Re: External Pentests Obsolete?

To:	"Yiannis Koukouras" <d4rw1n@linuxmail.org>
Subject:	Re: External Pentests Obsolete?
From:	"US Infosec" <usinfosec@gmail.com>
Date:	Fri, 10 Aug 2007 13:22:04 -0400
Cc:	pen-test@securityfocus.com
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	pentest-list2@consult.net
Delivered-to:	mailing list pen-test@securityfocus.com
Delivered-to:	moderator for pen-test@securityfocus.com
Dkim-signature:	a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=apatuoSeowmgH0A+lskHVxUKSMk3i1RYyxtBtqXh3PwrPvL3lEVatg7tS9W5bA3r4kUQMGOOMoAIs6RXzCTS92Ypb4DJv+HszVYDJ4J1xTQ2AbcqtzLE86UxcRLCC27kHYACF0DMn/TPK19crNAItw0HKvbyPJznHgkDW7k7rNY=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=YlJFg8vTYPFW+gM6Hm/XNZ3sdJ/ycy93nDf1wD2skpz/DSxgee+Njm78sOf2tWZn7VMKP1RxwZOVk+cCKx/aYXLtdLl/KOB5Km5LYfryFh0vRQjlPDjTJ+Deq4LkPxHBW1l1x4FKojv+wSlJwumAoBVrIN2qPNkoJsqYyWDoq2g=
In-reply-to:	<20070809071836.E34C2CA0A4@ws5-11.us4.outblaze.com>
List-help:	<mailto:pen-test-help@securityfocus.com>
List-id:	<pen-test.list-id.securityfocus.com>
List-post:	<mailto:pen-test@securityfocus.com>
List-subscribe:	<mailto:pen-test-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:pen-test-unsubscribe@securityfocus.com>
Mailing-list:	contact pen-test-help@securityfocus.com; run by ezmlm
References:	<20070809071836.E34C2CA0A4@ws5-11.us4.outblaze.com>
Resent-date:	Sat, 11 Aug 2007 02:18:14 -0600 (MDT)
Resent-from:	pen-test-return-1078484799@securityfocus.com
Resent-message-id:	<20070811081814.9011F237591@outgoing3.securityfocus.com>
Resent-sender:	listbounce@securityfocus.com
Sender:	listbounce@securityfocus.com

I am not going to feel the need to prove you wrong here by educating
you on all the ways to penetrate a network.  I will just say that I am
having no problems penetrating networks and see no reason why
penetration testing would be obsolete anywhere in the near future.

I do remember reading a report from a competitor earlier in the week
that stated that War Dialing was obsolete even though they found open
modems through the pen test.   I thought that was an odd statement to
make considering they actually did the test AND found vulnerable
modems connected to systems!

I think it is way more ethical to consult clients on getting a pen
test especially considering that multiple standards and guidelines
recommend if not demand them to occur on a regular recurring basis
(PCI anyone?).

MAYBE you should not be consulting to do pen tests...

On 8/9/07, Yiannis Koukouras <d4rw1n@linuxmail.org> wrote:
> Hi all,
>
> Do you think that an external infrastructure pentest is nowadays obsolete?
>
> What I want to say is that, most of the serious companies nowadays will only 
> have a few servers on their DMZ (web server, mail server, SSL concentrator, 
> terminal server, citrix) and will only allow access to one or two ports for 
> each of them. The rest of the infrastructure (excluding the internet facing 
> router and firewall) will be completely inaccessible.
>
> Thus, if web application testing is out of scope, there isn't much to test, 
> is it? Only half a dozen of services to check vulnerabilities and 
> misconfiguration, check if mail rely is on, make a password bruteforce 
> attack(?), check that the DNS can't be poison and VOILA! You have finished!
>
> Do you think that it is ethical to consult our clients to "buy" an external 
> pentest anymore?
>
> P.S. If I am wrong, PLEASE prove me wrong!
>
> --
> Ioannis Koukouras
> CISSP
> MSc in Computer Systems Security
> BEng in Electronic Engineering
> http://www.linkedin.com/in/ikoukouras
>
> =
> Cruise Value Center - Mexico Cruises
> Cruise Value Center is one of America's leading discount brokers on Mexican 
> cruises. Let our experts help you choose the cruise vacation package that 
> will meet your budget and lifestyle.
> http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=83149e4a674877039cb5c210b2445439
>
>
> --
> Powered by Outblaze
>
> ------------------------------------------------------------------------
> This list is sponsored by: Cenzic
>
> Need to secure your web apps NOW?
> Cenzic finds more, "real" vulnerabilities fast.
> Click to try it, buy it or download a solution FREE today!
>
> http://www.cenzic.com/downloads
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

<Prev in Thread]	Current Thread	[Next in Thread>
External Pentests Obsolete?, Yiannis Koukouras Re: External Pentests Obsolete?, US Infosec <= RE: External Pentests Obsolete?, Van Heerden, Francois (CSS) RE: External Pentests Obsolete?, Williamson, Clyde RE: External Pentests Obsolete?, Shenk, Jerry A Re: External Pentests Obsolete?, Jason Ross Message not available Fwd: External Pentests Obsolete?, Joel Jose Re: External Pentests Obsolete?, rajat swarup

Previous by Date:	BlackHat/Defcon 2007 Timing Stuff Released.., haroon
Next by Date:	Re: NMAP Concurrent Scans, Burak CIFTER
Previous by Thread:	External Pentests Obsolete?, Yiannis Koukouras
Next by Thread:	RE: External Pentests Obsolete?, Van Heerden, Francois (CSS)
Indexes:	[Date] [Thread] [Top] [All Lists]