SlideShare ist ein Scribd-Unternehmen logo
1 von 3
Downloaden Sie, um offline zu lesen
Cloud penetrator-hakin9-review-march-2012
REVIEW




  SecPoint Cloud
  Penetrator
  Online Vulnerability Assessment Scan
  Waking up every morning a skeptic is not that difficult. By 10 AM there
  are usually two or three interactions that prove I was right.



     I
      was invited by Hakin9 to do an evaluation of a prod-         Management overview: If you are a customer who
      uct called “SecPoint® Cloud Penetrator”, a service        needs the appearance of security for management or
      provided by SecPoint® of Copenhagen Denmark               compliance reasons, this tool provides excellent reports
(my first thought was that I needed to do an on-site as-        that can be filed in your compliance file. If you are a cus-
sessment – and visit Tivoli gardens – it’s been over 40         tomer to whom true security, confidentiality, integrity,
years since my last visit – but I still remember it well). In   and availability are of crucial or of utmost importance -
reviewing their web site I noted that they provide many         this is, in my opinion, one of the better tools to help you
tools in the security arena, both products and services,        towards that goal.
on-site and off. In my disclosure request to Hakin9 I was
informed “ They collaborated with us long time ago, and            For those of you who are interested in TRUE secu-
they refreshed the co-op two weeks ago “. Hakin9 also           rity, confidentiality, integrity, and availability:
provided me a copy of an assessment of the SecPoint®               This is a product that, in my opinion, should be in your
Penetrator S300 (an onsite system) by Michael Munt              tool kit.
some years ago.
                                                                   The time and study that would be required to dupli-
   As a true skeptic, I need to be skeptical of the custom-     cate the quality of this analysis would be far more than
er also. I find there are basically two types of customers      the cost of the service. Plus having a whole team dealing
for this type of product: Customers who want the best           with new threats appearing daily would cost far more
confidentiality, integrity, and availability possible; and      than the daily cost of $ 0.44 per day (1 IP, 6 months ser-
the second type who needs the appearance of security            vice) up to $ 2.41 per day (8 IPs, 1 Year Service).
for management or compliance purposes.
                                                                    The quick look at the overall assessment in a graphic
                                                                is very useful to visualize which server to work on first.

                                                                   Because of operational difficulties ( I used up my two
                                                                free scans only to find out that their cloud based service
                                                                couldn’t “see” the test targets ), I did not run the scans
                                                                myself, and they were run by SecPoint®’s team. As a con-
                                                                sequence, I have no opinion on the ease of use or user in-
                                                                terface, I would commend you to Mr. Munt’s article:
                                                                (http://www.secpoint.com/awards/HAKIN9-Product-Re-
                                                                view-PP3000-English-June-2010.pdf).

                                                                   Before starting the scan I was required to provide
                                                                written proof of “ownership” of the to-be-scanned IP’s,
Figure 1: Interface                                             and permission for SecPoint® to run the scan.

 2                                                                                                                  03/2012
Sec Point Cloud Penetrator: Online Vulnerability Assessment Scan




Figure 2: Risk Factor

   They provided evidence of scans of the two request-         the time at the scanning site. For multinational organi-
ed IPs and I was favourably impressed. The scan of “.6”        zations this would be much better if it also listed UTC. I
took 17 hours and 58 minutes and was performed by              have testified in court where a simple issue of “what time
SecPoint® Cloud Penetrator 8.8.1.115 . The scan of “.10”       was it” was used by the defense to obfuscate whether
took almost 10 hours and 28 minutes and was the same           two reports were simultaneous, and I spent 40 minutes
version of Cloud Penetrator. Both of these evaluations         being questioned by the prosecution to clarify simple
were run simultaneously ( “.10” was started 2 seconds af-      time conversions because the reports had different times
ter “.6”) so they were potentially competing for band-         on them.
width (our side 10 MBPS Fibre Optic). According to Mr.
Munt’s article there is a “Quick Audit”, which may be con-         SecPoint® seems to get other things right. On the “.6”
siderably faster.                                              server they reported that the IP was listed on the barra-
                                                               cudacentral blacklist (the higher priced spread did not
   The reports listed all the vulnerabilities and issues re-   get this one), but better than that, they correctly, in my
ported by a competing product (of considerable higher          opinion, listed it as a “High” risk (Can you spell Availabil-
cost) run 1 day later on unmodified servers.                   ity). Arguably email is the most pervasive use of the web,
                                                               and this single issue (it is not a vulnerability) can cause
   Of note, the reports provided by SecPoint® provided         your email never to be received.
not only the reference to the vulnerability/issue in Bug-
traq (Securityfocus.com) and the Official CVE (main-              My overall assessment of the tool was favourable, and
tained by Mitre under a US Government contract), but           I would highly recommend it to customers. Of course
the Impact information (“what does this mean to me”),          your mileage may vary, but starting out with a high mile-
so I didn’t have to go to CVE or Bugtraq to find out what      age tool is always better than finding out you were using
issue was. This saves me considerable time over the            a higher cost, lower mileage tool.
competing product (did I mention higher priced?) which
simply gave me a reference to the CVE and left me on my           	
own to research the issue.

