VoIP security auditing is becoming more and more complex ... Not!
I am curious how people can conduct penetration tests of a complex VoIP system when they barely understand how VoIP infrastructure works. Today, security people are still stuck with auditing practices from the 1990s. When asked to do a penetration test, a consultant is often only looking at past issues that can be detected using various vulnerability scanners. Very few of them know that vulnerability scanners have extremely bad coverage of vulnerabilities in VoIP solutions. And even if the tools did know VoIP, who really cares about past issues that might have been relevant several years ago?
If someone is selling you a penetration test, and then running a vulnerability scanner and handing you a report, you're not getting what you paid for, period.
Penetration Test != Audit != Assessment
Back around the turn of the century when I built a small security consulting firm in Texas, we had to explain the difference to customers on most occasions and watch their faces as they realized they hadn't been getting what they were paying for from other firms. You touch on some of the differentiating points in your article; however, the differences can be summed up even more precisely:
A Penetration Test is generally exactly that. The target is attacked as a real attacker would; the approach is more stealthy, profiling is done to identify weak targets, those targets are enumerated and surgically attacked until one or more are successfully compromised, then the test is over. Penetration tests are generally limited in scope and comprehensiveness by nature, and on many occasions produce new, undisclosed vulnerabilities in the systems and software the customer employs. Penetration tests by far require the most skill of the three types I'm outlining. The differentiators here are the VARIABLE SCOPE and LENGTH of the test via selective targeting and the end of the test once the goal is reached: successful compromise.
An Audit is generally a test for some form of compliance. The scope is defined exactly by whatever documentation outlines the requirements for compliance. This can be anything from the size of HIPAA to a simple checklist of specific vulnerabilities. If all the requirements are met, the target is compliant and has passed the audit. The differentiation here is that you have something to audit the target AGAINST.
An Assessment is what you get from stock tools like vulnerability scanners, custom tools to identify vulnerabilities, and nice pretty reporting software to tie all the results together and provide mitigation and remediation guidance. Assessments are essentially a test of the target for, and this is the important differentiation, KNOWN vulnerabilities.
My firm was happy to provide all three, given that the customer understood what they were getting when they asked for one or the other.
Thank you for the definitions for each of these. Unfortunately, still today, there are as many definitions as there are security consultants. As my background is in fuzzing, I do not really agree with these definitions. If we do an assessment, we run tools (our own fuzzers, and other available fuzzers and non-fuzzers from other companies) to mostly find unknown vulnerabilities. We can find known issues also, but that is not the purpose of the assessment. This in most cases is an "audit" (or assessment, or test, or review) against a carefully designed test specification, sometimes dictated by the industry and in almost every case pre-run in similar form by another party. Often this is part of a certification process. And yes, the tools are very similar to what a hacker would use in what you call a "penetration test".