Re: Bank pen test

From: Rick Zhong (sagiko@gmail.com)
Date: Fri Mar 03 2006 - 00:45:01 EST


hi,
Are you able to access their ISS scanning report? If yes, I think you
need to take a detailed look at the report and find as much
information as possible. It seems to me that this bank just wants to
get rid of all the vulnerabilities discovered by the ISS scanner, be it to
meet compliance or just a requirement from the Infosec side. I have seen
a lot of cases where clients just want to have nice VA tool reports.
I doubt they will buy the results from actual penetration testing
using tools such as Core Impact. I would suggest focusing on the ISS
reports and working on the resolutions based on the reports.

regards,

Rick Zhong Liming
www.sinfosec.org
www.security.org.sg

On 3/3/06, Noe Espinoza Mancillas <nespinoza@grupowissen.com> wrote:
> hello all!
>
> Now I'm still waiting to start an internal penetration test in a bank .. they
> have a lot of servers.. HP-UX, Win, Sun, Linux, etc. and now they are
> using ISS (scanner) to find vulnerabilities and then they do a remediation
> with some scripts and other commercial tools... so..
> now they need help because the ISS scanner, every time it is run, finds
> the same vulnerabilities after patching the servers. I told them that it is really
> important to use some other different scanners and do a penetration test
> to review if the vulnerabilities are really a risk for the business!!.. and
> they don't accept it ..
>
> But they need it.. they need to make a remediation of all the vulnerabilities in
> all the 4000 servers!
>
> so.. they ask for a pen test for only 20 servers.. and I don't know how
> I can select the number of servers that I need to test to be sure that all the
> rest of the servers have the same vulnerabilities!!.. ?
>
> and what kind of tools can I use to do that!?
>
> I have never been in that kind of penetration test :(..
>
> I think to use Core Impact!
>
> any suggestions?
>
>
> regards
>
> noe

------------------------------------------------------------------------------
This List Sponsored by: Lancope

"Discover the Security Benefits of Cisco NetFlow"
Learn how Cisco NetFlow enables cost-effective security across distributed
enterprise networks. StealthWatch, the veteran Network Behavior Analysis (NBA)
and Response solution, leverages Cisco NetFlow to provide scalable,
internal network security.
Download FREE Whitepaper "Role of Network Behavior Analysis (NBA) and Response
Systems in the Enterprise."

http://www.lancope.com/resource/
------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:35 EDT