Cisco’s Advanced Services has been performing penetration tests for our customers since the acquisition of the Wheel Group in 1998. We call them Security Posture Assessments, or SPA for short, and I’ve been pen testing for just about as long. I’ll let you in on a little secret about penetration testing: it gets messy!
During our typical assessments we may analyze anywhere between 2,000 and 10,000 hosts for vulnerabilities, perform various exploitation methods such as account enumeration and password attempts, buffer/stack overflows, administrative bypasses, and others. We then have to collect and document our results within the one or two weeks we are on site and prepare a report.
How can anyone keep track of all this data, let alone work together as a team? Are you sure you really found the holy grail of customer data and adequately documented it? What if you’re writing the report but you weren’t the one who did the exploit? Read More »
Tags: Cisco Security, exploits, pen testing, penetration testing, security
Security professionals are planners by nature. Our industry expects planning, legal and standards compliance requires it, and we drive ourselves toward it. However, the best plans fall out of date quickly. And as the adage commonly paraphrased as “no plan survives contact with the enemy” states, even properly maintained, up-to-date, and well-thought-out plans may fall apart during an incident.
What’s the remedy? We certainly shouldn’t throw out our plans. Instead, we should test and adjust our plans so that when the real enemy shows up, we might have a plan that survives, at least from a broad perspective. In short: security professional, hack thyself!
Read More »
Tags: penetration testing, security
Tell me if this sounds familiar… you are asked to perform a penetration test on customer’s network to determine the security posture of their assets and the first thing they do is give you a list of assets that you are NOT allowed to test, because they are critical systems to the business. Ironic isn’t it? This is exactly the difficulty you can expect when performing penetration testing in the cloud, but multiplied by ten.
There is a lot to think about and plan for when you want to perform a penetration test in a cloud service provider’s (CSP) network. Before we get into the technical details, we need to start with the basics.
Read More »
Tags: cloud, Cloud Computing, cloud security, penetration testing, vulnerability assessment