Tech Insight: 3 Factors To Assess Before Doing Your Own Penetration Testing – DarkReading
What you need to know about bringing penetration testing in-house

Nov 20, 2009 | 11:43 AM
By John Sawyer

With the veil of mystique and enterprise concerns surrounding penetration testing gradually being lifted, enterprises are realizing how a quality, comprehensive pen test can supplement their security efforts and find holes before attackers do — with the added benefit of meeting PCI DSS requirement 11.3. Now many enterprises are starting to consider whether they should perform pen testing in-house themselves.

The average IT professional views pen testing as a black art. It’s an activity often seen as dangerous and counterproductive to an operational environment where testing could impact business and cause downtime, but it’s a practice gaining popularity thanks to the annual pen-testing requirement by the PCI Data Security Standards (DSS) and publicity surrounding the recent purchase of the Metasploit Project by Rapid7.

Deciding whether to pen test in-house or outsource the job is a decision not to be taken lightly considering it can cost anywhere from $5,000 to $50,000 or more, depending on the size of the target, scope, and reputation of the testing vendor. A pen-testing product, meanwhile, costs anywhere from a few hundred dollars for a narrowly focused tool to $30,000.

While saving tens of thousands of dollars by purchasing your own pen-test tool sounds good at first, internalizing the work has its own costs. The investment in human resources, training, and software must be weighed against the potential savings from not shelling out big bucks for a third-party pen test. Let’s examine each:

1. Human resources: The first and most obvious cost to the bottom line is HR. Are there existing personnel within the organization who have the skills and experience to perform a comprehensive pen test? If so, then the next decision is whether their current job duties can coexist with their new pen-test duties. Answering those questions can result in the need to hire new staff to fill in as needed, or to redistribute personnel to make sure all areas are covered appropriately.

2. Training: Training the newly designated pen tester — or, if you’re lucky, a whole pen-testing team — is the next item on the cost sheet. Time needs to be set aside to attend training either online or at a conference. Online courses, like those from Offensive Security, run as little as $500 to several thousand dollars, while a multiday pen-testing course, like SEC 560 Network Penetration Testing and Ethical Hacking from SANS, is $4,300 for six days.

Don’t forget about retention issues that can accompany adding increased responsibilities on current employees and training both new and current employees. Competent pen-testing skills are very valuable right now, and you’ll need to make sure your pen testers’ salaries are reasonably competitive with how much they could make elsewhere.

It’s not uncommon for employers to draw up a contract that says the employee must repay part or all of the training expenses if he chooses to leave for another employer within a specific amount of time.

3. Software: Pen-testing software runs the gamut in terms of cost. Exceptional free tools, like the Metasploit Framework and w3af, are available, but they entail a steeper learning curve compared to a polished commercial solution like Core IMPACT. The differences can be measured in the tens of thousands of dollars and hours versus days to become familiar and reasonably comfortable using the different tools. Determining which software to use will depend on budget, organization size, familiarity of the tools by the pen tester, and technologies used by the target.

Once you’ve answered the question of whether performing in-house pen testing is cost-effective, you still need to answer the ever important question: Can your team perform a comprehensive test that is objective and doesn’t suffer from a myopia that often occurs when the tester is too close to the target organization?

The upside of performing pen testing with an internal team is they are familiar with the organization, the network, where the critical assets are, and the people. They may end up finding chinks in the company’s armor quicker than a third-party pen tester because they have the familiarity and will know where to look first.

But the trade-off is an internal pen-testing team may be too familiar and comfortable with the target environment and could overlook common issues that someone from the outside may not. Personal relationships may even impact whether they target specific users for social engineering exercises, like a simulated phishing attack.

Making the decision to staff, train, and maintain an internal pen-testing team is a big one that can have a serious impact on the security of your company — more than just checking off “YES” on a PCI Self Assessment Questionnaire. It’s a good idea to hire a third-party pen-testing firm to follow up on the initial pen tests by the internal team to make sure they’re doing a solid job — and every couple of years thereafter to ensure results are consistent.




NOSMOKE.EXE [rec.humor.funny]

From an ex-field sales/support survivor:

I used to work in a computer store and one day we had a gentleman call in with a smoking power supply. The service rep was having a bit of trouble convincing this guy that he had a hardware problem.

Service Rep: Sir, something has burned within your power supply.

Customer: I bet that there is some command that I can put into the AUTOEXEC.BAT that will take care of this.

Service Rep: There is nothing that software can do to help you with this problem.

Customer: I know that there is something that I can put in… some command… maybe it should go into the CONFIG.SYS.

