Penetration Testing mailing list archives
RE: Email Pen-testing
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Tue, 23 Mar 2004 17:54:26 -0500 (EST)
On Tue, 23 Mar 2004, Rob Shein wrote:
>> of the bag. Advance warnings of each and every step are not a level playing field and certainly do not resemble reality for sure.

> Alright. Imagine for a second you're not a security expert, but instead you're the designer of body armor for police. When you test your armor, do you have some cops wear it on the beat and set up an ambush where some gangbangers unload on them in public? Of course not. You're not looking to resemble reality, and not just because the reality is a bad, bad thing. Under those circumstances, you're going to lose a lot of your data's validity. How far was the weapon from the vest, what kind of ammo was used, what was the angle... it goes on. And of course, in a pen test, if you get into the client and they are a bank, for example, you're not going to give yourself a nice six- or seven-figure bonus just because you can. That too would resemble reality, but again, that's not really the point. It's not a Spielberg film; you're not trying to make it as real as possible. You're just looking to see if it could be done as the real thing.

> You put the vest on a mannequin, take it to your firing range, carefully measure the distance, and then fire your hand-loaded bullet through a custom-made rifle that is highly accurate and repeatably maintains a consistent velocity towards the target. You're going to take copious notes on every aspect of it, and by no means will any human be in view anywhere downrange when the shot is fired. This is a bit more like how pen-testing should be done. You're right, it's not a level playing field, but that didn't start when the pen-tester notified the company; it started when the company hired them and promised not to prosecute them for breaking in :)
Imagine a remodeler retrofitting a new room addition onto an old house. You make a preliminary estimate, and adjust that once you are into the walls and studs and have found the unexpected. Much like my envisioning here the work of liu die yu, who took a number <6 wasn't it?> of minor exploits and combined them into something a tad more strategic than any of them alone. The dynamics of what is found after poking about might well set one to venture off the planned path.

Thanks,

Ron DuFresne

--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!