Penetration Testing mailing list archives
Re: Email Pen-testing
From: Michael Richardson <mcr () sandelman ottawa on ca>
Date: Tue, 23 Mar 2004 11:12:26 -0500
-----BEGIN PGP SIGNED MESSAGE-----
"Rob" == Rob Shein <shoten () starpower net> writes:
Rob> You put the vest on a mannekin, take it to your firing range, Rob> carefully measure the distance, and then fire your hand-loaded Rob> bullet through a custom-made rifle that is highly accurate and Rob> repeatably maintains a consistent velocity towards the target. Rob> You're going to take copious notes on every aspect of it, and Rob> by no means will any human be in view anywhere downrange when Rob> the shot is fired. This is a bit more like how pen-testing Rob> should be done. You're right, it's not a level playing field, Rob> but that didn't start when the pen-tester notified the company; Rob> it started when the company hired them and promised not to Rob> prosecute them for breaking in :) Right, so, to finish the analogy, to do the test right, you get the bank the duplicate their network (plus as much of the Internet as is feasible), plus their "trading partners" in your testing lab, with the same configuration, and you then attack this in a controlled way. (And if you are NASA, you get a duplicate Mars done to imperial units and drop your landers on that version first) - -- ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [ ] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[ ] mcr () xelerance com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[ ] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (GNU/Linux) Comment: Finger me for keys iQCVAwUBQGBh6IqHRg3pndX9AQEr+AQAmLh6k0xlzJl6s6s9urDZotmu3AX4V10m W7OWn5piOo0zIHAa97duZVg+BPLsGTqz8scAPXjtUxC3T/pIRVNWWhc5h8I68LBx xqayLiQcbZmHt5WFCTctYiHMFa9gPHoBZQBj9v3qGzYRR5XrWuUP4KmGuWvGrANJ fjR03P1X4pA= =3xj+ -----END PGP SIGNATURE----- --------------------------------------------------------------------------- You're a pen tester, but is google.com still your R&D team? Now you can get trustworthy commercial-grade exploits and the latest techniques from a world-class research group. www.coresecurity.com/promos/sf_ept1 ----------------------------------------------------------------------------
Current thread:
- RE: Email Pen-testing, (continued)
- RE: Email Pen-testing Blake Wiedman (Mar 22)
- RE: Email Pen-testing Chuck Herrin (Mar 22)
- RE: Email Pen-testing James Taylor (Mar 23)
- RE: Email Pen-testing Kevin (Mar 23)
- RE: Email Pen-testing Chris Hurley (Mar 23)
- RE: Email Pen-testing AJ Butcher, Information Systems and Computing (Mar 23)
- RE: Email Pen-testing Frank Knobbe (Mar 24)
- Re: Email Pen-testing Michael Richardson (Mar 24)
- RE: Email Pen-testing Rob Shein (Mar 23)
- RE: Email Pen-testing Brad . Murray (Mar 23)
- Re: Email Pen-testing Michael Richardson (Mar 23)
- RE: Email Pen-testing R. DuFresne (Mar 23)
- Re: Email Pen-testing Rainer Duffner (Mar 23)