penetrate me!

From: William Roush 
------------------------------------------------------
I've dealt with pentesters before, it's kind of aggravating when I have 
working exploits they don't find and we're forking over tons of money 
for them to go on some tangent that results in nothing... :\

Though as I understand it the market is going the way of SEO and the 
like, once valid, now full of a lot of people that barely know how to do 
it and will just run the same tools you found and charge you insane 
amounts of money for it.

Your client will probably want someone that can rubber stamp a pen test 
on you, so sadly it'll take more than someone that just /knows/ security 
but can give you the paperwork to back it up and a company name.

William Roush
william.roush@roushtech.net
423-463-0592

http://www.roushtech.net/blog/


On 3/27/2014 12:58 AM, Ed King wrote:
> Our "network administrator" at the main office quit over a year ago 
> and a replacement was never hired.
> http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>
> Our "network administrator" at our "NOC" quit over a year ago and 
> never got replaced.
> www.linkedin.com/in/mlaman
>
> Our "phone system guy" quit a year ago, a replacement was hired, but 
> I've seen him, like, once.  When the phone/fax systems go down, they 
> call ME.
> http://www.linkedin.com/profile/view?id=49461976
>
> So guess what?  I and one of the other programmers on my team 
> inherited all these extra support duties (without a single f'ing penny 
> of a pay raise, mind you).
>
> We inherited hardware and software that hasn't been updated in years 
> (insert career-damaging-but-painfully-true 
> my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment 
> here)
>
> We know basic firewall, iptables, am mindful of sql injection, can 
> install/run/monitor virus scanners etc, but we are not security 
> experts nor do we play one on t.v.
>
> If this situation wasn't stressful enough, it has now come to a boil 
> as a potential (big!) client "demands" proof of pen testing before 
> they will let us host their data.    At this point I'm spread way too 
> thin and told my boss today that he needs to crack open that wallet 
> and hire an outside pen tester.    Anyone on the list "qualified" to 
> do it?    Willing to work for peanuts?
>
> What defines a qualified pen tester?  I see what appears to be "free" 
> software I could download and run myself, if I was inclined to take on 
> more responsibility w/o pay.    I suppose this free software would be 
> a "good start" but is a pen test done by an "internal" employee good 
> enough for the client, I doubt it.

===============================================================
From: Ed King
------------------------------------------------------
Our "network administrator" at the main office quit over a year ago and a replacement was never hired.
http://www.linkedin.com/pub/christopher-silver/7/6a8/341

Our "network administrator" at our "NOC" quit over a year ago and never got replaced.
www.linkedin.com/in/mlaman

Our "phone system guy" quit a year ago, a replacement was hired, but I've seen him, like, once. When the phone/fax systems go down, they call ME.
http://www.linkedin.com/profile/view?id=49461976

So guess what? I and one of the other programmers on my team inherited all these extra support duties (without a single f'ing penny of a pay raise, mind you).

We inherited hardware and software that hasn't been updated in years (insert career-damaging-but-painfully-true my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment here)

We know basic firewall, iptables, am mindful of sql injection, can install/run/monitor virus scanners etc, but we are not security experts nor do we play one on t.v.

If this situation wasn't stressful enough, it has now come to a boil as a potential (big!) client "demands" proof of pen testing before they will let us host their data. At this point I'm spread way too thin and told my boss today that he needs to crack open that wallet and hire an outside pen tester. Anyone on the list "qualified" to do it? Willing to work for peanuts?

What defines a qualified pen tester? I see what appears to be "free" software I could download and run myself, if I was inclined to take on more responsibility w/o pay. I suppose this free software would be a "good start" but is a pen test done by an "internal" employee good enough for the client, I doubt it.

===============================================================
From: Bret McHone
------------------------------------------------------
We use Sword and Shield for our external pen testing.
http://www.swordshield.com/

They are good, the only thing you have to watch out for is that they like to try to sell you stuff on top of their pen testing.

Thanks,
Bret

===============================================================
From: Joseph Simoneau
------------------------------------------------------
If it'll satisfy your requirements for professionalism, I can get in contact with the greyhat club at Georgia Tech. We're all students, mostly undergrads, but I'm sure we'd love to put a team together for travel (if necessary, not sure what scenarios you're looking at), possibly a pittance, and resume fodder.

Some of us definitely know what we're doing; some have interned or co-op'd; and graduates tend to get hired by firms like PWC and BishopFox.

If you're interested, send me some information, and I'll ask for interest at the meeting tonight.

-js

===============================================================
From: Christopher Rimondi
------------------------------------------------------
Unfortunately it is probably just due diligence and who you have perform it will not be as important as that you had it done. If your client has someone who mildly knows what they are doing they may look at the scope of the test.

Without knowing more information about your situation the things I would look at when hiring someone like this are their experience, references, insurance, etc...

I will give Stephen Haywood a good recommendation FWIW.

===============================================================
From: Stephen Kraus
------------------------------------------------------
Man, sounds like the company I'm working for: All the IT got left by the wayside and was in a mess when I came in.

===============================================================
From: AverageSecurityGuy
------------------------------------------------------
Ed, I do pen testing professionally and have my own company so there is low overhead. If you want to talk more about what you need and pricing, please email me off list.

Thanks,

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co

===============================================================
From: AverageSecurityGuy
------------------------------------------------------
Some pentesters are full of $hit and some are really good. If they missed exploits that are easily found with Nessus/Nmap/Metasploit then there is a problem. If they missed an exploit in an obscure system it may be they didn't have enough time to test that system. Either way, you need to have honest conversations with your pentester and if there are systems you are particularly worried about then tell them so they can focus on those areas.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co

===============================================================
From: AverageSecurityGuy
------------------------------------------------------
Sword and Shield is awesome. I used to work there full time and still do contract work with them. The sales team can be a bit much sometimes but the technical team really knows what it is doing.

--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700
asgconsulting.co

===============================================================
From: Ed King
------------------------------------------------------
As of this morning I was told to not spend any more time finding a pen tester.

I predict, 2 weeks from now, I'll be asked "have you found a pen tester yet?!"

my. brain. is. melting.

===============================================================
From: William Roush
------------------------------------------------------
It was in our primary product, a secondary product they hemmed and hawed over something that /seemed/ insecure at first glance because "well I can change record IDs" that was secured by access controls and he didn't bother to try accessing any documents he didn't have permission to see. Mainly what we got out of them was "security through obscurity will trick me". :|

William Roush
william.roush@roushtech.net
423-463-0592

http://www.roushtech.net/blog/
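The point in the message above, guessable record IDs are only a finding if the access control behind them fails, is the difference between a look-alike and an actual insecure direct object reference (IDOR). The following is an added example written for this page, not code from the thread or from anyone's product: a toy document store with two lookup functions (one that checks ownership, one that does not) and the probe a tester should have run, which authenticates as a low-privilege user, walks the ID space, and reports every record that came back belonging to someone else. All names, records and users are hypothetical and constructed inline.

```python
"""
Added example (not from the thread): "I can change record IDs" versus a real
IDOR.  Sequential IDs are harmless when every lookup enforces authorization;
the only way to tell the two apart is to request another user's records.
"""
from typing import Callable, Iterable, List, Optional

# Constructed sample data (hypothetical): three documents owned by two users.
DOCUMENTS = {
    101: {"owner": "alice", "body": "Q1 invoice for ACME"},
    102: {"owner": "alice", "body": "Alice's draft contract"},
    103: {"owner": "bob",   "body": "Bob's payroll export"},
}


def get_document_vulnerable(user: str, doc_id: int) -> Optional[str]:
    """Looks a record up by ID alone.  Any authenticated user can read any
    record just by changing the number: this is the real IDOR."""
    rec = DOCUMENTS.get(doc_id)
    return rec["body"] if rec else None


def get_document_secured(user: str, doc_id: int) -> Optional[str]:
    """Same lookup, but the caller must own the record.  A record that does
    not exist and a record the caller may not see get the same answer, so
    the ID space cannot even be used to confirm which IDs exist."""
    rec = DOCUMENTS.get(doc_id)
    if rec is None or rec["owner"] != user:
        return None
    return rec["body"]


def idor_probe(fetch: Callable[[str, int], Optional[str]],
               user: str, id_range: Iterable[int]) -> List[int]:
    """The check the tester skipped: as `user`, request every ID in the range
    and return the IDs of records that were served but belong to someone
    else.  Empty list: the access control held.  Non-empty: a real finding.
    (The probe consults DOCUMENTS for ownership only to grade the result; a
    tester against a live system would use two accounts and compare.)"""
    leaked = []
    for doc_id in id_range:
        body = fetch(user, doc_id)
        if body is not None and DOCUMENTS[doc_id]["owner"] != user:
            leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    ids = range(100, 110)
    print("vulnerable lookup leaks:", idor_probe(get_document_vulnerable, "bob", ids))
    print("secured lookup leaks:   ", idor_probe(get_document_secured, "bob", ids))
```

Run as bob, the probe reports 101 and 102 against the unchecked lookup and nothing against the checked one; that second result is the evidence a tester needs before writing "IDs are predictable" up as anything more than an observation. The secured lookup deliberately answers "not found" for both missing and foreign records so that the response alone does not confirm which IDs exist.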