Re: Fwd: Article Announcement - Demystifying Penetration Testing

[miguel.dilaj () pharma novartis com]

Hi Jeffrey et all,

I fully agree with what you wrote in the email, but only if that was 
agreed in the pen-test contract. It can be that the critical data is not 
meant to be covered, even with a NDA.
In general, it should be enough to demonstrate that the pen-tester is able 
to reach complete system compromise, because this means that he/she will 
be able to get/tamper/delete any information in the system(s) affected.
But there's one important point you haven't mentioned: system misuse.
It can be launching attacks from the compromised systems, storing nasty 
images/videos/warez in their webservers, etc. In any case you can 
seriously (even legally) harm the victim company.
To do that, the attacker need ONLY system compromise, and he/she doesn't 
care about the company's information assets.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

PD: kudos to Debasis, excellent paper.






Jeffrey Denton <dentonj () gmail com>
11/12/2004 09:31
Please respond to Jeffrey Denton

 
        To:     Debasis Mohanty <mail () hackingspirits com>, pen-test () securityfocus com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        Fwd: Article Announcement - Demystifying Penetration Testing


Jeffrey wrote:
> > This presentation is targeted for all security practitioners (i.e. 
Security
> > Officers / Sys Admins / Security Auditors / Security Enthusiasts.etc). 
This
> > presentation will give a clear picture on how pen testing is done and 
what
> > are the expected results. Various screenshots are provided as a proof 
of
> > concepts to give a brief picture of possible end-results.
>
> Nice, but it doesn't cover the "So what?" question. 
{excellent considerations skipped}