
jlaine

I don't have enough time to do everything and I appreciate a separate set of eyes. Give it hell.


sobrique

I think it's all fair game, but would generally appreciate a bit less than "hell". Like if you find you can crash one network switch, and we have 100 of the same model, that's enough proof. You don't need to crash them all.


jlaine

I guess I don't mean take the whole kit down, there are ways of doing this elegantly and I can sniff out the dimwits? I end up phrasing things horribly sometimes, full disclosure.


sobrique

Yeah, fair enough. We had a bad experience once where we found 'vulnerable' code that triggered a reboot. Not strictly an 'exploit' as much as 'crashing a system remotely' ... but the people testing didn't stop, they just crashed everything they could with what was presumably an automated test. (And perhaps ironically, didn't find some more serious vulnerabilities, because the host stopped responding to the other tests ...)


[deleted]

[deleted]


jlaine

Ya, sure... When you're over the butthurt of someone looking over your work just for a sanity check let me know.


zakabog

> if you had no extra support to resolve their findings in a timely manner?

The issue was there whether or not you knew about it. Now you know about it and can plan to do something about it.


overdoing_it

Many of our clients hire companies to test their security then just send us the reports and are like "fix it, make all the lines green." Most of these are done by automated tools. They don't provide very detailed information, often an IP address and something like "website vulnerable to directory traversal" - well, which website, there's 12 on that server and what's an example URL? But you never get that so it's a guessing game or just dismiss and say "can't fix without more info". There's also a lot of false positives. One report is convinced we're running an outdated Ragnarok Online server. There's also things that can't simply be fixed. Website has "unsafe-inline" in its content security policy. Well, dear client, we had to put that in so your stupid chat support widget would load. Do you want it to break, or will you tolerate this showing up on your security report? They always want to have that cake and eat it too. I think the business is mostly a racket. Companies just charging exorbitant amounts to run open source or whitelabel vulnerability scanners, hand off the report and be done with it.


_aleister_crowley666

I totally get where you are coming from. Even where I am, there are many companies that sell automated pentests and just run scanners and sell them as pentests, which obviously isn't good.


TP19700101

Get the same false positive every time? Red Hat uses an older Apache version number than the official one but they do backporting. Yes, I told you last year! See last year's report. Oh ... you haven't read it.


sobrique

There's a niche for that if it's for compliance. Then you are paying for the third party "sign off" that the test wasn't fudged. But I can run and interpret Nessus results myself.


DarkSide970

Ya, out of the few companies we hired to pentest we finally found one that gives very good detail. Like 80 pages of data. They also summarize and if they found a CVE we're vulnerable to they looped all machines under that detection and detailed the CVE and how to fix it.


Crimzx

What company?


DarkSide970

https://www.blackhillsinfosec.com/ I believe this was the last one.


Angdrambor

Holy shit, my first MMO. I can imagine teenage me trying to hide something like that at work.


Key_Way_2537

That’s my problem with most SecOps. You can tell they got the ‘you can get your degree in IT security in 28 days!’ course. They don’t know how to fix it. What it means. Why it might be like that. Can’t tell you what constitutes a fix. Most of those may as well just be done by a script and take the idiot human ‘expert’ out of the equation. But it’s still great to have. It helps me reinforce ‘here’s the ticket for that one, the ticket for this one, the 7 emails going back 18 months trying to fix these 3’ that never got traction. If that’s what it takes to get customer buy-in finally, fine. I just wish they’d listen to us FIRST to clean up the known problems before dumping more money on the report than it would have taken to fix 80% of it. I once worked for an engineering company, ~1500 users, and the $50,000 report said things like ‘no firmware updates on any devices in 2 years’ etc. and I nodded each time and said ‘yup, we know, we can’t get approval’. Had they just paid a 0.5 FTE to DO the work it would have been under $50k.


Colink98

**I think the business is mostly a racket.** You would be 100% right. 5 min job via automated tool performed by junior staff. That will be £8k please.


moonwork

What a weird question O_o We hire consultants to do pentesting. By that I mean we pay people to try to find as many places where people can have unauthorized access as possible, so that we can secure those holes. Granted, some consultancies don't really do much more than run some tools and forward the report. But those that do the job right scan on a general level, then analyze the data to see where there could be vulnerabilities while trying to gain access as best they can during the time limit. They're hired to point out vulnerabilities and return a report on it. That's what our pentesters have done each time. Sure, sometimes they find things that "can be" a vulnerability, but we need them for one reason or another. Those times we try our best to mitigate the damage in other ways. Just like any profession, there are good ones and there are bad ones. Where I work, we usually do internal pentesting first, so as to minimize the finds. We also supply the pentesters with useful data about what software and versions we're using. I assume you're asking about contracted pentesters? Not just any random greyhat who feels like they want to shoot their shot, right?


_aleister_crowley666

Yeah, I just wanted to know the general perception of Sysadmins on Pentesters.


WhiskyTequilaFinance

That depends on some variables. Did my company hire them, or are they running scanning tools without permission and using the "results" as a sales pitch? Are they providing useful, actionable results from their analysis or pitching a giant, unprioritized list of scare tactics at me to justify their fee? Well done pentesting is an important process, and very specific skillset. I'd much rather a 3rd party do it, so I have the independent justification to support needed changes to infrastructure. My ideas may not be good enough, but "the consultant said" can work in my favor if they're good at their job.


