Penetration Testing mailing list archives

Re: Penetration Testing Scheduling


From: Sat Jagat Singh <flyingdervish () yahoo com>
Date: Wed, 30 Apr 2008 07:47:14 -0700 (PDT)

Red teaming is a valid approach to testing, where the IT staff has no knowledge of the engagement outside of 
management.  It all depends on the rules of engagement.  This should be tailored to the client and their needs.

Most commonly with the organizations that I work with it is most appropriate to involve the client closely.  When they 
want to test whether their IDS is working properly, we try some stealthy probing of systems and accesses that they would 
want to be alerted about and then ask them, "Did you get an alert from this stuff I was doing at xx:00 p.m.?"  Does the 
client want to test their incident response procedures and personnel training on that procedure?  If so, you need to be 
sure that specific people are kept out of the loop, so their response is genuine.  But not all engagements will include 
these elements.  Certainly the receptionist should not be clued in that someone may try to sneak by her in the next 
week or so.

So, you see that who is let in on knowledge of the testing depends on what is being tested.

I also find that a lot of testers get a lot of ego boost out of the game of beating the IT team.  If that's your goal, 
tell them as little as possible.  If your goal is, instead, to help them find the vulnerabilities so that they can fix 
them, you should work with them closely.


--- On Tue, 4/29/08, arvind doraiswamy <arvind.doraiswamy () gmail com> wrote:

From: arvind doraiswamy <arvind.doraiswamy () gmail com>
Subject: Re: Penetration Testing Scheduling
To: Yousif () vapt-sec com
Cc: pen-test () securityfocus com
Date: Tuesday, April 29, 2008, 10:33 AM
Hey Yousif,
That's quite strange actually. Why wouldn't you tell them the time? You
have to give them time to get ready, inform various teams to not
panic if they see scans and all that stuff. An approximate starting
date should be good enough; like 30th April 2008. Doesn't need to be
30th April 2008 - 12:00:09:87:675microseconds :)

Cheers
Arvind

On Sun, Apr 27, 2008 at 1:28 AM, <Yousif () vapt-sec com> wrote:
I've heard a lot of folks say that telling your customers exactly when
you will begin the testing is not suitable, but I'm not sure as to why
they say that... Can anyone define for me the right approach? -- Do you
plan the assessment and let them know it's within a week or so, or do
you simply inform them of the date and time specifically?


------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------
