Penetration Testing mailing list archives
RE: physical security pentesting procedures, tips, audit programs?
From: "Todd Towles" <toddtowles () brookshires com>
Date: Thu, 9 Dec 2004 14:26:26 -0600
Well, I do not work as a pen-tester so you may have more direct knowledge on the subject. I can't speak for Xyberpix, but mine was only an idea offered to a person looking for ideas. Ideas are debatable.

Frank has a good point tho, pictures could serve the same purpose as Xyberpix's card idea. Cameras will put the date and time on each photo so that would be useful. But then you have to hide the camera. =)

The general staff should be kept in the dark. The management will decide what to do and what to change and then make that happen. Only persons connected to the test should be aware of it. The changes that come out of it on the other hand may be felt by the general staff. =)

I never suggested the public should be aware of the problems. That would be crazy.

Hey Frank, you are on FD right? Do you know anything about it? It doesn't seem to be working. Everyone I talk to hasn't received a message on FD since yesterday morning.

-Todd
-----Original Message-----
From: Frank Knobbe [mailto:frank () knobbe us]
Sent: Thursday, December 09, 2004 2:18 PM
To: Todd Towles
Cc: xyberpix; Vic N; Pen-Test[List]
Subject: RE: physical security pentesting procedures, tips, audit programs?

On Thu, 2004-12-09 at 14:12, Todd Towles wrote:
> Frank,
>
> If I remember correctly Xyberpix stated that they should be hidden. St8r from his e-mail " be allowed, stick a business card somewhere out of sight, and make a note of it."

Ah, okay. I still think it's a bad idea :)

[...]

> The general staff wouldn't know what is going on...and sorry to say it but the test is designed to find the sorry security, not hide it.

Sure, but you show it to management/sponsor. You don't show it to the people affected unless they are involved in a test (like branch managers having you detained in their office).

Penetration Testing is all about showing flaws, but to the sponsor, not the folks who commit the violations. It's the responsibility of the sponsors to take action in a way they see fit. Discretion is paramount in these engagements. You just don't leave stuff behind.

But hey, if that works for you, more power to you ;)

Cheers,
Frank