is there room for it?
after reading this post on the metasploit blog, i started thinking about how well I currently evaluate product implementations within a typical penetration test. If configuration auditing has been included, I’ll do some of this. However, as a pentester, it pays to know the products in use, and to be familiar with the differences between say, trend micro and kaspersky antivirus or Splunk and syslog. It would be useful to include specific measurements and recommendations around the products in use on the network.
for instance:
- Antivirus: Trend Micro – Configured properly, managed well. Recently garnered the top spot in an
- Spam filtering: Ironport – Not well configured. Recommend moving to the Sophos appliance for ease of use. (based on strengths of the team)
- Monitoring: Snort – Configured poorly. Recommend switching to bro to support policy / functionality separation. would streamline IT processes
- Vuln scanning: Nessus – AdHoc – Need to move to automated process, more advanced web-scanning tool. Look into qualys / ncircle / rapid7.
- Firewall: Cisco PIX
- Logging: Syslog server – …
- etc..
Now, the issue becomes two-fold. one, the tester needs to have a solid understanding of each of the products he’s evaluating / recommending and a clear understanding of the client’s needs. It’s not a typical penetration test function, but would definitely provide value to a customer. (The more i write here, the more it turns into a full configuration audit of the customer’s systems, and while would be a nice-to-have on a pentest, isn’t part of a typical assessment)
i think most shops steer clear of this under the ‘product agnostic’ label, but as long as that’s been made clear up front, i’d say go for it.
Jonathan Cran 