Internal Pen-testing

TBRAYS Member Posts: 267
When is the best time to do an internal pen-test, right after your vulnerability assessment, right? How would you go about doing it?
Bachelors of Science in Technical Management - Devry University
Masters of Information Systems Management with Enterprise Information Security - Walden University
Masters of Science in Information Assurance - Western Governors University
Masters of Science Cyber Security/Digital Forensics - University of South Florida

Comments

  • beads Senior Member Posts: 1,520 ■■■■■■■■■□
    Depends entirely on the corporate culture, i.e. management's tolerance towards penetration testing. First, you need to have a plan of attack, or what you're going to be testing; the criticality of the systems to be tested; a back-out plan should something go wrong, like taking out a production server; and finally letting the appropriate people know the who, what, where, when and why of the test. No one wants to be called at 3:00AM to hear that your test just took out a major segment of the network and they have to remote in, or worse, to help clean up the mess.

    In other words, a lot of background thought has to go into these things, not to mention a great deal of communication and approval.

    - beads
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,161
    And please, please, please have a formal policy to notify the NSOC people that you will be doing something that will cause their IDS/IPSs to fill up the security event collection system with thousands of evil-looking connections and malicious signature hits. Give us a chance to recognize and filter out that dross by source IP, will ya? ;)
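    The "filter by source IP" request above is usually implemented on the SOC side as a triage rule keyed on the approved test sources and the approved time window, so the tester's alerts are tagged (not dropped) and everything else still gets a human. The following is an added example and is not code from the thread's participants: the alert lines, signature names/ids, IP ranges, ticket number and window are all constructed for illustration, and the line layout only loosely resembles a Suricata fast.log entry.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample alerts (not captured logs). Signature ids/names are made up.
SAMPLE_ALERTS = [
    "03/14/2024-02:05:11.120000  [**] [1:1000001:1] SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.50.5:51234 -> 10.20.1.15:1433",
    "03/14/2024-02:07:40.003000  [**] [1:1000002:1] EXPLOIT SMB remote code execution attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.168.7.22:49822 -> 10.20.1.40:445",
    "03/14/2024-02:10:02.550000  [**] [1:1000003:1] SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.10.50.6:60001 -> 10.20.1.77:22",
    "03/14/2024-09:30:00.000000  [**] [1:1000001:1] SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.10.50.5:51300 -> 10.20.1.15:1433",
]

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[^\]]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class TestWindow:
    """One approved test: the change/ticket id, the source ranges the testers
    will scan from, and the time window the approval covers (UTC)."""
    ticket: str
    sources: tuple          # tuple of ip_network objects
    start: datetime
    end: datetime

    def covers(self, src, when):
        return self.start <= when <= self.end and any(src in n for n in self.sources)


# Hypothetical approval: ticket, /29 of tester boxes, a 01:00-05:00 UTC window.
APPROVED_TESTS = [
    TestWindow(
        ticket="CHG-0000",
        sources=(ip_network("10.10.50.0/29"),),
        start=datetime(2024, 3, 14, 1, 0, tzinfo=timezone.utc),
        end=datetime(2024, 3, 14, 5, 0, tzinfo=timezone.utc),
    )
]


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line does not parse."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Timestamps in the sample layout carry no zone; treat them as UTC.
    fields["when"] = datetime.strptime(fields["ts"], "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    return fields


def triage(lines, windows):
    """Tag each alert as 'authorized-test' or 'investigate' with a reason.
    Alerts are never discarded, so the tester's own notes can be reconciled
    against the SOC record after the engagement."""
    results = []
    registered = [n for w in windows for n in w.sources]
    for line in lines:
        a = parse_alert(line)
        if a is None:
            results.append({"raw": line, "disposition": "unparsed", "reason": "line did not match alert layout"})
            continue
        src = ip_address(a["src"])
        match = next((w for w in windows if w.covers(src, a["when"])), None)
        if match is not None:
            a.update(disposition="authorized-test", reason=f"covered by {match.ticket}")
        elif any(src in n for n in registered):
            # A scanner box being noisy outside its window is exactly the case
            # the SOC wants to see: either the test ran long or the box is compromised.
            a.update(disposition="investigate", reason="registered test source but outside approved window")
        else:
            a.update(disposition="investigate", reason="no approved test covers this source")
        results.append(a)
    return results


def summary(results):
    """Count dispositions, e.g. {'authorized-test': 2, 'investigate': 2}."""
    counts = {}
    for r in results:
        counts[r["disposition"]] = counts.get(r["disposition"], 0) + 1
    return counts


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, APPROVED_TESTS):
        print(f'{r["disposition"]:16} {r.get("src", "?"):15} {r["reason"]}')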
  • impelse Member Posts: 1,237 ■■■■□□□□□□
    JDMurray wrote: »
    And please, please, please have a formal policy to notify the NSOC people that you will be doing something that will cause their IDS/IPS' to fill up the security event collection system with thousands of evil-looking connections and malicious signature hits. Give us a chance to recognize and filter out that dross by source IP, will ya? ;)

    I think you guys are working and begin to receive a lot of alerts and begin to move/check everything, only to find out that somebody was testing..... lol
    Stop RDP Brute Force Attack with our RDP Firewall : http://www.thehost1.com
    It is your personal IPS to stop the attack.

  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,161
    impelse wrote: »
    I think you guys are working and begin to receive a lot of alerts and begin to move/check everything, only to find out that somebody was testing..... lol
    Oh, it happens sometimes weekly. People don't realize their traffic is NOT traveling unnoticed and anonymously across the network, or what effect their traffic may have on other hosts. In some cases, people are genuinely doing things that could not occur on a corporate network and should be performed in a private testing network instead.
  • impelse Member Posts: 1,237 ■■■■□□□□□□
    Today I was running a vulnerability assessment and my supervisor was monitoring the network for performance and was complaining that devices were dropping a lot of packets. I saw the IP addresses he was checking: it was my scan, lol

  • jamesleecoleman Member Posts: 1,899 ■■■■■□□□□□
    lol what did he say after you told him?
    Booya!!
    WIP : | CISSP [2018] | CISA [2018] | CAPM [2018] | eCPPT [2018] | CRISC [2019] | TORFL (TRKI) B1 | Learning: | Russian | Farsi |
    *****You can fail a test a bunch of times but what matters is that if you fail to give up or not*****
  • sexion8 Member Posts: 242
    impelse wrote: »
    Today I was running a vulnerability assessment and my supervisor was monitoring the network for performance and was complaining that devices were dropping a lot of packets. I saw the IP addresses he was checking: it was my scan, lol

    I perform full-blown vuln assessments using a brutally modified OpenVAS+GFI+Nessus concoction and full-blown pentests once a month. My assessments are performed at night / early morning so I can see the results the next day. My pentests are random and unannounced. Most of the time MIS doesn't even see/detect me when I don't want them to. But when I need to be brutal and noisy, I will give them the heads up.

    As for the initial question, that is something management must decide, believe it or not. Not the security engineer. They know/understand (at least I would hope) risk and its association to the infrastructure. They have to be the ones to dictate when testing should be done. Most times I would prefer it to be: RA --> vuln assess --> remediate --> GAP analysis, that's just me though.

    JD, when did you do EnCE?

    (fixed typo from ince to once ;))
    "Everything we hear is an opinion, not a fact. Everything we see is a perspective, not the truth." - Marcus Aurelius
  • JDMurray MSIT InfoSec, CISSP, SSCP, GSEC, EnCE, C|EH, CySA+, PenTest+, CASP+, Security+ Surf City, USA Admin Posts: 12,161
    sexion8 wrote: »
    JD, when did you do EnCE?
    About six months ago.