
Thread: Vulnerability and Penetration testing

#1 bAgZ (Senior Member; joined Jul 2001; 206 posts)

    Vulnerability and Penetration testing

I have a new project in which I am involved at the moment. We have to develop a methodology for penetration testing of Internet, extranet and any remote connection modules.

    The objective of External Penetration and Vulnerability Testing is to
    measure the exposure of online services to attacks from the Internet and
    other external access points, and evaluate the effectiveness of our network
    controls, including firewalls, routers, IDS and servers, to guard against
    such attacks.

I would like to identify vulnerable entry points into the network through various Internet and extranet links as well as dial-up access and other untrusted connectivity. While doing all this I thought it would be a good idea to test all web apps and databases for any known problems.

Does anyone have any advice on how one would go about doing this? What else am I missing? When we get to actual testing, should we use any commercially available products? Any good links on locking down RADIUS servers? Do you think it's worth getting someone from the outside as a consultant to help out?

    Or just any advice or suggestion on the topic would be helpful.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

#2 Just Another Geek (Rotterdam, Netherlands; joined Jul 2002; 3,401 posts)
Originally posted by bAgZ:
Do you think it's worth getting someone from the outside as a consultant to help out?

Definitely, for several reasons: the first being objectivity, the second being experience, and third, you get to watch and learn from a pro.

    But for some more info on the subject, did you take a look through the SANS reading room?
    Oliver's Law:
    Experience is something you don't get until just after you need it.

#3 Frustrated Mad Scientist (joined Dec 2004; 1,152 posts)
    If you have to do it yourself make sure you get your 'liability waiver' letter (stay out of jail card) from SENIOR management. You have to make sure you are clear of blame should your testing damage/incapacitate/slow the network.
    You'll probably also need written permission from your ISP.

#4 Senior Member (joined Mar 2004; 113 posts)
    Hey,

I have attached a report on penetration testing; maybe it will help.

    MRG.

#5 bAgZ (Senior Member; joined Jul 2001; 206 posts)
Thanks to everyone who replied.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

#6 zencoder (AO Senior Cow-beller, Moderator; Mountain standard tribe; joined Dec 2004; 1,177 posts)
    <quoting SirDice's thoughts on this>

    ...first being objectivity
    Absolutely. "Oh, I built that server myself last week and secured it to the XYZ standard. I *know* it's ok, let's save time and not scan it..."

    ...Second being experience
    Have you ever installed, configured, and run NMAP, Nessus, Nikto, Watchfire, Websphere, etc.? Daunting task, just to learn to make them all work and get accurate results back, for a proper evaluation. Then using them to perform a specific audit for your company? That's a lot to ask, especially if you are on a tight timeline.

    ...Third, you get to watch and learn from a pro
    <Not knowing who all SD is referring to, I'll abstain from making any comments...just because they have business cards and can talk the talk does NOT mean they are especially good at what you need. Many companies claim to play in this area...fewer are probably quite good at doing a legitimately decent job.>

    There are some underlying questions that will help you decide the best course of action.
1- Why is the company doing this? Are they really that interested in information security and assurance, or are they afraid of exposure to liability (under GLBA, SOX, HIPAA, PCI, etc. ad nauseam)?
2- (Probably related to 1) Is there budget to manage this project, or are they more interested in having an internal resource use his own system(s) to run the technical portion and provide a report? A consultant would simply be a drain on the IT budget for this internal resource's group.
3- Are you willing to stake your reputation on the outcome of this endeavor, if 1 and 2 are answered unfavorably?

    I'm not trying to dissuade you, I simply want you to make some informed decisions. If this is an assessment to satisfy the curiosity of the IT manager, awesome, go for it! If some C-level exec is worried about compliance but won't spend money to do things properly, CYA!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
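As an added illustration of the objective stated in post #1 (measure the exposure of online services and check whether the firewall and router rules actually restrict what is reachable), here is a small Python script that parses the grepable output (-oG) of nmap, one of the tools named above, and compares every open port it finds against an approved-exposure baseline. This is code written for this edit, not code from any poster in the thread or from nmap itself. The scan output and the baseline are constructed sample data, the addresses and host names are hypothetical, and the nmap command line in the docstring is the usual form such a scan takes; run anything like it only against hosts you are authorised in writing to test, as post #3 says.

```python
"""Compare observed external exposure (nmap -oG output) with an approved baseline.

Example written for this thread, not taken from any poster or from nmap.
A real scan would be produced with something like
    nmap -sS -sV -Pn -oG external.gnmap -iL scope.txt
against hosts you have written authorisation to test.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "host port proto service")

# Constructed sample of nmap grepable output (not a real scan result).
# Each port entry is port/state/protocol/owner/service/rpcinfo/version.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated ... as: nmap -sS -sV -Pn -oG external.gnmap -iL scope.txt
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 80/open/tcp//http//Apache httpd 2.4.57/, 443/open/tcp//ssl|http//Apache httpd 2.4.57/, 22/open/tcp//ssh//OpenSSH 8.9/\tIgnored State: filtered (997)
Host: 203.0.113.20 (extranet.example.test)\tStatus: Up
Host: 203.0.113.20 (extranet.example.test)\tPorts: 443/open/tcp//ssl|https//, 1433/open/tcp//ms-sql-s//Microsoft SQL Server 2019/, 3389/filtered/tcp//ms-wbt-server///\tIgnored State: closed (997)
# Nmap done at ... -- 2 IP addresses (2 hosts up) scanned
"""

# Approved external exposure: what the firewall policy says should be reachable.
# Constructed for this example; in practice derive it from the change-controlled rule base.
BASELINE = {
    "203.0.113.10": {("tcp", 80), ("tcp", 443)},
    "203.0.113.20": {("tcp", 443)},
}

# port / state / protocol / owner (empty) / service
PORT_FIELD = re.compile(r"^(\d+)/(\w+)/(\w+)//([^/]*)//")


def parse_gnmap(text):
    """Return a Finding for every port nmap reports as open."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # Port list sits between "Ports:" and the tab before "Ignored State:".
        ports_section = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_section.split(","):  # versions rarely contain commas
            m = PORT_FIELD.match(entry.strip())
            if not m:
                continue
            port, state, proto, service = m.groups()
            if state == "open":
                findings.append(Finding(host, int(port), proto, service))
    return findings


def unexpected_exposure(findings, baseline):
    """Open services the baseline does not approve: a wrong port on a known
    host, or a host the baseline does not know about at all."""
    unexpected = []
    for f in findings:
        allowed = baseline.get(f.host)
        if allowed is None or (f.proto, f.port) not in allowed:
            unexpected.append(f)
    return unexpected


def missing_services(findings, baseline):
    """Approved services not seen open. Either a control is blocking a
    legitimate service or the host was down/filtered; check either way."""
    seen = {(f.host, f.proto, f.port) for f in findings}
    return sorted(
        (host, proto, port)
        for host, allowed in baseline.items()
        for proto, port in allowed
        if (host, proto, port) not in seen
    )


def report(text=SAMPLE_GNMAP, baseline=BASELINE):
    """Run the comparison and return the three result lists."""
    findings = parse_gnmap(text)
    return {
        "open": findings,
        "unexpected": unexpected_exposure(findings, baseline),
        "missing": missing_services(findings, baseline),
    }


if __name__ == "__main__":
    result = report()
    for f in result["unexpected"]:
        print(f"UNEXPECTED  {f.host}:{f.port}/{f.proto}  ({f.service})")
    for host, proto, port in result["missing"]:
        print(f"NOT SEEN    {host}:{port}/{proto}  (approved but not open)")
```

On the constructed sample this flags SSH on the web host and the SQL Server listener on the extranet host as exposure the policy never approved; nothing approved is missing. The point of the baseline comparison is that a port list on its own says nothing about control effectiveness; only the difference between what the rule base claims and what an outside scanner actually reaches does.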

#7 westin (Gonzo District BOFH; SW MO; joined Jan 2006; 1,187 posts)
    I am not sure what company you are doing the pen testing for... but don't forget, like Mitnick and several others have said, humans are often the weakest link in security... so you might want to include some social engineering attacks in the pen test.
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."

    -HST

#8

    I used to do some pen-testing back in the day.

    Not only do you want someone that knows what they are doing, but you want someone who REALLY knows what they are doing.

If all they know how to do is use Hyena to analyze your network for blank passwords (or some weak **** like that), and they don't actually try to "buffer overflow" anything in your network, then they aren't doing a pen-test. A hacker wouldn't be as merciful, and neither should your pen-tester.

    Go all out.

#9 zencoder (AO Senior Cow-beller, Moderator; Mountain standard tribe; joined Dec 2004; 1,177 posts)
    Originally posted here by westin
    I am not sure what company you are doing the pen testing for... but don't forget, like Mitnick and several others have said, humans are often the weakest link in security... so you might want to include some social engineering attacks in the pen test.
Uhm, thanks and all, but he pretty clearly states what the objective of this exercise is...

    "to measure the exposure of online services to attacks from the Internet and other external access points, and evaluate the effectiveness of our network controls, including firewalls, routers, IDS and servers, to guard against such attacks."

    Yes, social engineering is a big deal and needs to be addressed. So is virus/malicious software that could enter the network by means of a floppy/CD/usb storage device (basically, sneakernet infection), or browsing hostile websites/servers without adequate protections. None of these are, in fact, directly related to the stated objective.

    But thanks.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

#10 Deeboe (Senior Member; joined Nov 2005; 185 posts)
    Yeah, I'm gonna have to agree with zencoder on that one.

I do pen testing here and everyone tells me that social engineering is a critical part of the process. I just don't include that in most of my pen testing. That comes down to security awareness for your employees. Any smooth-talking individual can social engineer into anything. I know a few women that I have social engineered myself into their... well, you get my point.

The bigger concern in most cases (like what bAgZ started with) is "network controls, including firewalls, routers, IDS and servers". I prefer the good ol' fashioned computer-based attack there! If you want to social engineer, I believe that is more of a test of your security awareness program, not your network controls.

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/
