Why do we Pen Test?

  1. #1
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185

    Question Why do we Pen Test?

    Hi all,

    I've been away from AO for a while, busy with some stuff going on lately. I have a question that fits best here, so I'm back.

    Here's the situation. Recently, my organization has been questioning the value of Penetration Testing. It turns out the people asking didn't really know what it was to begin with. I am in the process of explaining it to these folks now. However, the questions keep coming up: "What is the value added?" "Why should we continue?" "Who should be doing it?"

    So I have a few questions to the mighty AO:

    Why do you pen test?
    Why don't you pen test?
    What is the value?
    Who (what functions) should be doing the testing?

    Also, for the n00bs, here is what a Pen Test is: http://en.wikipedia.org/wiki/Penetration_testing

    Additionally, for the member that will slam me for posting a redundant topic, I am looking for some fresh info. Please, no links to other threads.

    Any input would be great! TIA!

    Thanks,
    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  2. #2
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867

    Re: Why do we Pen Test?

    Originally posted here by Deeboe


    So I have a few questions to the mighty AO:

    Why do you pen test?
    Why don't you pen test?
    What is the value?
    Who (what functions) should be doing the testing?

    Why - Audit requirement!
    Why not - see above.
    What's the value - see above; also, this is part of our audited SOX process.
    Who - Reliable third party; the last one I had done was from IBM.

    Cheers:
    DjM

  3. #3
    AO's MMA Fanatic! Computernerd22's Avatar
    Join Date
    Mar 2003
    Location
    Miami, FL
    Posts
    769
    So I have a few questions to the mighty AO:

    Why do you pen test?
    Why don't you pen test?
    What is the value?
    Who (what functions) should be doing the testing?
    1.) To keep my system 'secure' and up-to-date at all times. Making sure I can find no vulnerabilities to exploit on my machine. Also, making sure I cannot exploit the vulnerabilities that I happen to find. Execute the payload, install a kernel rootkit and a user rootkit, etc...

    2.)

    3.) Value? It is to learn. I figure if I can hack my network/box(es), so can anyone else. I want to keep my system from being breached. Worst case scenario, I figure even if they do get in, ALL DATA on my system is encrypted using EFS, provided by NTFS. Plus it's fun.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Why do you pen test?
    Why don't you pen test?
    What is the value?
    Who (what functions) should be doing the testing?
    1) Regulatory compliance line item (PCI, HSPD-12 and HIPAA in my case) for risk assessment. The GREATEST risk is the unknown. Unless you pen test, you don't know if there are vulnerabilities. Ask your management chain if they are willing to sign off on an unknown risk. Watch how fast the attitude changes.

    2) N/A

    3) See #1 and also management is engaged in the due care concept. If your managers don't perform this cornerstone security task and by chance data is lost from your organization, your management chain can be nailed for not using due care. See the laws on this via google. I'm sure your bosses don't like the idea of visiting the salad man in prison.

    4) We use a tiered approach to this. First, we ask the vendor for a list of known issues (if they will give it up). Second, we have a third party, BAE is my choice, run the tests. Then we have internal folks, me included, take a crack at it. In the end, we all compare notes. This yields the most effective results but of course costs the most.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
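The "compare notes" step in the tiered approach above is where the three tiers (vendor known-issues list, third-party report, internal test) actually get reconciled. What follows is an added example, not code from this post or from any of the parties named in it: it normalizes findings from three sources onto a common (host, port, issue) key, then shows which findings only one tier caught, which findings each tier missed, and where the tiers disagree on severity. All hosts, ports, issue names and severities are constructed, and the vendor's list is assumed to have already been mapped onto the hosts running that product.

```python
"""Reconcile pen-test findings reported by several testing tiers.

Added example; not code from the thread. The three inputs below are
constructed: hosts, ports, issues and severities are made up, and the
vendor's known-issue list is assumed to have been mapped onto the hosts
running that product before being loaded here.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Key = Tuple[str, int, str]  # (host, port, normalized issue name)

# --- constructed sample inputs (not real reports) ---------------------------
VENDOR = [
    {"host": "10.0.0.5", "port": 443, "issue": "Weak SSLv2 ciphers enabled", "severity": "medium"},
    {"host": "10.0.0.5", "port": 8080, "issue": "Default admin credentials", "severity": "high"},
]
THIRD_PARTY = [
    {"host": "10.0.0.5", "port": 443, "issue": "weak sslv2-ciphers enabled", "severity": "low"},
    {"host": "10.0.0.5", "port": 8080, "issue": "Default admin credentials", "severity": "critical"},
    {"host": "10.0.0.9", "port": 22, "issue": "OpenSSH allows password auth", "severity": "medium"},
]
INTERNAL = [
    {"host": "10.0.0.5", "port": 8080, "issue": "default admin credentials", "severity": "high"},
    {"host": "10.0.0.9", "port": 22, "issue": "openssh allows password auth", "severity": "medium"},
    {"host": "10.0.0.12", "port": 445, "issue": "SMB signing not required", "severity": "medium"},
]
SOURCES: Dict[str, List[dict]] = {
    "vendor": VENDOR, "third_party": THIRD_PARTY, "internal": INTERNAL,
}

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_issue(text: str) -> str:
    """Lower-case, replace punctuation with spaces and collapse whitespace so
    that 'Weak SSLv2 ciphers' and 'weak sslv2-ciphers' key the same finding."""
    return " ".join(re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split())


def key_of(row: dict) -> Key:
    return (row["host"], int(row["port"]), normalize_issue(row["issue"]))


def build_matrix(sources: Dict[str, List[dict]]) -> Dict[Key, Set[str]]:
    """Map every distinct finding to the set of tiers that reported it."""
    matrix: Dict[Key, Set[str]] = defaultdict(set)
    for name, rows in sources.items():
        for row in rows:
            matrix[key_of(row)].add(name)
    return dict(matrix)


def found_only_by(matrix: Dict[Key, Set[str]], name: str) -> Set[Key]:
    """Findings nobody else caught: the value a tier adds on its own."""
    return {k for k, who in matrix.items() if who == {name}}


def missed_by(matrix: Dict[Key, Set[str]], name: str) -> Set[Key]:
    """Findings a tier failed to report although another tier did."""
    return {k for k, who in matrix.items() if name not in who}


def coverage(matrix: Dict[Key, Set[str]]) -> Dict[str, float]:
    """Fraction of all known findings each tier reported."""
    names = set().union(*matrix.values())
    total = len(matrix)
    return {n: sum(1 for who in matrix.values() if n in who) / total
            for n in sorted(names)}


def severity_disagreements(sources: Dict[str, List[dict]]) -> Dict[Key, Dict[str, str]]:
    """Same finding, different severity: these need a decision, not a merge."""
    rated: Dict[Key, Dict[str, str]] = defaultdict(dict)
    for name, rows in sources.items():
        for row in rows:
            rated[key_of(row)][name] = row["severity"].lower()
    return {k: v for k, v in rated.items()
            if len({SEVERITY_RANK[s] for s in v.values()}) > 1}


if __name__ == "__main__":
    m = build_matrix(SOURCES)
    for tier in SOURCES:
        print(tier, "coverage:", coverage(m)[tier],
              "unique:", sorted(found_only_by(m, tier)),
              "missed:", sorted(missed_by(m, tier)))
    for k, v in severity_disagreements(SOURCES).items():
        print("severity dispute:", k, v)
```

The key choice is what goes into the finding key: host, port and a normalized issue string, not the raw text from each report, since each tier writes findings in its own words. Severity is deliberately kept out of the key so that a disagreement shows up as a dispute to resolve rather than as two separate findings.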

  6. #6
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,242
    ...nothin' like the ol' double-bind.

    Damned if you do, damned if you don't.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  7. #7
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Hey Hey,

    This leads to another interesting debate...

    The value difference in Internal/External Audits (your own employees or an outside company) and Internal/External Audits (let them come at the network from outside or from inside)..

    I'm not a big fan of having internal employees audit a network... but there is a big IF to that.... if they are the network department... If you have a security group that is in no way, shape or form related to the network department... then it's a great idea... but having the network department do the pentest (I've known companies that do this) is useless... Obviously they are going to secure the systems as much as they can and as best they can... so they aren't going to get into them...

    I like TH13's method of the outside company and an internal group (which I believe in his case is separate from the network group... correct TH13? )...

    Now the other one.. Do you get them to internally or externally audit your network... So many places go external only... These days more threats come from internal sources...

    Then it comes down to what you need.

    Some pen test companies look for one avenue into the network and then walk away..
    Others will look for every avenue they can uncover..
    Some will help you with policy review.. others won't...
    Do they require network topology and policy before they'll start
    etc..

    You have to really know what you want and why you want it before you get started... especially when everyone these days thinks they can turn around and do pen testing... It's humorous to watch the Security Focus Pen Test mailing list... every second post is... I'm doing a pen test for company X, what should I do... that's the completely wrong approach... You don't just do a pen test... I feel so for the companies hiring these people... Then again... With places like VulnerabilityAssessment.co.uk releasing the Penetration Testing Framework... only bad things are to come... that framework is the biggest PoS I've ever seen...

    Peace,
    HT
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  8. #8
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    Posts
    185
    Originally posted here by HTRegz
    I'm not a big fan of having internal employees audit a network... but there is a big IF to that.... if they are the network department... If you have a security group that is in no way, shape or form related to the network department... then it's a great idea... but having the network department do the pentest (I've known companies that do this) is useless... Obviously they are going to secure the systems as much as they can and as best they can... so they aren't going to get into them...
    Do you still feel this way if it is another group within the company doing the Pen Test? For example, if the auditing department worked as an independent function of Finance instead of IT?

    Good discussion points so far. Keep 'em coming! Thanks!

    -Deeboe
    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War

    http://tazforum.**********.com/

  9. #9
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by Deeboe
    Do you still feel this way if it is another group within the company doing the Pen Test? For example, if the auditing department worked as an independent function of Finance instead of IT?

    Good discussion points so far. Keep 'em coming! Thanks!

    -Deeboe
    I believe I said that right in the quote... If you have a separate and distinct group then it's fine... but a lot of places will have the same group that deploys and configures the network also do its audits, and that doesn't work overly well..
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  10. #10
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    I like TH13's method of the outside company and an internal group (which I believe in his case is separate from the network group... correct TH13? )...
    Yes, that is correct.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
