Penetration Testing mailing list archives
RE: Email Pen-testing
From: "Rob Shein" <shoten () starpower net>
Date: Tue, 23 Mar 2004 00:26:59 -0500
of the bag. Advance warnings of each and every step is not a level playing filed and certainly does not resemble reality for sure.
Alright. Imagine for a second you're not a security expert, but instead you're the designer of body armor for police. When you test your armor, do you have some cops wear it on the beat and set up an ambush using some gangbangers unload on them in public? Of course not. You're not looking to resemble reality, and not just because the reality is a bad bad thing. Under those circumstances, you're going to lose a lot of your data's validity. How far was the weapon from the vest, what kind of ammo was used, what was the angle...it goes on. And of course, in a pen test, if you get into the client and they are a bank, for example, you're not going to give yourself a nice six- or seven-figure bonus just because you can. That too would resemble reality, but again, that's not really the point. It's not a Spielberg film, you're not trying to make it as real as possible. You're just looking to see if it could be done as the real thing. You put the vest on a mannekin, take it to your firing range, carefully measure the distance, and then fire your hand-loaded bullet through a custom-made rifle that is highly accurate and repeatably maintains a consistent velocity towards the target. You're going to take copious notes on every aspect of it, and by no means will any human be in view anywhere downrange when the shot is fired. This is a bit more like how pen-testing should be done. You're right, it's not a level playing field, but that didn't start when the pen-tester notified the company; it started when the company hired them and promised not to prosecute them for breaking in :) --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
Current thread:
- RE: Email Pen-testing, (continued)
- RE: Email Pen-testing Kevin (Mar 22)
- RE: Email Pen-testing R. DuFresne (Mar 22)
- RE: Email Pen-testing Blake Wiedman (Mar 22)
- RE: Email Pen-testing Chuck Herrin (Mar 22)
- RE: Email Pen-testing James Taylor (Mar 23)
- RE: Email Pen-testing Kevin (Mar 23)
- RE: Email Pen-testing Chris Hurley (Mar 23)
- RE: Email Pen-testing AJ Butcher, Information Systems and Computing (Mar 23)
- RE: Email Pen-testing Frank Knobbe (Mar 24)
- Re: Email Pen-testing Michael Richardson (Mar 24)
- RE: Email Pen-testing R. DuFresne (Mar 22)
- RE: Email Pen-testing Kevin (Mar 22)
- RE: Email Pen-testing Rob Shein (Mar 23)
- RE: Email Pen-testing Brad . Murray (Mar 23)
- Re: Email Pen-testing Michael Richardson (Mar 23)
- RE: Email Pen-testing R. DuFresne (Mar 23)
- Re: Email Pen-testing Rainer Duffner (Mar 23)