RE: Article Announcement - Demystifying Penetration Testing

From: Debasis Mohanty (mail@hackingspirits.com)
Date: Tue Dec 14 2004 - 13:15:35 EST


Hi Jeffrey,
Thanks for your inputs, but I guess you are confusing pen-testing with the entire
risk assessment lifecycle. Well, as far as the article goes, it only covers
the scope of pen-testing, and I have tried to highlight all possible
variables of pen-testing; to dig further one can google for those
variables.

I wrote this article to give a clear picture of how a pen-test is done and
how it is different from vulnerability assessment.

>> Nice, but it doesn't cover the "So what?" question.
>> If a CEO asks you, "So you broke into my systems, so what?", how do you
>> answer that question? When you first sit down
>> with a company to discuss what you are planning on doing, you should ask
>> them what is critical to their company. Have
>> them list what is critical to their company that would adversely affect
>> them if that information became public or ended
>> up in the hands of their competitors.

The "So what?" is beyond the scope of this article. There are two things I
believe every security firm does before and after pen-testing, i.e.
identifying the critical servers / assets before pen-testing and
hardening/patching of servers after the pen-testing. Probably that satisfies
your "So what?" query. But these are things that are beyond the scope of
the article.

>> But showing the company that some important research that they have spent
>> millions of dollars and years of time on
>> could easily be compromised will get the CEO directly involved. CEOs
>> don't like having their ass handed to them (and I
>> feel that should be the goal of any pen-test).

That is the reason security firms sign strict NDAs with the clients. In most
cases the pen-tester has to sign much stricter agreements with the
customers as well as the parent company for security reasons.

>> You'll get a few raised eyebrows when you add to your report, "we broke
>> into these servers, and these are the log
>> entries from your servers where you should have caught us." Your
>> customer will feel they get more for their money if
>> you help educate them.

This is what the customer expects to see every time, but sometimes it might
happen that a pen-tester does not get 100% success for all the identified
critical servers.

I hope all your queries are answered.

Regds,
Debasis Mohanty

-----Original Message-----
From: Jeffrey Denton [mailto:dentonj@gmail.com]
Sent: Saturday, December 11, 2004 3:02 PM
To: Debasis Mohanty; pen-test@securityfocus.com
Subject: Fwd: Article Announcement - Demystifying Penetration Testing

On Fri, 10 Dec 2004 23:07:43 +0530, Debasis Mohanty
<mail@hackingspirits.com> wrote:

> This presentation is targeted for all security practitioners (i.e.
> Security Officers / Sys Admins / Security Auditors / Security
> Enthusiasts, etc.). This presentation will give a clear picture on how
> pen testing is done and what are the expected results. Various
> screenshots are provided as a proof of concepts to give a brief picture of
> possible end-results.

Nice, but it doesn't cover the "So what?" question.

If a CEO asks you, "So you broke into my systems, so what?", how do you
answer that question? When you first sit down with a company to discuss
what you are planning on doing, you should ask them what is critical to
their company. Have them list what is critical to their company that would
adversely affect them if that information became public or ended up in the
hands of their competitors. Examples include new products soon to be
released to market, new technologies in the process of being patented,
research, contract bids, pending lawsuits (tread with caution here, your
right to do pen-testing usually doesn't waive attorney-client privileges),
etc.

What I'm trying to say is that data mining should be a part of every
pen-test. Breaking into their systems is nice, but shocking the customer
with what you've been able to gather about them gets more results. Owning a
network might end up with your report on some sysadmin's desk with the
instructions to "fix this." But showing the company that some important
research that they have spent millions of dollars and years of time on could
easily be compromised will get the CEO directly involved. CEOs don't like
having their ass handed to them (and I feel that should be the goal of any
pen-test).

Also, having a goal with pen-testing is more fun than just owning a network.
=)

Some other suggestions: if it's obvious that the sysadmins haven't detected
any of your intrusions, grab the logs from the servers you broke into.
You'll get a few raised eyebrows when you add to your report, "we broke into
these servers, and these are the log entries from your servers where you
should have caught us." Your customer will feel they get more for their
money if you help educate them.

Just a suggestion.

dentonj



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT