RE: [lists] Re: What to spend on a pentest

Good point. The majority of companies will farm out the pen-testing to
external parties and from what I've seen costs range from $10-50k+ depending
on size of engagement.

To answer your original question, the driving force I've seen in most cases
is either they've a)been compromised in the past and want to check their new
security products/processes for effectiveness (paranoia/been burned before)
or b)are compelled to do so to meet legal or contractual requirements (PCI,
HIPAA etc... and the cost of non-compliance or not doing it is much higher
than dropping some cash on a pen-test).

I sometimes forget that my company is not the norm as it has dedicated
security staff with VA, audit, and pen-test background and can do the
pen-testing in-house... which allows for a much broader scope in terms of
if, and how far, we can penetrate during testing.

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"

-----Original Message-----
From: David M. Zendzian [mailto:dmz@xxxxxxxx]
Sent: Saturday, August 05, 2006 10:23 PM
To: Erin Carroll; pen-test@xxxxxxxxxxxxxxxxx
Subject: RE: [lists] Re: What to spend on a pentest

A minor note to your correction :)

You are correct, according to the SAP any who are required to
perform the full sap audit, level 1 or those who have been
escalated to level one by having been compromised, can
perform their own internal pen testing. But as this topic was
on what to pay for a pen test I assumed it was being done
externally. Plus from what I'm use to, many companies with
less than 20MM / year in revenue usually don't have enough
dedicated staff to have a true expert in pen tests and
getting extra budget for 10 or 20+k in tests....

When I have asked in the course of performing pen tests for
pci audits either our contracts or visa has said go only to
the point of penetrating, do not actually penetrate.

There can be a lot ascertained by thurough analysis of
investigation that can really assist it and security staff to
know what to watch and where needs better or other forms of
protection.

Back to my question, for those able to get full authorization
to do a full pen test what usually motivates that level of commitment?

David
Qdsp
qabp

-----Original Message-----
From: "Erin Carroll" <amoeba@xxxxxxxxxxxxxx>
To: pen-test@xxxxxxxxxxxxxxxxx
Sent: 8/5/06 2:29 PM
Subject: RE: [lists] Re: What to spend on a pentest

I wanted to make a minor correction to David's post since I
am intimately familiar with PCI at my day job. :)

The PCI standard does require a business obtain quarterly
vulnerability assessments from an external vendor. PCI also
requires an annual penetration test. The relevant PCI
sections are 11.2 and 11.3

----
11.2 - Run internal and external network vulnerability scans
at least quarterly and after any significant change in the
network (e.g. new system component installations, changes in
network topology, firewall rule modifications, product
upgrades). Note that external vulnerability scans must be
performed by a scan vendor qualified by the payment card industry

11.3 - Perform penetration testing on network infrastructure
and applications at least once a year and after any
significant infrastructure or application upgrade or
modification (e.g. operating system upgrade, sub-network
added to the environment, web server added to the environment)
---

You'll notice the annual pen-test requirement in 11.3 doesn't
specify that an external "qualified" vendor need perform it
(it can be done in-house) and there is nothing specifying
that you "stop right at the edge of running the exploit" as
David states. By definition a pen-test requires compromising
or exploiting a vulnerability, otherwise it is a
vulnerability scan. However, nothing in 11.3 specifies that
the pen-test has to be run on all production systems or all
at once so that businesses can avoid downtime by creative
interpretation. I could pen-test and compromise a select
couple of webservers out of a production cluster to avoid
downtime to business and that would meet with the 11.3 requirement.

What isn't explicitly defined in 11.2 and 11.3 are where you
will see businesses diverge in policy and procedures…what
qualifies to the business as *significant* changes in the
network? For some companies defining "firewall rule
modification" as significant would mean they would have to VA
and pen-test every damned week and I would buy stock in
several VA companies so fast you'd get whiplash. :)

--
Erin Carroll
Moderator
SecurityFocus pen-test list
"Do Not Taunt Happy-Fun Ball"


-----Original Message-----
From: David M. Zendzian [HYPERLINK HYPERLINK mailto:dmz@xxxxxxxx
mailto:dmz@xxxxxxxx HYPERLINK mailto:dmz@xxxxxxxx
mailto:dmz@xxxxxxxx]
Sent: Saturday, August 05, 2006 11:54 AM
To: Curt Purdy
Cc: 'Intel96'; 'Michael Weber'; pen-test@xxxxxxxxxxxxxxxxx
Subject: Re: [lists] Re: What to spend on a pentest

I've been following this thread and have noticed that no
one here is
considering the liability of a "real" pen test.
Unless you are testing QA or Dev environments, anything you
find could
not only prove that a compromise is real but also bring
that business
offline, and since you don't know when or where or what you'll find
the business would need to keep someone "on-call" during the entire
engagement to restore or fail over.