[After a few minutes of going round and round]

Service Rep: Okay, I am not supposed to tell anyone this but there is a hidden command in some versions of DOS that you can use. I want you to edit your AUTOEXEC.BAT and add the last line as C:\DOS\NOSMOKE and reboot your computer.

[Customer does this]

Customer: It is still smoking.

Service Rep: I guess you’ll need to call Microsoft and ask them for a patch for the NOSMOKE.EXE.

[The customer then hung up. We thought that we had heard the last of this guy but NO… he calls back four hours later]

Service Rep: Hello Sir, how is your computer?

Customer: I called Microsoft and they said that my power supply is incompatible with their NOSMOKE.EXE and that I need to get a new one. I was wondering, where can I get it done and how much will it cost?

Why is my internet slow – take 2


What you’re seeing here is step 1. I’ve removed vast amounts of unneeded and unused equipment and consolidated the network to one switch. I removed 4 other switches, one of which had many connections yet was not even powered on.

Why is my internet slow?

A local customer called me to come and check things out, the chief complaint being their internet is slow.

This electrical room is a potential issue, the other being most workstations having zero anti-virus. Stay tuned for an “after” shot to go along with this “before” shot to see the capabilities of The Restore Store.

Product Watch: IBM Unveils New Virtual Server Security Offering – DarkReading
VMware offering will help users build security into virtualized data centers, Big Blue says

Nov 13, 2009 | 04:55 PM
By Tim Wilson

IBM today introduced IBM Virtual Server Security for VMware vSphere, a software product designed to help organizations secure and protect their virtual server infrastructures.

The software will help safeguard virtual server environments and allow businesses a more secure path for transitioning critical assets to virtual enterprise data centers, IBM says.

The new security capabilities “are required because of reduced visibility and control that come with the addition of more information technology layers” in virtual server environments, IBM says. “Given this changing landscape, traditional security made for physical computing environments becomes inadequate as a sole solution,” it says.

The new IBM Virtual Server Security for VMware vSphere helps address these concerns, providing protection for every layer of the virtual infrastructure, including the hypervisor, operating system, network, applications, server-based virtual desktops, virtual machine, and traffic between virtual machines, the company says.

By integrating with VMware VMsafe technology, the new software provides clients with better visibility, security granularity, and scalability in their growing virtual data centers, IBM says.

The new capabilities include Virtual Network Access Control (VNAC) to limit network access from a virtual server until security posture is confirmed, rootkit detection and prevention, virtual infrastructure monitoring and reporting to identify vulnerabilities, and autodiscovery to provide visibility and control of the virtual infrastructure.

IBM Virtual Server Security for VMware vSphere will be available in December.

Koobface Worm Poses as Facebook User – eWeek Security Watch

The notorious Koobface botnet has pushed out a new component to help snag Facebook users.

According to Trend Micro, the component automates the following routines: registering a Facebook account, confirming an e-mail address in Gmail to activate the registered account, joining random Facebook groups, adding “friends” and posting messages on their walls.

The point of doing all this, of course, is to infect more users. As it does so, Koobface tries to stay under the radar by checking to see if the account has reached the maximum number of friend requests to avoid alerting Facebook administrators.

“Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook,” blogged Trend Micro Advanced Threats Researcher Jonell Baltazar. “All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.”

The component fetches details from one of the botnet’s available proxy domains, Baltazar continued. The messages it posts on Facebook walls include a link to either a fake Facebook page or YouTube page hosting the Koobface loader component.

“Facebook users are advised to be careful and security-conscious,” Baltazar blogged. “It is probable that the Koobface botnet owns a particular Facebook account.”


Fully install Windows 7 from the upgrade disc

By Woody Leonhard

Topping the long list of readers’ Windows 7 questions is whether you can use the upgrade disc to perform a full install of the new OS.

You may be surprised to discover that in Windows 7 there’s no difference between the “upgrade” and “full” DVDs and — just as with Vista — the cheaper upgrade version can indeed be used to perform a full install.

But that’s just one of your many Windows 7 questions. From what’s possible, to what’s legal, to what-on-earth-were-they-thinking, here’s the skinny on the ins and outs of Microsoft’s best OS yet. There’s no way to fit all your Win7 queries into a single column, so you can be sure I’ll have many more Win7 FAQs in the weeks to come.

Will a Win7 upgrade disc install the full OS?

* “It looks like you can use the upgrade version of Windows 7 to install a ‘genuine’ copy of Windows 7 on any PC, whether it already has Windows on it or not. Why would anybody pay way more money and buy a full-install version of Windows 7 instead of an upgrade version?”

