To put Zate's final paragraph in different words: Your sysadmins need to know what data is on the systems you pop. Your CTO needs to understand the effect a compromise of that data might have on the rest of the business. You need to suggest fixes that don't involve "you need to escalate priority on all of them to highest now," since that's almost certain to happen.
Succinctly, if you don't have data classification and what boxes are allowed to store which levels, you're in trouble already. But if you're in that situation, you can use this experiment to force such an examination, assuming your SAs don't just say "we're too busy fixing all the problems you've already pointed out, get stuffed." Mike On 2011/01/18 11:34 AM, Zate Berg wrote: > If the CTO is requesting it then you are over a major hurdle already, > getting management to understand what it means when you can pop a box > easily and allowing you to test like this. > > I have had luck with taking Nessus scans and trying to exploit > weaknesses with Metasploit to prove a point. I have also had success > with just filtering Nessus output on "exploitable" vulnerabilities > (can do that in filters in the web client). Nessus will show you in > the results vulnerabilities that have confirmed exploits in > metasploit/canvas/core. > > I think the key here is presenting your findings in a format that says > more than "ha we got shell". Being able to frame up exactly what the > impact to the business of that particular system getting compromised > is. Does it hold important data? Is it a trusted system with access > to other more important systems? The context of what you have > compromised is really important. > > Good luck. > > Zate > > > > On Mon, Jan 17, 2011 at 11:16 PM, Steve <[email protected]> wrote: >> I am curious to everyone's opinion on the following ....We have a small >> group of servers in our environment that run out of date operating >> systems, primarily windows 2000 and redhat 3. We are doing the dance >> with business teams, migration is happening but slow. >> Our CTO has asked the security team to begin testing exploit code >> against these servers - a successful exploit would move that server up >> the priority list of getting it migrated off onto a supported operating >> system. Our tests only hit non-production servers so production is not >> impacted. >> >> >> Does anyone else have a similar process or tried something similar and >> was it successful ? >> >> --Steve >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com >> > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