Plus if you look at some of the pen-test requirements
(standards(pci,
...), regulations(sox, hipaa, ...)) and look at what they call for
when pen-testing. PCI pen-tests are required yearly,
however the pen
test must stop right at the edge of running the exploit, so
you never
know if it actually runs. So here we have an industry standard
"pen-test" (and don't forget that PCI also requires quarterly
vulnerability
assessments) where the pen-test is specifically required to not
penetrate.

That tied with most business' not willing to perform social or
physical testing, it is 90% network based these days; so
the majority
of pen-tests are really only expanded vulnerability tests. But also
remember that most companies only get pen-tests or
vulnerability tests
because of these standards or regulations which then bind what they
testers are able to do.

What I would be interested in is hearing from those 10% of
pen testers
who are able to do "real" pen tests, and what motivates
their clients
if it is not a "requirement".

David M. Zendzian
dmz

Curt Purdy wrote:
Intel96 wrote:

You also need to determine how much manual testing may
have to be
performed on the systems. Such as cracking logins,
cracking cookies,
etc, or searching the systems for embedded passwords in
script or
configurations files and looking at the database schemes.

<snip>

Unfortunately, most pentest companies don't do manual
testing. Like
the bank that I was ISO at hired NetBankAudit to "pentest"
them. They
likely had a young tech running scripts on a dozen clients
that night
and found one minor problem on our acquistion. The next
Sunday night
between 10pm and 6am, I manually tested and found six
serious problems.


Curt Purdy CISSP, GSNA, GSEC, CNE, MCSE+I, CCDA Information
Security
Officer Information Systems Security infosysec.net
443.846.4231

-------------

If you spend more on coffee than on IT security, you will
be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke





----------------------------------------------------------------------
--------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web
applications
continue to rise, you need to proactively protect your
applications
from hackers. Cenzic has the most comprehensive solutions
to meet your
application security penetration testing and vulnerability
management
needs. You have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic
Hailstorm). Download
FREE whitepaper on how a managed service can help you:
HYPERLINK HYPERLINK http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php HYPERLINK
http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you
to confirm
your results from other product. Contact us at
request@xxxxxxxxxx for details.


----------------------------------------------------------------------
--------





--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the
Analyst's Choice Award from eWeek. As attacks through web
applications
continue to rise, you need to proactively protect your applications
from hackers. Cenzic has the most comprehensive solutions
to meet your
application security penetration testing and vulnerability
management
needs. You have an option to go with a managed service (Cenzic
ClickToSecure) or an enterprise software (Cenzic Hailstorm).
Download FREE whitepaper on how a managed service can help
you: HYPERLINK HYPERLINK
http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php HYPERLINK
http://www.cenzic.com/news_events/wpappsec.php
http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you
to confirm
your results from other product. Contact us at
request@xxxxxxxxxx for
details.
--------------------------------------------------------------
----------------


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release
Date: 8/4/2006



--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release
Date: 8/4/2006


--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release
Date: 8/4/2006



--------------------------------------------------------------
----------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win
the Analyst's
Choice Award from eWeek. As attacks through web applications
continue to rise,
you need to proactively protect your applications from
hackers. Cenzic has the
most comprehensive solutions to meet your application
security penetration
testing and vulnerability management needs. You have an
option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed
service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to
confirm your
results from other product. Contact us at request@xxxxxxxxxx
for details.
--------------------------------------------------------------
----------------




--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release
Date: 8/4/2006



--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.10.7/409 - Release Date: 8/4/2006



------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@xxxxxxxxxx for details.
------------------------------------------------------------------------------

Relevant Pages

  • Re: [lists] Re: What to spend on a pentest
    ... The PCI standard does require a business obtain quarterly vulnerability ... You'll notice the annual pen-test requirement in 11.3 doesn't specify that ... > Officer Information Systems Security infosysec.net ... You have an option to go with a managed service (Cenzic ...
    (Pen-Test)
  • Re: [lists] Re: What to spend on a pentest
    ... Only the vulnerability test needs to be performed by a visa certified vulnerability tester. ... You'll notice the annual pen-test requirement in 11.3 doesn't specify that ... > Officer Information Systems Security infosysec.net ... You have an option to go with a managed service (Cenzic ...
    (Pen-Test)
  • RE: Pen-Test and Social Engineering
    ... may and should be a SE aspect of said Pen-Test. ... I know a place where the security guard barely ... Time of the attacks. ... Audit your website security with Acunetix Web Vulnerability Scanner: ...
    (Pen-Test)
  • RE: testing laptop based on bsd anyone
    ... I wasn't speaking about the relative strengths of security measures within ... an OS as a yardstick to determining viability as a pen-test platform. ... As attacks through web applications continue to rise, ... vulnerability management needs. ...
    (Pen-Test)
  • RE: Business justification for pentesting
    ... This is a risk management thing not a pen-test thing. ... security sucks. ... Audit your website security with Acunetix Web Vulnerability Scanner: ... Cross site scripting and other web attacks before hackers do! ...
    (Pen-Test)
Quantcast