Penetration Testing
Penetration Testing Services Aug 02 2010 11:18AM
cribbar (crib bar hotmail co uk) (11 replies)
Re: Penetration Testing Services Aug 10 2010 04:44PM
cribbar (crib bar hotmail co uk)
Re: Penetration Testing Services Aug 08 2010 11:36AM
MAlMozaiyn alfransi com sa (1 replies)
RE: Penetration Testing Services Aug 09 2010 06:24AM
Khalid Lakdawala (k lakdawala arbahcapital com)
Re: Penetration Testing Services Aug 03 2010 04:40PM
Andre Gironda (andreg gmail com) (1 replies)
Re: Penetration Testing Services Aug 15 2010 09:18PM
Richard Miles (richard k miles googlemail com)
Re: Penetration Testing Services Aug 03 2010 03:56PM
k.x86 (kanto 86 hotmail it)
RE: Penetration Testing Services Aug 03 2010 03:36PM
Jason Hurst (Jason Hurst PandaRG com)
RE: Penetration Testing Services Aug 03 2010 03:35PM
Hugo V. Garcia R. (hugo garcia infocenter com bo)
Re: Penetration Testing Services Aug 03 2010 01:44PM
Robin Wood (robin digininja org)
Re: Penetration Testing Services Aug 03 2010 11:41AM
Todd Hughes (thughes xdefenders com)
RE: Penetration Testing Services Aug 03 2010 08:24AM
Mathew Sealy (mat shj co uk)
RE: Penetration Testing Services Aug 03 2010 07:14AM
Sherif Eldeeb (archeldeeb gmail com) (1 replies)
IMHO, you mixed "Vulnerability Assessment" with "Penetration Testing".
Firing Nessus, nmap, W3AF and nikto at an IP range, then going for a coffee waiting for them to finish, then printing the logs for the management is barely considered an ill "Vulnerability Assessment", but I believe "penetration testing" will simulate a real-world attack scenario that will include the whole "vulnerability assessment" phase as a step to get to the final goal, bearing in mind that during a penetration test the process of vulnerability identification will be as stealthy as possible and will most probably rely on manual techniques rather than noisy automated tools.

Penetration testing is conducted to know how the bad guys could infiltrate your network and exploit every hole found, not only to test your software's patch level; it will/should include every way to break in, i.e. physical security, social engineering, manual web application assessment, etc.

Nessus will not detect the uneducated secretary who will open the mail-attachment from someone she doesn't know, or prevent the stranger from plugging in his wireless access point to the unnoticed RJ45 plug behind the sofa in the lobby... you got the idea.

Your confusion is understandable, since lots of so-called "penetration testers" are actually "script kiddies" with nice-looking tuxedos who do no good other than what your security team is already doing. "Real" penetration testers will give you a detailed professional report highlighting other weaknesses as well...

Regards,
Sherif Eldeeb.

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of cribbar
Sent: Monday, August 02, 2010 2:18 PM
To: pen-test (at) securityfocus (dot) com [email concealed]
Subject: Penetration Testing Services

Penetration Testing Community - I am interested in getting an expert response
to a discussion that keeps raising up in our company.

First off, I have some basic IT/Infrastructure knowledge, but I am most
definitely not up to the level of a penetration tester (please bear this in
mind with your responses).

Basically, our company has an internal IT Security section, who has recently
purchased some of the popular vulnerability assessment software such as
Nessus. They are running quarterly scans using Nessus across an IP range and
producing a report to senior management on the types of security holes in
the Network and how they can be fixed (and more importantly to management
how much it is going to cost to fix).

I've spent a couple of hours on the Nessus website looking at the types of
"vulnerability" it will catch, and it seems to cover a whole array of topics
and security issues. This leads to the inevitable comment from senior
management, if we have an IT Security section who are using the most common
vulnerability scanning / penetration testing tools - what is the point in
investing significant $$$ in buying in a 3rd party to do exactly the same?

I fully appreciate that penetration testing is an area of high skill, as a
3rd party you provide an independent neutral security review, it takes years
to master the topic, and once mastered you need to stay up to date with all
the current vulnerabilities and exploits, and it is your guy's area of
expertise, whereas a security admin is not specific to penetration testing.
And let's be honest, anyone can essentially download a user friendly piece
of software and click "scan" or whatever and produce a report listing
problems.

However, in order to be in defence of the pen testing community during such
discussions, I have a few questions...

• How do you as penetration testers, portray the importance of this
independent check to future potential clients? Is this independence really
that important?

• What broadly speaking do you as professional penetration testers bring
additional to a Nessus scan during the services you provide? If there are
categories of security issues/vulnerabilities that you can flag up doing one
of your penetration tests that Nessus won't - that would be incredibly useful
to know, and I'd love to be able to identify the limitations of Nessus scans
but I am a bit out of my depth to be able to do so.

• I trawled through the archives of this forum and others, and it seems some
pen testing companies use the exact same tools such as nmap and Nessus, and
in some cases simply pass across a Nessus report for a specific IP range and
that's the report they use. This to me sounds a complete rip off, and I
can't see the benefit. So where is the added benefit in having an internal
security guy run Nessus, and paying a 3rd party pen tester x amount of $$$
money to do exactly the same? Why not just stick with the internal guy? Or
am I missing something? I really would appreciate real examples of whereby
just running Nessus is simply not enough as it won't catch a, b and c!

I look forward to your comments.

--
View this message in context: http://old.nabble.com/Penetration-Testing-Services-tp29324189p29324189.html
Sent from the Penetration Testing mailing list archive at Nabble.com.


Re: Penetration Testing Services Aug 03 2010 06:49PM
Justin Klein Keane (justin madirish net)
Re: Penetration Testing Services Aug 03 2010 07:04AM
BMF (badmotherfsckr gmail com)


 

Copyright 2010, SecurityFocus