Re: Why Penetration Test?

From: intel96 (intel96@bellsouth.net)
Date: Thu Jun 30 2005 - 11:17:32 EDT


Marco,

I totally agree with you that automated tools cannot identify all the
attack vectors and they never will. That is why a good pen-test should
look at more than the logical network with only an automated tool. I
remember a large-scale VA test that I performed where I found a HUGE
hole in the security of the organization as I was heading to lunch. My
lunch path took me across the loading dock where tons of mainframe
print-outs containing account numbers, social security numbers and more
were waiting to go to the local dump. I grabbed a printout and walked
to the IT manager that hired me for the VA and explained the problem and
about ID theft (this was a nightmare, because ID theft was not even in
the nightly news or the papers yet). The manager pulled all the
printouts off the dock and I helped them find a local ShredIT company.
Another time I penetrated the company by getting a job to clean the
building, which provided me with the master keys for the company. This
allowed me to put a disk copier in the trash can that I pulled around.
I was able to obtain copies of the CxO hard drives using my super
access-level as janitor. The company changed the policy about giving
master keys that accessed sensitive spaces after this test.

Intel96

Marco Ivaldi wrote:

>>I was wondering the usefulness of a penetration testing against
>>vulnerability assessment for a company.
>
>Hey pen-testers,
>
>First of all, I apologize for coming so late to the party -- I've been far
>from the Internet for a couple of weeks lately...
>
>Just wanted to point out something crucial to me that surprisingly enough
>has not been mentioned yet in this discussion: a security professional
>must always remember that there are some attack vectors that are hard (if
>not impossible) to spot and test thoroughly using automated VA tools.
>
>Yeah, not all attacks come from the IP infrastructure: instead, in my
>personal and professional experience I witnessed that most dangerous
>attacks come very often through PBX, RAS connected to a PSTN, backup ISDN
>lines connected to routers, good old X.25 networks, etc. Also, not all
>attacks can be easily reproduced using automated VA tools: just think
>about common technologies such as WLANs and (web) applications in general; an
>automated testing approach would definitely miss some attack paths. Not to
>mention social engineering, physical intrusions, dumpster diving, and
>other popular ways to fool your expensive security measures.
>
>In short, my point is: depending on the complexity of my operational
>environment, I'd be very careful before deciding to rely _only_ on the
>common IP infrastructure vulnerability assessments done with popular
>automated scanning tools to secure my information. There's more outta here
>that must be tested to ensure you get a 360-degree vision of your
>organization's security posture, and IMHO a good consultant should tell you
>before selling you yet another superficial VA.
>
>Just my 2 euro-cents;) Cheers,
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:30 EDT