Penetration Testing
Penetration Testing Services Aug 02 2010 11:18AM
cribbar (crib bar hotmail co uk) (11 replies)
Re: Penetration Testing Services Aug 10 2010 04:44PM
cribbar (crib bar hotmail co uk)
Re: Penetration Testing Services Aug 08 2010 11:36AM
MAlMozaiyn alfransi com sa (1 replies)
RE: Penetration Testing Services Aug 09 2010 06:24AM
Khalid Lakdawala (k lakdawala arbahcapital com)
Re: Penetration Testing Services Aug 03 2010 04:40PM
Andre Gironda (andreg gmail com) (1 replies)
Re: Penetration Testing Services Aug 15 2010 09:18PM
Richard Miles (richard k miles googlemail com)
Hi

Interesting. Where can I find a list of all CHECK certified companies?
Good penetration testers reading 3 books? :)

Also, where does this definition of penetration test and
ethical hacking come from? To me, they are the same, and I did a search on the web
and almost all of them do not follow your definition.

Thanks

On Tue, Aug 3, 2010 at 11:40 AM, Andre Gironda <andreg (at) gmail (dot) com [email concealed]> wrote:
> On Mon, Aug 2, 2010 at 6:18 AM, cribbar <crib.bar (at) hotmail.co (dot) uk [email concealed]> wrote:
>> Penetration Testing Community - I am interested in getting an expert response
>> to a discussion that keeps raising up in our company.
>> management, if we have an IT Security section who are using the most common
>> vulnerability scanning / penetration testing tools, what is the point in
>> investing significant $$$ in buying in a 3rd party to do exactly the same?
>
> Scans don't find the vulns that adversaries really use. Only
> penetration-testers do this. Scans find the vulns that a script kiddie
> from 10 years ago could find.
>
> For example, scanners such as Nessus, Qualys, Rapid7, et al -- they
> only find CVEs against metastructure. They do not focus on the
> infostructure (apps and data). They usually do nothing with
> client-side exploits, or drive-by exploits. They don't figure out how
> to break your authentication in your web applications or the session
> management, or bypass your firewalls and antivirus completely by using
> an XSS proxy (or a man-in-the-browser technique like formjacking,
> clickjacking, strokejacking, etc). They do not perform risk management
> or threat-modeling for you. Penetration-testing, if done well (e.g. by
> a CHECK certified company), does all of this.
>
>> I fully appreciate that penetration testing is an area of high skill, as a
>> 3rd party you provide an independent neutral security review, it takes years
>> to master the topic, and once mastered you need to stay up to date with all
>> the current vulnerabilities and exploits, and it is your guys' area of
>> expertise, whereas a security admin is not specific to penetration testing.
>
> Nah. It's not that hard. You have to know enough to run a tool such as
> Burp Suite Pro or ProxyFuzz. You can learn these by picking up a few
> books such as "The Web Application Hacker's Handbook" or "Fuzzing:
> Software Security Testing & Quality Assurance". I might also suggest
> "The Art of Software Security Assessments". You can get by doing most
> app assessments and penetration-tests (or just general ethical hacking
> activities) using these 3 books.
>
> There aren't a lot of good books on client-side exploits or drive-by
> exploits yet. You'll have to dig through the Metasploit project
> yourself. However, some books cover these subjects, such as recent
> ones from the Hacking Exposed or Seven Deadliest Attacks series
> (however, the quality of McGrawHill and Syngress security books are
> extremely low compared to the first three book's publishers that I
> mentioned). Things like Karma, Karametasploit, Metasploit,
> Drivesploit, et al.
>
>> • I trawled through the archives of this forum and others, and it seems some
>> pen testing companies use the exact same tools such as nmap and nessus, and
>
> Not these ones --
> http://www.cesg.gov.uk/products_services/iacs/check/index.shtml
>
> Penetration-testing requires a threat-model and this threat-model
> should be attacked in production using social engineering, app
> assessments (especially including web applications), database
> privilege escalation, and generalized posture assessments.
> Penetration-tests also require an agreed-upon target asset, such as a
> copy of the 2009 financial report locked in the CEO's safe and using
> an agreed-upon methodology.
>
> Nmap and Nessus can certainly be used during penetration-testing, but
> they are not the start or end of the activities and tools used. I do
> more ethical hacking than penetration-testing, which is usually
> open-ended (no target assets) but using a timeboxed period similar to
> how Agile developers use sprints. My toolbox is more Nikto, Burp Suite
> Pro, and Netsparker. All of these tools can be tied together using The
> Dradis Framework.
>
>> in some cases simply pass across a Nessus report for a specific IP range and
>> that's the report they use. This to me sounds a complete rip off, and I
>
> Gartner or Forrester can give you a large list of companies that do
> not do this and do not rip you off. You must be using the wrong
> penetration-testing companies. Or you can use companies certified by
> http://www.cesg.gov.uk/products_services/iacs/check/index.shtml
>
>> can't see the benefit. So where is the added benefit in having an internal
>> security guy run nessus, and paying a 3rd party pen tester x amount of $$$
>> money to do exactly the same? Why not just stick with the internal guy? Or
>
> Why not replace the internal guy with Qualys? Any manager can setup
> the IP information on the front panel of the box they give you.
>
>> am I missing something? I really would appreciate real examples of whereby
>> just running Nessus is simply not enough as it wont catch a, b and c!
>> I look forward to your comments.
>
> You're kidding, right? Like I said before, most of the adversaries are
> focused on attacks made popular in the past 6 years; not 10 years ago.
> Nessus or any of these scanners are focused on CVE type
> vulnerabilities in metastructure. They do not focus on CWEs in
> infostructure. They mostly or only work on the server-side, not the
> client-side. Adversaries switched major focus to the client-side and
> now use a very basic model that includes using affiliate web-framework
> tools like Fragus (whitehats would use Drivesploit/Metasploit)
> combined with spamming-tools like Cutwail (whitehats would use
> SET/Maltego) to focus attention on to certain key individuals, and
> then infect their browsers using ZeuS (or their memory both inside and
> outside of the browser using Meterpreter from Metasploit -- usually
> performed by whitehats).
>
> Antivirus, firewalls, and most IPS systems have been shown to not be
> able to prevent these attacks (I am guessing 100 percent of the time,
> but it's probably more like 95-99%). Once in, adversaries using an
> initial IE 0-day exploit will perform a full "Aurora" style
> infiltration, which usually involves breaking admin (using
> auth/sess-mgmt/XSS) panels on web applications (through various means
> usually involving SQLi, RFI/LFI, and file upload vulnerabilities --
> usually in this order), accessing web servers & databases (to insert
> Fragus -- or whitehats might use Metasploit's "Lucky Punch"), and
> grabbing as many source-code repository credentials as possible,
> probably in order to insert their own hidden source-code based
> backdoors into your custom applications and/or steal intellectual
> property, financial records, payment card data, etc (although this is
> easier to do long-term if the adversary inserts his or herself into
> the custom apps that your business depends on by becoming a silent,
> illegal developer).
>
> If the adversary is not capable of performing the attacks in the last
> paragraph (and only able to use tools like Fragus, Cutwail, and ZeuS
> -- which are very easy GUI tools that have many equivalents in China
> and other places around the world), then he or she will usually find a
> way to sell their botnet in order to create a SQLi or RFI botnet
> themselves or angel investors, or to sell to another adversary with
> advanced enough expertise to pull off the final Aurora style attacks.
>
> It's an underground economy that excels at finding every vulnerable
> nook and cranny. If you're not getting hit by it, then you've probably
> performed a lot of penetration-testing. ;>
>
> Cheers,
> Andre
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
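An added illustration of the point Andre makes above about breaking authentication and session management in custom web applications, and of the distinction he draws later between CVEs in "metastructure" and CWEs in "infostructure". This is example code written for this page, not code from either poster or from any of the tools named in the thread. It assumes a constructed application whose session id is the MD5 of the user id and the login second (a weakness in the company's own code, so no version-matching scanner has a plugin for it), shows the hardened form beside it, and runs the prediction attack a tester would try against both. The user id 42, the August 2010 timestamp and the 300-second guessing window are all assumptions.

```python
import hashlib
import secrets
import time


class SessionStore:
    """Minimal server-side session table; both variants below use it."""

    def __init__(self):
        self._sessions = {}

    def issue(self, sid, user_id):
        self._sessions[sid] = user_id
        return sid

    def whoami(self, sid):
        """Return the user bound to sid, or None for an unknown id."""
        return self._sessions.get(sid)


# Vulnerable pattern (constructed for this example): the session id is
# derived from data the attacker can know or bound tightly. MD5 is not the
# problem here; the input is predictable, so the output is too.
def weak_session_id(user_id, issued_at):
    return hashlib.md5(f"{user_id}:{issued_at}".encode()).hexdigest()


def weak_login(store, user_id, now):
    """Issue a session for user_id at unix-second `now` (assumed app logic)."""
    return store.issue(weak_session_id(user_id, now), user_id)


# Hardened pattern: 32 bytes from the OS CSPRNG, unrelated to user or clock.
def strong_login(store, user_id):
    return store.issue(secrets.token_urlsafe(32), user_id)


# What a tester does with the application's own logic: work out the
# derivation, enumerate every second in a window around the victim's login,
# and present each candidate to the server as if it were the cookie.
def hijack_by_prediction(store, victim_id, approx_login_time, window=300):
    """Return (hijacked_sid, attempts), or (None, attempts) if nothing matched."""
    attempts = 0
    for t in range(approx_login_time - window, approx_login_time + window + 1):
        attempts += 1
        sid = weak_session_id(victim_id, t)
        if store.whoami(sid) == victim_id:
            return sid, attempts
    return None, attempts


def demo():
    """Run both variants; returns (weak_hijack_succeeded, strong_hijack_succeeded)."""
    login_time = 1_280_800_000  # constructed: a second in August 2010
    weak_store = SessionStore()
    victim_sid = weak_login(weak_store, 42, login_time)
    # the attacker's estimate of the login time is two minutes off
    weak_hit, _ = hijack_by_prediction(weak_store, 42, login_time + 120)

    strong_store = SessionStore()
    strong_login(strong_store, 42)
    strong_hit, _ = hijack_by_prediction(strong_store, 42, int(time.time()))
    return weak_hit == victim_sid, strong_hit is not None


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The attack succeeds against the weak variant after a few hundred requests at most, and every one of those requests looks like an ordinary cookie check in the web server log. Nothing in the exchange involves a known-vulnerable product version, which is why a plugin-driven scanner has nothing to match against; a tester who reads the application and forms the hypothesis about how the id is built finds it in an afternoon.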

Re: Penetration Testing Services Aug 03 2010 03:56PM
k.x86 (kanto 86 hotmail it)
RE: Penetration Testing Services Aug 03 2010 03:36PM
Jason Hurst (Jason Hurst PandaRG com)
RE: Penetration Testing Services Aug 03 2010 03:35PM
Hugo V. Garcia R. (hugo garcia infocenter com bo)
Re: Penetration Testing Services Aug 03 2010 01:44PM
Robin Wood (robin digininja org)
Re: Penetration Testing Services Aug 03 2010 11:41AM
Todd Hughes (thughes xdefenders com)
RE: Penetration Testing Services Aug 03 2010 08:24AM
Mathew Sealy (mat shj co uk)
RE: Penetration Testing Services Aug 03 2010 07:14AM
Sherif Eldeeb (archeldeeb gmail com) (1 replies)
Re: Penetration Testing Services Aug 03 2010 06:49PM
Justin Klein Keane (justin madirish net)
Re: Penetration Testing Services Aug 03 2010 07:04AM
BMF (badmotherfsckr gmail com)
Copyright 2010, SecurityFocus