From: Joel Jose (joeljose420@gmail.com)
Date: Fri Aug 10 2007 - 21:55:47 EDT
---------- Forwarded message ----------
From: Joel Jose <joeljose420@gmail.com>
Date: Aug 11, 2007 7:24 AM
Subject: Re: External Pentests Obsolete?
To: Yiannis Koukouras <d4rw1n@linuxmail.org>
hello there,
Please be mindful and thoughtful about what you said. The world is
insecure not because there is no security... but because it is not
IMPLEMENTED correctly. 90% of all insecurity is due to not following
the SECURITY standards. So even if the company has only a few ports
open... and if the scenario is exactly like how you described... then we
still have to test for at least, say, if firewall rules are correctly
given... if other ports are cleanly blocked... if services are
rightly patched... if disaster recovery and business mitigation are in
place... etc.
See... a Pen-Test is not just a PENETRATION ATTEMPT... In my team, when
they get angry... upset... when security is high... when after days of
work we still aren't able to get root... I don't lose my cool...
In fact, I am only happy that the sysadmins are doing well... For me, a
PEN-Test is needed to assure that everything is working... A PEN-TEST is
a level of assurance we give to the customer that certifies that
their security practices are well in order...
The point I am making is: a PEN TEST should be done on a regular
basis... it may allow new vulnerabilities to be found... but MORE
IMPORTANTLY it will give an assurance of the level of preparedness of
the security team. It will warn us, hopefully sooner than the
hacker/disaster event, about our current security level... so we get time
to correct it...
Remember... don't think you are safe if you have a secure PENTEST
report... in a year or even less, we always have the probability to
introduce new vulnerabilities... or some old code may be discovered
vulnerable in future time... The only constant in the Technology
world is the Variable ;)
joel.
On 8/9/07, Yiannis Koukouras <d4rw1n@linuxmail.org> wrote:
> Hi all,
>
> Do you think that an external infrastructure pentest is nowadays obsolete?
>
> What I want to say is that most of the serious companies nowadays will only have a few servers in their DMZ (web server, mail server, SSL concentrator, terminal server, Citrix) and will only allow access to one or two ports on each of them. The rest of the infrastructure (excluding the internet-facing router and firewall) will be completely inaccessible.
>
> Thus, if web application testing is out of scope, there isn't much to test, is there? Only half a dozen services to check for vulnerabilities and misconfiguration, check if mail relay is on, make a password brute-force attack(?), check that the DNS can't be poisoned and VOILA! You have finished!
>
> Do you think that it is ethical to consult our clients to "buy" an external pentest anymore?
>
> P.S. If I am wrong, PLEASE prove me wrong!
>
> --
> Ioannis Koukouras
> CISSP
> MSc in Computer Systems Security
> BEng in Electronic Engineering
> http://www.linkedin.com/in/ikoukouras
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>
--
As soon as men decide that all means are permitted to fight an evil, then their good becomes indistinguishable from the evil that they set out to destroy. - Christopher Dawson, The Judgment of Nations
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:00 EDT