Penetration testing is valuable as long as you are sensible about it. We have regular penetration tests here done by third-party outside "specialists" who come in at the end-customer's request. They turn up, ring the doorbell, announce who they are and what they have come to do, then sit down in a chair. And the first thing they ask for is "Can I have a diagram of your network and a list of all your IP addresses please?" At this point I always wind them up by saying something like "No way - If you want to check the security of our systems then go sit out in your car with your laptop, with no access to my site and no information. THEN if you can break in I'll be worried"
Of course, I give them the info and they have a prod at things and come up with the odd vulnerability, but that's the point. What they are doing is a technical exercise looking for technical issues and not a real-world test of your overall security. And some of the issues they identify, while technically valid, are so obviously stupid in the real world that my only conclusion is that some of these companies rely on software tools and don't really bother to read and interpret the output they give. Case in point - one group of auditors flagged up a vulnerability in the embedded printservers in our Laserjet printers. The blurb generated by their tool burbled on about an attacker being able to gain access to the device and modify its files and software. Ooh I'm really scared - they don't even have a hard disk! It's just a print server running some code burnt into an EPROM for goodness sake!
Re: Pen Test important?
13 years 5 months ago #6989
I agree 100% with Bishop, most of the 'pen-testers' out there are just guys who learned how to type an IP address into a tool and click 'start scan'.. they do not know how to interpret results or actually discover vulnerabilities manually.. for this you need professional hackers.. lets face it, its the only way.
I do however have to disagree about the printer thing.. did you know that most HP printers run a Java virtual machine ? An attacker can actually run any java program they want from the printer..
A case in point, you can use a networked printer to portscan someone (imagine getting a call from some admin saying your systems are scanning him, and then you discover that the IP belongs to your printer hehe !!).. another use is to make the printer an anonymous proxy.. there are loads of fun scenarios that I'm sure your point 'n click pen-testers will never have even dreamed of
That said, if you feel that their reports are just copy pasted out of the vulnerability scanner's output, you should kick them out