what i do?

Am an Information Risk Consultant and Penetration Tester, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.

Sunday, January 30, 2011

If They scan and paste, why not just buy the tool!

As an Infosec specialist, you might have worked with tools like Nessus, Appscan, Acunetic etc. Well these tools kind of give a pentester an easy time during an engagement.

Organization throughout the world who have security departments that test vulnerabilities in a daily basis use the same tools for easier scans on their subnets, but they also contract Security Specialists for a view above the scope. Its more money on their budgets so they always expect a better addition of the value they are procuring for.

The other day, i was looking at some reports done by a very powerful company that specializes with AV (Anti-virus)and also on with PT(Penetration Testing). From such AV cooperations i was expecting real good reports but all i could see were copy pastes from Nessus plugins. Many question unanswered there......

One of the questions i asked myself was, why not just buy a scanner and leave it running for your report?

Another question that truly comes up is, will the bad guys be doing the same?

Anyone who has answers, please post below.



./Chuks

Sunday, January 16, 2011

Before PT, Call-inject

Just before a PT Op, clients who understand PT and VA will tend to call, maybe via management or even with their Technical Security Departments, and will ask you as the pentester several questions, maybe about Owasp, methodologies, tools, etc During this session, i tend to listen and also ask questions cause they tend to also lead to Pre-Infor gathering just before the projects.

This actually worked some months ago last year, when doing a PT on a big organization which was using Windows Domain Controllers and was also reachable via the internet. This wasnt to be figured out before the operation, it was to, after negotiations and the start of work.

Companies should be aware of such errors/flaws/human weaknesses, due to the fact that, the pentesters who dont win the bids tend not to be unhappy, and may have discovered that information via the phone-calls.


./Chuks