Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: Oliver Schad <oliver.schad () oschad de>
Date: Thu, 15 Jan 2009 17:49:11 +0100
On Thursday, 15 January 2009, David Howe wrote to me:
> Oliver Schad wrote:
> > I mean, why should I choose as a tester a role of an attacker who knows nothing about the network if there is somebody in this world who could attack this network with all knowledge he needs?
> Normally the framing of the attack model is part of the negotiation - you can start out by assuming the attacker will have a full network topology and all admin/root passwords, but you will probably find the network isn't really that secure, and the report will probably get slammed as being "unrealistic". However equally, you can't start out by assuming an attacker will know nothing - if an attacker could reasonably know something (a valid user/pass pair on the LAN, for example) that needs to be set out in the contract before the pentest starts.
I think it's important to estimate or show the costs for a successful attack. Which way you choose to do this doesn't matter. The cost is a value a customer can work with.

Regards
Oli