[GLLUG] Penetration Test

Alex Nelson anelson@ansoftcomputing.com
25 Jan 2003 13:09:53 -0500


On Fri, 2003-01-24 at 23:28, Brad Fears wrote:
> I'll second that.  The department I work for (state gov't, go figure)
> almost contracted EDS to conduct similar penetration tests for some of
> our servers.  EDS wanted $50K for two weeks of testing and reporting.  I
> was able to conduct the same level of testing with mostly open source
> software and a little creativity.  Given, not every company is as
> ridiculously priced as EDS, but in most cases, you can avoid
> professional testing altogether with a little investigation of your
> own.  Besides that, most companies that provide these types of services
> never offer much of an explanation about the nature of vulnerabilities,
> so you won't learn how to maintain a proper level of security as your
> infrastructure grows.
> 
> --Brad Fears
> 
> 

While it is true that the wealth of open source software enables
organizations to conduct such an audit, there are several aspects that
you seem to be missing.

1. Which tools should you use given the particular situation?
2. What does the output from all those tools mean?
3. Did "insider" knowledge assist/prevent you in/from discovering a
vulnerability?
4. Many organizations are required to have outside auditors examine such
things.
5. Does what you found really need to be fixed, or is it acceptable in
your environment?
6. How do you go about fixing what you found?

I could continue, but I think you get the point. The value of such a
service is often that your organization has neither the expertise nor
the time to invest in performing such an audit itself.

With that said, you should be very cautious in choosing a vendor for
these services. They may end up with access to sensitive or critical
data needed for the operation of your business. 

-- 
Alex Nelson
ANSoft Computing
www.ansoftcomputing.com
"We make systems work!"