Sunday, February 15, 2009

Pen-testing - Useful or not?

I have read some articles recently about the "worth" of pen-testing in the corporate environment. Some individuals claim that pen-testing is not useful and should not be relied upon to assess the security of a corporation and that pen-testing will be a thing of the past.

I think that if conducted properly, a pen-test offers great value to a company. I also think that the customer must also react properly to the pen-test in order for it to have great value.

A pen-test should be used to test policies and procedures to make sure they are in effect or need fine tuning. If your company policy states that all routers and switches on the network should use SSH for management and a few routers are found to have telnet running during a test, that should indicate that there is an issue in the enforcement of your policy or procedure. If you don't have any security policy or procedures, well... you shouldn't be conducting any pen-test at this time.
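The router and switch policy above can be turned into a repeatable check. The following is an added example, not code from the original post: it reads scan results in the grepable format written by `nmap -oG` (the sample lines, host names and addresses are constructed) and lists devices that expose telnet or do not answer on SSH.

```python
import re

# Constructed sample in the shape of `nmap -oG` (grepable) output; the hosts are
# documentation addresses and made-up names, not data from the original post.
SAMPLE_SCAN = """\
Host: 192.0.2.1 (rtr-core-1)\tPorts: 22/open/tcp//ssh///, 23/closed/tcp//telnet///
Host: 192.0.2.2 (rtr-branch-7)\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///
Host: 192.0.2.3 (sw-floor-3)\tPorts: 22/closed/tcp//ssh///, 23/open/tcp//telnet///
Host: 192.0.2.4 (sw-floor-4)\tStatus: Up
"""

HOST_RE = re.compile(r"^Host: (\S+) \(([^)]*)\)\t(.*)$")


def parse_ports(scan_text):
    """Return {(ip, name): {port: state}} for every line carrying a Ports: field."""
    hosts = {}
    for line in scan_text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, name, rest = m.groups()
        for field in rest.split("\t"):
            if not field.startswith("Ports: "):
                continue  # Status: lines carry no port data
            ports = hosts.setdefault((ip, name), {})
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")  # port/state/protocol/owner/service/...
                if len(parts) >= 3 and parts[2] == "tcp":
                    ports[int(parts[0])] = parts[1]
    return hosts


def policy_violations(scan_text):
    """Policy under test: SSH (22/tcp) is used for management, telnet (23/tcp) is off."""
    findings = []
    for (ip, name), ports in sorted(parse_ports(scan_text).items()):
        if ports.get(23) == "open":
            findings.append((ip, name, "telnet open"))
        if ports.get(22) != "open":
            findings.append((ip, name, "ssh not reachable"))
    return findings


if __name__ == "__main__":
    for ip, name, issue in policy_violations(SAMPLE_SCAN):
        print(f"{ip:<12} {name:<14} {issue}")
```

Each finding is a device where the written policy and the running configuration disagree, which is the enforcement gap the paragraph describes.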

Let me give a real life example.

I had a customer who thought he had a pretty solid patch management process in his organization. This client made sure that none of their Windows servers had exploitable vulnerabilities and patched them every week on Sundays. After 2 days of pen-testing I had gained full control over their network; not only did I hack into their AD and crack all their passwords, but I also had access to all their routers and switches. It is true that the client had all his Windows server OSes properly patched, but their patch management was flawed. It was flawed because it only encapsulated the Windows OS, not the services running on them. So even if their Windows servers were fully patched, I was still able to exploit a vulnerability located in the Veritas backup agent. I have also accomplished the same results with other services such as DameWare and remote admin.

This shows the true value of a pen-test. The customer reacted to the pen-test by modifying their patch management process to ensure that it covered all services on the OS. 

Pen-testing should not only be used to patch holes on your network but should also be used to patch policies, procedures and standards within the company.

Useful Security Links

Here are a few links that I frequently visit for security news and information:

Here are a few good sites to learn about Application and Network pen-testing:

Industry Certifications:

If you want to be serious about IT security, the CISSP certification is a must.

I recommend you visit for information about the CISSP certification. I have also seen Checkpoint as being recognized as a must-have certification. for more information.

How to Bypass Bell's DPI of P2P traffic.

Good evening,

I was wondering why I could not download faster than 50KB/sec, sometimes 30KB/sec, with my uTorrent client. I had heard rumors of certain ISPs who started using traffic shaper tools based on DPI (Deep Packet Inspection) to throttle P2P traffic. Since I work in IT security, I knew that you could not perform DPI on encrypted traffic. The only other way of doing it would be with behavior analysis, which would be complex and risky to deploy and could affect other protocols.

So here is what I did to circumvent this "problem":

I use uTorrent, but this applies to other torrent clients if they support the feature. You can circumvent any traffic shaper by using encryption. Guess what, most major torrent clients support encryption.

uTorrent encryption how-to:

1- Open uTorrent
2- Click on Options on the menu bar
3- Click on Preferences
4- Under Protocol Encryption choose "Forced"
5- Uncheck "Allow incoming legacy connections"
6- Click OK

I use Bell and once I enabled the settings above I saw my download jump from 50KB/sec to 300KB/sec+

If it still doesn't work, configure a port of 443 under Connection (in the Preferences window). The logic here is that I doubt ISPs will attempt any traffic shaping on port 443, which is used for SSL, in other words secure banking or transactional web sites.

I have heard rumors that ISPs use a product called Sandvine to perform traffic shaping.

Philippe Dumont