Why is Pentesting Needed?

Why can’t I just use an automated service like http://www.trust-guard.com?

One reason to reconsider relying only on Trust-guard is that it is not a QSA certified company according to the PCI Security Standards Council:

https://www.pcisecuritystandards.org/approved_companies_providers/qsa_companies.php

As pentesters (penetration testers) we use a QSA certified tool such as Nessus to verify vulnerability assessments on your resources; we have also used Qualys. We only use these advanced tools, which are manual in nature.

Unfortunately the pentest is manual in nature, and it requires an independent entity to test your network. It is also not wise to depend on internal assessments with Nessus and Qualys only.


The PCI compliance standard requires an independent review of your network – there is something to be said for looking at an attack on your network from a red team attacker’s perspective (not blue team defensive thinking).

Red team = Certified Ethical Hacker – independent attack from outside

Blue team = your IT department working at keeping bad guys out.

That is the basic reality of the pentest and the pentester: it requires a different mode of thinking.

Look at the following controversy:

http://threatpost.com/lack-of-csprng-threatens-wordpress-sites/111016


WordPress seems to have an internal vulnerability due to a bug, and the internal developers (blue team) did not find it, and they are not discussing this sophisticated attack vector. From the article:

“The issue lies in the fact that WordPress doesn’t contain a cryptographically secure pseudorandom number generator. A researcher named Scott Arciszewski made the WordPress maintainers aware of the problem nearly eight months ago and said that he has had very little response.”

This is an example of the attackers (red team) using the latest techniques to attack the very fundamentals of a piece of software.

The blue team has no interest in checking this method, and as it was developed a long time ago it is off the radar now. But as criminal developers as well as regular crypto researchers get more sophisticated in their attacks, the blue team is not equipped to handle this mode of thinking.

A red team is required to think outside of the standard (out of the box).
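To make the CSPRNG point concrete, here is an added example (not code from the original post, and not WordPress code) in Python rather than PHP. It builds a token from a non-cryptographic generator seeded with a guessable value, builds a second token from the operating system’s CSPRNG, and then runs a defender’s self-check that asks whether a token can be regenerated from a small window of candidate seeds. The function names, the seed value 1_700_000_000 and the one-hour window are assumptions constructed for this illustration.

```python
"""Added example, not part of the original post or of WordPress: why a
non-cryptographic PRNG must not be used for security tokens.
All names and values here are constructed for illustration."""
import random
import secrets
import string
from typing import Iterable, Optional

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32


def weak_token(seed: int, length: int = TOKEN_LEN) -> str:
    """Token from random.Random (Mersenne Twister), which is not a CSPRNG.

    Seeding it from a low-entropy value such as a Unix timestamp means the
    whole token is fixed by a value that can be narrowed to a small range.
    """
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_token(length: int = TOKEN_LEN) -> str:
    """Token from the OS CSPRNG via the secrets module (the safe choice)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reproducible_from_seed_window(token: str,
                                  seed_candidates: Iterable[int]) -> Optional[int]:
    """Defender's self-check on a token generator: can this token be
    regenerated by re-seeding the weak generator with any value from a
    small candidate window?  Returns the matching seed, or None."""
    for seed in seed_candidates:
        if weak_token(seed, len(token)) == token:
            return seed
    return None


def demo() -> dict:
    # Constructed scenario: an application seeded its PRNG with the
    # timestamp 1_700_000_000 (a made-up value); the self-check tries
    # every second in a one-hour window around that time.
    issued_at = 1_700_000_000
    window = range(issued_at - 1800, issued_at + 1800)
    weak = weak_token(issued_at)
    strong = secure_token()
    return {
        # The weak token is recovered from only 3600 candidates.
        "weak_seed_found": reproducible_from_seed_window(weak, window),
        # The CSPRNG token is not determined by any small seed space.
        "strong_seed_found": reproducible_from_seed_window(strong, window),
    }


if __name__ == "__main__":
    print(demo())
```

The check is a unit test you can keep beside your own token code: if a generator’s output can be reproduced from a few thousand candidate seeds, it is not fit for session tokens, password-reset links or nonces, whatever the surrounding framework says.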


Although testing a network is fundamentally different from finding a “bug” in software, there are similarities in the thinking required to test a network.

Here is the pentesting portion (11.3) from the standard:

[Image: PCI DSS requirement 11.3]
From 11.3 guidance portion:
Penetration testing is generally a highly manual process. While some automated tools may be used, the tester uses their knowledge of systems to penetrate into an environment. Often the tester will chain several types of exploits together with a goal of breaking through layers of defenses. For example, if the tester finds a means to gain access to an application server, they will then use the compromised server as a point to stage a new attack based on the resources the server has access to. In this way, a tester is able to simulate the methods performed by an attacker to identify areas of potential weakness in the environment. Penetration testing techniques will be different for different organizations, and the type, depth, and complexity of the testing will depend on the specific environment and the organization’s risk assessment.
Notice the manual process, which inherently requires a review of vulnerability assessments and potentially uncovers needed fixes or glaring openings into the environment.

The next page (11.3.1) is also important:

[Image: PCI DSS requirement 11.3.1]

Notice the 11.3.2 testing procedure:

11.3.2.b Verify that the test was performed by a qualified internal resource or qualified external third party, and if applicable, organizational independence of the tester exists (not required to be a QSA or ASV).

[Image: from PCI DSS requirement 11.3]

It is preferable to have an organizationally independent tester attacking your site.

Contact us to test your resources.
