all professionals, we
> usually gain access from the outside.

Of all of the statements you made, this one concerned me the most. I'm not sure how being a professional equates to gaining access.

> When we walk into the CIO's office
> and hand him the administrative passwords we
> instantly gain credibility
> while making the threat more tangible. This
> tangibility is part of the package.

What you're talking about here is really shock value. You can obtain the same information in other ways...timing how long it takes for L0phtcrack to crack a certain percentage of the hashes in the SAM, for example. Besides, what does it do to your credibility if you weren't able to gain access, let alone get admin passwords?
Do you, as a consultant, or your company offer a guarantee that you'll get in? I'm just curious...

Thanks,

Carv
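The post above argues that a list of NT patch levels only becomes a finding once it is read across the whole infrastructure: all hosts at different levels says one thing, all hosts uniformly at SP4 says another. The script below is an added example (not the author's code or tooling) that turns that reading into an explicit check over a constructed host inventory. It assumes NT 4.0 service-pack ordering with SP6a as the current baseline, and the hostnames and roles are made up for illustration.

```python
"""Read NT service-pack levels as an infrastructure finding, not a host list.

Added example, not from the original post. SP6a as the target baseline is an
assumption (it was the final service pack for NT 4.0); the inventories below
are constructed.
"""
from collections import Counter

# NT 4.0 service packs, oldest to newest.  Assumed ordering for this example.
SP_ORDER = ["SP1", "SP2", "SP3", "SP4", "SP5", "SP6", "SP6a"]
TARGET_SP = "SP6a"  # assumed current baseline

# Constructed inventory: every host at the same, old level.
UNIFORM_STALE = """
# host   role                 service_pack
dc01     domain-controller    SP4
dc02     domain-controller    SP4
web01    iis                  SP4
file01   file-server          SP4
sql01    sql-server           SP4
"""

# Constructed inventory: levels scattered across the estate.
DIVERGENT = """
dc01     domain-controller    SP6a
dc02     domain-controller    SP3
web01    iis                  SP5
file01   file-server          SP4
sql01    sql-server           SP6
"""


def parse_inventory(text):
    """Parse whitespace-separated 'host role service_pack' lines; '#' comments skipped."""
    hosts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, role, sp = line.split()
        if sp not in SP_ORDER:
            raise ValueError(f"unknown service pack {sp!r} on {host}")
        hosts.append({"host": host, "role": role, "sp": sp})
    return hosts


def packs_behind(sp):
    """How many service packs behind the baseline a given level is."""
    return SP_ORDER.index(TARGET_SP) - SP_ORDER.index(sp)


def assess(hosts):
    """Classify the estate, not the individual hosts.

    uniform-current : one level, at baseline      -> patch process is working
    uniform-stale   : one level, behind baseline  -> a standard build exists but
                                                     nothing ever updates it
    divergent       : several levels              -> no consistent patch process;
                                                     hosts are patched ad hoc
    """
    levels = Counter(h["sp"] for h in hosts)
    behind = {h["host"]: packs_behind(h["sp"]) for h in hosts if packs_behind(h["sp"]) > 0}
    if len(levels) == 1:
        finding = "uniform-current" if not behind else "uniform-stale"
    else:
        finding = "divergent"
    return {"finding": finding, "levels": dict(levels), "behind": behind}


if __name__ == "__main__":
    for label, inv in (("uniform", UNIFORM_STALE), ("divergent", DIVERGENT)):
        result = assess(parse_inventory(inv))
        print(label, result["finding"], result["levels"])
```

The per-host `behind` map is what a scanner report already gives the client; the `finding` field is the analysis the post says the consultant is paid for. A "uniform-stale" estate points at a build or change-management process that was never revisited, while a "divergent" one points at the absence of any process, and those lead to different recommendations even though the hotfix list for each host might look similar.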
This archive was generated by hypermail 2b30 : Sun Sep 16 2001 - 23:07:37 PDT