Penetration Testing mailing list archives
Re: Penetration Testing Scheduling
From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 30 Apr 2008 07:47:14 -0700 (PDT)
Red teaming is a valid approach to testing, where the IT staff has no knowledge of the engagement outside of management. It all depends on the rules of engagement. This should be tailored to the client and their needs.

Most commonly, with the organizations that I work with, it is most appropriate to involve the client closely. When they want to test whether their IDS is working properly, we try some stealthy probing of systems and accesses that they would want to be alerted about and then ask them, "Did you get an alert from this stuff I was doing at xx:00 p.m.?"

Does the client want to test their incident response procedures and personnel training on that procedure? If so, you need to be sure that specific people are kept out of the loop, so their response is genuine. But not all engagements will include these elements. Certainly the receptionist should not be clued in that someone may try to sneak by her in the next week or so.

So, you see that who is let in on knowledge of the testing depends on what is being tested.

I also find that a lot of testers get a lot of ego boost out of the game of beating the IT team. If that's your goal, tell them as little as possible. If your goal is, instead, to help them find the vulnerabilities so that they can fix them, you should work with them closely.

--- On Tue, 4/29/08, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:
> From: arvind doraiswamy <arvind.doraiswamy () gmail com>
> Subject: Re: Penetration Testing Scheduling
> To: Yousif () vapt-sec com
> Cc: pen-test () securityfocus com
> Date: Tuesday, April 29, 2008, 10:33 AM
>
> Hey Yousif,
>
> That's quite strange actually. Why wouldn't you tell them the time? You have to give them time to get ready, inform various teams to not panic if they see scans and all that stuff. An approximate starting date should be good enough; like 30th April 2008. Doesn't need to be 30th April 2008 - 12:00:09:87:675microseconds :)
>
> Cheers
> Arvind
>
> On Sun, Apr 27, 2008 at 1:28 AM, <Yousif () vapt-sec com> wrote:
> > I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable, but I'm not sure as to why they that... Can anyone define for me the right approach?
> >
> > Do you plan the assessment and let them know it's within a week or so, or do you simply inform them the date and time specifically?