On 4/18/2014 11:29 PM, Jeff Kell wrote:
Anyone ever pentested you? It's an enlightening experience. Jeff
At a previous job, we hired a company (with CISSP-certified pentesters) to do a black box pentest of our network. Things I was "enlightened" by: - It's OK to work in a highly technical field with no technical background. The pentester they sent couldn't get Backtrack running on the machine we had provided to him because the onboard video didn't support 32-bit color under Linux (IIRC, a P4-era Dell desktop). The concept of reading log files to find out what was wrong was completely foreign to him, as was the required 1-line fix in the X11 config. - It's OK to not report a horribly insecure box to the client if you're stupid or lazy. We had set up a honeypot box on our network to see if the pentester would find it, and despite tons of log evidence showing that he both found the box and the weak services... no mention of it was made on the report submitted to us. Needless to say, this made the entire report suspect, and my boss had great pleasure in yelling at the vendor when I brought it to her attention. - It's OK to not know anything at all about the tools you're using to do the job. The pentester called us because he was getting "weird nmap results" and couldn't grok them (and insisted that we had given him the wrong IP addresses). The reason? A firewall that dropped unwanted traffic. Seriously. CISSP certified and he couldn't figure out how to detect firewalls that have a default-drop policy. - It's OK to rely only on automated tools and blindly trust their output. No attempts at targeted attacks were made, despite being specifically asked and authorized to do destructive testing against our test servers. We KNEW from our own testing that there were some SQL injection and buffer overflow holes there (again, some even placed on purpose to see what he'd find), and his automated tools didn't find them so he assumed everything was fine. And that's just SOME of the stuff from that particular experience. Enlightening? Yes. I now do my own pentesting, because I'd rather not waste $20K+ on a report of questionable quality done by someone who may or may not know how to run nmap, let alone more technical application-level attacks. There are undoubtedly some good pen-testers out there that are worth every dime they charge. However, like every other technical speciality, there are a LOT of really, really, really terrible practitioners. Shelling out big money to hopefully find the former in a field of mostly the latter is bound to be an exercise in both frustration and misspent resources.