From: Aarón Mizrachi (unmanarc gmail.com)
Date: Fri May 29 2009 - 19:15:38 CDT
On Friday 29 May 2009 10:48:52 lister lihim.org wrote:
> Has anyone transitioned from a purely technical background in InfoSec to
> the Audit field?
>
> What trends are emerging with increased regulatory scrutiny on the rise
> (Govt/PCI requirements)?
>
> As I am not familiar with the CISA certification or the audit field of
> work, I'm not sure if this would be a step backward or beneficial to a
> penetration tester or someone with purely technical skills in InfoSec.
>
CISA is more for a formal audit process.
CISA would be appreciated by many companies, since it helps the auditor do it
well (documentation and process), but it is not a limitation for pentesting...
especially since pentesting requires more technical skills than
formalisms...
An audit well done could be sufficient without a pentest. But "well done" is
extremely expensive for most companies.
Pentesting has three main purposes:
1- Demonstrate that your network is vulnerable and requires a more formal
audit: Some companies are vulnerable and don't want to spend budget on
Information Security... They think that the network is not vulnerable because
they have a firewall, or something like that (sometimes, some companies have told me
that they are not vulnerable since they have antivirus...).
In such cases, sometimes, the company must be challenged, and... most times,
they accept the challenge.
The challenge consists of a blackbox audit (mostly pentesting or ethical
hacking) that demonstrates that they have vulnerabilities. This challenge is
only to demonstrate and open the budget.
This pentest or ethical hacking is generally presented together with an impact and risk
study...
2- Another goal of pentesting is to complement the audit when you need to
reduce costs... As I said, an audit alone could be extremely expensive, since if
you need to assure something, you will need to review everything, and
sometimes, with an ethical hacking you can determine what you need
quickly. Certainly it is not fully accurate, but sometimes companies with
hundreds of servers prefer to secure them fast rather than secure them well.
3- Validate the formal auditor's job. After the audit, a third-party pentest
could be done to validate the accuracy of the audit. (I think that is more of a
psychological effect needed by some CEOs to be happy about their investment in
security.)
------------------------
How accurate is a pentester?
A good pentester could determine many of the things determined in a full
audit. For example, on some webserver with a CMS, the pentester would put
emphasis on updates, on installing some HIDS/HIPS for future unknown attacks, on
password policy, and sometimes on fix policies.
A pentester must determine what policies are harmful, and sometimes will
miss some policy recommendations because, since this is blackbox testing,
the pentester could not determine some internal policies.
I'll give you an example:
The webserver has PHP with register_globals on, but the attacker could not
determine it right now... Some time ago, a new exploit in a new branch of the CMS
software was only exploitable if "register_globals" was on (this happens many
times)...
Then, the pentester could make a final recommendation about hardening PHP, but
not related directly to the pentest flags.
---------------------------
Having all of this in mind, let's summarize the problem.
If you have to reduce costs and time, accepting some risk, the audit process
could be complemented with pentesting. But "a good pentester" is determined
by skills rather than by fine documentation and audit know-how (that could be
appreciated, but is not determinant).
- Some specific certifications exist for pentesting... for example, CEH.
- For auditing: CISA, ISO27001, etc.
- For security management: CISSP, GIAC
- Other specific certs are useful in other branches.
- Other specific postgraduate degrees are useful as well.
-----------------------
PCI and other requirements should be done by formal auditing... After or
before that, pentesting (not the audit) reflects the blackbox reality, the one
also exposed in the wild.
I think it is a paradox that an ethical hacker would be limited by some
rules, when a real attacker is not. The only rule that applies to ethical hacking
is to be ethical.
--
Ing. Aaron G. Mizrachi P.
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
BBPIN: 0x 247066C1
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.10 (GNU/Linux)
iEYEABECAAYFAkogeq8ACgkQ2ixydRu83wB6KwCfbQPO9j9cvwsiXq9R1IQutTrl
VPIAni+bdtlihFUo1vo23cbBie0PKg/Z
=3fSZ
-----END PGP SIGNATURE-----
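The register_globals case in the message above is worth seeing in code, because it shows exactly why a blackbox tester cannot tell the flag is on until some specific request exercises it. The following is an added example, not code from the original post or from any real CMS: a hypothetical admin.php for a PHP release before 5.4 (register_globals was removed in 5.4), with illustrative file, function and variable names. The php.ini and .htaccess lines in the comments are the standard directives for that directive, not settings taken from the page.

```php
<?php
// admin.php (hypothetical CMS admin page, PHP < 5.4). Added example, not from
// the original post.
//
// With register_globals = On, PHP has already done the equivalent of
//     foreach ($_REQUEST as $name => $value) { $$name = $value; }
// before the first line of this script runs. So a request such as
//     GET /admin.php?authorized=1
// creates $authorized = "1" in global scope before the password check.

// HARDENED: initialise every flag the control flow depends on. Delete this
// one line and the script is the textbook register_globals auth bypass:
// with the flag On the attacker's "1" survives, with it Off $authorized is
// undefined (null, falsy) and the bypass silently does not work.
$authorized = false;

if (isset($_POST['user'], $_POST['pass'])
    && check_password($_POST['user'], $_POST['pass'])) {
    $authorized = true;
}

if ($authorized) {
    echo "admin panel\n";
} else {
    header('HTTP/1.1 403 Forbidden');
    echo "forbidden\n";
}

// Placeholder credential check; a real CMS would consult its user table.
function check_password($user, $pass)
{
    return $user === 'admin' && $pass === 'correct horse battery staple';
}

// Server-side check a whitebox reviewer (or the auditor) can run, but an
// external pentester cannot: returns true when the directive is enabled.
// ini_get() returns "1"/"On"/"" for a live setting and false on PHP >= 5.4,
// where the directive no longer exists, so the boolean filter covers both.
function register_globals_enabled()
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Remediation, in order of preference:
//   php.ini            register_globals = Off
//   .htaccess          php_flag register_globals off
//   code               initialise variables as above, read input only from
//                      $_GET / $_POST / $_COOKIE, never from bare globals.
```

Run from the CLI (`php admin.php`) the script prints "forbidden" because $_POST is empty, and it prints the same "forbidden" for a wrong password over HTTP whether register_globals is On or Off. That is the author's point: from outside, the two configurations are indistinguishable until a request that depends on an uninitialised variable is sent, so the hardening advice ends up as a general recommendation rather than a finding tied to a specific pentest flag.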