Risky Business Podcast #85
I was listening to the Risky Business podcast this morning (by the way, thanks Patrick, you do a great job putting the show together). In episode 85 (http://itradio.com.au/?p=206) Patrick talks to one of his sponsors, the legendary security expert Marcus Ranum. Old Marcus has some funny views on pen testing and I think they are slightly missing the mark.
Marcus believes that tools such as CORE Impact and Metasploit are not a good idea as they make a pen tester lazy (if I could generalise his comments to mean that). The things that were left out, which argue for why tools such as the above are needed and why pen testing is still a valuable exercise, are illustrated by the following points:
1. A pen test is not just exploitation of devices! A pen test is about using the technical access you gain to gather business-sensitive information to highlight the risk of weak IT security controls. It's not just about getting the access! Whilst the techs in the target organisation understand the impact, it's about highlighting the business impact should someone malicious exploit the same vulnerability and attempt to extract sensitive business information or disrupt operations; this is what senior management are interested in.
2. The tools that assist a penetration tester, such as CORE Impact and Metasploit, are only as good as the person driving them. CORE Impact's automated wizard is handy, but the manual process is required to get complete coverage. The reason customers like this tool being used is that it has great logging and reporting of all actions taken. Also, as a tester, when you are finished all you have to do is select cleanup and it removes all the agents (the control modules you have installed whilst you have been exploiting systems). Once again, it is great to show compromised hosts, but unless you link these to business risk it's not that good for the customer. (Disclosure: Pure Hacking are re-sellers for CORE Impact.)
3. Coverage - The old problem with any consulting job is time, and with a pen test time is always limited. Customers might not want to dedicate much time to the assessment but still expect a tester to find all the holes! That is obviously a tough job; with scanning tools at least you get coverage of the target environment, and whilst they are working away you focus on the other manual tasks of the test.
4. The win-or-lose scenario for pen testers. This is not something we are too concerned about; it's great to compromise a customer network and illustrate a security attack vector that they had not thought of, but we still get paid even if we don't find any security weaknesses. In saying that, however, there are always security controls that can be strengthened to help reduce the risk an environment is exposed to.
5. Secondly, both tools have very limited Web Application security support, and the shift to Web Application security testing has been very significant in the last 3 years. Most pen testing I perform (70%) is now on Web Applications.
Happy to hear constructive thoughts on my post.