Good question. So far, the only people I know who’ve paid for the full version of Windows 7 thought they had to buy it because they were running Windows XP. When they read that they couldn’t do an in-place upgrade from XP to Win7, they mistakenly thought they had to buy the full release. They got ripped off.

The terminology stinks, but as you will see below in my discussion of upgrade pricing, almost everybody qualifies for an upgrade version of Windows 7.

In my experience, most people using the upgrade package find that their new Win7 key validates immediately after the PC connects to the Internet. You can maximize your chances of getting instant gratification (validation), however.

If you have a version of Windows running on your PC, start Windows, insert the Windows 7 upgrade DVD, and follow the on-screen instructions. (All of the usual caveats about first backing up your data apply, of course.) If you wish, you can reformat your hard drive at the beginning of the installation process. This wipes out all the old data stored on the drive.

In my testing, as long as I started the Win7 installation from within Windows, the upgrade key passed validation. It didn’t matter, in my test runs, whether the PC’s previous version of Windows had ever been validated as “genuine” or not.

If you don’t have Windows running — for example, if you’re installing the OS on a new hard drive — boot from the Win7 upgrade DVD and follow the on-screen instructions. Chances are good that Windows 7 will validate immediately, even if there was no copy of Windows on the drive beforehand.

I have a theory about how and why this straightforward validation just works, but Microsoft hasn’t yet divulged details. I’ll revisit the whys and wherefores in a future column.

If you type in the validation key and see a message stating, “The product key is not valid,” don’t fret. Go ahead and install Win7 without the key and plan on activating the OS later. Remember that you can run Win7 up to 120 days without activating it, as I explained in my Aug. 20 Top Story.

How do I get the upgrade key to activate?

* “I installed the Windows 7 upgrade and the key doesn’t work. What should I do next?”

In such situations, Microsoft recommends that you call the company to validate your copy of Win7 over the phone. In my experience, phone validation works quickly and easily. The people answering the phone bend over backwards to get Win7 validated.

If you want to try this official, phone-it-in approach, review the question in the next section and make sure your PC qualifies for upgrade pricing. If it does, but you can’t get the key to work, gather whatever information you need to verify you qualify and then call Microsoft. The easy way to get Microsoft’s Win7 activation phone number is to click Start, type slui 4, and press Enter.

That said, you can activate with an upgrade key without calling Microsoft at all. There are several ways to do so. For example, writer Paul Thurrott documents in a blog post how you can upgrade in this situation by changing a byte in the Registry and running a single command line.

Failing that, another fairly simple (if more time-consuming) activation method is to install from the Win7 upgrade disc and then upgrade Win7 on top of itself. This technique works in Win7 in a nearly identical way to the trick WS editorial director Brian Livingston described for Vista in a Feb. 1, 2007 Top Story.

The short version of that trick is this: Once you’ve installed Win7 from the upgrade DVD, start Win7, and then stick the upgrade disc in the drive again. Follow the instructions to upgrade, but don’t choose Custom — you’re upgrading to Windows 7 from Windows 7. Enter the key when requested, and it’ll validate the next time you’re online.

Does my PC qualify for upgrade pricing?

* “I understand that there are many different ways to upgrade a PC to Windows 7. The $64 question (give or take a few bucks) is whether my PC qualifies for the Upgrade Option for Windows 7 rather than my having to buy the full version. How can I tell?”

Microsoft made it easy in Windows 7 to perform a full install of Windows 7 using only the less-expensive Upgrade Option for Windows 7. In fact, MS made the trick even easier in Windows 7 than it was in Vista, by adding to Win7 the Registry byte change that I mentioned above. The technique in Vista usually required a second install to work. Win7, thanks to changes deliberately added by Microsoft, usually doesn’t require that the setup routine be started twice.

Microsoft’s Windows 7 End-User License Agreement (EULA), however, says you can install an upgrade edition of Win7 only if you had a license for an earlier version of Windows that you’re eradicating.

It’s curious why Microsoft makes it so easy for customers to install an “upgrade” copy of Windows 7 on a PC that supposedly doesn’t qualify. Indeed, why has Microsoft built hooks into the Windows installer to specifically bypass the qualification test — hooks that have been left in place for years?

In any event, the relevant clause in the Win7 EULA says:

* “To use upgrade software, you must first be licensed for the software that is eligible for the upgrade. Upon upgrade, this agreement takes the place of the agreement for the software you upgraded from. After you upgrade, you may no longer use the software you upgraded from.”

