Secure? I think I’ve got a firewall…

Security isn’t something that I talk about a lot. It’s not that I don’t think about it; it’s just that, as far as blogging on security goes, there are so many better options that I don’t feel like I can bring anything to the table.

Every once in a while, though, I feel like it’s something I should cover, and today is one of those days. My neighbor in the office building called me up this morning and asked what I knew about penetration testing –  specifically about companies providing that service. I told him that I was familiar with the practice, and went over Red Team / Blue Team scenarios, but that I didn’t really know any companies that provided that service, or even just normal penetration testing.

Apparently, he had contracted with a company that would perform light network-based reconnaissance and report any vulnerabilities they found. I assume that they were just using Nessus or something similar. Anyway, he wasn’t happy with them. They went so far as to suggest he add them to the whitelist on his firewall, so that they wouldn’t get blocked while doing a SYN scan. Ridiculous, in my book. But I’m not a network security professional.

Instead, I would like to appeal to you. Have you ever had another company come in to assess your IT security? What kind of methods did they use? How aggressive were they? And can you suggest a company that is thorough and reliable? I’d love to hear about your experiences, and I know my neighbor would as well.

  • bluehavana

    Black box testing used to be a huge deal for pen testers, but recently, especially with things like SOX and PCI-DSS, network-wide security audits are more valuable to companies, as the security consultants can get a better view of what is going on in the network and make better recommendations as to the root cause.

    Buuuut… Pen testing companies can be a huge group of shysters. Just performing a Nessus scan doesn’t cut it anymore. They should bring valid, experiential wisdom to the table and look at total overall risk (vulnerability * threat) with the customer. Pen testing as a pen test is dead and has grown up into independent security consultations, which might require a whole bunch of white box tests and audits.

  • Anthony DeChiaro

    Matt, funny you mention that… I actually have a good friend that does this for a living in the NY metro area. They primarily focus on the healthcare industry but I can inquire if they are open to other possibilities. Let me know if you are interested.

  • I prefer comprehensive views of systems, rather than just external pen tests.

    For me, external security reviews in various forms are a fact of life. Either I hire them to look at my systems or internal audit hires them to look at my systems.

    In some cases, we get really sharp auditors taking a very close look at what we do. That makes it interesting. The better the auditors, the more valuable are the reports and findings, and the more likely you are to be able to use them to improve your security.

    And – because I work for a public entity in a state with very open rules on state documents, some of my audit findings are public, Googleable and, if bad, show up in the morning paper and the 5 o’clock news.

  • -dsr-

    My company has contractual obligations with our customers to get annual external audits, and more often at their expense.

    It’s not a big deal, if you’ve already nailed things down properly. All the major security companies will do this. Typically there’s a meeting beforehand to decide on what will be covered, and when it will happen; a preliminary report, that shows the issues they’ve found ranked in order of severity; then you either fix the problems or declare that they don’t bother you, and then they repeat the tests you previously failed and issue the final report. At the low end, this is basically someone running Nessus against you — shame on you if you aren’t already doing this on a regular basis. At the high end, they try real (non-DOS) attacks against every port you have open. You might create an unprivileged account for them to try to leverage. The cost goes up, of course.

    None of them have ever asked us to change a firewall configuration for them. That’s laughable.

  • Justin

    If a pen test company is saying that you need to reduce your security for them to test your security, then how good of a pen test is it? Besides, your bigger threat is probably compromised desktops that are already in your network or coming in via VPN. That’s the whole point behind defense in depth and comprehensive security plans and audits. For the average company, your users will cause more problems than the random attacks from outside your network. Of course, non-random attacks are a whole different issue.

  • Dan

    Asking you to whitelist them at the firewall just means they can run a nice fast port scan, rather than having to use long delays, or keep switching proxies to avoid your IDS. This just saves them a load of time; it’s not actually needed, but being able to run a port scan in half an hour is much better than having to do it slyly over 3 days.

    Anything that would give them more access should be avoided, but just preventing them from getting blocked is fine.
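The trade-off Dan describes (a fast scan trips the IDS, a slow one stays under its threshold, and a whitelisted source is never checked) is easy to see in code. The following is an added example, not code from the original post or any commenter: a toy port-scan detector run over constructed SYN log lines. The log format, the 20-ports-per-60-seconds threshold and the IP addresses are all assumptions made for illustration; real IDS rules differ.

```python
"""Toy port-scan detector (added example, not from the original post).

Models an IDS that blocks a source once it has touched more than MAX_PORTS
distinct destination ports inside a sliding WINDOW. A scanner either goes
slowly enough to stay under that limit or asks to be whitelisted.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not a real device):
#   "<ISO-8601 timestamp> SYN <src_ip> -> <dst_ip>:<dst_port>"
MAX_PORTS = 20                      # distinct ports per window before blocking
WINDOW = timedelta(seconds=60)      # sliding window length
START = datetime(2024, 1, 1, tzinfo=timezone.utc)   # base time for the sample


def parse_line(line):
    """Return (timestamp, src_ip, dst_port) for one log line in the assumed format."""
    ts, _flag, src, _arrow, dst = line.split()
    _host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, int(port)


def detect_scanners(lines, whitelist=frozenset()):
    """Return {src_ip: time_of_block} for every source that exceeds MAX_PORTS.

    Sources in `whitelist` are skipped entirely, which is what the contractor
    in the post asked for; once a source is blocked its later lines are ignored.
    """
    events = sorted(parse_line(line) for line in lines)   # order by timestamp
    recent = defaultdict(deque)     # src -> deque of (ts, port) inside WINDOW
    blocked = {}
    for ts, src, port in events:
        if src in whitelist or src in blocked:
            continue
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > WINDOW:      # drop hits older than the window
            q.popleft()
        if len({p for _, p in q}) > MAX_PORTS:
            blocked[src] = ts
    return blocked


def make_scan(src, start, ports, gap):
    """Constructed SYN log lines for `src` probing `ports`, one every `gap`."""
    return [
        f"{(start + i * gap).isoformat()} SYN {src} -> 203.0.113.10:{p}"
        for i, p in enumerate(ports)
    ]


def demo():
    """Three scenarios from the thread.

    Returns (blocked_without_whitelist, blocked_with_whitelist):
      - 198.51.100.7 probes 50 ports 0.2 s apart: blocked after the 21st port.
      - 198.51.100.8 probes the same 50 ports 5 s apart: never more than 13
        ports fall inside any 60 s window, so it is never blocked.
      - With 198.51.100.7 whitelisted, the fast scan is not blocked either.
    """
    fast = make_scan("198.51.100.7", START, range(1, 51), timedelta(milliseconds=200))
    slow = make_scan("198.51.100.8", START, range(1, 51), timedelta(seconds=5))
    no_whitelist = detect_scanners(fast + slow)
    with_whitelist = detect_scanners(fast + slow, whitelist={"198.51.100.7"})
    return no_whitelist, with_whitelist


if __name__ == "__main__":
    blocked, blocked_wl = demo()
    print("blocked without whitelist:", blocked)
    print("blocked with whitelist:   ", blocked_wl)
```

The slow scanner takes about four minutes here; scale the gap up and the same logic explains why an unwhitelisted tester needs days rather than half an hour, and why whitelisting changes only the speed of the scan, not what it can reach.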

  • Oh yes. We have to have ‘external security scans’ regularly as part of PCI compliance. And the cheap way to do that is to have some security firm with a good rep do it remotely. Since we’re in higher ed, and our entire IP space is routable, it makes it really easy for them too! We just allow their specified IP address through all of our firewalls and IDS/IPS systems, and get an emailed vulnerability report.

    Yes, this did cause grief amongst us techs when we learned about this. We got told to suck up and deal by management. They said the security audit only ‘counts’ if it is done naked, with none of the network-based protections in front of it.

    Right this moment we’re undergoing a far more traditional security audit, where the auditors actually come ON CAMPUS to do their evil-deeds-in-the-name-of-science. Their communication hasn’t been the greatest, and the ethernet port they’re using for all of the scans has been shut down repeatedly while they’ve been here. They’ve also had multiple visits from helpdesk consultants to figure out what in that room was causing all the noise… and they were happy to see the attention. They’re apparently quite used to having their network connection shut off.

    Unlike the remote auditors this crew looks to be using more than just Nessus, they’re using Metasploit as well. They’re not explicitly penetration-testing, they’re just giving the virtual door-knobs a really thorough rattling. Their attempts to figure out if a specific script would allow an SQL injection attack ended up generating hundreds of emails for one of our poor users to sort through.

  • This is only tangentially related, but a while back I took a computer security course at SAIC where one of the instructors was the Red Team, the students were the Blue Team, and the other instructor called himself the “White Team” (scorer, mediator). They set up an entire virtualized environment where we were “inheriting” an unpatched/unmanaged network and had to protect it from intrusion.

    It was really fun, but mostly because I was assigned to cover the Unix machines and I rocked their world. The White Team guy told me that I was the quickest of any previous class to discover that the SSH daemon was a hacked executable that was logging passwords, and to install a proper one (and change the root password) before they ever had a chance to get in and really mess with me.

  • Robin Stamer

    For our PCI audits the pen test was done without editing our firewall rules, and they came on site to see the internal side of things.

  • I’m a big security nut and follow a lot of pentest techniques. I have to say that I have never heard of whitelisting anyone… even if it means that you can speed up the scans. The whole point of a pentest or network assessment is just that… to assess. If you whitelist or give in to other requests then you aren’t really getting an “outside” look at your network. If it was a company that you used regularly, however, I’d say otherwise.

    I’ve done some pentests before and, as someone else mentioned, it really is no longer just running a Nessus scan. Security has evolved into such a large topic that it’s hard to stay on top of it all; however, it’s important to get a big perspective of your network, outside and in. Unfortunately my company has no PCI or security requirements, which means that security takes a back seat to everything else. While this has its downsides for running a company as a security-minded person, it does allow me to see where people make their biggest security mistakes.

  • Shamrock Hoax

    Maybe it was just a social engineering experiment.

    Seriously though, there are a lot of security companies that promise a pen-test and just run a Nessus scan. I know, I was a part of one for about two months. They are scum. I had to take a looong shower after I quit.