What90 wrote: Fair enough sil, I'd imagine the people that hire you have a vested interest in proving if their security is working as expected. I'd be interested to know how many companies take the extra step and purchase the full package.
Almost all companies that have met with my managers, etc., have almost always (at least 99%) gone through a full blown NETWORK/HOST based penetration test - most opt out of social engineering. When we get RFPs or calls we make them aware of the differences between a vulnerability assessment and a penetration test. What most opt for is a dually visible test (blackbox in, whitebox out). From the outside perspective, it's zero knowledge; from the inside it's whitebox based. This method (whitebox in) allows us to have firsthand knowledge in the event we overlook something.
What90 wrote: Fear factory of exploiting systems
The problem with live exploits on live systems is that you may break something, even with the utmost care taken.
You find we have well known system X, and have exploit Y for it, and get sign off to run it. Me, as the client, didn’t know that the loony coder had added crappy code to the app and your exploit nails our production SQL server. This stops the factory and Z number of million dollars is lost while we scramble to fix the broken system. This would be an excellent way of generating new career “opportunities” at other companies for me...
Would a bad guy do this to get the gold – without a doubt - but would a pentest, rather than a code review or assessment, be the safer option to discover this?
The problem with an attacker is that he won't care whether he does. We attempt our best to keep our timing parameters down, to perform extreme testing at low level hours, and often we ask beforehand if they can mirror the EXACT server on a development box to avert this. You state: "Would a bad guy do this to get the gold – without a doubt - but is a pentest..."
What is your definition of a blackbox test? In my own testing gigs, I'm always sketchy at running "anything"; in fact I can't recall the last time I have run "anything." When I'm attacking a machine from the blackhat level it is a very targeted, structured and well planned out test. There would be no need for me to launch N amount of worthless exploits in the hope of getting in. I focus on specifics which minimize the potential of breaking something. Now, on a whitebox (internal) test, this becomes even more focused as I know the specifics of what I'm after. There is no need for guesswork. The risks are even more minimized, for example... Now I won't have to worry about fiddling with attacking say an Apache server as I am now aware that - that Apache server - is nothing more than a proxy. No need to run Apache based tools....
There are plenty of mechanisms to exploit servers without bringing the house down and to be honest, the point you make is sort of moot and I mean this in a respectful way. Go back and take a look at all the Aurora based attacks and let me know at what point in time did any of those companies (GE, Google, Yahoo, Rockwell, General Dynamics, etc.) have their house crumble down even AFTER attackers loaded COCKTAILS of exploits to get in.
What90 wrote: Your analogy of the door is very clear, but it highlights the bigger problem of a pentest; it only focuses on what you’re allowed to test. You do a stellar job showing how to get in and how the company can defend it. What about the un-scoped windows, chimney, cellar or garage entry points?
Isn't this what you specify from the onset? What you will and won't be testing. If a client stated they only wanted this tested, that's fine. I would definitely point out that the lack of testing on another door, chimney, garage may still be an entry point and let them make that decision. My bottom line in a pentest:
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
I make this quite clear to a client and make it quite clear that an attacker may not simply focus on a webserver. As long as a business is online in any shape, form or fashion, there are dozens of attack vectors. I offer the low hanging fruit first as that is the obvious and quickest for clients to understand, but I won't beat around the bush to them and state: "Well I couldn't compromise your IIS server behind an Apache proxy running on OpenBSD, therefore you're safe!" On the contrary, I will let them know that although their forward facing connection is untouchable, there may be other mechanisms to get in. I make them aware and let them choose what to do - it's their business and their money.
Again the analogy: Client wonders after seeing the news and hearing about a hacker... "Am I secure?" The client already is aware that hackers are attacking and that they may be insecure (vulnerable). What service am I giving them in stating: "Well, you MIGHT be vulnerable!" ... "K now pay me" as opposed to the obvious: "I tested the vulnerability and can validate that you're NOT vulnerable." Which one has a deeper/worthwhile benefit?
I will snip out portions to keep this down to a readable/manageable thread so forgive me for just snipping out to the questions and spacing them out for clarity.
What90 wrote: Would a company like this be aware of what threat agents that are placed to attack the organization?
Would it help to undertake full exploitation testing?
Do you think most small to large companies have that level of awareness or care factor about security?
The company would have to have some cost metric to justify the effort, time and expense of a full test. The need to balance this against what they believe a breach will cost them is paramount.
If that test isn't demanded from the board of directors, then do you think it will get anyone from that company any closer to a better security posture?
Is it that they don't care, understand or think it won’t happen to them?
