
how thorough are 3rd party network security assessments


ras76

Newbie

Posts: 15

Joined: Wed Mar 27, 2013 9:48 am

Post Wed Apr 10, 2013 6:25 am

how thorough are 3rd party network security assessments

Can I ask for a bit of a management friendly / low tech view on an issue? Our organisation (for compliance purposes) has an annual network security health check conducted by a 3rd party pen testing firm. Our internal audit and risk team also express an interest in network security auditing. From what I gather with the external network security review -  they essentially run a set of automated vulnerability scanners (i.e. Nessus) to identify weaknesses, and for proof of concept a sample of issues found are exploited using tools such as metasploit.
My question is how thorough are these external reviews, or put another way – what “network security issues” wont they cover. If our internal team also want to look at network security, are there any specific areas you’d have them focus on which likely wont have been conducted by the 3rd party, or are the 3rd party assessments pretty thorough?
Many Thanks

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Wed Apr 10, 2013 8:12 am

Re: how thorough are 3rd party network security assessments

The thoroughness of the test is going to depend on factors such as the defined scope, rules of engagement, time, and the experience/competence of the tester.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Apr 11, 2013 7:13 am

Re: how thorough are 3rd party network security assessments

By the sounds of things, you've got to bring in qualified external testers to prove compliance with some kind of agreement (CHECK / PCI / Etc).

In my experience, those agreements have a strict methodology that must be followed, and so the external testers will have to conduct the testing in that method to cover themselves, before they do any 'real' testing.

So yes, they'll typically run automated tools (nmap / nessus / etc) to do the low level information finding and low hanging fruit stuff as that's required, and they won't be able to skip this stage.

Once they're through with that, it depends on how good the testers are, and how much time they've been allocated. Typically on a large network the first automated steps take a long period of time, and thus are costly, so management don't want to put in additional funding to find the 'real' issues, so the results of the test are nothing more than you could do yourself internally.

My advice would be to secure funding for the external testing to pass the contractual requirement you've got, and then secure separate additional funding to bring in the 3rd party to target specific security concerns you've got. If you don't know where your weak areas are, you're better off asking for a scenario based penetration test instead, but bear in mind this can get costly.

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Fri Apr 12, 2013 3:58 am

Re: how thorough are 3rd party network security assessments

I think this depends on a few factors:

Time
Scope
Money
The 3rd party you use

IMO no company should be running Nessus and classing that as a pen test. Nessus is a great tool but no way is it a replacement for a company who are really good at pen testing.

A risk you may also have is that the internal people may not have the experience to find certain issues, meaning you could leave holes in your security.

The way I would do it is have the 3rd party run the pen test, then have the internal team fix the issues they find.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sun Apr 14, 2013 9:04 pm

Re: how thorough are 3rd party network security assessments

If this is for compliance then the scope may be very broad. Automated tools will be relied on heavily to meet the engagement schedule. The compliance check does not specify what must be covered, so things like social engineering are hardly ever included in scope. The scope may not cover testing of network level security (router/switch ACLs) and it may not even cover web applications. The test may simply cover the vulnerability assessment, as management may have stated they do not want systems taken down.

The one thing you should not receive, however, is a print-out of the Nessus scan as the final report. I've seen this come from a fairly large IT company that happens to now do vulnerability assessments. One major problem with the report I had was that it did not specify the specific areas on a website where a finding was found.

But I digress: if you have doubts on your current security measures, why not conduct your own tests? Outside testing should be used to help you find the flaws you don't know about or don't have the experience to find. They should not just be a check box on the compliance list.
Certs: GCWN
(@)Dewser
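Triban's point above is that a raw scanner dump is not a report: it repeats itself, is dominated by informational noise, and may not say where a finding actually lives. The script below is an added example (not code from this thread or from Tenable) of the triage an internal team can do themselves on such an export before or instead of paying for a print-out. The input is a constructed CSV that follows the column layout of a Nessus CSV export; every host, plugin ID and finding in it is made up for illustration.

```python
"""Triage a raw scanner export into per-host, per-severity findings.

Added example (not from the forum thread): the input is a constructed CSV
in the column layout of a Nessus CSV export (Plugin ID, CVE, CVSS, Risk,
Host, Protocol, Port, Name, Synopsis, Solution). The hostnames, plugin
IDs and findings below are made up for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export. "Info" rows are the noise a raw print-out is
# full of, one row is an exact duplicate, and the last row has no port,
# i.e. the "report" cannot say where the finding is.
SAMPLE_CSV = """\
Plugin ID,CVE,CVSS,Risk,Host,Protocol,Port,Name,Synopsis,Solution
10001,,10.0,Critical,10.0.0.5,tcp,445,SMB service allows anonymous access,Constructed finding,Restrict access
10001,,10.0,Critical,10.0.0.5,tcp,445,SMB service allows anonymous access,Constructed finding,Restrict access
10002,,5.0,Medium,10.0.0.5,tcp,22,SSH weak ciphers enabled,Constructed finding,Disable weak ciphers
10003,,0.0,Info,10.0.0.5,tcp,22,SSH server type and version,Constructed finding,n/a
10004,,7.5,High,10.0.0.9,tcp,80,Outdated web server,Constructed finding,Upgrade
10005,,0.0,Info,10.0.0.9,tcp,80,HTTP server type and version,Constructed finding,n/a
10006,,4.3,Medium,10.0.0.9,,,Missing security headers,Constructed finding,Add headers
"""

# Sort order for the Risk column; unknown values sort last.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Info": 4}


def parse_export(text):
    """Return the deduplicated findings rated above 'Info', as row dicts."""
    seen = set()
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["Risk"] == "Info":
            continue  # version banners and the like are not findings
        key = (row["Host"], row["Protocol"], row["Port"], row["Plugin ID"])
        if key in seen:
            continue  # repeated rows add nothing to a report
        seen.add(key)
        findings.append(row)
    return findings


def findings_without_location(findings):
    """Findings that name no port, so the report cannot say where to fix them."""
    return [f for f in findings if not f["Port"]]


def summarise_by_host(findings):
    """Map host -> list of (risk, port, name), worst severity first."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["Host"]].append((f["Risk"], f["Port"], f["Name"]))
    for host in by_host:
        by_host[host].sort(key=lambda t: SEVERITY_ORDER.get(t[0], 99))
    return dict(by_host)


def severity_counts(findings):
    """Map risk rating -> number of deduplicated findings at that rating."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["Risk"]] += 1
    return dict(counts)


if __name__ == "__main__":
    fs = parse_export(SAMPLE_CSV)
    print("severity counts:", severity_counts(fs))
    for host, items in summarise_by_host(fs).items():
        print(host)
        for risk, port, name in items:
            print(f"  [{risk}] port {port or '?'}: {name}")
    missing = findings_without_location(fs)
    if missing:
        print("findings with no location:", [f["Name"] for f in missing])
```

On the constructed input the seven rows collapse to four real findings (one Critical, one High, two Medium), and the headers finding is flagged because it carries no port; in a real engagement that flag is exactly the question to put back to the tester before accepting the report.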

ras76

Newbie

Posts: 15

Joined: Wed Mar 27, 2013 9:48 am

Post Mon Apr 15, 2013 5:46 am

Re: how thorough are 3rd party network security assessments

3xban wrote: If this is for compliance then the scope may be very broad. Automated tools will be relied on heavily to meet the engagement schedule. The compliance check does not specify what must be covered, so things like social engineering are hardly ever included in scope. The scope may not cover testing of network level security (router/switch ACLs) and it may not even cover web applications. The test may simply cover the vulnerability assessment, as management may have stated they do not want systems taken down. The one thing you should not receive, however, is a print-out of the Nessus scan as the final report. I've seen this come from a fairly large IT company that happens to now do vulnerability assessments. One major problem with the report I had was that it did not specify the specific areas on a website where a finding was found. But I digress: if you have doubts on your current security measures, why not conduct your own tests? Outside testing should be used to help you find the flaws you don't know about or don't have the experience to find. They should not just be a check box on the compliance list.


Are there any useful documents and guides that detail pre-implementation best practices and post-implementation maintenance and monitoring tasks required to avoid the common vulnerabilities?
