
12.22.08

Security Professionals Need To Test Network Penetration

By Dan Morrill

How do you tell a good security company from a bad one? That is the problem: do you really know you are getting the experts you are paying for?

Businesses hire experts to do pen testing and to audit their company to make sure that they are compliant. Yet a writer at Snosoft has an impassioned article, on one of their bloggers' web sites on BlogSpot, about how to make sure that the customer is actually getting the value and the expertise they are paying for. My own experience with outside experts is not positive, and we have a very high bar for the experts we hire to test our network for us, both in the past at other jobs and into the future.

When a customer hires a security professional to perform a Penetration Test, Web Application Security Assessment, or any other service, that customer should be getting a real expert. That expert should be able to assess the customer's target infrastructure, application, or whatever, and should be able to determine points of vulnerability and their respective risks. But that is not what I am seeing. Source: Snosoft

Frankly, when I hire an expert they need to know more than I do about penetration testing, compliance, and how to break into a network. While I do not know everything, I'll spot the flaws quickly in a vendor's argument or product. That has been one of the reasons why most pentesting companies that pitch go out the door without a contract. You need to understand the business to make sure you are getting quality. Every company should have one really good pentester on board.

While vendors have been responsive to the work I do, which is fortunate, not every vendor is responsive. Not every security department or business manager understands what I am saying until I show them the issue. Security departments are the first ones to blow me off, until I show them the XSS or other flaw in their system and then pull data or trigger pop-ups that demonstrate what I am talking about.


The demonstration is the most important part. Without it, I can talk vaguely about risk, but unless I show off the risk with a successful exploit, you get the glazed eyes and nodding heads routine at the out-brief. Then they get ticked off because you pulled their database or did something else against their test server, and you spend hours explaining what you did and how you did it. That is great for follow-on work, but not so good for the security department dealing with a vendor product or some in-house product. I am extraordinarily happy when I can demonstrate the risk, because many customers have gotten used to a Nessus scan report being thrown over the wall as "you have issues" while the vendor walks away.

The problem is that most companies get a Nessus or other scan report they paid six to twelve thousand dollars for, with no care and feeding or hand-holding. This is what we have come to expect when we pay for services; in some ways it is what the business wants, expects, and desires. A really good pentest shows them flaws and errors that might mean they have to spend money or resources to fix the problem. The customer might not like that: they don't expect it, it is not what the business wants, and they don't desire it.

With so many fly-by-night security companies setting the expectation bar low, it is difficult to get a company to understand what the issues are without a demo. If the pentester is not good enough to give a demo, the finding gets swept under the carpet because the risks are not obvious. I am all for raising the quality bar in the information security field; everyone who participates should be able to do a decent pentest, but even some of the smarter companies have been unable to exploit or demonstrate risk, or have missed risk entirely in a web application. That is part of the reason uninformed or undertrained security companies can do so well: we already have a low bar and a low expectation set by the pentest companies that come into our businesses. If we had really good pentesters and security companies out there, business would have a fit, because they would find out just how ill-prepared they really are.

About the Author:
Dan Morrill has been in the information security field for 18 years, both civilian and military, and is currently working on his Doctor of Management. Dan shares his insights on the important security issues of today through his blog, Managing Intellectual Property & IT Security, and is an active participant in the ITtoolbox blogging community.
About NetworkNewz
NetworkNewz editors, writers and contributors focus on both the big picture and the details of networking. At NetworkNewz our goal is to deliver to you The Key To Network Management.
-- NetworkNewz is an iEntry, Inc. publication --
iEntry, Inc. 2549 Richmond Rd. Lexington KY, 40509
2008 iEntry, Inc. All Rights Reserved Privacy Policy Legal