
Pentesting is scary!


Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Nov 12, 2007 10:59 pm

Pentesting is scary!

I have been doing pentesting for a long time now and I still get this weird feeling in my gut every time I get asked to do it. This is just my personal rant and if you haven't been involved in testing the security of a company I am sure you don't understand. It's just a weird feeling that it all relies on you. They ask you to come in and test their security. Let them know if they are safe or not. I always feel such a weight on me. Am I going to really see everything? Am I going to catch every hole? If I miss something and 2 weeks later it gets exploited, how do I look? Did my missing one little thing I should have seen just compromise a lot of important data? Did that compromise hurt people's lives? Their personal information. So many noobs want to get into ethical hacking because they see it as a fun and legal way to hack. Yes, there is truth to that, but there is so much more to it than that. It's nothing like being a lone black hat hacker where you only answer to yourself. You have to work and answer to a lot of people. REAL people that you see and not faceless victims on the net. I guess the moral of this rant is you better make sure you really know what you are doing if you do a pentest! If you certify a network as safe you better make sure. You must have a passion to be the best! Look at every person in every field that was great. Bruce Lee was a total nut about practicing his art. His wife claimed he even practiced in his sleep! Franz Liszt, the greatest pianist of all time, practiced his fingers when he was eating dinner or while riding in a stagecoach. If you want to be good you must practice and have an obsession.
That doesn't mean read a lot of theory books! Practice, Practice, Practice! Eat, drink and sleep hacking if you want to be in the top 10 in the world. Don't settle for being average. Remember as an ethical hacker people are depending on your skill. If you say your network can't be breached, make damn sure it's true!
Last edited by Kev on Mon Nov 12, 2007 11:02 pm, edited 1 time in total.

matthiasfan

Newbie

Posts: 25

Joined: Tue Aug 07, 2007 2:18 pm

Post Tue Nov 13, 2007 2:35 pm

Re: Pentesting is scary!

Very good post.  You never really think of it that way, but it's very true.  I work for a church academy, and you always wonder if there is something that you are missing.  I mainly worry about the kids and teachers messing it up, but I have to test the penetration too.  I always wonder what new way someone can get into our system, both over the net and physically.  Thank you for the post though.

Kevan

Jr. Member

Posts: 95

Joined: Fri Mar 16, 2007 7:20 pm

Post Sat Nov 17, 2007 9:57 pm

Re: Pentesting is scary!

When you pen test, do you use already-made programs, or your own?
I may be a newbie, but I am willing to learn.

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Mon Nov 19, 2007 7:11 pm

Re: Pentesting is scary!

Both.

dean

Post Wed Nov 21, 2007 10:16 am

Re: Pentesting is scary!

This is just my personal rant and if you haven't been involved in testing the security of a company I am sure you don't understand. It's just a weird feeling that it all relies on you. They ask you to come in and test their security. Let them know if they are safe or not. I always feel such a weight on me. Am I going to really see everything? Am I going to catch every hole? If I miss something and 2 weeks later it gets exploited, how do I look? Did my missing one little thing I should have seen just compromise a lot of important data? Did that compromise hurt people's lives?


I've been doing this a while now too and I think you're being a little melodramatic.

A pentest provides management with information about the condition of risks and internal controls at a given point in time. Future changes in environmental factors and actions by staff, etc... will impact these risks and internal controls in ways that the pentester cannot anticipate.

Pentests all have a scope. I strongly doubt that every pentest you've been involved in covers the company's entire infrastructure. A company of any reasonable size will define the scope of the pentest and as such there will be substantial limitations to your view into that environment. Are you only testing the internet facing hosts of the company or internal servers too? Are DOS attacks fair game? What about user workstations, the users themselves? A pentest is an *attempt* to simulate an attack by a malicious outsider, employee, etc... Any attacker is going to have no such restrictions.

I have just completed an engagement and the internal assessment portion covered very, very specific hosts/servers. This was supposed to be a subset of devices/hosts representative of all their server environment. Turns out that the manager had told the sysadmins about the pentest and they went and patched/reconfigured those machines. Now if I had not been informed of this my report would have stated that based on my findings they were in good shape. Where does my responsibility lie if they get compromised through another server in that data center that they did not patch and the attacker gains access to one of the servers that I vetted and assessed? In that case we actually expanded the scope to include the entire server subnet. We found LOTS of ingress points.

We, as pentesters, have limitations to what we can or cannot do in a pentest. Attackers don't.

I understand the need to provide a quality service that you can be proud of, but how is the responsibility yours if two weeks later a system in their network gets compromised? Sure, if it's one you assessed and it was compromised through a known exploit that was out at the time then, yes, that's probably your responsibility and you should reevaluate your skillset.

The level of your responsibility is directly related to the scope of the engagement. 

I understand the point you are trying to make in that we should take pride in our work and provide the best results possible every time but I think you should be a little clearer on just what that responsibility is, especially considering the number of requests this site sees from people starting out in this or other related fields.

dean

nicky.coder

Newbie

Posts: 14

Joined: Sun Oct 07, 2007 5:00 am

Post Wed Nov 21, 2007 1:14 pm

Re: Pentesting is scary!

I agree with what dean has posted.

