What I do

I am an Information Risk Consultant and Penetration Tester. I specialize mostly in penetrating secure networks/computer systems, where I simulate an organized professional attack against your organization, after which a detailed report of weaknesses and exploited vectors is summarized. This will help you gain control over your infrastructure's security and maximize your protection.

Monday, June 24, 2013

Real Penetration Testers VS The Fakes

Lately I have been seeing penetration test reports from several banks, as I worked for a Government entity to see how secure Kenyan banks are against compromise / security breaches, now that we have all moved to a more digital network, as campaigned for by the new officials.

Now, what I came to see were reports by several security companies on penetration testing, and they were really bad; I am still wondering whether to call it disgusting or unrefined work.

So I got to ask myself: how would a client know if the guys he hired are really doing something? As I read these reports, most of the screenshots were from Nmap, Cain and Abel, Nessus etc. Funny, I rarely saw a screenshot from xterm, terminal, konsole etc. At the very least I was wishing, "please, just an MS CMD screenshot, please".

Other pentests, as I read, were done in 7 days or 10 days, and as you know this is simply impossible for a PT, unless you are doing a Health Check. Health Checks are supposed to be free, so why pay millions for one? Does it make any sense?

So anyway, how do you know you are getting robbed?

a) The pentest team is just using MS Windows

Any hacker out there who is trying to rob you or hack your network will be busy using tougher tools, and mostly these will be found on Unix/Linux systems, which are more robust and can handle robust networks adequately. So unless the team is using Core Impact, you are not getting your money's worth.

b) The pentest is taking less than 2 weeks

Any hack, or penetration test, goes further than a Vulnerability Test or even a Health Check. Real black hats, even in terrorism and organized crime, take time: scanning, checking vulnerabilities, learning the network, coding new scripts to find ways to bypass the changes you made on your webserver/filters, social engineering and many more. Yes, in Hollywood they take 5 minutes. So if you are getting a pentest and these guys are just busy firing nmap, Nessus, Burp, w3af, etc., and nothing else is happening, and they actually told you a ten-day pentest or less, please just fire them; they are just after your money.

c) Logs on your systems

One thing I know as a pentester is that logs will always be there, no matter how covert you are during a test. As a pentester, an online brute force will always come as the last option. So as a system admin, if you see some brute-forcing on telnetd, or maybe sshd, in the first five days, just know these pentesters are hopeless. Another tool used commonly is nmap. Most of the organizations out there already have firewalls and IDSs implemented on the network, and you can always see nmap scans no matter how covertly they move. But why would a pentester still be running nmap on your network in the last days, or even in the second week? If he is running an nmap scan from a machine that you own, which he has already infiltrated, then bravo, he has talent and is giving you your money's worth.
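The point above, that brute-forcing on sshd and nmap sweeps both leave a trail a system admin can read, is easy to turn into a check. The following is an added example written for this post, not code from the original author: a small Python detector run over constructed sample lines. It assumes syslog-style sshd "Failed password" lines for the auth log, iptables-style kernel lines with SRC= and DPT= fields for the firewall log, a fixed log year (syslog lines carry none), and the thresholds shown; all of those are assumptions, not anything the post specifies.

```python
import re
from collections import defaultdict
from datetime import datetime

# Syslog lines carry no year; assumed to be the year of the post (2013).
LOG_YEAR = 2013

# Constructed sample auth log: a burst of sshd failures from one host
# (the brute force the post talks about) plus one benign typo-then-login.
AUTH_LOG = """\
Jun 24 09:01:10 bank-gw sshd[2201]: Failed password for invalid user admin from 10.10.5.23 port 50112 ssh2
Jun 24 09:01:11 bank-gw sshd[2203]: Failed password for invalid user admin from 10.10.5.23 port 50113 ssh2
Jun 24 09:01:12 bank-gw sshd[2205]: Failed password for root from 10.10.5.23 port 50114 ssh2
Jun 24 09:01:13 bank-gw sshd[2207]: Failed password for root from 10.10.5.23 port 50115 ssh2
Jun 24 09:01:14 bank-gw sshd[2209]: Failed password for root from 10.10.5.23 port 50116 ssh2
Jun 24 09:01:15 bank-gw sshd[2211]: Failed password for oracle from 10.10.5.23 port 50117 ssh2
Jun 24 09:05:40 bank-gw sshd[2290]: Failed password for dan from 10.10.7.8 port 41022 ssh2
Jun 24 09:05:52 bank-gw sshd[2292]: Accepted password for dan from 10.10.7.8 port 41023 ssh2
"""

# Constructed sample firewall log: an nmap-style sweep of 12 ports in about
# 3 seconds from the same host, plus one legitimate HTTPS connection.
FW_LOG = "\n".join(
    f"Jun 24 10:15:0{i % 3} bank-fw kernel: IN=eth0 OUT= SRC=10.10.5.23 DST=10.10.1.5 PROTO=TCP DPT={port}"
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445])
) + "\nJun 24 10:15:03 bank-fw kernel: IN=eth0 OUT= SRC=10.10.7.8 DST=10.10.1.5 PROTO=TCP DPT=443\n"

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")


def parse_ts(text):
    """Turn a syslog timestamp ('Jun 24 09:01:10') into a datetime."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def _distinct_in_window(events, threshold, window_s):
    """events: list of (timestamp, key). True if any window of window_s
    seconds holds at least `threshold` distinct keys (sliding window)."""
    events = sorted(events)
    counts = {}
    lo = 0
    for hi, (ts, key) in enumerate(events):
        counts[key] = counts.get(key, 0) + 1
        while (ts - events[lo][0]).total_seconds() > window_s:
            old = events[lo][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        if len(counts) >= threshold:
            return True
    return False


def detect_bruteforce(auth_log, threshold=5, window_s=60):
    """Flag source IPs with `threshold` or more failed sshd logins inside window_s seconds."""
    failures = defaultdict(list)  # ip -> [(ts, line number)]; each failure is its own key
    users = defaultdict(set)
    for n, line in enumerate(auth_log.splitlines()):
        m = AUTH_RE.match(line)
        if m:
            failures[m["ip"]].append((parse_ts(m["ts"]), n))
            users[m["ip"]].add(m["user"])
    return {
        ip: {"failures": len(ev), "users": sorted(users[ip])}
        for ip, ev in failures.items()
        if _distinct_in_window(ev, threshold, window_s)
    }


def detect_portscan(fw_log, min_ports=10, window_s=60):
    """Flag sources that touch `min_ports` or more distinct destination ports inside window_s seconds."""
    hits = defaultdict(list)  # src -> [(ts, dport)]
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m:
            hits[m["src"]].append((parse_ts(m["ts"]), int(m["dpt"])))
    return {
        src: {"ports": len({p for _, p in ev})}
        for src, ev in hits.items()
        if _distinct_in_window(ev, min_ports, window_s)
    }


def review_logs(auth_log, fw_log):
    """Run both checks and return the findings keyed by source address."""
    return {"bruteforce": detect_bruteforce(auth_log), "portscan": detect_portscan(fw_log)}


if __name__ == "__main__":
    for kind, findings in review_logs(AUTH_LOG, FW_LOG).items():
        for src, info in findings.items():
            print(f"{kind}: {src} {info}")
```

Both checks use the same sliding window, so the brute-force check counts individual failures per source while the scan check counts distinct ports per source; the single failed login from 10.10.7.8 is never flagged. Feed real files in through `review_logs()` and compare the dates of the hits against the engagement schedule, which is exactly the comparison the post asks you to make.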

d) Pentesters clocking in and out

This is mostly for internal assessments, where the pentester sits in your internal network with his machine. So he/she is there in the morning for the first few days and leaves by 5 pm every day. The same schedule even after the second week: what is really happening here? Ask yourself that twice. To make it clear, every pentester has a habit of getting a shell and trying to maintain it until he has found a way to lay down a backdoor on that system. He/she can't lose that contact; that first shell is everything needed to move to the next target and use it for more malicious attempts on the other machines. So if, in the third week, the pentesters are not even prolonging testing, e.g. going 18 hrs at that desk, then just know they are not getting any shells, and they are busy facebooking and tweeting as nmap scripts run on repeat, just to impress you.

e) Black-box testing turned into white-box

I have seen organizations asking for black-box penetration testing, and then I have seen pentesters ask for logins, passwords and connections. Seriously, a black-box test is a black-box assessment; otherwise it turns into a Red Team assessment. Come on, security guys, get over yourselves; let's give these people what they asked for, there is a reason they did.

Well, I can't remember other ways for you to identify the fake penetration testers, but one thing you've got to remember: these days, in the IT field, certifications don't matter much anymore; they are just there to show you he/she can learn. That is why you find bedroom coders are better programmers than guys fresh from university.

More blog entries later,



Daniel Njora said...

Chuks this is very informative. Keep it up.

Bright Gameli said...

Can't be said any better... Thanks

Anon said...

The nail has been hit on the bum... ouch

George said...

Totally identify with your sentiments!!

Boniface Mbote said...

Interesting approach to security conmen.

Antonio said...

Agree 100% with your sentiments.

chuksjonia said...

Thanks guys.

Ss_Veritas said...

Which one are you? Real or fake?

Ss_Veritas said...

ISO and certification are a must; I find your opinion to this extent misleading.

chuksjonia said...

Get your cert, then a report that shows nmap and Nessus; how will that help the client? Your cert?

Ss_Veritas said...

There is no patch for a pen tester's foolishness; lack of enterprise IT governance is the threat agent here, not certification.