Penetration Testing mailing list archives
RE: Hacking to Xp box
From: "Omar A. Herrera" <omar.herrera () oissg org>
Date: Fri, 2 Sep 2005 22:51:25 -0500
-----Original Message-----
From: Michael Gargiullo [mailto:mgargiullo () pvtpt com]

One other thing... Malicious people will go for the low hanging fruit with high value first. Your CEO's PC won't be high on the list.

That's a good point, even the secretaries of CEOs might have more important information on their computers than CEOs themselves. But you consider that convincing the CEO is critical to obtain support for an adequate top down security strategy (the secretary is not going to pay for more security resources if they are badly needed). People in high positions tend to lose the sense of the importance of resources, in particular of those they don't interact with. Even if you manage to hack the most critical of their production servers, it is nothing they are familiar with, they probably don't even know the thing exists, and they might not care anyway. If you shut down a critical production server you will definitely catch their attention because of the side-effects, not for the hack of the system itself. But that strategy should be discarded (hitting hard your own organization just to show that risks are real will get you kicked out or jailed, not to mention the damage you could do). Because of this, it might be a better idea to make the demonstration with the CEO's personal computer: You are less likely to hit the organization badly if something goes wrong, and you will still catch her/his attention.
From the tone of the original poster, it seems he was challenged by the CEO.
It might not look too professional to engage in games like this, but to be honest, if he succeeds, he will most probably get more support for security within his company. In short: the company wins if he wins. Many times your most important battles are fought far away from the technical ground (e.g. policies, culture,...) in this case, the real target is the CEO's ego (to make him more conscious about security).

Regards,
Omar Herrera