What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks and computer systems: I simulate an organized, professional attack against your organization, after which a detailed report summarizes the weaknesses and exploited vectors. This will help you gain control over your infrastructure's security and maximize your protection.

Monday, July 14, 2008

Scope (Pentest)

I have been doing a lot of pentests lately, and a lot of them involved banks and mobile network providers here in Kenya. What amazed me is that some of the admins knew about scanning systems and they thought that was enough. You just launch Nessus or Nmap, like the E and Y guys do, and you write up that the pentest is over, maybe after 3 days. Nooooooo, it doesn't run like that, brothers.

After you find the vulnerability, you need to tactically exploit the host, bypass the IDS signatures, penetrate through to secure networks, crack passwords and even access files that are restricted. How you do it, the duration, every step depends on the ROE and the scope of the pentest as discussed. You may have found some XSS holes, and the next day, as you get in and get down with your gear, you find that they just got patched and the other pages are behind the login page.

One thing you need to stress to the administration is that the scanners won't see beyond, the way an exploitation phase should.


/Chuks

3 comments:

Gentoo said...

Chuks, is this what E and Y guys really do?! Sad. Where have they been doing this and don't their clients demand more? Interestingly, we have some security concerns in our organisation that we would want an experienced person to help us with. Any ideas?!

Gentoo said...

That's me... commenting, that is...

chukjonia said...

I saw this several times and I fear what is really happening to those organizations that have gone through their assessments.

Good holidays