I think not quantifying the risk associated with the problems identified in the report is the problem with most pen tests. We had an SQL database here years ago when I first started that used SS numbers as passwords for the web interface. I screamed about it and got nowhere. Then one day at lunch with my boss I pulled out a laptop and hit the website from the public side and dumped all the SS numbers using a simple SQL injection. The system was shut down the same day. The report is incomplete if it doesn't associate the risk to the business with each vulnerability. As soon as I demonstrated the risk it was fixed.

But getting back to the article, I don't think he is attacking the report. What I really think Dave is saying is don't just fix the vulnerabilities in the report...identify why those vulnerabilities exist in the first place. If you fix all the items in the report you are feeding a man for a day. Identify what shortcomings in the process allowed those vulnerabilities to happen and fix those and you have taught them to fish. As long as we are just chasing zero days we will never be secure.

From: Andrew S. Baker [mailto:[email protected]]
Sent: Tuesday, April 03, 2012 10:52 AM
To: NT System Admin Issues
Subject: Re: OT: Favour to ask

While I agree with the thrust of this article, the fact is that much of the complexity is there because without it, many would not accept that the risks exist. Yes, it is critical that an organization also receive some guidance about how to prioritize the risks and remediate them, but if organizations insist on not maintaining FTEs or consultants who can provide that information/guidance, and they don't seek a qualified security vendor to partner with to obtain said information/guidance, is the problem really the size or complexity of the penetration testing report?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Tue, Apr 3, 2012 at 9:31 AM, Kennedy, Jim <[email protected]> wrote:

I've seen it, my kid wrote it. :) He is currently ripping on the industry pen test standards, much as you were last week.

http://searchsecurity.techtarget.com/news/2240147882/Expert-advocates-for-more-effective-pen-tests-less-complex-security

From: Ziots, Edward [mailto:[email protected]]
Sent: Tuesday, April 03, 2012 9:28 AM
To: NT System Admin Issues
Subject: RE: OT: Favour to ask

Take a look at the Social Engineer's Toolset; it's pretty amazing what you can do with those tools to test how well your users are equipped against social engineering threats.
EZ

Edward Ziots
CISSP, Security+, Network+
Security Engineer
Lifespan Organization
[email protected]

From: Kennedy, Jim [mailto:[email protected]]
Sent: Monday, April 02, 2012 4:08 PM
To: NT System Admin Issues
Subject: RE: OT: Favour to ask

Yes, we all should have sandboxes for this kind of thing.

From: Cameron [mailto:[email protected]]
Sent: Monday, April 02, 2012 4:05 PM
To: NT System Admin Issues
Subject: Re: OT: Favour to ask

Andrew...you are of course correct! Thankfully we are not our end-users! LOL!

On Mon, Apr 2, 2012 at 3:08 PM, Andrew S. Baker <[email protected]> wrote:

Isn't this the sort of thing we teach our end-users not to fall for in an effort to avoid social engineering issues? Why would we undermine our own education in this arena?

ASB
http://XeeMe.com/AndrewBaker
Harnessing the Advantages of Technology for the SMB market...

On Mon, Apr 2, 2012 at 2:53 PM, Cameron <[email protected]> wrote:

Good afternoon all!

I have a favour to ask for my 2nd cousin Heather. She and some classmates have done an assignment for her Cardiology Final (she is pre-med) as a YouTube presentation. The information is real, and they came up with a fictional newscast channeling Charlie's Angels. The information is a real study and the athlete in it is her boyfriend. The number of hits is going to determine their grade. I would really appreciate it if you could just *hit* the video (you don't need to watch it!).

http://www.youtube.com/watch?v=H3TD98qRPAM&feature=youtu.be

Thanks as always!
Cameron

~ Finally, powerful endpoint security that ISN'T a resource hog!
~ ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
--- To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/ or send an email to [email protected] with the body: unsubscribe ntsysadmin
