0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Thoughts on Recommendations (Prevention vs Detection & Reaction)

with one comment

I started thinking about some of the findings we make and the recommendations around them – and how unrealistic we’re being as penetration testers. Take ‘Information Leakage’ for instance. How plausible is it to prevent ALL information leakage? Is that something that we should be asking clients to strive for? What about the best use of their time / resources? wouldn’t that time be better spent monitoring for anomalous events, in general?

what about the social engineering findings where we demonstrate that it’s possible to gather internal company usernames, but is there realistically any way to /prevent/ username enumeration? well, yes, but at what cost / effort? Are we really asking folks to prevent their usernames from reaching the outside world — and what are they thinking when they read that?? aren’t we just reporting this as an informational thing (i think so). I mean, we’re calling for PREVENTION here, but what about the other aspects of security? Detection / Reaction? Wouldn’t it make more sense to recommend clients spend those resources monitoring for mass email blasts from an external address, or for anomalous activity on the internal network?

I think there’s an open question here on how to fit detection / reaction testing into penetration-testing in a meaningful way.

I’ll choose to do business with a company that’s put effort into detection and reaction capabilities as opposed to 100% prevention any day.

Related: http://www.amazon.com/review/product/0962870048/ref=dp_top_cm_cr_acr_txt/104-2922720-6943154?_encoding=UTF8&showViewpoints=1

Advertisements

Written by jcran

January 11, 2010 at 5:07 PM

One Response

Subscribe to comments with RSS.

  1. I think it’s worth mentioning “minimization”, too (yes, it goes along with prevention, but let’s separate them out a bit, shall we?). That is, vulnerabilities arise and intrusion occurs (and it _will_ occur, deary), the organization has gone through the proper rigmarole to minimize the sphere of influence of the attacker.

    Zach

    January 12, 2010 at 7:13 PM


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: