Penetration Testing mailing list archives

RE: Email Pen-testing


From: "R. DuFresne" <dufresne () sysinfo com>
Date: Mon, 22 Mar 2004 13:00:49 -0500 (EST)


It's about time the industry, IT as a whole comes to understand;

a pentest is something much more than a simple port/vuln scan from
outside.


a simple port/vuln scan has its value, as a way to probe for potential
risks.  A *real* pentest is an attempt to actually make use of potential
holes, show they are in fact real risks, and will in fact be able to be
exploited to gain illegal/unwanted entry into an org's systems and to
their core data and apps.  At least since Mitnick's days social
engineering has shown to be a major gateway to resources that should be
better protected.

A company asking for a mere set of potentials wants a sweet little report
done on a port/vuln scan that anyone with minimal skills can accomplish.
A company actually wishing to determine how well they have done their job
of protecting assets might opt for a full pentest, with all the stops out
of the bag.  Advance warnings of each and every step is not a level
playing field and certainly does not resemble reality for sure.

Thanks,

Ron DuFresne


On Mon, 22 Mar 2004, Kevin wrote:

Well, humans are the weakest link in the security ring.. and social
engineering is always the easiest (if not the best) technique to open up
loopholes in a security system.

Although it's an area which requires the most emphasis and concern, it is
also the most sensitive area where security managers get stuck often in.

If the company is ok with social engineering in the pen test, then I
suppose it's ok.. It's ethical as long as you're doing it for a cause
not malicious and harmful.


-----Original Message-----
From: Blake [mailto:netspan () hotmail com] 
Sent: Sunday, March 21, 2004 12:22 AM
To: pen-test () securityfocus com
Subject: Email Pen-testing



Wanted to get your opinion on something...

Doing a pen-test for a small bank which was proving very difficult to
get in. A friend of mine suggested I send a backdoor trojan attachment
via an email. If they clicked on it, the backdoor performs maybe a
boxscan, grab passwords, and connects out to the Internet. --Much like a
virus.

I think this type of testing is becoming more relevant nowadays,
especially with what's out there. It reinforces properly configured
antivirus software and user awareness.

I spoke with a previous customer of mine about the idea. He said he
would be very upset if he was not told prior to that type of test as
part of normal pen-testing.

Generally speaking, my code of ethics doesn't allow me to social
engineer. I don't like lying and misleading people. Also people tend to
hate you after they've been punk'd.

What are your ideas on the email pen-testing?


-Blake



-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

