Penetration Testing mailing list archives
Re: Fwd: Article Announcement - Demystifying Penetration Testing
From: miguel.dilaj () pharma novartis com
Date: Mon, 13 Dec 2004 09:10:36 +0100
Hi Jeffrey et al.,

I fully agree with what you wrote in the email, but only if that was agreed in the pen-test contract. It can be that the critical data is not meant to be covered, even with an NDA. In general, it should be enough to demonstrate that the pen-tester is able to reach complete system compromise, because this means that he/she will be able to get/tamper/delete any information in the system(s) affected.

But there's one important point you haven't mentioned: system misuse. It can be launching attacks from the compromised systems, storing nasty images/videos/warez in their webservers, etc. In any case you can seriously (even legally) harm the victim company. To do that, the attacker needs ONLY system compromise, and he/she doesn't care about the company's information assets.

Cheers,
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

PS: kudos to Debasis, excellent paper.

Jeffrey Denton <dentonj () gmail com>
11/12/2004 09:31
Please respond to Jeffrey Denton
To: Debasis Mohanty <mail () hackingspirits com>, pen-test () securityfocus com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Fwd: Article Announcement - Demystifying Penetration Testing

Jeffrey wrote:
This presentation is targeted for all security practitioners (i.e. Security Officers / Sys Admins / Security Auditors / Security Enthusiasts, etc.). This presentation will give a clear picture on how pen testing is done and what are the expected results. Various screenshots are provided as a proof of concepts to give a brief picture of possible end-results.

Nice, but it doesn't cover the "So what?" question.
{excellent considerations skipped}