Penetration Testing mailing list archives

Re: Using 0days as part of pen-test?


From: David Howe <DaveHowe.Pentest () googlemail com>
Date: Mon, 19 Jan 2009 11:01:05 +0000

Oliver Schad wrote:
I think it's important to estimate or show the costs for a successful 
attack. Which way you choose to do this doesn't matter. The cost is a 
value a customer can work with.


Sure, but the framing is important too.

  I once got asked "what will we do if one of the network administrators
decides to hack the system" as part of a security review. The answer was
- you had better hope that never happens, as you are lost beyond hope of
retrieval.

  Pentesting is all about risk assessment - if you presume too much
advance knowledge, then while the "cost" of the penetration is high, the
likelihood (in the real world) of that threat is low and the one-off and
ongoing costs for defending against it tend to be uneconomic. For
instance, on one site I still support, the "admin threat" is dealt with
by posting an armed soldier behind the admin, with orders to restrain
and/or shoot the admin if he tries to access anything beyond his
security clearance and/or current job, and a second admin to tell the
guard when this happens (as the guard isn't even allowed to look at the
screen).

  Obviously, this is economic if you are on a military base (with a
surplus of armed soldiers) _and_ the admin concerned is an occasional
visitor (for tech support above and beyond what the onsite staff can
provide). I have no firm evidence what happens for the second admin in
his day-to-day job, but I am under the impression (from random comments)
that when I leave, he goes back to his nice, code-and-card-access-only
terminal room and RDPs to the server concerned with no checks or
balances at all...

  On the whole, companies seem to want one of two things from a pentest:
they want a "clean" report for due diligence, or they want a proactive
action list they can use to get budget and improve security (determining
which they want early on can save you a lot of heartache). There *are*
exceptions, but not many :)
