Friday, May 8, 2009

Commoditized PEN testing services

The vendor selection process always seems to intrigue me, particularly regarding the maturation of penetration testing. Ultimately decisions are based on $$$ and perhaps an underlying business driver or Executive owner behind the curtain. But the process, time and effort spent is still...spent. In the commoditized sector of penetration testing, what are the differentiators of the top vendors pitching their well-rooted staff, each with 10+ years of penetration testing experience, renowned authors on the very subject, and a list of guppies that have used them for whatever reasons in the past?


Think about it. Having been on both sides of the fence, what is really produced, whether a black-box, white-box or fuchsia-box method is used? And consider the break point at which conducting the PEN test is a competitive advantage versus when it becomes a disadvantage or poses more risk to the organization.

Let's see: the first step in any PEN test is reconnaissance via network scanning and sometimes social engineering to identify hosts/targets. Once the topology is laid out, the services are probed for published vulnerabilities or known exposures, and enumeration commences. A trial-and-error process, banging away at each possible attack vector, exploiting the host with nothing more than free tools (some I've mentioned already or listed on my favorite site: for scanning, angryIP and nmap; for cracking, brutus, SQLdict and pwdump; for sniffing, wireshark and netstumbler; and utilities such as netcat, ldp.exe and vncviewer. Then the more commercialized WebInspect and AppSec, but also nessus and metasploit); otherwise just buy an expensive tool to do all OSI layers, with customization options and fancy reporting.
The judgement and expectations around attack methods are best decided beforehand, to minimize impact and keep a business-centric approach. Additionally, craftier techniques (and one can argue the value of that decision) may also include spoofing, key-loggers, zone transfers, and of course XSS and SQL injection. While being able to snoop around is gratifying for some perpetrators, as perhaps is launching DDoS attacks, etc., the best payoff is domain administrative access. From there they're owned without knowing it (at least for a period of time).
From the vendor side, they'll also want to look at your InfoSec policies and security strategy to align their findings, but mostly to begin the work of selling you more services based on the information they gathered, including risk management analysis and as many compliance services as you'll sign up for. Oh, here's an insider tip: whether it be your own staff or a hired vendor that conducts the PEN testing, ensure/validate that they have removed all traces of their efforts, including the domain admin account they used to own the system.
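One way to validate that insider tip, as an added example that is not from the original post: a Python check that diffs a pre-engagement snapshot of privileged group membership against the post-cleanup state and flags accounts created during the test window, including the disabled-but-not-deleted ones. The group names, account names and dates are constructed sample data; in practice they would come from a directory export taken before and after the engagement.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass
class Account:
    name: str
    created: datetime
    enabled: bool

def audit_cleanup(baseline, after, accounts, declared, window):
    """Return (finding, subject, detail) tuples for traces left after a PEN test.

    baseline/after: {group: set(member names)} snapshots of privileged groups
    accounts: directory accounts that exist now; declared: test accounts the
    tester said they would create; window: (start, end) of the engagement."""
    findings = []
    for group in sorted(set(baseline) | set(after)):
        before, now = baseline.get(group, set()), after.get(group, set())
        for m in sorted(now - before):   # privilege granted during the test, never revoked
            findings.append(("privileged-member-added", group, m))
        for m in sorted(before - now):   # a legitimate admin removed by the tester?
            findings.append(("privileged-member-removed", group, m))
    start, end = window
    for a in accounts:
        if start <= a.created <= end:    # created during the engagement and still present
            findings.append(("account-created-in-window", a.name,
                             "enabled" if a.enabled else "disabled"))
    existing = {a.name for a in accounts}
    for n in sorted(declared & existing):  # disabled is not the same as removed
        findings.append(("declared-test-account-remains", n, ""))
    return findings

# Constructed sample data (hypothetical names and dates, not from any real directory).
BASELINE = {"Domain Admins": {"jsmith", "svc_backup"}, "Enterprise Admins": {"jsmith"}}
AFTER = {"Domain Admins": {"jsmith", "svc_backup", "pt_vendor1"}, "Enterprise Admins": {"jsmith"}}
ACCOUNTS = [
    Account("jsmith", datetime(2007, 1, 3), True),
    Account("svc_backup", datetime(2008, 6, 15), True),
    Account("pt_vendor1", datetime(2009, 4, 22), True),
    Account("pt_vendor2", datetime(2009, 4, 23), False),  # disabled but never deleted
]
DECLARED = {"pt_vendor1", "pt_vendor2"}
WINDOW = (datetime(2009, 4, 20), datetime(2009, 5, 1))

def sample_findings():
    return audit_cleanup(BASELINE, AFTER, ACCOUNTS, DECLARED, WINDOW)

if __name__ == "__main__":
    for kind, subject, detail in sample_findings():
        print(f"{kind:32} {subject:20} {detail}")
```

An empty result from audit_cleanup is the sign-off condition; any finding means the vendor's cleanup claim has not been validated yet.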

In the end you get a long list of hosts, some that had vulnerabilities, and hopefully a smaller list of hosts actually compromised (depending on how far you've told the vendor to go). But that's where the rubber hits the road, as they say. Given the amount of time you're allowed (or willing to pay for) for the "testing" and the risk you pose to your environment during the process, it really comes down to how good the PEN tester is....not to mention how much you'd like to learn about the environment. Meaning, once the keys to the kingdom are acquired, how much do you really need to know about other attack vectors [thinking of exploratory and discoverable evidence, not to mention the cost perspective]? You get what you pay for, but face it: what company absolutely needs (or actually wants) to know about every security deficiency? Hence, isn't your in-house techie good enough, or would your cheapest PEN vendor proposal suffice (outside of an actual regulatory requirement for 3rd-party testing)? As a point to conclude, or perhaps the start of a separate discussion, there is zero-day testing, which is basically/mostly web-based anyway, right? Notice I really didn't discuss Ethical Hacking, which others would say is the same...
