RE: Email Pen-testing

["R. DuFresne" <dufresne () sysinfo com>]

On Tue, 23 Mar 2004, Rob Shein wrote:

> > of the bag.  Advance warnings of each and every step is not a 
> > level playing filed and certainly does not resemble reality for sure.
>
> Alright.  Imagine for a second you're not a security expert, but instead
> you're the designer of body armor for police.  When you test your armor, do
> you have some cops wear it on the beat and set up an ambush using some
> gangbangers unload on them in public?  Of course not.  You're not looking to
> resemble reality, and not just because the reality is a bad bad thing.
> Under those circumstances, you're going to lose a lot of your data's
> validity.  How far was the weapon from the vest, what kind of ammo was used,
> what was the angle...it goes on.  And of course, in a pen test, if you get
> into the client and they are a bank, for example, you're not going to give
> yourself a nice six- or seven-figure bonus just because you can.  That too
> would resemble reality, but again, that's not really the point.  It's not a
> Spielberg film, you're not trying to make it as real as possible.  You're
> just looking to see if it could be done as the real thing.
>
> You put the vest on a mannekin, take it to your firing range, carefully
> measure the distance, and then fire your hand-loaded bullet through a
> custom-made rifle that is highly accurate and repeatably maintains a
> consistent velocity towards the target.  You're going to take copious notes
> on every aspect of it, and by no means will any human be in view anywhere
> downrange when the shot is fired. This is a bit more like how pen-testing
> should be done.  You're right, it's not a level playing field, but that
> didn't start when the pen-tester notified the company; it started when the
> company hired them and promised not to prosecute them for breaking in :)

Imagine a remodeler, retrofitting a new room addition onto an old house.
You make a prelim estimate, and adjust that once you are into the walls
and studs and have found the unexpected.  Much like my envisioning here
the work of liu die yu who took a number <6 wasn't it?> minor exploits to
combine into something a tad more strategic then any of them alone.

The dynamics of what is found after poking about might well set one to
venture off the planned path.

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!


---------------------------------------------------------------------------
You're a pen tester, but is google.com still your R&D team?
Now you can get trustworthy commercial-grade exploits and the latest
techniques from a world-class research group.
www.coresecurity.com/promos/sf_ept1
----------------------------------------------------------------------------