Penetration Testing
Re: Penetration Testing Services Aug 03 2010 01:44PM
Robin Wood (robin digininja org)
A good penetration tester will bring lots of extras to the table, the
big one I think being manual testing, which can confirm whether scan
results are indeed real or false positives and also pick up issues
that scanners can't such as business logic flaws.

External auditors are also able to help advise on remediation for
issues detected. For example, on a recent test I found the client was
storing LM hash passwords; I demonstrated that even though the admin had an
8-character complex password, I could crack it in 5 seconds with
rainbow tables. He then increased it to over 14 characters and I
showed him the difference in the pwdump file to show LM wasn't there
and explained what had happened. I also brought up on screen for him
his own bank details, which I found in a database. Having an outsider come in
and within half a day have your password and bank details makes an
audit more real than having a Nessus report saying you have X highs, Y
mediums and Z lows.

It's basically the experience that the tester has that makes them
valuable, and that also includes instinct. In some areas, with all the
background work that we do, we can feel that something is wrong despite
it not being obvious.

The external testers who just run Nessus and hand it over are
generally doing a disservice to the industry (if a client asks for
just a scan, that's OK). To avoid this I'd suggest asking for a sample
report from any company you are thinking of using. You should be able
to see from that the level of extra detail they give over a basic
scan. As you know what a Nessus scan looks like, you should easily be
able to pick up the frauds.

I'd also ask for post test services, see what is offered. A company
who just scans, hands over the report and just walks away with the
cash should be avoided. You want to be able to ask questions about it
and discuss the findings. This might cost you more as it is extra work
for the auditors but if you get a first good audit and follow up on
the advice given then hopefully the next one will be a lot less
painful as you will have identified and cleaned out all the major
flaws.

Robin
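One defensive check that falls out of the LM hash anecdote above, as an added example that is not Robin's or the list's own code: a small Python parser for pwdump-style output that flags accounts still storing an LM hash, which is what you would re-run after the remediation he describes. The sample dump and its hash values are constructed; the blank-LM marker is the well-known LM hash of the empty password.

```python
import re

# LM hash of the empty string. pwdump-style tools show it when no LM hash is
# stored, e.g. password longer than 14 characters or NoLMHash policy enabled.
BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"
HEX32 = re.compile(r"^[0-9a-f]{32}$")


def parse_pwdump_line(line):
    """Parse one 'user:rid:lmhash:nthash:::' line; return None for non-entries."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 4:
        return None
    return {"user": parts[0], "rid": parts[1],
            "lm": parts[2].lower(), "nt": parts[3].lower()}


def lm_hash_stored(lm_field):
    """True when a real LM hash is present, i.e. not the blank marker and not
    the 'NO PASSWORD***' placeholder some dump tools emit for an absent LM hash."""
    lm = lm_field.lower()
    if lm.startswith("no password"):
        return False
    return bool(HEX32.match(lm)) and lm != BLANK_LM


def accounts_with_lm_hash(lines):
    """Return usernames whose LM hash is still stored (rainbow-table crackable)."""
    found = []
    for line in lines:
        entry = parse_pwdump_line(line)
        if entry and lm_hash_stored(entry["lm"]):
            found.append(entry["user"])
    return found


# Constructed sample dump: usernames and hash hex values are made up, not real.
SAMPLE_PWDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
svc_backup:1001:fedcba9876543210fedcba9876543210:abcdef0123456789abcdef0123456789:::
helpdesk:1002:NO PASSWORD*********************:11112222333344445555666677778888:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

if __name__ == "__main__":
    for user in accounts_with_lm_hash(SAMPLE_PWDUMP.splitlines()):
        print(f"{user}: LM hash stored; use a password over 14 chars or enable NoLMHash")
```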

On 2 August 2010 12:18, cribbar <crib.bar (at) hotmail.co (dot) uk [email concealed]> wrote:
>
> Penetration Testing Community - I am interested in getting an expert response
> to a discussion that keeps raising up in our company.
>
> First off, I have some basic IT/Infrastructure knowledge, but I am most
> definitely not up to the level of a penetration tester (please bear this in
> mind with your responses).
>
> Basically, our company has an internal IT Security section, who has recently
> purchased some of the popular vulnerability assessment software such as
> Nessus. They are running quarterly scans using Nessus across an IP range and
> producing a report to senior management on the types of security holes in
> the Network and how they can be fixed (and more importantly to management
> how much it is going to cost to fix).
>
> I've spent a couple of hours on the Nessus website looking at the types of
> "vulnerability" it will catch, and it seems to cover a whole array of topics
> and security issues. This leads to the inevitable comment from senior
> management: if we have an IT Security section who are using the most common
> vulnerability scanning / penetration testing tools, "what is the point in
> investing significant $$$ in buying in a 3rd party to do exactly the same?"
>
> I fully appreciate that penetration testing is an area of high skill, as a
> 3rd party you provide an independent neutral security review, it takes years
> to master the topic, and once mastered you need to stay up to date with all
> the current vulnerabilities and exploits, and it is your guy's area of
> expertise, whereas a security admin is not specific to penetration testing.
> And let's be honest, anyone can essentially download a user friendly piece
> of software and click "scan" or whatever and produce a report listing
> problems.
>
> However, in order to be in defence of the pen testing community during such
> discussions, I have a few questions:
>
> - How do you as penetration testers portray the importance of this
> independent check to future potential clients? Is this independence really
> that important?
>
> - What, broadly speaking, do you as professional penetration testers bring
> additional to a Nessus scan during the services you provide? If there are
> categories of security issues/vulnerabilities that you can flag up doing one
> of your penetration tests that Nessus won't, that would be incredibly useful
> to know, and I'd love to be able to identify the limitations of Nessus scans
> but I am a bit out of my depth to be able to do so.
>
> - I trawled through the archives of this forum and others, and it seems some
> pen testing companies use the exact same tools such as nmap and Nessus, and
> in some cases simply pass across a Nessus report for a specific IP range and
> that's the report they use. This to me sounds a complete rip off, and I
> can't see the benefit. So where is the added benefit in having an internal
> security guy run Nessus, and paying a 3rd party pen tester x amount of $$$
> money to do exactly the same? Why not just stick with the internal guy? Or
> am I missing something? I really would appreciate real examples of where
> just running Nessus is simply not enough as it won't catch a, b and c!
>
> I look forward to your comments.
>

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------

Copyright 2010, SecurityFocus