From: Jerry Shenk (jshenk@decommunications.com)
Date: Fri Jan 23 2004 - 19:02:10 EST
When I do a pen-test, I specifically tell them to contact me before they
dig too deeply into a suspected incident. I then record that in the
pen-test report. If they pick up on what I'm doing early (or ever
actually), that's good and I report that in the report. I am constantly
amazed at the number of places that NEVER notice anything. When I go
through 500,000 scripted login attempts over a weekend and nobody every
notices....that's a problem!
-----Original Message-----
From: Rob Shein [mailto:shoten@starpower.net]
Sent: Friday, January 23, 2004 4:39 PM
To: pete@isecom.org; 'Jeff Shawgo'; pen-test@securityfocus.com
Subject: RE: What a security test should do?- from thinking about:
Ethical Hacking Training
Policy strength (there might be no policy requiring password changes, or
there might be one, which isn't enforced), internal controls (what if an
employee hacks from inside...then what?), contractor handling, mostly
other
policy-related things come to mind. It's also hard to be sure how good
their response to incidents is as well, since a pen-tester will
(hopefully)
avoid doing many things that a malicious hacker would do, even
deliberately.
---------------------------------------------------------------------------
----------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:46 EDT