Penetration Testing mailing list archives
Re: Using 0days as part of pen-test?
From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 19 Jan 2009 11:01:05 +0000
Oliver Schad wrote:
> I think it's important to estimate or show the costs for a successful attack. Which way you choose to do this doesn't matter. The cost is a value a customer can work with.
Sure, but the framing is important too. I once got asked "what will we do if one of the network administrators decides to hack the system" as part of a security review. The answer was: you had better hope that never happens, as you are lost beyond hope of retrieval.

Pentesting is all about risk assessment. If you presume too much advance knowledge, then while the "cost" of the penetration is high, the likelihood (in the real world) of that threat is low, and the one-off and ongoing costs for defending against it tend to be uneconomic.

For instance, on one site I still support, the "admin threat" is dealt with by posting an armed soldier behind the admin, with orders to restrain and/or shoot the admin if he tries to access anything beyond his security clearance and/or current job, and a second admin to tell the guard when this happens (as the guard isn't even allowed to look at the screen). Obviously, this is economic if you are on a military base (with a surplus of armed soldiers) _and_ the admin concerned is an occasional visitor (for tech support above and beyond what the onsite staff can provide). I have no firm evidence of what happens for the second admin in his day-to-day job, but I am under the impression (from random comments) that when I leave, he goes back to his nice, code-and-card-access-only terminal room and RDPs to the server concerned with no checks or balances at all...

On the whole, companies seem to want one of two things from a pentest: they want a "clean" report for due diligence, or they want a proactive action list they can use to get budget and improve security (determining which they want early on can save you a lot of heartache). There *are* exceptions, but not many :)