Penetration Testing mailing list archives
RE: Blue Team ROE
From: "McCarty, Eric C." <emccarty () er ucsd edu>
Date: Mon, 5 Mar 2007 09:59:25 -0800
+1

These types of constraints are a way to create the illusion of due diligence in that they are having an outside company perform a security audit. As mentioned by others you have two choices:

1) Take the work, do the best you can with what you have and document everything, explaining of course the significant limitations placed upon the audit by client constraints.

2) Explain to the client that placing these constraints limits the audit in such a fashion that it creates an unlikely real world scenario and would not improve the security of their network or provide groundwork to improve processes/procedures or strengthen their security posture.

Finally I would like to reiterate that by performing this audit with limitations such as described below you may open yourself up to liability if you do not properly (dot I's and cross T's) document the limitations.

Eric McCarty

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Dexter, Ben
Sent: Sunday, March 04, 2007 5:52 PM
To: mesenbrink () hotmail com
Cc: pen-test () securityfocus com
Subject: RE: Blue Team ROE

I would be asking the client if they think a malicious attacker will abide by policy? How critical is the data? Are there legal ramifications to public exposure?

Sounds like a good way to hide security issues behind red tape until it's too late to me... any pen-test with that many restrictions will not be worth conducting due to accuracy issues - your company will probably be used simply to cover the customer's ass in the event something does happen down the track.... i.e. "the results did not indicate any issues..." without mentioning the restrictions on pen-testing - it could possibly open you up for nasty legal stuff too...

Ben.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of mesenbrink () hotmail com
Sent: Friday, 2 March 2007 6:45 AM
To: pen-test () securityfocus com
Subject: Blue Team ROE

List,

I wanted to send out a general email asking the members of this list their professional opinions on being limited during a Blue Team pen-test. I have a govt customer that is trying to deny us the ability to remove password hashes/files from the system for cracking, write procedures for every tool/exploit that could possibly be executed, not allow the loading of any tools/exploits on target systems, things like that..... Of course my reaction is that my company will not perform the assessment with such restrictions, what are some thoughts from this list on this subject?