RE: External Pentests Obsolete?



For PCI compliance, external scans are a requirement. They also provide
a sanity check, verifying that there are no undocumented/incorrectly
documented services/hosts.



-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Yiannis Koukouras
Sent: Thursday, August 09, 2007 3:19 AM
To: pen-test@xxxxxxxxxxxxxxxxx
Subject: External Pentests Obsolete?

Hi all,

Do you think that an external infrastructure pentest is nowadays
obsolete?

What I want to say is that, most of the serious companies nowadays will
only have a few servers on their DMZ (web server, mail server, SSL
concentrator, terminal server, citrix) and will only allow access to one
or two ports for each of them. The rest of the infrastructure (excluding
the internet facing router and firewall) will be completely
inaccessible.

Thus, if web application testing is out of scope, there isn't much to
test, is it? Only half a dozen of services to check vulnerabilities and
misconfiguration, check if mail rely is on, make a password bruteforce
attack(?), check that the DNS can't be poison and VOILA! You have
finished!

Do you think that it is ethical to consult our clients to "buy" an
external pentest anymore?

P.S. If I am wrong, PLEASE prove me wrong!

--
Ioannis Koukouras
CISSP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras

=
Cruise Value Center - Mexico Cruises
Cruise Value Center is one of America's leading discount brokers on
Mexican cruises. Let our experts help you choose the cruise vacation
package that will meet your budget and lifestyle.
http://a8-asy.a8ww.net/a8-ads/adftrclick?redirectid=83149e4a674877039cb5
c210b2445439


--
Powered by Outblaze

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



Relevant Pages

  • Re: FAX virus
    ... to loading a virus" to be disingenuous. ... he has a fax server (this will convert from ... Need to secure your web apps NOW? ... buy it or download a solution FREE today! ...
    (Pen-Test)
  • RE: Web Application Testers.
    ... programmed to remain on the original server. ... Achillesor subwebwhen breaking web apps; ... This list is provided by the SecurityFocus Security Intelligence Alert ...
    (Pen-Test)
  • Re: Building Web Applications C#
    ... If you just want to learn C# web apps without complicated server setup, VS2005 has a built-in web server, you don't need IIS at all. ... but note that IIS5 is what you get with Win2k; if you have XP you'll get IIS 5.1` and if you use Windows Server 2003 you'll get IIS6. ... However, if you're writing serious C# web apps for small business, you'll need two computers; a client with Win2k/XP/Vista and a server running Win2003 or Longhorn. ...
    (microsoft.public.vsnet.general)
  • Re: FAX virus
    ... Kindly discuss about the various attack vectors, and ways to safeguard against the same. ... My FAX server allows me to receive faxes from my clients from Internet. ... My fax server routes the stuff to the document processing ... Need to secure your web apps NOW? ...
    (Pen-Test)