[Techtalk] server pen testing

Elwing elwing at elwing.org
Wed Aug 10 13:15:50 UTC 2011


On Aug 10, 2011, at 4:13 AM, Eeva Järvinen wrote:

> 2011/8/9 Walt <pippin at fred.net>:
>> I seem to remember at least a couple of the Chix had
>> made security and pen-testing a bit of a specialty. Am I
>> right? Would anyone be interested in tackling this? And
>> yes, it would be for pay, though right now we're trying to
>> establish how much this would cost.
> 
> I'm not volunteering to do it (and I'm also probably good enough to do
> really serious testing), but as I've done that kind of stuff (for pay,
> white-hat stuff) and bought such services, I'd hazard a guess you're
> looking at a cost couple of thousand of euros if you want some serious
> pen-testing. You'll want nice, good NDAs covering the process plus
> appropriate releases from companies and people involved - as in, if
> the pen-tester damages the server by giving it a serious go, who'll
> pay for the damages, for both perhaps operational and hw/sw stuff
> and so on.
> 
> The other thing is to decide what to look for - usually it's the human
> side that's the weakest: you can usually talk yourself into almost
> anything and everything given enough time (say, HBGary - it was a
> classic case of crackers talking their way in), and the potential for
> damage is often far higher, but more often than not people aren't very
> willing to test that, preferring just testing the sw/hw side of
> things. Not that it's not important, and effective, too - but you need
> to know what you're looking for. Simply asking someone to pen-test a
> server doesn't mean much, unless you're looking for an all-out test,
> which would mean having a go at the server by any and all means
> possible - but it's not that many servers that need that kind of
> security, and I guess you wouldn't be asking this on such a public
> channel if the server was to be secured against anything and
> everything. You need to plan the testing in order to benefit from it
> as much as you can.
> 


Disclaimer: My company offers these services and I help scope them and price them.

I agree with Eeva about scoping properly - you really need to know what you expect to get from the pen testing.  A list of vulnerabilities you want to fix?  An in-depth try-anything test?  Just your web application?  Will the testers do black box testing (i.e., know nothing about your network)?  White/grey box testing (where they know the tech you're using to focus attempts)?  Do you just need to check a checkbox for compliance purposes?  Does the pentester need to be a PCI QSV?

Are there any limitations on the testing such as "don't touch this really sensitive server"?

How long the testing takes and how much it costs depends on what your goals are.  A real quick, mostly automated test to check a (non-PCI) compliance checkbox will run you between $2500 USD and $13,000 (depends on the company).  More in-depth testing will run upwards of $20,000 USD.  The price also depends on the size of the network - if you're talking one server, it's less than if you're talking an entire Class C address space.

No matter what company you go with, ask them at least the following questions (possibly after setting up an NDA):
- What kind of experience do you have with technology X? (where tech X is whatever your server is running - like Lotus Domino, Windows, etc.  Most companies will be familiar with Windows/OS X/UNIX, but you need specialty experience for some things like Novell and Lotus)
- Do you have references that would be willing to talk with us? (you may or may not get these because of NDAs - most of the companies we work for, we can't even mention that we've done work for them)
- Do you have a sample report we could look at? (most companies will have sanitized reports available, so you can see what you're getting)
- Can you share your methodology with us?
