Pen Test important?
19 years 9 months ago #6978
by ReX
Pen Test important? was created by ReX
Is penetration testing good for security? What information is gained by an organization by doing these tests? And what does it test? I'm assuming it isn't just software vulnerabilities.
19 years 9 months ago #6984
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Pen Test important?
19 years 9 months ago #6986
by TheBishop
Replied by TheBishop on topic Pen Testing
Penetration testing is valuable as long as you are sensible about it. We have regular penetration tests here done by third-party outside "specialists" who come in at the end-customer's request. They turn up, ring the doorbell, announce who they are and what they have come to do, then sit down in a chair. And the first thing they ask for is "Can I have a diagram of your network and a list of all your IP addresses please?" At this point I always wind them up by saying something like "No way - If you want to check the security of our systems then go sit out in your car with your laptop, with no access to my site and no information. THEN if you can break in I'll be worried"
Of course, I give them the info and they have a prod at things and come up with the odd vulnerability, but that's the point. What they are doing is a technical exercise looking for technical issues and not a real-world test of your overall security. And some of the issues they identify, while technically valid, are so obviously stupid in the real world that my only conclusion is that some of these companies rely on software tools and don't really bother to read and interpret the output they give. Case in point - one group of auditors flagged up a vulnerability in the embedded printservers in our Laserjet printers. The blurb generated by their tool burbled on about an attacker being able to gain access to the device and modify its files and software. Ooh I'm really scared - they don't even have a hard disk! It's just a print server running some code burnt into an EPROM for goodness sake!
19 years 9 months ago #6989
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Pen Test important?
I agree 100% with Bishop, most of the 'pen-testers' out there are just guys who learned how to type an IP address into a tool and click 'start scan'.. they do not know how to interpret results or actually discover vulnerabilities manually.. for this you need professional hackers.. let's face it, it's the only way.
I do however have to disagree about the printer thing.. did you know that most HP printers run a Java virtual machine? An attacker can actually run any Java program they want from the printer..
A case in point, you can use a networked printer to portscan someone (imagine getting a call from some admin saying your systems are scanning him, and then you discover that the IP belongs to your printer hehe !!).. another use is to make the printer an anonymous proxy.. there are loads of fun scenarios that I'm sure your point 'n click pen-testers will never have even dreamed of
That said, if you feel that their reports are just copy pasted out of the vulnerability scanner's output, you should kick them out
19 years 9 months ago #6994
by TheBishop
Replied by TheBishop on topic Kick them out
Heh! Heh! We did kick that lot out (LOL) and the new lot are much better
Do you have any further info on those HP printer exploits? We have hundreds of HP JetDirect cards at various versions across our printer estate so I'd like to do a little investigation
I wasn't knocking PEN testing by the way, it's useful and valuable - as long as you know what it's useful for and what it will tell you
19 years 9 months ago #7000
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Pen Test important?
Well my favourite security researcher Phenoelit has done extensive research on HP JetAdmin vulnerabilities.. do a Google for his name with printer vulnerability and you'll find lots of stuff.. check out some of these links
members.cox.net/ltlw0lf/printers.html
www.blackhat.com/presentations/bh-usa-02...henoelit-network.pdf
cert.uni-stuttgart.de/archive/bugtraq/2004/04/msg00351.html
www.giac.org/practical/GSEC/Vernon_Vail_GSEC.pdf
and www.phenoelit.de
He actually has programs that talk the printer's JBL language
I wish I could find that one awesome paper though..