Penetration Testing archives - Sister CISA CISSP


Mar 30 2009   3:04AM GMT

“Penetration Test” Terms
Posted by: Arian Eigen Heald
Penetration testing, understanding security terms

There are some really terrific pieces of software out there for running a vulnerability scan. I have a lot of respect for all of them. The vendors are working hard to find as many vulnerabilities as possible in order to protect businesses and organizations that need to find and fix those vulnerabilities so that the bad guys don’t get in. A scan is NOT a penetration test. It can be part of one. But it usually isn’t.

Software doesn’t think. It doesn’t perform social engineering. It doesn’t walk down the hall and check everybody’s desks at night until it finds the keyring labeled “server room.” It provides a lot of false positives because it doesn’t account for configurations that have compensating controls elsewhere.

PCI requirements include, for Tier 1 vendors, a quarterly scan of the Internet-facing environment. This is a great idea; kind of like the watchman making sure he rattles the door knobs. But this is a minimum requirement. Is that really all your company can do?

Scans are great for finding the “low-hanging fruit,” and they save a lot of manual time and effort in doing so. But don’t let someone sell you a scan and call it a penetration test. Software can only find what you tell it to find. Anyone (literally) can run a scan. You can rest assured that the real bad guys don’t hire “anyone” to write their malware. Someone can spend enormous amounts of time attacking your network, and you can be sure that person has a fairly high skill level. Don’t you want the folks on your side to have equal, if not better, skills?

Next: Why isn’t a scan part of a penetration test?

Feb 13 2009   10:06PM GMT

Facebook Hacking
Posted by: Arian Eigen Heald
Security, Identity theft, Privacy, Penetration testing

I don’t have a Facebook profile. I’ve never even been ON Facebook. There’s something about posting one’s life constantly that I just don’t find all that appealing. I’ve got too much to do online as it is. I admit to being on LinkedIn, mostly because my University dean pushed the entire graduating class from Norwich to get connected, but I find it is of limited value. I often get people I don’t know trying to connect into my network. If I don’t know you personally, I’m not about to do any connecting.

Posting information about oneself has definite perils. I thought long and hard about doing a blog, and I think (or try to) carefully about what I write and who I write about. When I “google” myself (you have, haven’t you? I know you have), I still see posts from the year 2000. So consider that what you posted five years ago about your problem with your Exchange server, using your work email address, is probably still out there. How detailed was your post? If somebody read it today, what would it tell them about your network?

So I read with considerable interest a blog posting detailing the use of Facebook as the social research part of penetration testing, and I’d suggest you read it too, especially if your company is using Facebook as a Team tool.

I guess it’s another way of saying that Facebook isn’t just for identity thieves, stalkers and pedophiles anymore. Considering such articles as “Facebook Killed My Career,” a woman being killed due to her Facebook update, and now using it for hacking, I’m a bit dismayed by the ingenuity of “bad people.”

I’d also like to recommend an article, “Ten Settings Every Facebook User Should Know,” as a good starting point for adults and kids. And take the hacking article to your team if you’re using Facebook/MySpace for team building.