Penetration Testing mailing list archives

Re: What is your policy on customers participating in a pen test?


From: Gary Warner <gar () askgar com>
Date: Wed, 20 Jun 2001 15:49:41 -0500

My observations have been that when IT folk want to be part of a PenTest, they are
trying to study your techniques so they can make sure of two things:
 1)  they know what is going to be attacked and when, so if they can't defend they
can at least react with due diligence.
 2)  they know how the attack was performed so that in a follow-up test there is no
way in hell you are going to get in.  (Or better yet, that there won't be a
follow-up test, because they can report that they could do it themselves for far
less money.)

This comes largely from the misperception that the purpose of a Pen-Test is to slap
the hands of IT and say "bad doggie".  Face it.  Our profession pits our skills as
violators against their skills as defenders.  That's why it is so critical to help
them understand that this is A PART of a much larger project.

In our methodology, the IT department is usually made aware of PenTest when their
alarms start going off OR when two weeks later we present our findings from phase
one and two, and prepare to work with the IT staff for phases three and four.

Involving IT in the PenTest creates an artificial world.  It would be like calling
and making an appointment to burglarize someone's home.  Just as part of the PenTest
is to analyze security vulnerabilities in their "normal state", part of the PenTest
should be to analyze the responsiveness of IT to intrusions in their "normal
state".

Unfortunately, IT usually wants to be very involved in the PenTest planning and
knows you are coming and when.  You want to avoid this.  First, the more they tell
you about their network, the more artificial your PenTest becomes.  It's impressive
to own every box when they document all the servers first.  It's more impressive to
start with a blank sheet of paper.  The first and second phases of our PenTest
involve *NO* data provided from the customer.  They want to be involved?  Great!
Promise them full disclosure during the Gap Analysis, and stroke their egos and tell
them how critical their input will be during later phases of the PenTest.  As for
the timing, try to work the engagement where the PenTest will be begun WITHIN 45
DAYS.  Don't tell them when it's going to start.  Have a coordination point, at the
highest management level possible, who will receive daily briefings on planned
activities, so they don't go calling the FBI when they shouldn't, or vice versa.
But let them sweat.  Let them wonder for 30 days when the attack is coming.  Let
them see some activity, but save the serious punching for the later rounds, when you
are fresh, and they are exhausted from this uncustomary watching and waiting.

_-_
gar
