RE: Ethical hacker article published

From: Craig Wright (cwright@bdosyd.com.au)
Date: Thu Feb 22 2007 - 17:25:48 EST


Hello,
Unfortunately, there is no peer review process associated with industry magazines. In the case of this one I note that you are the editor which also makes review less likely. However there are some points the article I would like to point out.

To start with, the terms that you have grouped together (ethical hacking, penetration testing, intrusion testing and red teaming) are all different. It may be true that there are overlaps between each of these, but they are not the same. This is a common misconception and one that I will hopefully address. Common mistakes in nomenclature, even when made by many people, do not make them correct.

Of most important note is the fallacy you hold that ethical attackers are actually testing system security. This is not correct. In fact it is being constantly shown (references available on request) that ethical attacks do far less to categorically qualify security risks than many other forms of testing. They do not, for instance, take note of internal controls. In fact, many potential vulnerabilities cannot be discovered in a penetration test by the nature of the testing. Next, it needs to be remembered that there is an economic cost associated with penetration testing. The ethical attacker is constrained by a budget of time and thus money.

Blind testing by its very nature will take longer than auditing a site with knowledge. The review undertaken by the ethical attacker is thus hobbled from the start. It is infeasible to state that the contractor will have more knowledge at the end of a review if it is done as an ethical attack with limited knowledge than after a systems review with full information.

Red teaming has been used by both government and business for many decades in a variety of areas, including physical and logical testing. At its simplest it is a peer review concept. Another way to look at it is as a method of assessing vulnerabilities. In cases where red teaming refers to the provision of adversarial perspectives, the design of the red team is not hampered in the manner that ethical attacks are. There is little correlation between a red team exercise and an ethical attack in any sense of the word.

The formation of red cells is a situation unlikely to occur in any ethical attack. Further, internal intelligence is unlikely to be gathered as part of an ethical attack. In this instance it is more likely that the ethical attack will consist of beating away at the Internet gateway. A red team engagement is wider in scope; areas including internal subversion and associated control checks cannot be ignored in this type of test. It is unlikely that they would even cross the mind of the ethical attacker.

Next, a vulnerability assessment and an ethical attack differ significantly. Vulnerability assessments are part of a complete risk analysis program. Ethical attacks do not in themselves form part of this measure and process, although they may be used as a single phase within one of these processes.

Vulnerability assessments involve the cataloguing of assets and capabilities. The lack of internal knowledge provided in the typical ethical attack process precludes this phase. Next, vulnerability assessments work on the basis of assigning value to the asset that is being attested by this process. This is a quantifiable value which is determined through this process.

Subsequently, vulnerabilities, and potentially threats to these resources, are determined. This process is not limited to external attacks. It needs to take into account not only external attacks and even internal attacks, but must also necessarily consider physical threats and many other tests outside the reach of the ethical attack.

The lack of foreknowledge as to the qualification of value associated with any particular asset negates the possible assessment of a vulnerability status by an ethical attack process.

Further, although it is commonly called a vulnerability, an unpatched system or "hole" does not in itself make a vulnerability. What the ethical attacker is noting is a potential vulnerability. Other information needs to be associated with this potential vulnerability before it may be classified as a vulnerability. There is a great difference between a potential vulnerability and a vulnerability. Before this determination can be made it is necessary to understand the system being tested. The limited knowledge provided in blind testing or other black box test processes is seldom adequate to provide this information. Although the ethical attacker or even penetration tester may stumble across a vulnerability with serious consequences, it is rarely likely that they will be able to determine this without additional internal information.

Although many people do not seem to realise the difference between these types of processes, ethical attacks are not vulnerability assessments, nor are they red teaming exercises.

Hence the value in peer reviews before publishing.

Regards,
Craig S Wright

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Steve Fletcher
Sent: Wednesday, 21 February 2007 1:18 PM
To: pen-test@securityfocus.com
Subject: Ethical hacker article published

For anyone who is interested, my recent article on ethical hackers has been published. You can find it at http://www.certmag.com/articles/templates/CM_gen_Article_template.asp?articleid=2652&zoneid=225 or in the March issue of Certification Magazine.

Thanks again to everyone who provided helpful information. Unfortunately, they edited out the sentence giving credit to those who provided information. :(

If anyone has any feedback (good or bad), please let me know for future articles.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, Security+
Email:  safletcher@insightbb.com
Web:  http://safletcher.home.insightbb.com

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:36 EDT