Dailydave mailing list archives
Re: New presentation is up: 0days: How hacking reallyworks
From: David Stein <david.r.stein () gmail com>
Date: Wed, 2 Feb 2005 13:47:51 -0500
The best pen-testing I ever saw was done against another business unit in $MY_COMPANY. I learned about it from our company newsletter. The pen-testers (named, I kid you not, "Hackers for Hire") were actually caught by our ever-alert system administrators, who were pictured in the newsletter being congratulated by the company president for their good work. The story's headline was something like "$MY_COMPANY's Network Secure Against All Threats".

Now, at first I thought that (having seen the utter security disaster that is $MY_COMPANY's network) these must be the stupidest pen-testers on the planet. But then I came to realize that they're probably the smartest.

If I had had the contract, I would have worked very hard, tromped all over the network, produced a scathing report and humiliated the IT staff. That would have made me feel pretty good, at least for a while.

The brilliant folks at "Hackers for Hire", on the other hand, must have turned Nessus on at maximum noise level and lit up the firewall for hours (days?) while kicking back with some brews, waiting for someone to notice. Then they came in, sheepishly admitted that our crack IT staff was too much for them, collected a big check and laughed all the way to the bank. And when it's time for next year's audit, who do you think is going to get the contract? They've made our IT department their friends for life.

In business, always ask WWDD?[1] and act accordingly.

David Stein
david.r.stein(at)gmail(dot)com

[1] What would Dogbert do?

On Tue, 01 Feb 2005 16:35:00 -0500, Ron Gula <rgula () tenablesecurity com> wrote:

> At 04:17 PM 2/1/2005, Kevin Ponds wrote:
>
> > I'm not suggesting that you guys should quit your jobs, or that deep pen-testing isn't value adding. I just think that these guys who come in, start their automated scanning tool (which is usually rebranded nessus), get drunk while it's running, and collect money are kind of worthless.
>
> Yeah, but lots of folks are used to paying large sums of money for this so they are "compliant". Even if I can sprinkle the IBM magic pixie dust on all my systems so they are patched 100% 24x7, I still need to prove this to the auditors who are in my hair.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com https://lists.immunitysec.com/mailman/listinfo/dailydave