Home page logo
/

pen-test logo Penetration Testing mailing list archives

RE: [lists] Re: What to spend on a pentest
From: "David M. Zendzian" <dmz () dmzs com>
Date: Sat, 5 Aug 2006 22:23:23 -0700

A minor note to your correction :)

You are correct, according to the SAP any who are required to perform the full sap audit, level 1 or those who have 
been escalated to level one by having been compromised, can perform their own internal pen testing. But as this topic 
was on what to pay for a pen test I assumed it was being done externally. Plus from what I'm use to, many companies 
with less than 20MM / year in revenue usually don't have enough dedicated staff to have a true expert in pen tests and 
getting extra budget for 10 or 20+k in tests....

When I have asked in the course of performing pen tests for pci audits either our contracts or visa has said go only to 
the point of penetrating, do not actually penetrate.

There can be a lot ascertained by thurough analysis of investigation that can really assist it and security staff to 
know what to watch and where needs better or other forms of protection.

Back to my question, for those able to get full authorization to do a full pen test what usually motivates that level 
of commitment?

David
Qdsp 
qabp

-----Original Message-----
From: "Erin Carroll" <amoeba () amoebazone com>
To: pen-test () securityfocus com
Sent: 8/5/06 2:29 PM
Subject: RE: [lists] Re: What to spend on a pentest

I wanted to make a minor correction to David's post since I am intimately
familiar with PCI at my day job. :)

The PCI standard does require a business obtain quarterly vulnerability
assessments from an external vendor. PCI also requires an annual penetration
test. The relevant PCI sections are 11.2 and 11.3

----
11.2 - Run internal and external network vulnerability scans at least
quarterly and after any significant change in the network (e.g. new system
component installations, changes in network topology, firewall rule
modifications, product upgrades). Note that external vulnerability scans
must be performed by a scan vendor qualified by the payment card industry

11.3 - Perform penetration testing on network infrastructure and
applications at least once a year and after any significant infrastructure
or application upgrade or modification (e.g. operating system upgrade,
sub-network added to the environment, web server added to the environment)
---

You'll notice the annual pen-test requirement in 11.3 doesn't specify that
an external "qualified" vendor need perform it (it can be done in-house) and
there is nothing specifying that you "stop right at the edge of running the
exploit" as David states. By definition a pen-test requires compromising or
exploiting a vulnerability, otherwise it is a vulnerability scan. However,
nothing in 11.3 specifies that the pen-test has to be run on all production
systems or all at once so that businesses can avoid downtime by creative
interpretation. I could pen-test and compromise a select couple of
webservers out of a production cluster to avoid downtime to business and
that would meet with the 11.3 requirement.

What isn't explicitly defined in 11.2 and 11.3 are where you will see
businesses diverge in policy and procedures…what qualifies to the business
as *significant* changes in the network? For some companies defining
"firewall rule modification" as significant would mean they would have to VA
and pen-test every damned week and I would buy stock in several VA companies
so fast you'd get whiplash. :)

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball" 


-----Original Message-----
From: David M. Zendzian [HYPERLINK HYPERLINK mailto:dmz () dmzs com
mailto:dmz () dmzs com HYPERLINK mailto:dmz () dmzs com mailto:dmz () dmzs com] 
Sent: Saturday, August 05, 2006 11:54 AM
To: Curt Purdy
Cc: 'Intel96'; 'Michael Weber'; pen-test () securityfocus com
Subject: Re: [lists] Re: What to spend on a pentest

I've been following this thread and have noticed that no one 
here is considering the liability of a "real" pen test. 
Unless you are testing QA or Dev environments, anything you 
find could not only prove that a compromise is real but also 
bring that business offline, and since you don't know when or 
where or what you'll find the business would need to keep 
someone "on-call" during the entire engagement to restore or 
fail over.

Plus if you look at some of the pen-test requirements 
(standards(pci, ...), regulations(sox, hipaa, ...)) and look 
at what they call for when pen-testing.  PCI pen-tests are 
required yearly, however the pen test must stop right at the 
edge of running the exploit, so you never know if it actually 
runs. So here we have an industry standard "pen-test" (and 
don't forget that PCI also requires quarterly vulnerability 
assessments) where the pen-test is specifically required to 
not penetrate.

That tied with most business' not willing to perform social 
or physical testing, it is 90% network based these days; so 
the majority of pen-tests are really only expanded 
vulnerability tests. But also remember that most companies 
only get pen-tests or vulnerability tests because of these 
standards or regulations which then bind what they testers 
are able to do.

What I would be interested in is hearing from those 10% of 
pen testers who are able to do "real" pen tests, and what 
motivates their clients if it is not a "requirement".

David M. Zendzian
dmz

Curt Purdy wrote:
Intel96 wrote:
  
You also need to determine how much manual testing may have to be 
performed on the systems.  Such as cracking logins, 
cracking cookies, 
etc, or searching the systems for embedded passwords in script or 
configurations files and looking at the database schemes.
    
<snip>

Unfortunately, most pentest companies don't do manual 
testing.  Like 
the bank that I was ISO at hired NetBankAudit to "pentest" 
them.  They 
likely had a young tech running scripts on a dozen clients 
that night 
and found one minor problem on our acquistion.  The next 
Sunday night 
between 10pm and 6am, I manually tested and found six 
serious problems.


Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA Information 
Security 
Officer Information Systems Security infosysec.net
443.846.4231

-------------

If you spend more on coffee than on IT security, you will 
be hacked. 
What's more, you deserve to be hacked. 
-- former White House cybersecurity czar Richard Clarke
 



----------------------------------------------------------------------
--------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the 
Analyst's Choice Award from eWeek. As attacks through web 
applications 
continue to rise, you need to proactively protect your applications 
from hackers. Cenzic has the most comprehensive solutions 
to meet your 
application security penetration testing and vulnerability 
management 
needs. You have an option to go with a managed service (Cenzic 
ClickToSecure) or an enterprise software (Cenzic 
Hailstorm). Download 
FREE whitepaper on how a managed service can help you: 
HYPERLINK HYPERLINK http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php HYPERLINK
http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you 
to confirm 
your results from other product. Contact us at 
request () cenzic com for details.

----------------------------------------------------------------------
--------


  


--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win 
the Analyst's Choice Award from eWeek. As attacks through web 
applications continue to rise, you need to proactively 
protect your applications from hackers. Cenzic has the most 
comprehensive solutions to meet your application security 
penetration testing and vulnerability management needs. You 
have an option to go with a managed service (Cenzic 
ClickToSecure) or an enterprise software (Cenzic Hailstorm). 
Download FREE whitepaper on how a managed service can help 
you: HYPERLINK HYPERLINK http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php HYPERLINK
http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to 
confirm your results from other product. Contact us at 
request () cenzic com for details.
--------------------------------------------------------------
----------------


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release 
Date: 8/4/2006
 


-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006
 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006
 


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------




------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]