Penetration Testing mailing list archives
Re: Penetration Testing - Human Factor
From: <KeenerPB () mcnosc usmc mil>
Date: Sat, 26 Aug 2006 20:51:42 -0400
We use social engineering on almost every assessment we do except when the request is for a strict technical assessment. Capt. Paul B. Keener OIC, Marine Corps Red Team Marine Corps Network Operations & Security Command STE: 703.784.4327 (DSN 278) Cell: 703.399.9639 NIPR: keenerpb () mcnosc usmc mil SIPR: keenerpb () mcnosc usmc smil mil -------------------------- Sent from my BlackBerry Wireless Handheld -----Original Message----- From: StyleWar <stylewar () cox net> To: 'Joey Peloquin' <joeyp () cotse net>; Keener Capt Paul B <KeenerPB () mcnosc usmc mil> CC: 'Pen-Testing' <pen-test () securityfocus com> Sent: Sat Aug 26 19:44:04 2006 Subject: RE: Penetration Testing - Human Factor lol With respect, I think that's a greater commentary on your contracting methods than it is on what's available. The Pen-Tests I have run include everything from physical, to logical, to social/administrative. The customer has had to opt out on specific methods and attack trees as part of the preengagement process. - StyleWar "Patriotism isn't defined in a moment. It's defined in a lifetime."
-----Original Message----- From: Joey Peloquin [mailto:joeyp () cotse net] Sent: Wednesday, August 23, 2006 7:10 AM To: KeenerPB () mcnosc usmc mil Cc: Pen-Testing Subject: Re: Penetration Testing - Human Factor KeenerPB () mcnosc usmc mil wrote:I would disagree with Arian regarding the technical aspectsof "true"hacking...in my experience, social engineering plays a huge role in successful compromise of a network. Most of the time the boundaries are pretty tight so you have to lob one over the fence (social engineering) in order to punch out from the inside todefeat the boundary devices. All due respect, I'm both an Enterprise pen-test customer and an internal pen-tester at the same company, and I don't see social engineering on the radar at all, save a mention as part of our security awareness program. How many enterprises do you all contract with that *actually* include social engineering, and the like, in the scope? We've paid as much as 40K for an engagement and it didn't include social engineering. -jp -------------------------------------------------------------- ---------- This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php -------------------------------------------------------------- ----------
Current thread:
- RE: Penetration Testing - Human Factor, (continued)
- RE: Penetration Testing - Human Factor KeenerPB (Aug 22)
- Re: Penetration Testing - Human Factor Joey Peloquin (Aug 23)
- Message not available
- Re: Penetration Testing - Human Factor K K Mookhey (Aug 23)
- RE: Penetration Testing - Human Factor Robert D. Holtz - Lists (Aug 23)
- Re: Penetration Testing - Human Factor Joey Peloquin (Aug 23)
- Pen-testing/auditing MS Exchange Servers. Serge Vondandamo (Aug 24)
- RE: Pen-testing/auditing MS Exchange Servers. Justin Polazzo (Aug 25)
- RE: Penetration Testing - Human Factor KeenerPB (Aug 22)
- RE: Penetration Testing - Human Factor StyleWar (Aug 26)
- Re: Penetration Testing - Human Factor Joey Peloquin (Aug 29)