Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Michael Boman <michael.boman () gmail com>
Date: Sun, 19 Apr 2009 23:01:12 +0200
On Sat, Apr 18, 2009 at 9:14 PM, Micheal Cottingham <techie.micheal () gmail com> wrote:
> Also, I have to disagree on the penetration tests causing trouble because people weren't notified. Done right and responsibly, those who need to know about the testing will be notified. Part of the point of testing is that those who are monitoring the servers/network need to be "out of the loop" so when they see malicious activity, they can respond to it as they would for any other incident. If, for example, they know I'm coming, chances are pretty good that they will react differently than if they did not know I was coming. As an auditor/pen tester, I don't want that. I want to know that if I do something, the people I'm trying to help will have the ability, through their network monitoring, to respond to incidents. So when it is the real thing, they know what to do and do it quickly and accurately.
Some additional tips. If you end up doing a pentest for a very small shop where the operational people are the same as the IT management people, you can still achieve sort of the same result by giving the target organization a very large time frame in which you will conduct the work. I have been giving shops a 2-month time frame for no more than 2 weeks of work (I, like most consultants, charge for time spent, not for calendar time). That way they at least need to stay on their toes for 2 months, and hopefully get into the habit of doing it from there on.

Best regards
Michael Boman
--
http://michaelboman.org - Security Blog & Wiki