Penetration Testing is Easy — Too Easy
By Daniel Miessler on October 18th, 2007: Tagged as Hacking | Information Security

Penetration testing falls into three basic categories based on the posture of the organization you’re up against. Reality obviously has shades, but here are the main groupings I always seem to run across during internal assessments.
- Trivial Joke (1)
- Standard Mess (2)
- Seriously Stout (3)
And here are some of the primary metrics:
- Asset Management:
  - Do they know what all their systems are?
  - Is that information kept up to date?
  - Would they know if a new system came onto the network?
- Patching:
  - Do they have an automated patching system?
  - Are patches verified, or are they just assuming they were applied?
  - Do they patch everything, or just the stuff that's not too "scary" to touch?
- Visibility:
  - Do they run their own regular vulnerability scans?
  - Do they have their own IDS and/or IPS systems?
  - Do they have logging and auditing enabled?
  - Are they actually REVIEWING this information?
  - Is there any solution for real-time alerting/monitoring?
- Hardening:
  - Are there standards that are followed for hardened system deployments?
  - Is the environment scanned for superfluous services?
  - Do they follow a least-privilege philosophy, or are they in "just make it work" mode?
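Two of the questions above, whether a new system on the network would be noticed and whether superfluous services are scanned for, can be answered mechanically rather than with a blank stare. The script below is an added example and is not code from the original post: it parses constructed nmap grepable (-oG) output, compares the observed hosts against a constructed asset register, and reports hosts missing from the register, register entries that no longer answer, and open ports that a per-role hardening baseline does not permit. The register, the baseline and the scan lines are all made up for the illustration.

```python
"""Added example (not from the original post): mechanizing two of the questions
above, "would they know if a new system came onto the network?" and "is the
environment scanned for superfluous services?". All data below is constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    role: str
    owner: str


# Constructed asset register: what the organization believes is on the network.
REGISTER = {
    "10.0.1.10": Asset("10.0.1.10", "web", "appteam"),
    "10.0.1.11": Asset("10.0.1.11", "web", "appteam"),
    "10.0.1.20": Asset("10.0.1.20", "db", "dba"),
    "10.0.1.30": Asset("10.0.1.30", "fileserver", "infra"),  # decommissioned, never removed
}

# Constructed per-role hardening baseline: the only TCP ports allowed to listen.
BASELINE = {
    "web": {22, 443},
    "db": {22, 5432},
    "fileserver": {22, 445},
}

# Constructed nmap grepable (-oG) output for the same subnet. Fields are tab-separated.
SCAN_OUTPUT = (
    "# Nmap scan initiated (constructed sample)\n"
    "Host: 10.0.1.10 ()\tStatus: Up\n"
    "Host: 10.0.1.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n"
    "Host: 10.0.1.11 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, "
    "3306/open/tcp//mysql///\tIgnored State: closed (996)\n"
    "Host: 10.0.1.20 ()\tPorts: 22/open/tcp//ssh///, 5432/open/tcp//postgresql///, "
    "8080/open/tcp//http-proxy///\tIgnored State: closed (997)\n"
    "Host: 10.0.1.45 ()\tPorts: 22/open/tcp//ssh///, 80/filtered/tcp//http///, "
    "3389/open/tcp//ms-wbt-server///\tIgnored State: closed (997)\n"
)

# "Host: <ip> (<name>)\tPorts: <port list>\tIgnored State: ..." ; capture ip and port list only.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(.*?\)\s+Ports:\s+(.*?)(?:\t|$)")
# Each port entry looks like "22/open/tcp//ssh///"; we need number, state and protocol.
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/")


def parse_grepable(text):
    """Return {ip: set of open TCP ports} from nmap -oG output; filtered/closed ports are dropped."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comments and "Status: Up" lines carry no port data
        ip, ports = m.group(1), m.group(2)
        hosts[ip] = {int(port) for port, state, proto in PORT_RE.findall(ports)
                     if state == "open" and proto == "tcp"}
    return hosts


def unknown_hosts(register, scan):
    """Hosts answering on the network that the asset register does not know about."""
    return sorted(set(scan) - set(register))


def stale_assets(register, scan):
    """Registered hosts that no longer answer: the register is not being kept up to date."""
    return sorted(set(register) - set(scan))


def superfluous_services(register, scan, baseline):
    """Open ports on known hosts that the role's hardening baseline does not permit."""
    findings = {}
    for host, ports in scan.items():
        asset = register.get(host)
        if asset is None:
            continue  # reported by unknown_hosts() instead
        extra = ports - baseline.get(asset.role, set())
        if extra:
            findings[host] = sorted(extra)
    return findings


def drift_findings(register, scan, baseline):
    """Total number of findings; zero means register, scan and baseline agree."""
    return (len(unknown_hosts(register, scan))
            + len(stale_assets(register, scan))
            + sum(len(p) for p in superfluous_services(register, scan, baseline).values()))


SCAN = parse_grepable(SCAN_OUTPUT)

if __name__ == "__main__":
    print("Unknown hosts:", unknown_hosts(REGISTER, SCAN))
    print("Stale register entries:", stale_assets(REGISTER, SCAN))
    for host, ports in superfluous_services(REGISTER, SCAN, BASELINE).items():
        print(f"{host} ({REGISTER[host].role}): unexpected open ports {ports}")
    print("Total drift findings:", drift_findings(REGISTER, SCAN, BASELINE))
```

Run against the constructed data it reports one unregistered host (10.0.1.45), one register entry that nobody removed (10.0.1.30), and three listening ports the role baselines do not allow. An organization in category 3 runs something like this on a schedule and treats a non-zero result as an incident; one in category 1 finds out about 10.0.1.45 from the pentest report.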
The more of these questions that result in blank stares, the easier it is to get domain admin and harvest critical data. If the answer is no to more than a few of them, the group falls into category 1 or 2. Only the people doing all of that (and a lot more) end up with decently tight networks and systems, which is category 3.
Reality
It's easy to get excited when exploiting systems, pulling hashes, cracking them, getting domain access, etc., but it's a false high. What are we really doing? In categories 1 and 2 the enemy is either in a coma or not there at all. How is that a battle? It's nothing but knowing how to find the droppings of apathy and underfunding, and then knowing what to do with them.
I totally hacked them…
No, you didn’t. The vast majority of penetration testers out there are successful not because they’re exceptional, but because their targets are open wounds. Attacking these networks is like pushing over little kids. Congratulations on that.
Real penetration testing doesn’t start until two things are true:
- The network/system you are attacking is administered by a serious, properly resourced security team.
- There are no known, serious vulnerabilities.
If you start with a brick wall and have to invent new ways of getting in — that’s impressive. Until then you’re simply a monkey with a bag of tricks. Maybe you are a smarter monkey who can do more with less, or maybe you’ve created a few of your own tricks, but you’re still just a monkey.
I know because I am one.
--

Umm, surprise? Almost everyone in security is simply a monkey who has read some books/materials, and applies what they know. Even those who are pen testing applications rather than networks are doing pretty much the same thing - they know what kind of bugs are present in applications, so they try to find them.
But then again, doctors are pretty much monkeys as well, highly trained monkeys, yes, but monkeys nonetheless. So I don’t really see your point.
Comment by kuza55 — 10/18/2007 @ 4:18 am
I’m with kuza on this, what’s your point? If what you’re saying is 99% of the security community is not as l33t as they say they are, okay… but it’s like that all over, in every industry.
We’re all just a bunch of button pushers and keypad mashers in the end.
Comment by Marcin — 10/18/2007 @ 8:57 am
The point?
The point is that people make it into something it isn’t, and that a more tangible sense of accomplishment can probably be achieved by creating something. Just my opinion, of course.
Comment by Daniel Miessler — 10/18/2007 @ 1:26 pm
“Attacking these networks is like pushing over little kids. Congratulations on that.”
Awesome.
-=T=-
Comment by TIMM — 10/18/2007 @ 5:16 pm