He’s got some good points, but there are a few things overlooked. To write something like this post, he should have backed it up with better examples and real stats.
Originally, pen testing was a simulation of what real attackers would do. Then it became more about validating vuln scan/assessment results. Now its essentially about compliance check boxing. (PCI)
I’m pretty sure these PCI “compliance checks” don’t assess the (most of the time “extreme”) stupidity of the employees or even owners / administrators of the hardware. Those who author said compliance checks really believe that social engineering, physical security, phishing, advanced WiFi relay attacks and even hardware planting can be done with automated scripts? An automated script is going to reroute your companies SIP traffic to eve’s drop on your conversations for tiny, but important, morsels of data that can be further used to penetrate even deeper into your institution?
…you can productize a device or a software tool more than you can productize a skilled person.
You’re definitely right about that, but people like Kevin Mitnick, Chris Hadnagy, and many others HAVE “productized” themselves rather well using techniques that cannot be scripted. Trying to raise awareness in the human factor of all of this “security.” Maybe it simply takes knowledge and gifts that only few have to “productize” a person.
…hiring people who can emulate real attackers is overkill, too expensive…
You’re right about the expense part, but doesn’t that come with getting a master of the trade? I have seen institutions/corporations/universities/etc drop far more money on things far less important.
If you look at the direction these tools [Metasploit, Core, Canvas] are going, it is to automate more and more of this process.
My recent post about “Information Security Awareness” stated that any organization should have a single person capable enough of clicking though one of those frameworks on a regular basis and record the results for the developers of his or her organization to analyze. This is compliance checking and NOT penetration testing.
I would like to stress to my readers that there are many more vectors of attack on any particular system than simply remote exploits. This was the sole purpose of WeakNet Linux Lite and WEAKERTHAN. It was to force users to use imagination and skill. I too, cringe at the sight of bloated frameworks that do nothing to teach the user or exercise his or her hacking talents. I have to “productize” Weakerthan. If I want you all to use it and like it, I have to commit to your wishes. Unfortunately, Mr. Ownage is %100 right in this aspect. You all demand things to be automated and easy to use. I once spent countless hours teaching someone to connect their wireless card to their router which had WPA enabled. After which he begged me to add “Network -Manager” to my next release. This is just one reason why I gave up and decided the next release will be a DVD/USB release.
Well, I can only take your word for it, Mr. Ownage, as you are a professional in the field, and I am not. If this is true, then man,… what a sad state our security has become in this nation; nothing more than a government regulated peep show through our own privacy / security practices. I personally would choose a different career path if all pentesting was simply “compliance testing.” I would really like to urge any computer security enthusiast out there reading this to not trust his opinion. Use your brains and imagination, study, work overtime, write code, drink caffeine, and most importantly – do what you love, practice safe hacking, and have fun! ;)
I guess the Black Hats have it better than ever now!?
Go corporate America, go!