On 4/18/2014 11:29 PM, Jeff Kell wrote:
> Anyone ever pentested you? It's an enlightening experience.
> Jeff
At a previous job, we hired a company (with CISSP-certified pentesters)
to do a black box pentest of our network.
Things I was "enlightened" by:
- It's OK to work in a highly technical field with no technical
background. The pentester they sent couldn't get BackTrack running on
the machine we had provided to him because the onboard video didn't
support 32-bit color under Linux (IIRC, a P4-era Dell desktop). The
concept of reading log files to find out what was wrong was completely
foreign to him, as was the required 1-line fix in the X11 config.
- It's OK to not report a horribly insecure box to the client if you're
stupid or lazy. We had set up a honeypot box on our network to see if
the pentester would find it, and despite tons of log evidence showing
that he both found the box and the weak services... no mention of it was
made on the report submitted to us. Needless to say, this made the
entire report suspect, and my boss had great pleasure in yelling at the
vendor when I brought it to her attention.
- It's OK to not know anything at all about the tools you're using to do
the job. The pentester called us because he was getting "weird nmap
results" and couldn't grok them (and insisted that we had given him the
wrong IP addresses). The reason? A firewall that dropped unwanted
traffic. Seriously. CISSP certified and he couldn't figure out how to
detect firewalls that have a default-drop policy.
- It's OK to rely only on automated tools and blindly trust their
output. No attempts at targeted attacks were made, despite being
specifically asked and authorized to do destructive testing against our
test servers. We KNEW from our own testing that there were some SQL
injection and buffer overflow holes there (again, some even placed on
purpose to see what he'd find), and his automated tools didn't find them
so he assumed everything was fine.
And that's just SOME of the stuff from that particular experience.
Enlightening? Yes. I now do my own pentesting, because I'd rather not
waste $20K+ on a report of questionable quality done by someone who may
or may not know how to run nmap, let alone more technical
application-level attacks.
There are undoubtedly some good pen-testers out there that are worth
every dime they charge. However, like every other technical speciality,
there are a LOT of really, really, really terrible practitioners.
Shelling out big money to hopefully find the former in a field of mostly
the latter is bound to be an exercise in both frustration and misspent
resources.