   From a compliance and evidentiary (forensic) view-
point, there were some things I would have liked to have
seen in the reports. I would have liked to have seen both
the source IP and the target IP listed on each page of the     ABOUT THE EVALUATOR
report (26 pages for one scan and 36 pages for the other
scan) to prevent page replacement. The report listed the       DAVID VON VISTAUXX, CHS®, PMP®, CISSP®.
time in Eastern European time on every page of the re-         Can be reached at:
port (excellent) this was presumably because that was          hakin.secpoint.article@infrastructuresecurity.net


www.hakin9.org                                                                                                          3

Weitere ähnliche Inhalte

Ähnlich wie Cloud penetrator-hakin9-review-march-2012

Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersLarry Suto
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorialtutorialsruby
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningSumutiu Marius
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018Christophe Rochefolle
 
Presentation Requirements For A Computer System
Presentation Requirements For A Computer SystemPresentation Requirements For A Computer System
Presentation Requirements For A Computer SystemTiffany Carpenter
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud MigrationVMware Tanzu
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015sllongo3
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330Jim Kramer
 
I Think About My Biggest Weakness
I Think About My Biggest WeaknessI Think About My Biggest Weakness
I Think About My Biggest WeaknessGina Buck
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybSeniorStoryteller
 
Code instrumentation
Code instrumentationCode instrumentation
Code instrumentationMennan Tekbir
 
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction ProfilerSplunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction ProfilerSplunk
 
IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...
IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...
IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...IRJET Journal
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Lisa Brown
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET-  	  Analysis of Forensics Tools in Cloud EnvironmentIRJET-  	  Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud EnvironmentIRJET Journal
 
52892006 manual-testing-real-time
52892006 manual-testing-real-time52892006 manual-testing-real-time
52892006 manual-testing-real-timeSunil Pandey
 
A Survey on Batch Auditing Systems for Cloud Storage
A Survey on Batch Auditing Systems for Cloud StorageA Survey on Batch Auditing Systems for Cloud Storage
A Survey on Batch Auditing Systems for Cloud StorageIRJET Journal
 

Ähnlich wie Cloud penetrator-hakin9-review-march-2012 (20)

Accuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scannersAccuracy and time_costs_of_web_app_scanners
Accuracy and time_costs_of_web_app_scanners
 
Remote Access
Remote AccessRemote Access
Remote Access
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
sts-scanner_tutorial
sts-scanner_tutorialsts-scanner_tutorial
sts-scanner_tutorial
 
Hacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie PoisoningHacking Web Aplications using Cookie Poisoning
Hacking Web Aplications using Cookie Poisoning
 
From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018From Duke of DevOps to Queen of Chaos - Api days 2018
From Duke of DevOps to Queen of Chaos - Api days 2018
 
Presentation Requirements For A Computer System
Presentation Requirements For A Computer SystemPresentation Requirements For A Computer System
Presentation Requirements For A Computer System
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
Securing a Cloud Migration
Securing a Cloud MigrationSecuring a Cloud Migration
Securing a Cloud Migration
 
TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015TierPoint White Paper_With all due diligence_2015
TierPoint White Paper_With all due diligence_2015
 
With-All-Due-Diligence20150330
With-All-Due-Diligence20150330With-All-Due-Diligence20150330
With-All-Due-Diligence20150330
 
I Think About My Biggest Weakness
I Think About My Biggest WeaknessI Think About My Biggest Weakness
I Think About My Biggest Weakness
 
Making Security Agile - Oleg Gryb
Making Security Agile - Oleg GrybMaking Security Agile - Oleg Gryb
Making Security Agile - Oleg Gryb
 
Code instrumentation
Code instrumentationCode instrumentation
Code instrumentation
 
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction ProfilerSplunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
Splunk conf2014 - Dashboard Fun - Creating an Interactive Transaction Profiler
 
IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...
IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...
IRJET- Real Time Monitoring of Servers with Prometheus and Grafana for High A...
 
Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1Nt1310 Unit 1 Assignment 1
Nt1310 Unit 1 Assignment 1
 
IRJET- Analysis of Forensics Tools in Cloud Environment
IRJET-  	  Analysis of Forensics Tools in Cloud EnvironmentIRJET-  	  Analysis of Forensics Tools in Cloud Environment
IRJET- Analysis of Forensics Tools in Cloud Environment
 
52892006 manual-testing-real-time
52892006 manual-testing-real-time52892006 manual-testing-real-time
52892006 manual-testing-real-time
 
A Survey on Batch Auditing Systems for Cloud Storage
A Survey on Batch Auditing Systems for Cloud StorageA Survey on Batch Auditing Systems for Cloud Storage
A Survey on Batch Auditing Systems for Cloud Storage
 

Mehr von Amiga Utomo

Thesis of Amiga Utomo
Thesis of Amiga UtomoThesis of Amiga Utomo
Thesis of Amiga UtomoAmiga Utomo
 
Sql injection pen_test_07_2011_teasers
Sql injection pen_test_07_2011_teasersSql injection pen_test_07_2011_teasers
Sql injection pen_test_07_2011_teasersAmiga Utomo
 
Pen test pavol.luptak
Pen test pavol.luptakPen test pavol.luptak
Pen test pavol.luptakAmiga Utomo
 
Pen test free_01_2012
Pen test free_01_2012Pen test free_01_2012
Pen test free_01_2012Amiga Utomo
 
Pen test 06_2012__teasers
Pen test 06_2012__teasersPen test 06_2012__teasers
Pen test 06_2012__teasersAmiga Utomo
 
Pen test press_kit_2012_2
Pen test press_kit_2012_2Pen test press_kit_2012_2
Pen test press_kit_2012_2Amiga Utomo
 
Pen test press_kit_2012
Pen test press_kit_2012Pen test press_kit_2012
Pen test press_kit_2012Amiga Utomo
 
Ce hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database serversCe hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database serversAmiga Utomo
 
Web appc pentesting_05_2012__teasers
Web appc pentesting_05_2012__teasersWeb appc pentesting_05_2012__teasers
Web appc pentesting_05_2012__teasersAmiga Utomo
 

Mehr von Amiga Utomo (10)

Thesis of Amiga Utomo
Thesis of Amiga UtomoThesis of Amiga Utomo
Thesis of Amiga Utomo
 
Sql injection pen_test_07_2011_teasers
Sql injection pen_test_07_2011_teasersSql injection pen_test_07_2011_teasers
Sql injection pen_test_07_2011_teasers
 
Pen test pavol.luptak
Pen test pavol.luptakPen test pavol.luptak
Pen test pavol.luptak
 
Pen test free_01_2012
Pen test free_01_2012Pen test free_01_2012
Pen test free_01_2012
 
Pen test 06_2012__teasers
Pen test 06_2012__teasersPen test 06_2012__teasers
Pen test 06_2012__teasers
 
Pen test press_kit_2012_2
Pen test press_kit_2012_2Pen test press_kit_2012_2
Pen test press_kit_2012_2
 
Pen test press_kit_2012
Pen test press_kit_2012Pen test press_kit_2012
Pen test press_kit_2012
 
Ce hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database serversCe hv6 module 42 hacking database servers
Ce hv6 module 42 hacking database servers
 
Web appc pentesting_05_2012__teasers
Web appc pentesting_05_2012__teasersWeb appc pentesting_05_2012__teasers
Web appc pentesting_05_2012__teasers
 
