[153397] in North American Network Operators' Group


Re: Penetration Test Assistance

daemon@ATHENA.MIT.EDU (Bacon Zombie)
Tue Jun 5 16:14:07 2012

In-Reply-To: <268BCFA8-24DD-4794-8DDF-FA7833C328A2@the-watsons.org>
Date: Tue, 5 Jun 2012 21:13:11 +0100
From: Bacon Zombie <baconzombie@gmail.com>
To: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

You should have a look at the Pentest Standards page, it was created
by some very skilled Pen Testers who are trying to create a minimum
standard for all tests and reporting.

http://www.pentest-standard.org/index.php/Main_Page

Also you should just have to give them your external net-block
allocation that is in scope unless it is a more forced test and not a
general external test.

On 5 June 2012 20:48, Brett Watson <brett@the-watsons.org> wrote:
>
> On Jun 5, 2012, at 9:52 AM, Peter Kristolaitis wrote:
>
>>
>> As far as horror stories... yeah. My most memorable experience was a guy (with a CISSP designation, working for a company who came highly recommended) who:
>>    - Spent a day trying to get his Backtrack CD to "work properly". When I looked at it, it was just a color depth issue in X that took about 45 seconds from "why is this broken?" to "hey look, I fixed it!".
>>    - Completely missed the honeypot machine I set up for the test. I had logs from the machine showing that his scanning had hit the machine and had found several of the vulnerabilities, but the entire machine was absent from the report.
>>    - Called us complaining that a certain behavior that "he'd never seen before" was happening when he tried to nmap our network. The "certain behavior" was a firewall with some IPS functionality, along with him not knowing how to read nmap output.
>>    - Completely messed up the report -- three times. His report had the wrong ports & vulnerabilities listed on the wrong IPs, so according to the report, we apparently had FreeBSD boxes running IOS or MS SQL...
>>    - Stopped taking our calls when we asked why the honeypot machine was completely missing from the report.
>>
>> In general, my experience with most "pen testers" is a severe disappointment, and isn't anything that couldn't be done in-house by taking the person in your department who has the most ingrained hacker/geek personality, giving them Nessus/Metasploit/nmap/etc, pizza and a big ass pot of coffee, and saying "Find stuff we don't know about. Go.". There is the occasional pen tester who is absolutely phenomenal and does the job properly (i.e. the guys who actually write their own shellcode, etc), but the vast majority of "pen testers" just use automated tools and call it a day. Like everything else in IT, security has been "commercialized" to the point where finding really good vendors/people is hard, because everyone and their mom has CEH, CISSP, and whatever other alphabet soup certifications you can imagine.
>
> I agree with a lot of what you've said, but there are absolutely good security guys (pen tester, vulnerability assessors, etc) that use both open source and commercial automated tools, but still do a fantastic job because they understand the underlying technologies and protocols.
>
> I used to do a lot of this in the past, had lots of automated tools, and only occasionally wrote some assessment modules or exploit code if necessary.
>
> But again, a person in that position has to understand technology holistically (network, systems, software, protocols, etc).
>
> -b



-- 
BaconZombie

LOAD "*",8,1
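The quoted thread above makes one concrete, checkable point: the honeypot's own logs showed the tester's scans reaching it, yet the host was absent from the report, and other findings listed ports and platforms on the wrong IPs. The script below is an added example (editor's illustration, not code from anyone in this thread) of how a defender can verify a deliverable against evidence they already hold. It assumes a constructed firewall/honeypot log format (`src=... dst=... dport=...`), a constructed in-scope netblock (198.51.100.0/24), a constructed tester source address, and a constructed asset inventory; all of those values are placeholders, not taken from the posts.

```python
"""Cross-check a pentest report against honeypot/firewall logs and an asset inventory.

Two checks a defender can run on receipt of a report:
  1. Which in-scope hosts did the tester's source IP actually touch, and are
     any of them missing from the report entirely (the honeypot case above)?
  2. Do the report's per-host claims (OS, port) agree with the asset inventory
     (the "FreeBSD box running MS SQL" case above)?
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines (hypothetical format, not from the thread).
# The deny line is kept on purpose: a denied probe still proves the scanner
# reached the host, which is what the honeypot logs in the story showed.
SAMPLE_LOGS = """\
2012-06-01T10:22:13 fw connection src=203.0.113.5 dst=198.51.100.10 dport=22 action=allow
2012-06-01T10:22:14 fw connection src=203.0.113.5 dst=198.51.100.10 dport=80 action=allow
2012-06-01T10:23:02 fw connection src=203.0.113.5 dst=198.51.100.40 dport=21 action=allow
2012-06-01T10:23:03 fw connection src=203.0.113.5 dst=198.51.100.40 dport=23 action=allow
2012-06-01T10:24:55 fw connection src=192.0.2.77 dst=198.51.100.10 dport=443 action=allow
2012-06-01T10:25:10 fw connection src=203.0.113.5 dst=198.51.100.200 dport=445 action=deny
"""

LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")


def hosts_touched(log_text, tester_sources, scope):
    """Return {dst_ip: {ports}} for connections from tester IPs to in-scope hosts.

    Traffic from other sources (ordinary users, other scanners) is ignored so
    the result reflects only what the engagement actually exercised.
    """
    net = ipaddress.ip_network(scope)
    testers = {ipaddress.ip_address(s) for s in tester_sources}
    touched = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated log line
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
        if src in testers and dst in net:
            touched[str(dst)].add(int(m["dport"]))
    return dict(touched)


# Constructed report findings: what the deliverable claims.
SAMPLE_REPORT = [
    {"ip": "198.51.100.10", "port": 22, "product": "OpenSSH", "os": "FreeBSD"},
    {"ip": "198.51.100.10", "port": 80, "product": "Apache httpd", "os": "FreeBSD"},
    {"ip": "198.51.100.200", "port": 1433, "product": "MS SQL Server", "os": "FreeBSD"},
]

# Constructed asset inventory: the ground truth the defender already holds.
INVENTORY = {
    "198.51.100.10": {"os": "FreeBSD", "ports": {22, 80}},
    "198.51.100.40": {"os": "Linux", "ports": {21, 23}, "role": "honeypot"},
    "198.51.100.200": {"os": "Windows", "ports": {445, 1433}},
}


def missing_from_report(touched, report):
    """Hosts the tester demonstrably scanned but never mentioned in the report."""
    reported = {f["ip"] for f in report}
    return sorted(ip for ip in touched if ip not in reported)


def inconsistent_findings(report, inventory):
    """Findings whose OS or port disagree with the inventory.

    Returns (ip, port, reason) tuples so each line item can be sent back to
    the vendor for correction.
    """
    problems = []
    for f in report:
        asset = inventory.get(f["ip"])
        if asset is None:
            problems.append((f["ip"], f["port"], "host not in inventory"))
            continue
        if f["os"] != asset["os"]:
            problems.append((f["ip"], f["port"], f"os {f['os']!r} != {asset['os']!r}"))
        if f["port"] not in asset["ports"]:
            problems.append((f["ip"], f["port"], "port not in inventory"))
    return problems


if __name__ == "__main__":
    touched = hosts_touched(SAMPLE_LOGS, ["203.0.113.5"], "198.51.100.0/24")
    print("scanned but unreported:", missing_from_report(touched, SAMPLE_REPORT))
    for ip, port, why in inconsistent_findings(SAMPLE_REPORT, INVENTORY):
        print(f"inconsistent finding {ip}:{port}: {why}")
```

With the constructed data the first check flags 198.51.100.40 (the honeypot) as scanned but unreported, and the second flags the MS SQL finding on 198.51.100.200 because the report calls that Windows host FreeBSD. The same two checks apply to any report format once the findings are parsed into (ip, port, os) tuples; the tester's source addresses are normally agreed in the rules of engagement, so the log filter needs no guessing.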

