Home page logo

pen-test logo Penetration Testing mailing list archives

RE: What a security test should do?- from thinking about: Ethical Hacking Training
From: "Rob Shein" <shoten () starpower net>
Date: Fri, 23 Jan 2004 16:38:43 -0500

Policy strength (there might be no policy requiring password changes, or
there might be one, which isn't enforced), internal controls (what if an
employee hacks from inside...then what?), contractor handling, mostly other
policy-related things come to mind.  It's also hard to be sure how good
their response to incidents is as well, since a pen-tester will (hopefully)
avoid doing many things that a malicious hacker would do, even deliberately.

-----Original Message-----
From: Pete Herzog [mailto:pete () isecom org] 
Sent: Friday, January 23, 2004 3:32 PM
To: Jeff Shawgo; pen-test () securityfocus com
Subject: What a security test should do?- from thinking 
about: Ethical Hacking Training

What does a pen test fail to provide?

I had to think about this for a little while because it's not 
so much to me what someone needs to know to be a security 
manager, CISO, or security consultant, but rather what do we 
expect from a security test?

I know what pen-tests have been used for but I think a lot of 
that is also under-analyzing the results of a pen-tset.  As 
an auditor of pen-test reports for some companies, I see many 
of these reports focusing on software vulnerabilities, the 
occassional rooting of boxes, and the holy trilogy of web app 
hacks (XSS, Command Injection, Buffer Overflows).  Most 
reports will have a traceroute to each host in the network 
but not even say why or what that is useful for.  So in the 
end these reports leave a lot of analysis up to the client 
and if they are not capable of this kind of analysis, the 
report has much less worth.

I have felt that security tests should do more. They should 
test configurations and policies as well.  A test may tell 
you, for example, about patch management, which department 
influences the company's Internet presence, and if the 
firewall admin has top-level support or a policy to follow 
regarding opening new ports.  All of these things may 
negatively influence the strength of network security in ways 
that make it just as vulnerable as a remote service exploit.

As Jeff mentions here, there is a lot more to network 
security than pen-testing but for the most part, testing 
should be also able to verify when the foundation is rotten.

So my question is, what parts of security can't be verified 
in a security test?  No flames please-- I'm just trying to 
make the OSSTMM (osstmm.org) better.


Pete Herzog, Managing Director
Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org

-----Original Message-----
From: Jeff Shawgo [mailto:jeff.shawgo () verizon net]
Sent: Tuesday, January 20, 2004 18:46 PM
To: pen-test () securityfocus com
Subject: Re: Ethical Hacking Training

On the other hand, most people also forget that knowing how 
to perform 
a pen-test or exploit is only one very very tiny aspect of 
The organization that has a solid policy, coordinated antivirus, 
well-managed firewalls, patch management policy, e-mail and web 
filtering, code review, and basic system hardening is likely to be 
many times more secure than the organization that focuses 
on *any* one 
individual's skill as a pen-tester.

If the security foundation is rotten, it does little good 
to point out 
that the windows are unlocked.

Pen-testing is important, but the basics need to be there first. 
That's the message most people are missing - probably 
because it's not 
as attractive.





  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]