Penetration Testing mailing list archives

Re: Info collection


From: H Carvey <keydet89 () yahoo com>
Date: 12 Aug 2004 11:12:56 -0000

In-Reply-To: <20040811092548.GA2978 () josefina dcit cz>

> Because (at least in our local environment) the customers (be it
> managers or IT security staff) are used to paying for "Penetration Tests"
> (as a general common name product) and they expect that the final report is
> comprehensive (every IP & every port & known/common vulnerability is
> covered, like in VA).

When I've done these, the issue of the customer's expectations is usually
handled by the sales rep.  The last thing that the engineers want to deal
with is a customer who signs up for a pen-test, but expects something as
comprehensive as a VA.

Also, service definitions help a lot.

> They are also expecting that the consultants attempt to exploit some
> vulnerabilities, escalate privileges through more layers of security,
> brute-force user/passwords, exploit SQL injections etc. and see how
> deep they can break and how much info they can gather (like in
> a pen-test) because they need to get some "real" (demonstrable)
> results and use them to speed up fixing the issues, upgrading, give
> reasons for bigger budget for security and to get their
> vendors/providers under pressure.

Even with vulnerability assessments, I'd shy away from such things.  However,
in some cases, the sales guys do the right thing and call us (engineers)
before anything is signed by the customer.  Once on site, we can easily
identify the low-hanging fruit, and provide the demonstrable results with
minimal impact to the infrastructure.

> Shortly, customers pay for "Penetration Tests" (with or without prior
> knowledge) but actually want VA with pen-test included.

Again, that really needs to be dealt with up front...service definitions,
and sales reps (and even the engineers themselves) setting the customer
expectations.  Sure, if the customer wants it...fine, no problem.  However,
my experience has been that while the customer admins may want the
"demonstrable results", management (i.e., check signers) would rather simply
stick to what allows them to be in compliance (HIPAA, SEC, etc.).

...just my $0.02...
