Penetration Testing mailing list archives

RE: physical security pentesting procedures, tips, audit programs?


From: Frank Knobbe <frank () knobbe us>
Date: Thu, 09 Dec 2004 14:17:53 -0600

On Thu, 2004-12-09 at 14:12, Todd Towles wrote:
> Frank, If I remember correctly Xyberpix stated that they should be
> hidden. St8r from his e-mail
>
>  " be allowed, stick a business card somewhere out of sight, and make a
> note of it."

Ah, okay. I still think it's a bad idea :)

> [...] The general staff
> wouldn't know what is going on...and sorry to say it but the test is
> designed to find the sorry security, not hide it.

Sure, but you show it to management/sponsor. You don't show it to the
people affected unless they are involved in a test (like branch managers
having you detained in their office).

Penetration Testing is all about showing flaws, but to the sponsor, not
the folks who commit the violations. It's the responsibility of the
sponsors to take action in a way they see fit.

Discretion is paramount in these engagements. You just don't leave stuff
behind.


But hey, if that works for you, more power to you ;)

Cheers,
Frank
