Penetration Testing
Penetration Testing Services Aug 02 2010 11:18AM
cribbar (crib bar hotmail co uk) (11 replies)
Re: Penetration Testing Services Aug 10 2010 04:44PM
cribbar (crib bar hotmail co uk)
Re: Penetration Testing Services Aug 08 2010 11:36AM
MAlMozaiyn alfransi com sa (1 replies)
RE: Penetration Testing Services Aug 09 2010 06:24AM
Khalid Lakdawala (k lakdawala arbahcapital com)
Dear,

Kindly note that an external penetration test is usually driven by a couple of factors (Compliance, Regulatory, SOX, PCI DSS etc., most probably for financial systems / Privacy protection).

If there is no regulatory or compliance requirement within your company, and if you don't have any financial systems or systems which hold personal information directly exposed to an external network (Public network), then an internal review will suffice and there won't be any need for an external test.

You should note that the internal Auditor must understand the RISK and have a proper understanding of VA/PT and Application testing; let me give you a brief on how you can have some level of comfort that your systems are Secure.

Take an example: you have a web site which collects personal information from customers and stores this in a backend database.

In such a scenario your internal Audit team should ensure the following controls.

1. Security Architecture: Ensuring that the Web system and application / DB are on different segments protected by a firewall

2. Configuration review of Firewalls / Network devices to ensure only required traffic is permitted from the external network

3. System Hardening: Ensure your web server OS and Web components (IIS/Apache) are hardened (including AV and patches)

4. Vulnerability Scan: HERE YOUR NESSUS WILL BE USED

5. Web Application Testing: Here you have to cover some manual and automated tests for SQL Injection, XSS, Session management etc. You can refer to the OWASP web site for details; most organizations at least cover the Top vulnerability tests. (You can use tools like Paros / Burp / Metasploit etc.)

6. You need to manually review and Harden the backend database (Oracle / SQL etc.)

7. Review of Audit logs for incidents (IPS logs, System logs etc.) - This is an optional security control to understand past attack patterns.

If your internal Auditor has the capability to achieve 80% in each of these then I think it should suffice.

Regards

Khalid - CISO

-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of MAlMozaiyn (at) alfransi.com (dot) sa [email concealed]
Sent: Sunday, August 08, 2010 2:36 PM
To: cribbar
Cc: listbounce (at) securityfocus (dot) com [email concealed]; pen-test (at) securityfocus (dot) com [email concealed]
Subject: Re: Penetration Testing Services

Hi there,

Tools, like Nessus, are vulnerability-oriented. They can point at vulnerabilities. Of course, in some cases these are only false positives. However, what you need to be aware of is not "only" vulnerabilities. This needs to be extended to cover Risks.

What a third party MUST provide is a risk-driven report that shows real vulnerabilities in your systems that are very relevant to your environment and make sense to be fixed.

In addition to the above, the penetration testing process is not limited to scanning the network. As the name indicates, it is to potentially attempt to penetrate resources for testing (assessment) purposes.

To conclude, Nessus, as well as other tools, is a great addition to the penetration testing practice. It is not the full picture, and at the same time, missing these factors is a noticeable depreciation.

Have a good day,

Mohammed Almozaiyn, CISSP, GCIH
Senior Security Analyst
* malmozaiyn (at) alfransi.com (dot) sa [email concealed]

From: cribbar <crib.bar (at) hotmail.co (dot) uk [email concealed]>
To: pen-test (at) securityfocus (dot) com [email concealed]
Date: 03-08-2010 09:23 AM
Subject: Penetration Testing Services
Sent by: listbounce (at) securityfocus (dot) com [email concealed]

Penetration Testing Community - I am interested in getting an expert response to a discussion that keeps coming up in our company.

First off, I have some basic IT/Infrastructure knowledge, but I am most definitely not up to the level of a penetration tester (please bear this in mind with your responses).

Basically, our company has an internal IT Security section, who has recently purchased some of the popular vulnerability assessment software such as Nessus. They are running quarterly scans using Nessus across an IP range and producing a report to senior management on the types of security holes in the Network and how they can be fixed (and more importantly to management, how much it is going to cost to fix).

I've spent a couple of hours on the Nessus website looking at the types of "vulnerability" it will catch, and it seems to cover a whole array of topics and security issues. This leads to the inevitable comment from senior management: if we have an IT Security section who are using the most common vulnerability scanning / penetration testing tools, what is the point in investing significant $$$ in buying in a 3rd party to do exactly the same?

I fully appreciate that penetration testing is an area of high skill; as a 3rd party you provide an independent, neutral security review; it takes years to master the topic, and once mastered you need to stay up to date with all the current vulnerabilities and exploits; and it is your guys' area of expertise, whereas a security admin is not specific to penetration testing. And let's be honest, anyone can essentially download a user-friendly piece of software and click "scan" or whatever and produce a report listing problems.

However, in order to be in defence of the pen testing community during such discussions, I have a few questions...

- How do you as penetration testers portray the importance of this independent check to future potential clients? Is this independence really that important?

- What, broadly speaking, do you as professional penetration testers bring in addition to a Nessus scan during the services you provide? If there are categories of security issues/vulnerabilities that you can flag up doing one of your penetration tests that Nessus won't, that would be incredibly useful to know, and I'd love to be able to identify the limitations of Nessus scans, but I am a bit out of my depth to be able to do so.

- I trawled through the archives of this forum and others, and it seems some pen testing companies use the exact same tools such as nmap and Nessus, and in some cases simply pass across a Nessus report for a specific IP range and that's the report they use. This to me sounds a complete rip-off, and I can't see the benefit. So where is the added benefit in having an internal security guy run Nessus, and paying a 3rd party pen tester x amount of $$$ to do exactly the same? Why not just stick with the internal guy? Or am I missing something? I really would appreciate real examples of where just running Nessus is simply not enough as it won't catch a, b and c!

I look forward to your comments.


Re: Penetration Testing Services Aug 03 2010 04:40PM
Andre Gironda (andreg gmail com) (1 replies)
Re: Penetration Testing Services Aug 15 2010 09:18PM
Richard Miles (richard k miles googlemail com)
Re: Penetration Testing Services Aug 03 2010 03:56PM
k.x86 (kanto 86 hotmail it)
RE: Penetration Testing Services Aug 03 2010 03:36PM
Jason Hurst (Jason Hurst PandaRG com)
RE: Penetration Testing Services Aug 03 2010 03:35PM
Hugo V. Garcia R. (hugo garcia infocenter com bo)
Re: Penetration Testing Services Aug 03 2010 01:44PM
Robin Wood (robin digininja org)
Re: Penetration Testing Services Aug 03 2010 11:41AM
Todd Hughes (thughes xdefenders com)
RE: Penetration Testing Services Aug 03 2010 08:24AM
Mathew Sealy (mat shj co uk)
RE: Penetration Testing Services Aug 03 2010 07:14AM
Sherif Eldeeb (archeldeeb gmail com) (1 replies)
Re: Penetration Testing Services Aug 03 2010 06:49PM
Justin Klein Keane (justin madirish net)
Re: Penetration Testing Services Aug 03 2010 07:04AM
BMF (badmotherfsckr gmail com)
Copyright 2010, SecurityFocus