Pentest - Who would you recommend?
-
@Breffni-Potter said in Pentest - Who would you recommend?:
@s.hackleman said in Pentest - Who would you recommend?:
I used to use Trustwave for external PCI pen testing.
PCI compliance is an absolute joke. As are the auditors who charge money to "test" for compliance.
How to be compliant really quickly?
- Get a second internet connection, all ports in blocked.
- Place PCI traffic onto that internet connection and isolate it on its own network.
- Ask to run the test, success, you passed.
External testing for low levels sure, but SAQ-B for a company that holds credit card numbers and does charges to recover losses to those cards is a whole different ball game. I took my job quite seriously.
-
@Jimmy9008 said in Pentest - Who would you recommend?:
@IRJ said in Pentest - Who would you recommend?:
@Jimmy9008 said in Pentest - Who would you recommend?:
@IRJ said in Pentest - Who would you recommend?:
@scottalanmiller said in Pentest - Who would you recommend?:
@IRJ said in Pentest - Who would you recommend?:
@scottalanmiller said in Pentest - Who would you recommend?:
@Carnival-Boy said in Pentest - Who would you recommend?:
@IRJ said in Pentest - Who would you recommend?:
You definitely don't want a pen test, you need a security assessment. There will be plenty of things to fix, and after securing the network then you could do a pen test the following year.
Same thing. What do you think an assessment will do that a pentester won't (and vice versa)?
One is only testing penetration from a set of attacks. Most security vulnerabilities are not penetration so aren't part of that test (like SQL Injection is not penetration) plus it tests attacks, not risks.
Example: which tells you how long it will take to break through a door, hitting it with a hammer or knowing a lot about the door? If you know enough about the door, you know where it is weak or if the hinges are about to give out. If you just hit it with a hammer, you might get lucky and get in on the first swing or you might never hit it hard enough to break the hinge.
Both are valuable, but one tells you a lot more, typically.
Yes, a lot of people use security assessment and pentesting as interchangeable terms, but they are much different. Pen testing is only done when you feel you've already covered everything found on a security assessment.
Yes, doing both is definitely good. But if only doing one, it's the assessment that I'd want.
Especially in an org that I am assuming has not run any vuln scans. They are going to have over a year's worth of work if they are lucky.
We would like to see what could be done 'as is'. Just because we have not had a security report done does not mean one should assume we would fail it. We have a lot in place and fixed processes; of course, nowhere is 100%, but I'd like to see what an external tester could do with nothing more than the company name. That's all an actual attacker would have.
I suppose it's possible, but I have never seen that to be the case. If you aren't looking for vulnerabilities, how are you addressing them?
If they can get in using their various techniques... that shows the vulnerability.
But what if they can't get in? Breaking in only shows a weakness, it doesn't expose the "how".
-
@Jimmy9008 said in Pentest - Who would you recommend?:
Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.
No, you have to trust top level IT. You don't have to trust other employees. This is the most important piece of IT security - that trusting employees is what you must avoid. In the real world, they are your security holes.
-
@Jimmy9008 said in Pentest - Who would you recommend?:
Even so, the test is still:
- Our name is xyz. Document what you try, and what was successful.
Or does nowhere offer that?
Sure, it's a good way to make fast money. It's just not a good thing to pay for because it doesn't tell you very much. Even if they break in, it's up to you to figure out how and why and how to fix it. And the only way to know if you fixed it is to pen test again with the same test. It's costly and ineffective but big money for pentesters, so absolutely everyone provides it, but it's like memorizing the answers for a test - it doesn't mean you learned the material or are secure in any way, just that you fixed things so that one specific test fails.
-
@scottalanmiller said in Pentest - Who would you recommend?:
@Jimmy9008 said in Pentest - Who would you recommend?:
Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.
No, you have to trust top level IT. You don't have to trust other employees. This is the most important piece of IT security - that trusting employees is what you must avoid. In the real world, they are your security holes.
That is literally Cyber Security 101. Human Error and Internal Attacks are much more likely than someone exploiting a complicated external buffer overflow attack.
-
@scottalanmiller said in Pentest - Who would you recommend?:
@Jimmy9008 said in Pentest - Who would you recommend?:
Even so, the test is still:
- Our name is xyz. Document what you try, and what was successful.
Or does nowhere offer that?
Sure, it's a good way to make fast money. It's just not a good thing to pay for because it doesn't tell you very much. Even if they break in, it's up to you to figure out how and why and how to fix it. And the only way to know if you fixed it is to pen test again with the same test. It's costly and ineffective but big money for pentesters, so absolutely everyone provides it, but it's like memorizing the answers for a test - it doesn't mean you learned the material or are secure in any way, just that you fixed things so that one specific test fails.
I will say this again. Pen testing is done when you are confident you are already secure. You cannot be confident you are secure when you have never done an internal or external assessment, so it is just a waste of money for your company. On the other hand, a salesman is never not going to sell you a service, so they will convince you with buzzwords that you need it. In most cases, the salesman probably doesn't understand the difference either.
-
@IRJ said in Pentest - Who would you recommend?:
@scottalanmiller said in Pentest - Who would you recommend?:
@Jimmy9008 said in Pentest - Who would you recommend?:
Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.
No, you have to trust top level IT. You don't have to trust other employees. This is the most important piece of IT security - that trusting employees is what you must avoid. In the real world, they are your security holes.
That is literally Cyber Security 101. Human Error and Internal Attacks are much more likely than someone exploiting a complicated external buffer overflow attack.
Like, 100x more likely. It's opportunity. Employees know where everything is hidden, how much it is worth, who would want to buy it, who to extort, many have an axe to grind, etc. External people are stuck attacking an unknown for unknowns for no reason but money.
-
@scottalanmiller said in Pentest - Who would you recommend?:
@IRJ said in Pentest - Who would you recommend?:
@scottalanmiller said in Pentest - Who would you recommend?:
@Jimmy9008 said in Pentest - Who would you recommend?:
Yes, we are aware of this - however that is not the test. We have to trust employees. If we didn't, they would be gone.
No, you have to trust top level IT. You don't have to trust other employees. This is the most important piece of IT security - that trusting employees is what you must avoid. In the real world, they are your security holes.
That is literally Cyber Security 101. Human Error and Internal Attacks are much more likely than someone exploiting a complicated external buffer overflow attack.
Like, 100x more likely. It's opportunity. Employees know where everything is hidden, how much it is worth, who would want to buy it, who to extort, many have an axe to grind, etc. External people are stuck attacking an unknown for unknowns for no reason but money.
Every class I have taken has drilled a few principles in your head
- Human Error is the biggest cause for attack
- Internal attacks are many times more likely than external attacks
- Security needs a top down approach in order to be successful
- Asset Management is numero uno in importance. You cannot protect what you do not know about.
These are common themes you would see in Security classes ranging from juniors to senior techs and from management to senior management (Even non IT management if they are at a high enough level).
-
@IRJ said in Pentest - Who would you recommend?:
- Internal attacks are many times more likely than external attacks
And more effective. A trivial insider attack can do more damage than a dramatic external one.
-
@irj said in Pentest - Who would you recommend?:
- Security needs a top down approach in order to be successful
This is important for IT to understand. Business needs to drive security, and IT enable it. IT can't be the driver of security. If you have to convince people that they want to be secure, they don't really want to be secure.