Tugas ahp amiga
Tugas ahp amigaTugas ahp amiga
Tugas ahp amiga
 

Cloud penetrator-hakin9-review-march-2012

  • 2. REVIEW SecPoint Cloud Penetrator Online Vulnerability Assessment Scan Waking up every morning a skeptic is not that difficult. By 10 AM there are usually two or three interactions that prove I was right. I was invited by Hakin9 to do an evaluation of a prod- Management overview: If you are a customer who uct called “SecPoint® Cloud Penetrator”, a service needs the appearance of security for management or provided by SecPoint® of Copenhagen Denmark compliance reasons, this tool provides excellent reports (my first thought was that I needed to do an on-site as- that can be filed in your compliance file. If you are a cus- sessment – and visit Tivoli gardens – it’s been over 40 tomer to whom true security, confidentiality, integrity, years since my last visit – but I still remember it well). In and availability are of crucial or of utmost importance - reviewing their web site I noted that they provide many this is, in my opinion, one of the better tools to help you tools in the security arena, both products and services, towards that goal. on-site and off. In my disclosure request to Hakin9 I was informed “ They collaborated with us long time ago, and For those of you who are interested in TRUE secu- they refreshed the co-op two weeks ago “. Hakin9 also rity, confidentiality, integrity, and availability: provided me a copy of an assessment of the SecPoint® This is a product that, in my opinion, should be in your Penetrator S300 (an onsite system) by Michael Munt tool kit. some years ago. The time and study that would be required to dupli- As a true skeptic, I need to be skeptical of the custom- cate the quality of this analysis would be far more than er also. I find there are basically two types of customers the cost of the service. Plus having a whole team dealing for this type of product: Customers who want the best with new threats appearing daily would cost far more confidentiality, integrity, and availability possible; and than the daily cost of $ 0.44 per day (1 IP, 6 months ser- the second type who needs the appearance of security vice) up to $ 2.41 per day (8 IPs, 1 Year Service). for management or compliance purposes. The quick look at the overall assessment in a graphic is very useful to visualize which server to work on first. Because of operational difficulties ( I used up my two free scans only to find out that their cloud based service couldn’t “see” the test targets ), I did not run the scans myself, and they were run by SecPoint®’s team. As a con- sequence, I have no opinion on the ease of use or user in- terface, I would commend you to Mr. Munt’s article: (http://www.secpoint.com/awards/HAKIN9-Product-Re- view-PP3000-English-June-2010.pdf). Before starting the scan I was required to provide written proof of “ownership” of the to-be-scanned IP’s, Figure 1: Interface and permission for SecPoint® to run the scan. 2 03/2012
  • 3. Sec Point Cloud Penetrator: Online Vulnerability Assessment Scan Figure 2: Risk Factor They provided evidence of scans of the two request- the time at the scanning site. For multinational organi- ed IPs and I was favourably impressed. The scan of “.6” zations this would be much better if it also listed UTC. I took 17 hours and 58 minutes and was performed by have testified in court where a simple issue of “what time SecPoint® Cloud Penetrator 8.8.1.115 . The scan of “.10” was it” was used by the defense to obfuscate whether took almost 10 hours and 28 minutes and was the same two reports were simultaneous, and I spent 40 minutes version of Cloud Penetrator. Both of these evaluations being questioned by the prosecution to clarify simple were run simultaneously ( “.10” was started 2 seconds af- time conversions because the reports had different times ter “.6”) so they were potentially competing for band- on them. width (our side 10 MBPS Fibre Optic). According to Mr. Munt’s article there is a “Quick Audit”, which may be con- SecPoint® seems to get other things right. On the “.6” siderably faster. server they reported that the IP was listed on the barra- cudacentral blacklist (the higher priced spread did not The reports listed all the vulnerabilities and issues re- get this one), but better than that, they correctly, in my ported by a competing product (of considerable higher opinion, listed it as a “High” risk (Can you spell Availabil- cost) run 1 day later on unmodified servers. ity). Arguably email is the most pervasive use of the web, and this single issue (it is not a vulnerability) can cause Of note, the reports provided by SecPoint® provided your email never to be received. not only the reference to the vulnerability/issue in Bug- traq (Securityfocus.com) and the Official CVE (main- My overall assessment of the tool was favourable, and tained by Mitre under a US Government contract), but I would highly recommend it to customers. Of course the Impact information (“what does this mean to me”), your mileage may vary, but starting out with a high mile- so I didn’t have to go to CVE or Bugtraq to find out what age tool is always better than finding out you were using issue was. This saves me considerable time over the a higher cost, lower mileage tool. competing product (did I mention higher priced?) which simply gave me a reference to the CVE and left me on my own to research the issue. From a compliance and evidentiary (forensic) view- point, there were some things I would have liked to have seen in the reports. I would have liked to have seen both the source IP and the target IP listed on each page of the ABOUT THE EVALUATOR report (26 pages for one scan and 36 pages for the other scan) to prevent page replacement. The report listed the DAVID VON VISTAUXX, CHS®, PMP®, CISSP®. time in Eastern European time on every page of the re- Can be reached at: port (excellent) this was presumably because that was hakin.secpoint.article@infrastructuresecurity.net www.hakin9.org 3