By that standard, the number of machines that don’t qualify for upgrade pricing is mighty tiny. (It also raises disturbing questions about multiboot systems, but I’ll discuss multibooting in a future column.)

For example, if you own a computer with a Windows Certificate of Authenticity sticker on the case as proof of ownership — and the certificate is for Vista or XP — there’s no question whatsoever that the PC qualifies for upgrade pricing.

If you’ve ever paid for a full copy of Windows — one you purchased “off the shelf,” not a copy that was preinstalled on a PC — you own the right to use that copy of Windows on any PC you like, as long as you use it on only one machine at a time. There’s no requirement that you activate it in order for a Win7 upgrade to work on it. How can that not be a legitimate candidate for a Windows 7 upgrade?

The universe of PCs that don’t qualify for upgrade pricing would seem to be limited to those that (1) have been built from scratch or (2) bear counterfeit builds of Windows that unsuspecting customers bought from unscrupulous box shops. New virtual machines also require the full version, but that’s about it — this represents a very tiny slice of the consumer-PC pie.

How do I know my Win7 installation is legit?

* “If I can get an upgrade version of Windows 7 to install on my PC and it validates as ‘genuine,’ I’m running everything legally and don’t need to worry about it, right?”

As far as I can tell, if you pass the validation hurdle once with an upgrade version of Windows 7, your computer won’t have to do anything in the future to prove whether you were or were not entitled to an upgrade.

You’ll definitely be running a copy of Win7 that’s validated as genuine. Whether that also means your new copy meets the written definition in Microsoft’s EULA depends on whether you ever owned a legal copy of Windows for that PC. That can sometimes be hard to verify.

Can I upgrade in place from XP to Vista to Win7?

* “I’m running Windows XP. I know I can’t do an in-place upgrade from XP to Windows 7, but can I do an in-place upgrade from XP to Vista, and then another from Vista to Windows 7?”

You can, but that gives Windows two opportunities to shoot you in the foot.

Many of my friends tell me I’m superstitious, but I strongly recommend that people perform a custom (clean) install. Yes, that entails reinstalling programs and re-entering your custom system settings, but it’s still my advice — even if you have a PC that can accommodate an in-place upgrade.

Sticking Win7 on top of an old copy of Windows is like building a new house on old landfill. You never know what’s going to come to the surface, or where, or when. A very large percentage of the problems people are having with Windows 7 installations occur with in-place upgrades.

Which Win7 is right for me: 32-bit or 64-bit?

* “Should I install the 32-bit or 64-bit version of Windows 7? How do I get the right one?”

Every Windows 7 box that you buy on store shelves — whether an upgrade or full version of Home Premium, Professional, or Ultimate — contains two DVDs. One has the 32-bit version and the other has the 64-bit version.

If you ignore the recommendation I made in the above item and insist on performing an in-place upgrade, you can do so only from 32-bit to 32-bit or 64-bit to 64-bit. However, if you do a custom (clean) install on a machine that formerly ran a 32-bit version of XP or Vista, you should seriously consider moving to 64-bit computing.

See my July 16 Top Story for information that will help you determine whether 64-bit is right for you. If you decide that it is, follow the instructions in the article to run the Windows 7 Upgrade Advisor.

If the Upgrade Advisor indicates your PC can support a 64-bit version of Windows — and it doesn’t warn you that your specific hardware doesn’t have drivers — give 64-bit a try. Although there are some devices from major manufacturers that don’t have 64-bit drivers, several of these vendors have been embarrassed into writing new ones.

Can I upgrade Vista Ultimate to any Win7 flavor?

* “I got suckered into paying for Windows Vista Ultimate. What a waste! Adding insult to pecuniary injury, if I want to upgrade, I have to pay for Windows 7 Ultimate, right?”
If you want to perform an in-place upgrade from 32-bit Vista Ultimate, you have to pay for the Windows 7 Ultimate upgrade and must install the 32-bit version. However, if you perform a custom (clean) install, you can upgrade that Vista Ultimate PC to whichever version of Windows 7 you prefer.

It gets confusing because the term “upgrade” has two completely different meanings. If you want to do an in-place upgrade and avoid reinstalling your programs and updating your settings, you have very limited choices about which versions of Windows you can start with and what you can upgrade to. (See Microsoft’s somewhat-muddled explanation of the Win7 Upgrade Option Program on the official Windows 7 site.)

If you’re willing to perform a clean install, you can upgrade any version of XP or Vista to any version of Windows 7, and you need pay for only the Upgrade Option for Windows 7 — no need to buy the full-install package.

I just saved you about a hundred bucks, yes?