Tuesday, 14 June 2011

Vulnerability scanning vs. penetration testing

It is fair to say that vulnerability scanning and port scanning are a component of any penetration test. However, many companies rely purely on the results of these scans to assess their security, often running the scans themselves or using an automated service.

Being a pen tester is a continuous learning curve. Tools can greatly simplify the bulk of the task, but many of the issues I find come from manual testing and verification, because tools alone cannot always pinpoint them.

Testing your own systems also has its disadvantages, because the tests are run against known targets using expected input. A third party testing the same target approaches it from a different angle: not knowing what is expected, they vary the input in order to provoke different responses. Interpreting those errors and adjusting the approach often uncovers new vulnerabilities. On many occasions what is found is not an exploitable vulnerability as such, but simply the ability to access information that was never intended to be exposed.
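To make the point about varying input concrete, here is an added example; it is not the author's code nor that of any tool or service mentioned on this page. It sends a batch of "expected" and "unexpected" inputs to a target and groups the responses by exactly what came back, so that any input which produces a distinguishable response stands out for manual follow-up. The target is a constructed, in-process stand-in for a login handler (hypothetical and deliberately leaky) so the script runs offline; swap `login_endpoint` for a function that makes a real request to a system you are authorised to test.

```python
"""Response differencing: bucket a target's replies to varied inputs.

Everything below is constructed for illustration. The target function is a
stand-in for an HTTP login handler, not a real product, and the probe list
is a made-up sample of what an owner and a third party might each send.
"""
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, str]          # (status code, response body)
Credentials = Tuple[str, str]       # (username, password)

# --- Constructed target ---------------------------------------------------
_USERS = {"alice": "correct horse", "bob": "hunter2"}  # made-up accounts


def login_endpoint(username: str, password: str) -> Response:
    """Hypothetical login handler standing in for a real endpoint.

    It returns a different message for an unknown user than for a wrong
    password, and an unhandled-error page for malformed input. Both are the
    kind of behaviour that expected-input testing never triggers.
    """
    if "\x00" in username:
        return 500, "Internal Server Error: ValueError: embedded null byte"
    if username not in _USERS:
        return 401, "Unknown user"
    if _USERS[username] != password:
        return 401, "Incorrect password"
    return 200, "Welcome"


# --- Probe inputs -----------------------------------------------------------
# The first two are what an owner testing their own system typically sends;
# the rest are the variations a third party tries to see what changes.
PROBES: List[Credentials] = [
    ("alice", "correct horse"),   # expected: a valid login
    ("alice", "wrong"),           # expected: a bad password
    ("mallory", "wrong"),         # unexpected: does the app admit the user exists?
    ("alice\x00", "x"),           # unexpected: malformed input
    ("' OR 1=1--", "x"),          # unexpected: injection-style string
]


def probe(target: Callable[[str, str], Response],
          inputs: List[Credentials]) -> Dict[Response, List[Credentials]]:
    """Send every input and bucket the inputs by the exact response returned."""
    buckets: Dict[Response, List[Credentials]] = defaultdict(list)
    for user, pw in inputs:
        buckets[target(user, pw)].append((user, pw))
    return dict(buckets)


def findings(buckets: Dict[Response, List[Credentials]]) -> List[str]:
    """Turn distinguishable responses into items a tester would chase.

    Two failed logins with different bodies let an attacker tell valid
    usernames from invalid ones. Any 5xx carrying an exception message is
    information leakage worth reporting even if no further exploit follows.
    """
    out: List[str] = []
    failure_bodies = {body for (status, body) in buckets if status == 401}
    if len(failure_bodies) > 1:
        out.append(
            f"username enumeration: distinct failure messages {sorted(failure_bodies)}"
        )
    for status, body in buckets:
        if status >= 500:
            out.append(f"server error leaks detail: {body!r}")
    return out


if __name__ == "__main__":
    results = probe(login_endpoint, PROBES)
    for response, inputs in results.items():
        print(response, "<-", inputs)
    for item in findings(results):
        print("FINDING:", item)
```

Note that neither finding is a "vulnerability" in the scanner sense: no CVE, no exploit. They are exactly the unintended information disclosures the paragraph above describes, and a scan that only checks version banners and open ports will not report either of them.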


The games industry has used a similar approach for many years: the team who program a game are not the people who test it. Games testers vary in age and are tasked with playing the game to destruction. The reason is that the person writing the game plays it the way it is intended to be played and is unlikely to find the glitch or move that breaks the system or circumvents the intended gameplay. The underlying code may appear sound, yet certain input can still produce an unexpected result.

A thorough penetration test can take from a few days to several months depending on the size and complexity of the target network. When choosing a company to carry out this work, I believe it is essential that the customer ascertains whether they are getting a standard vulnerability assessment or a full penetration test.

The systems most at risk are the critical ones that companies are most nervous about changing: web servers, data servers, database servers, switches and routers, to name a few. On the flip side, many breaches are carried out from a single compromised host on the internal network.

Remember, a pen tester will only target systems which have been explicitly authorised by the client, so it is essential that the key systems are identified and included in the scope before testing starts.


Black box testing, where the tester starts with very little information, is considered by many to be the best approach, but consider the possibility of an attack by someone who already has a reasonable amount of information about the internal systems. Often a basic understanding of company processes and systems leads to a more thorough test. In those circumstances the knowledge of the system administrators and the experience of the tester combine to greater effect.

If you would like more information about services offered please feel free to contact me or post a comment.
