Internal Pen-testing

When is the best time to do a internal pen-test, rite after your vulnerability assessment right? How would you go about doing it?

Find more posts tagged with

Comments

beads

Depends entirely on the corporate culture, i.e. management's tolerance towards penetration testing. First, you need to have a plan of attack or what your going to be testing; the criticality of systems to be tested; a back out plan should something go wrong, like taking out a production server; and finally letting the appropriate people know the who, what's, wheres; whens and whys of the test. No one wants to called at 3:00AM to hear that your test just took out a major segment of the network and they have remote in or worse to help clean up the mess.

In other words a lot of background though has to go into these things not to mention a great deal of communication and approval.

- beads

JDMurray

And please, please, please have a formal policy to notify the NSOC people that you will be doing something that will cause their IDS/IPS' to fill up the security event collection system with thousands of evil-looking connections and malicious signature hits. Give us a chance to recognize and filter out that dross by source IP, will ya?

impelse

JDMurray wrote: »

And please, please, please have a formal policy to notify the NSOC people that you will be doing something that will cause their IDS/IPS' to fill up the security event collection system with thousands of evil-looking connections and malicious signature hits. Give us a chance to recognize and filter out that dross by source IP, will ya?

I think you guys are working and begin to receive a lot of alerts and begin move/check everything to found out that somebody was testing.....lol

JDMurray

impelse wrote: »

I think you guys are working and begin to receive a lot of alerts and begin move/check everything to found out that somebody was testing.....lol

Oh, it happens sometimes weekly. People don't realize their traffic is NOT traveling unnoticed and anonymously across the network, or what affect their traffic may have on other hosts. In some cases, people are genuinely doing things that could not occur on a corporate network and should be performed in a private testing network instead.

impelse

Today I was running a vulnerability assessment and my supervisor it was monitoring the network for performance and was complaining that devices was dropping a lot of packets, and I saw the ip addresses that he was checking, it was my scan, lol

jamesleecoleman

lol what did he say after you told him?

sexion8

impelse wrote: »

Today I was running a vulnerability assessment and my supervisor it was monitoring the network for performance and was complaining that devices was dropping a lot of packets, and I saw the ip addresses that he was checking, it was my scan, lol

I perform a full blown vuln assessments using a brutally modified OpenVAS+GFI+Nessus concoction and full blown pentests once a month. My assessments are performed at night / early morning so I can see the results the next day. My pentests are random and unannounced. Most of the times MIS doesn't even see/detect me when I don't want them to. But when I need to be brutal and noisy, I will give them the heads up.

As for the initial question, that is something management must decide believe it not. Not the security engineer. They know/understand (at least I would hope), risk and its association to the infrastructure. They have to be the ones to dictate when testing should be done. Most times I would prefer it to be: RA --> vuln assess --> remediate --> GAP analysis, that's just me though.

JD, when you do EnCE?

(fixed typo from ince to once

)

JDMurray

sexion8 wrote: »

JD, when you do EnCE?

About six months ago.