Firewall Wizards mailing list archives

Re: Penetration testing via social engineering/physical penetration


From: "Ryan Russell" <ryanr () sybase com>
Date: Sat, 26 Sep 1998 09:44:43 -0700




The general consensus is that you can usually find someone willing to give
up their username/password.  I think it is still popular opinion that most
attacks come from within a company or a former employee.

Sad but true.

If I can walk into your building and pour sugar down into your backup
generators, or sit down in a cube all day w/o being questioned (other than
someone else new to the building asking you for directions to the
bathroom) that this is just as big of a risk to be broken through as any
misconfiguration (since there are bound to be misconfigurations on the
inside of a company's network, and once you are on that side wall, your
border firewall is now useless.

Yep, perimeter security alone isn't sufficient.  Yep, you're totally
dependent on your physical facilities being secure.

From my perspective, it would appear that this would have no effect, or a
positive effect.  I'm sure we've all seen/worked at/been to sites which
have many gullible and uneducated (as far as not falling for the fact that
I'm some line technician 20ft up on a pole) employees, and some very, very
unattentive security guards at the gates.  But what do you expect with
what you're paying those people.

I'm having difficulty picking out your question, unless you were making
a statement.

We are all totally dependent on physical security to keep our information
secure.  I suspect most of us don't have responsibility for physical
security in addition to network/system security.  There is the advantage
that the attacker puts themselves at a greater risk by showing up in your
building.

If you're asking something along the lines of "should full penetration
testing be allowed, including social engineer?  Is there any point since
they're guaranteed to get in?"

Before anyone pays for any penetration test, they should know what they
want tested.  My opinion is that there's no point in testing something you
already know is broken.  If you're confident your firewall is in good
shape, test that.  If you're confident that your internal system security
is in good shape (ha!) then test that.  If you think your users are
educated enough to recognize a scam over the phone (ha! HA!), do SE
testing.

When my management asks me if I want/can we do a security audit, I tell
them "No, let's fix the problems I've been pointing out for the last
couple of years, and quit asking me to introduce new ones."

Really... I'll do my own audit for half the money :)

I would probably only ever request a pinpoint audit... to test something
specific that I think is in good shape.

Put it this way, a good hacker, with no fear of being caught (because
you're paying them) is guaranteed to get in eventually.

                         Ryan






