[GLLUG] Penetration Test

Ken Kousky kkousky@ip3inc.com
Mon, 27 Jan 2003 07:41:56 -0500


My firm does this kind of work and we highly recommend that clients
drive the process themselves. Much of what you learn when you start pen
testing is vital for your ongoing mgmt. 

None of these scanners cover everything and most get pointed at the
perimeter when the majority of vulnerabilities come from within the
firewall. 

Also, virtually all of the major buffer overflow exploits give the
attacker the opportunity to execute "arbitrary code" which means
complete control or "root" on the device and these scanners don't begin
to find these kinds of openings ... so I'd suggest you look at
SpiDynamic's scanner and make sure you're not being myopic in looking
only at the network layer attacks - that's not where serious breaches are
coming from today.



Mitre.org and Aberdeen have resurrected the old debate on open vs closed
being more secure - if you're managing assets the debate really doesn't
matter since both environments have extremely serious vulnerabilities.

Hope that helps.


KWK
IP3 Inc.

-----Original Message-----
From: linux-user-admin@egr.msu.edu [mailto:linux-user-admin@egr.msu.edu]
On Behalf Of Brad Fears
Sent: Friday, January 24, 2003 11:29 PM
To: Hampton, Rodney
Cc: 'sreiner@fnba.com'; GLLUG
Subject: RE: [GLLUG] Penetration Test

I'll second that.  The department I work for (state gov't, go figure)
almost contracted EDS to conduct similar penetration tests for some of
our servers.  EDS wanted $50K for two weeks of testing and reporting.  I
was able to conduct the same level of testing with mostly open source
software and a little creativity.  Given, not every company is as
ridiculously priced as EDS, but in most cases, you can avoid
professional testing altogether with a little investigation of your
own.  Besides that, most companies that provide these types of services
never offer much of an explanation about the nature of vulnerabilities,
so you won't learn how to maintain a proper level of security as your
infrastructure grows.

--Brad Fears


On Fri, 2003-01-24 at 11:54, Hampton, Rodney wrote:
> In short, don't hire a company until you've done your homework and gotten
> the basics out of the way.  Make sure the penetration test you contract is
> exposing things that you couldn't have discovered on your own.
> 
> My 0.02
> 
> 
> 
> 
> Rodney Hampton
> (sorry about the HTML mail)
> 
> -----Original Message-----
> From: Suzanne Reiner [mailto:sreiner@fnba.com]
> Sent: Friday, January 24, 2003 10:39 AM
> To: linux-user@egr.msu.edu
> Subject: [GLLUG] Penetration Test
> 
> 
> We're in the market for penetration testing.  If anyone knows of a reliable
> company, I'm all ears.  FYI:  we will need detailed reporting (high-level
> for the suits and tech detail for IT) with recommendations.  Familiarity
> with banking/OCC procedures a plus, but not necessary.
> 
> Cheers,
> 
> Suzanne
> 
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user