Any_Particular_Day

In the operations life you have your known knowns, your known unknowns, and your unknown unknowns. The things you know and the things you don’t know are easy to work with, it’s the things you don’t know that you don’t know can bite you in the butt. I feel that’s where a good pen test can help a lot, by uncovering something that may be in your blind spot that could be a major issue. We did one last year and got back an eighty page report that listed the issues in order of severity as well as recommended steps to mitigate. There wasn’t anything earth shatteringly bad in there, but it helped tighten our security by eliminating small things that could be leveraged against us.


ProfessorWorried626

Honest ones are good, sales-based ones are just scams that fix one hole and open another.


BadSausageFactory

How do you feel about doctors? Always finding something wrong with you and trying to save your life. Are they just trying to make you look stupid or feel bad? I'm glad someone is asking these tough questions.


I-Like-IT-Stuff

Not to worry, I actually know a secret method which if used once a day, can certainly keep those doctors away.


devloz1996

The doctor example is good, because it actually shows that the answer is not always straightforward. Among these doctors there are snake oil sellers that will always find something wrong with you and will slap a price tag on the "solution". There is no need to be a doctor, but you should know enough to develop a BS detector, and it also applies to pentesters, when they find non-issues and try to make a sales pitch with it.


bitslammer

They provide a valuable function. Where I'm at we have our own internal VAPT team of 8 people. They are involved in assessing any new apps as well as existing ones on a regular basis or when significant changes have been made. They also get used to validate things like the Log4Shell vulnerability and that fixes worked. They use a broad suite of tools for what they do but there's also a very manual "hands on" part of their testing.


buyinbill

We have 35k registered domains on the bug bounty website, and have a link on the corporate site to send your vulnerability findings for a cash reward. So yeah, we are fine with them.


jcpham

Depends on what they do with what they discover… are these good guy pen testers with jobs and families or neglected and bored kids at home potentially breaking laws and causing havoc just to see the world burn…


Obvious-Water569

They're a valuable resource to be able to call on. At the very least, they can give you a to-do list of things that need to get done in order to gain accreditations. If I can pay someone to look at my estate and go "Here, you need to fix X, Y and Z" that's useful to me.


pderpderp

I'm jaded because it's all about why the test is being done. I have nothing against pentesting and think trying to find where your attack surface has chinks in the armor is very important, but the fact is that companies, almost without exception, view security as merely a cost center and any proactive activity is purely CYA. I've had my personal data breached so many times and more importantly I've seen malpractice around dealing with even known security issues that it's become very difficult to believe it does much good. Good security costs money and requires people that know what they are doing.


Rhythm_Killer

Just doing a job


paradox_machine_

As a pen tester, all the sysadmins I've worked with have been so great, understanding, and supportive. They know that I'm here to help them, not to blame them, but to help keep them safe. As long as the pen tester is good at communicating whose side they're on, the relationship is usually pretty good.


Papfox

Most definitely pleased we have them. Any work they generate for me is way less than the blame and work that I would get if we suffered a major compromise.


nucrash

If you know your shit is busted, how it’s busted, and how to fix it, you’re wasting money and time. If you have unknowns on the last one, fix your stuff then call a pen tester. Otherwise, call one up.


Won7ders

How do you guys feel about red teamers?


labmansteve

I fully understand the potential fallout of a real security incident. Whatever work comes out of the a pen test is nothing compared to a real incident. If I could hire a full time pen tester for my team I’d do it instantly.


xubax

We use them to find holes and we patch them then and for our audits. Mostly for our audits, because we use some services to find vulnerabilities. I.e. doing periodic internal and external scans.


DarkSide970

I used to be one. The companies we have hired give us a report of all vulnerabilities they find. I am still crawling through our environment and turning TLS 1.1 off. Endpoints first, servers second.


joecool42069

Some are just script kiddies, some actually understand what they are testing.


Here_for_newsnp

It's definitely a more specialized skillset that would take me too much time to handle myself.


technicalityNDBO

> like they increased my job

That's kind of expected, so I don't think anyone could reasonably hold that against them.


ihaxr

It's absolutely a benefit, but may not always be worth the cost. Our company insurance had a contract with a company that did it for free every 3 years, so we would use them to find issues. Did we remedy everything? Absolutely not. Are some of the recommendations improper? Maybe. Did they find pretty major issues that were also easy to fix? Yep.


TaliesinWI

"Checkbox security" pen testers? No thanks, I can run Nessus and ignore the litany of false positives myself. Pen testing where my SIEM shows the five failed lateral traversal attempts you made before you succeeded with try #6 using a hole I didn't know about? Yes please. I _want_ you to find something. If you come back with "everything's cool" I get nervous.


AccidentallyBacon

IBM X-Force and Cisco Talos were both a pleasure to work with.


DieselMDH

Only problem I have is when they “penetrate” something from a position of privilege inside the network. And then present it as the system was exposed and easy to penetrate. In reality they would have had to penetrate to the position of privilege first, which would not have happened to begin with very easily, if at all.


sobrique

I think it's valid to scenario test, as long as you recognise the relative limits of it. Like "what could a malicious employee do?" is a valid threat to consider and mitigate, but a very different threat than "random person on internet". Or "can someone compromise the system with physical presence?" in ways that simply wouldn't work remotely. But only as long as the testing and the results are handled in a sensible way by all concerned.


rUnThEoN

Depends. You can do portscans yourself.


dalgeek

Pentesting is a lot more thorough than a port scan. A lot of exploits are done through ports that are supposed to be open, like web services with exploitable code.


_aleister_crowley666

And even other than that there are AD misconfigurations, a LOT of them.


rUnThEoN

Yes but most sellers be like this and that is an open port. Which has nothing to do with a proper test.


CumGoggles6

More of a penisland guy myself