In every job, there is a risk. And success is with one who is going to take that risk. A penetration test engineer might be having the greater risk as he is involved in identifying the weakness of his client's network. But I suggest to make his role on the safer side by mentioning disclaimers in the final report and scopes. Also if you are confident in your assessment, then there is no need to worry. Keep on moving with the next assignment and get engaged for self improvement. This is a profession which requires real professionalism with utmost quality in content and clarity in the data collected.

There is no situation like "Total Security" as every piece of code is vulnerable to bugs. After all it's a human design and it takes some time to see the vulnerabilities in the wild. With the modern sophisticated and complex security products, vulnerabilities and attack vectors would always be in its zenith.

As Bruce Schneier said "Security is a process, not a product"!!! And humans are the weakest link to security. So wherever there is a human interaction with a security product, there is a possibility for exploitation. This is one thing all Penetration engineers should know.

"Total security" means when it's totally cut off from the network :-)
Sec+, OSCP

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Wed Nov 21, 2007 4:01 pm

Re: Pentesting is scary!

LOL, as I stated in my post this was my personal rant. I was attempting to blow off a little steam and didn't expect this post to be scrutinized line by line, but whatever, this is the internet and I should expect that. If my point went over anyone's head I apologize and will attempt to be more clear in the future. What inspired my rant was having just completed an audit where the previous tester missed some very obvious openings. Really no excuse for that other than just being lazy or rushing through an assignment. Of course I understand elements can change beyond our control, but what I was trying to stress is when a pentester misses something he should have seen. Especially something obvious. All we can do is provide the best service and be complete. If we have done a good job and later the network is breached, well that's beyond our control. I guess I wasn't clear.

I was being intentionally melodramatic and hoping to stress a point and for that I make no apology. I think it's important that every pentester should approach his work seriously and understand the repercussions if he is sloppy in his work. It's important that your client understands that you are aware of this and you are treating his network like your own. Yes we are busting boxes but those boxes can affect people's lives. I have been involved in this work for years and my clients want and trust me because I do take it very seriously and perhaps a bit melodramatic in my understanding of my responsibility. My priority is not to approach a gig like a cold robot and protecting myself with disclaimers, which happens way too often in this line of work. My clients really appreciate my approach and it's due to this that I have more work than I can handle. That's why I don't always have the time to write lengthy detailed posts critical or otherwise.
Last edited by Kev on Wed Nov 21, 2007 4:56 pm, edited 1 time in total.

dean

Post Wed Nov 21, 2007 6:45 pm

Re: Pentesting is scary!

LOL, as I stated in my post this was my personal rant. I was attempting to blow off a little steam and didn't expect this post to be scrutinized line by line, but whatever, this is the internet and I should expect that.


So you post something to a public forum that's both a personal "rant" and an attempt to make a point and you did not expect it to be scrutinized??

You talk about stressing a point, yet you don't actually make one in your original post. As I said previously, there are a broad range of people on this site with a broad range of skills from newbie to expert (whatever that may be) and so if you intend to convey a message then perhaps you should be clear about what that message is.

My priority is not to approach a gig like a cold robot and protecting myself with disclaimers, which happens way too often in this line of work. My clients really appreciate my approach and it's due to this that I have more work than I can handle. That's why I don't always have the time to write lengthy detailed posts critical or otherwise.


Yet you have the time for a personal rant??

If you don't want to be criticized, don't post.

dean

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Wed Nov 21, 2007 7:03 pm

Re: Pentesting is scary!

Like I said, sorry if you missed the point of my post, which it is obvious you did, but I will try to make my posts more clear. That "rant" took less than 5 minutes to type out, so not much time spent. Now I feel I am starting to waste a little time with this thread, lol. Actually I don't mind criticism, it's when I feel my point was not understood that bothers me. I thought I made it clear I was addressing the problem of a pentester missing something and not elements outside our control. Your post went on and on about elements outside our control and therefore we should not hold ourselves accountable. I agree completely with that and never stated anything contrary to that.

Also, discouraging anyone from posting here is not appreciated. We need more participation here not less.
Last edited by Kev on Wed Nov 21, 2007 7:16 pm, edited 1 time in total.

EmanoN

Newbie

Posts: 41

Joined: Wed Sep 12, 2007 3:37 pm

Post Wed Nov 21, 2007 8:24 pm

Re: Pentesting is scary!

Hey, don't you guys stop now! This is starting to get too sweet! Nothing like a little forum war to spice up the holidays, even when both are arguing some very stupid small stuff. What makes it really hilarious is you are both actually saying the same thing and seem to agree on the topic but are arguing about it at the same time. Methinks you both have a little more time than you might like to admit. Kudos to both for giving me a laugh.

And pentesting is spooky not scary, Ha Ha!  ;)
Last edited by EmanoN on Wed Nov 21, 2007 8:40 pm, edited 1 time in total.

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Wed Nov 21, 2007 9:29 pm

Re: Pentesting is scary!

LOL, good point and thanks for now making me laugh.

geekyone

Full Member

Posts: 180

Joined: Fri Oct 26, 2007 12:45 pm

Location: Peoria, IL

Post Thu Dec 06, 2007 2:00 am

Re: Pentesting is scary!

Excellent post Kev. :D I think you and Dean both have good points. Which I think is the best thing about a good forum: you can get different viewpoints of topics.
CISSP, CEH, GPEN, GCIH, GCFA

Kev

Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Thu Dec 06, 2007 10:53 am

Re: Pentesting is scary!

Hey thanks and I agree.
