SLUG Mailing List Archives
Re: [SLUG] Penetration Test
- To: slug@xxxxxxxxxxx
- Subject: Re: [SLUG] Penetration Test
- From: Daniel Pittman <daniel@xxxxxxxxxxxx>
- Date: Sun, 01 Nov 2009 18:15:37 +1100
- User-agent: Gnus/5.13 (Gnus v5.13) Emacs/23.1 (gnu/linux)
Rick Phillips <rick@xxxxxxxxxxxxx> writes:
>> Just out of interest, what kind of server are you talking about ?
> Briefly, we have been running this server for 5 years principally to serve
> learning materials to students. Initially, the server was sanctioned by the
> Education Department and it has grown in usefulness and reliability and
> contrary to the official LMS run by the department, is very easy to use. We
> run Moodle which is free, they run Blackboard, which is not. The success of
> our Moodle is proving to be of some embarrassment to them now as other
> schools are pushing for a similar situation as our own and now they want our
> service closed down.
> The department is employing a "white hat" to do a penetration test at the
> end of this month and we thought it would be better to be forearmed.
That seems a reasonable approach to me, although I would generally prefer to
rely on security auditing and design to prepare for such events.
Certainly, my general experience when faced with that sort of situation is
that checking our risk assessments, and doing an internal audit of the system
against that, was very effective.
> We know there is money involved and we are looking for a trustworthy
> company or individual to do the job without destroying our server and
> who will advise us where our weaknesses, if any, lie.
> Perhaps I am being naive and simplistic in my approach.
> This is a serious matter for us and I certainly didn't appreciate last
> night's reply to the list.
I am going to presume you are referring to my comments here, because there
isn't much harm if I don't.
First, let me say that I am sorry you didn't appreciate the response, and the
implied criticism of your plan. It was absolutely not my intention to offend,
but rather to continue to question my own assumptions in the face of someone
who disagreed with me.
I regret that my statements came across poorly, and left you feeling unhappy.
Secondly, in light of the situation this seems to be a reasonable strategy: if
you know that you are going to be penetration tested then, indeed, getting
someone professional and external to do a penetration test is going to give
you some useful information.
I would strongly advise that you couple your penetration test with a serious
security and risk assessment, though: they cover very different ground.
It is also my experience that when you face a social problem — like the other
folks trying to get you shut down — having a serious technical risk assessment
document, and a security plan, and proof that you internally audit against
those documents is a *very* valuable addition.
I suggest that in addition to passing this present technical challenge you
need to be working to produce details that help you prove to the department
that you are secure, and that you have considered the issues, *without* them
needing to go to the trouble of actually testing you.
I can't say that with certainty, obviously — I don't work with, or for, the
NSW department of education. I can say that in similar situations, including
dealing with similar government departments down in Victoria, those social
strategies have worked effectively for me in the past.
I am still not convinced the department are making the right decision in
their approach to the situation, but in the context...
✣ Daniel Pittman ✉ daniel@xxxxxxxxxxxx ☎ +61 401 155 707
♽ made with 100 percent post-consumer electrons
Looking for work? Love Perl? In Melbourne, Australia? We are hiring.