[/End of side track]
My opinionated answer to the first question: The problem with MANY businesses is, they won't know or even care about what threat agents are lurking. Their main concern is about the posture of their security. Can someone GET IN? If so, then how can they get in and HOW do you defend against it? Even experienced security admins and engineers can overlook something/anything. Does this mean they're at fault for something? As a pentester, remember my goal is to get in. There is no de facto "attack vector"; it's whatever I choose to use to get in. You can't have automation to defend against a human brain.
My opinionated answer to the second question: Absolutely it would help. You can never (I repeat, NEVER) give any tangible results with an assessment. All you're giving is a theory, a hunch.
My opinionated answer to the third question: Most companies won't have that level of awareness and if most understood the true risks associated with NOT understanding, they'd care a hell of a lot more:
A New York marketing firm that as recently as two weeks ago was preparing to be acquired now is facing bankruptcy from a computer virus infection that cost the company more than $164,000.
Karen McCarthy, owner of Merrick, N.Y. based Little & King LLC, a small promotions company, discovered on Monday, Feb. 15 that her firm's bank account had been emptied the previous Friday. McCarthy said she immediately called her bank - Cherry Hill, N.J. based TD Bank - and learned that between Feb. 10 and Feb. 12, unknown thieves had made five wire transfers out of the account to two individuals and two companies with whom the McCarthys had never had any prior business. http://www.krebsonsecurity.com/2010/02/ ... king-loss/
You think that if I showed that to a small to mid sized company to make them aware of the threat that their "care factor" (as you put it) won't go up?
Response to your comment: "The company would have to have some cost metric to justify the effort, time and expense of a full test."
The cost metrics come out of the costs of doing business. If you're performing a business impact analysis, ESPECIALLY on a mid sized company, a pentest even at say $100,000.00 is peanuts in comparison to a compromise or running out to buy $100,000.00 in firewalls, IPS, IDS, training, etc., only to find out (drum roll): "You got served!" You still were owned because some security company only gave you an assessment using tools that scanned specifics. They didn't know about programZ running deep in the trenches. A pentest is peanuts versus the cost of compromise in monetary loss, consumer confidence and potential fines (PCI, SOX).
Answer to your fourth question: "If that test ... security posture?" There are still other ways to minimize their risk to acceptable levels. This begins with awareness and training. For example, the cost of me contacting say 3 pentesters for a week's worth of training their staff to perform in-house pentesting is almost always going to be less than actually hiring a shop to perform a lengthy test. The benefit of this is, your staff will have the capabilities of performing recurring testing at no cost to you. It would be inclusive to their job. I'm sure many security admins and engineers would love to get high level training. So from the cost perspective I have two immediate options... 1) Hire an outside firm to do the work or 2) Spend $4k to send one of my engineers to InfoSec Institute and have them learn the ropes. In fact, here is a game plan as a business manager not wanting to fork out $100,000.00+ on a pentest (your wording seems to imply all pentests are uber expensive... it all depends on the scope)... The game plan:
Take John the sec engineer. Send him to InfoSec Institute for 10 day hacker/advanced hacker training for $4k (hello Jack, Mihn, etc., if you stumble on this). After he is done with that training, contact Dave Aitel at Immunity for some more training (about another $4k) (sup dave if you stumble upon this) (http://www.immunitysec.com/services-cnop.shtml). Fork out more money for him to go to Blackhat (why not...) Richard Bejtlich's TCP weapons school $2,400.00. As a manager I've now invested $10,000.00 on what I would hope is a clued in intro pentester. Even if I exaggerate the cost and spend $30,000.00 on training, do you think any of my engineers would be upset with me for sending them to school? My benefit: now I have a strong team. I won't need to spend ANYTHING on assessments OR pentesting. Things all boil down to management, perception, understanding and the cost of doing business. $20k for a business is peanuts when they're aware that the costs of NOT doing so could force them into bankruptcy, potentially lose money from loss of confidence, etc.
What90 wrote: I think we could spend hours debating whether exploits should be used, over beers preferably, but this goes back to my original response to jonas’ question. I'd rather hire someone who can argue his corner and put across why they should go the distance to the business and can adapt to the situation in hand, rather than someone just having a shiny pile of tools.
I think you've confused my use of "performing a pentest" with "using tools". Here are two links to show historically what I think of the usage and reliance on tools:
http://archives.neohapsis.com/archives/ ... /0096.html
http://infiltrated.net/pentestingextended.html
Hey, as stated to each their own though. I see less value in a security assessment versus a penetration test. Just my two cents.