That seems like a fair question,

First off, if you have a penetration tester delivering a Nessus report as their final pen-test, you need to fire them immediately.

There is a huge difference between a penetration test, and a vulnerability scan. (If the pen-test is done right)

A Vulnerability Scan will scan a system and compare the results to a known vulnerability database, and then let you know what doesn't match. This is a good start, but it can only check a technical configuration. It will not let you know how two vulnerabilities on different systems will allow those systems to interact.

Suppose you have a business use case scenario in which you forbid two computers to communicate with each other at all. A penetration tester should be able to tell you whether or not they could use a 3rd computer to proxy communications between those two segmented computers.

You will never get the same level of insight from a vulnerability scan that you can from a competent penetration tester.

A penetration tester can test not only your technical controls, but your operational controls, network design, and adherence to policies.

A vulnerability scan will test only known vulnerabilities on technical controls.

Hope that helps.

 

Jason Hurst

Sr. Network Security Administrator

Panda Restaurant Group

jason.hurst (at) pandarg (dot) com [email concealed]

Please consider the environment before printing this email

-----Original Message-----

From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of cribbar

Sent: Monday, August 02, 2010 4:18 AM

To: pen-test (at) securityfocus (dot) com [email concealed]

Subject: Penetration Testing Services

Penetration Testing Community - I am interested in getting an expert response

to a discussion that keeps raising up in our company.

First off, I have some basic IT/Infrastructure knowledge, but I am most

definitely not up to the level of a penetration tester (please bare this in

mind with your responses).

Basically, our company has an internal IT Security section, who has recently

purchased some of the popular vulnerability assessment software such as

Nessus. They are running quarterly scans using Nessus across an IP range and

producing a report to senior management on the types of security holes in

the Network and how they can be fixed (and more importantly to management

how much it is going to cost to fix).

Iâ??ve spent a couple of hours on the Nessus website looking at the types of

â??vulnerabilityâ? it will catch, and it seems to cover a whole array of topics

and security issues. This leads to the inevitable comment from senior

management, if we have an IT Security section who are using the most common

vulnerability scanning / penetration testing tools â??what is the point in

investing significant $$$ in buying in a 3rd party to do exactly the same?

I fully appreciate that penetration testing is an area of high skill, as a

3rd party you provide an independent neutral security review, it takes years

to master the topic, and once mastered you need to stay up to date with all

the current vulnerabilities and exploits, and it is your guyâ??s area of

expertise, whereas a security admin is not specific to penetration testing.

And letâ??s be honest, anyone can essentially download a user friendly piece

of software and click â??scanâ? or whatever and produce a report listing

problems.

However, in order to be in defence of the pen testing community during such

discussions, I have a few questionsâ?¦.

â?¢ How do you as penetration testers, portray the importance of this

independent check to future potential clients? Is this independence really

that important?

â?¢ What broadly speaking do you as professional penetration testers bring

additional to a nessus scan during the services you provide? If there are

categories of security issues/vulnerabilities that you can flag up doing one

of your penetration tests that Nessus wont - that would be incredibly useful

to know, and Iâ??d love to be able to identify the limitations of Nessus scans

but I am a bit out of my depth to be able to do so.

â?¢ I trawled through the archives of this forum and others, and it seems some

pen testing companies use the exact same tools such as nmap and nessus, and

in some cases simply pass across a Nessus report for a specific IP range and

thatâ??s the report they use. This to me sounds a complete rip off, and I

canâ??t see the benefit. So where is the added benefit in having an internal

security guy run nessus, and paying a 3rd party pen tester x amount of $$$

money to do exactly the same? Why not just stick with the internal guy? Or

am I missing something? I really would appreciate real examples of whereby

just running Nessus is simply not enough as it wont catch a, b and c!

I look forward to your comments.

--

View this message in context: http://old.nabble.com/Penetration-Testing-Services-tp29324189p29324189.h
tml

Sent from the Penetration Testing mailing list archive at Nabble.com.

------------------------------------------------------------------------

This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------

[ reply ]