Penetration Testing mailing list archives

Re: Need Some Guidance Please

From: Michael Boman <michael.boman () gmail com>
Date: Sun, 19 Apr 2009 23:01:12 +0200

On Sat, Apr 18, 2009 at 9:14 PM, Micheal Cottingham
<techie.micheal () gmail com> wrote:

Also, I have to disagree on the penetration tests causing trouble
because people weren't notified. Done right and responsibly, those who
need to know will know about the testing will be notified. Part of the
point of testing is that those who are monitoring the servers/network
need to be "out of the loop" so when they see malicious activity, they
can respond to it as they would for any other incident. If for example
they know I'm coming, chances are pretty good that they will react
differently than if they did not know I was coming. As an auditor/pen
tester, I don't want that. I want to know that if I do something, the
people I'm trying to help will have the ability through their network
monitoring to respond to incidents. So when it is the real thing, they
know what to do and do it quickly and accurately.


Some additional tips. If you end up doing pentest for a very small
shop where the operational people are the same as it management
people, you can still archive sort of the same result by giving the
target organization  a very large time frame in which you will conduct
the work. I have been giving shops 2 months time frame to spend no
more then 2 weeks of work on (I, like most consultants, charge for
time spent - not for the calendar time) - that way they at least need
to stay on their toes for 2 months, and hopefully got into the habit
of doing it from there on.

Best regards
Michael Boman

-- 
http://michaelboman.org - Security Blog & Wiki

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits? 
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for 
Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well. 

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------

Current thread:

Need Some Guidance Please Elizabeth Tolson (Apr 17)
- Re: Need Some Guidance Please Jeffrey Walton (Apr 17)
  - Re: Need Some Guidance Please Michael Boman (Apr 18)
  - Re: Need Some Guidance Please Daniel Clemens (Apr 18)
    - Re: Need Some Guidance Please Jeffrey Walton (Apr 18)
  - Re: Need Some Guidance Please Micheal Cottingham (Apr 18)
    - Re: Need Some Guidance Please Michael Boman (Apr 21)
  - Re: Need Some Guidance Please Nate (Apr 18)
    - Need for Intrusion/Infection Data Baykal, Adnan (CSCIC) (Apr 21)
    - Re: Need for Intrusion/Infection Data Jon Janego (Apr 21)
    - Re: Need for Intrusion/Infection Data Leonardo Cavallari Militelli (Apr 21)
    - RE: Need for Intrusion/Infection Data Honer, Lance (Apr 21)
- Re: Need Some Guidance Please Elizabeth Tolson (Apr 21)
  - Re: Need Some Guidance Please Stephen Mullins (Apr 21)
  - Re: Need Some Guidance Please Aarón Mizrachi (Apr 30)
- Re: Need Some Guidance Please Matt Gardenghi (Apr 21)
- Re: Need Some Guidance Please Pete Herzog (Apr 21)

(Thread continues...)