Penetration Testing mailing list archives

Re: Re: Penetration Testing Scheduling


From: zenmasterbob123 () gmail com
Date: 30 Apr 2008 12:54:48 -0000

Hello Yousif;

Here is my take.  In the words of a particularly wise Israeli back around 30 AD, "If the householder had known the 
thief was coming, he would have stayed up all night".  Some people will tell you that you should never let the customer 
know exactly when the pen test is going to be done because they are afraid that the customer is going to temporarily 
increase their security posture in order to pass the test.  The idea behind this thinking is that the customer isn't 
really interested in increasing their security, only in achieving some sort of regulatory compliance, and that as soon 
as the test is done expediency will outweigh security and they will return to their prior security posture.
 
Some will say that it is your job as a security professional to help the customer increase their security.  I disagree. 
Your job as a pen tester is to evaluate their security posture.  Their security may be artificially high because they 
are expecting a pen attempt.  Your duty, at the most, is to inform them that there is going to be some sort of pen 
attempt every day they are in business.  The only difference between your assessment and every other week in their 
lives is that they know one of the parties that will be trying to circumvent their defences that particular week.  
Probably not the only party, however, because if anyone is paying attention to their business they will know that a pen 
test is being done that week, which provides excellent cover for their attempts.
 
So if it is not already in your contractual obligations to tell the customer when you will be conducting the test, at 
least down to the beginning and ending hours, then you should probably have the agreement amended to include the 
information for at least these three reasons:
 
1.  The aforementioned malicious outsider, who is watching the company and looking for something that will cover his 
attempts.
 
2.  The malicious insider, who will also be looking for cover and no doubt take advantage of the misdirection to steal, 
destroy, or modify data.
 
3.  Accuracy in reporting.  The customer is paying for an evaluation of their security posture.  They need as much 
detail as possible.  When you tell them the times of the test, they can in turn make the decision as to whether they 
want to treat the test window as an ordinary day, or if they want to test any additional measures they might want to 
take if, for example, someone made a threat against them.  Or they may want to test a combination of reactions.  
 
4.  Added value.  There are a number of ways they may choose to use this test as a secondary opportunity.  The customer 
may take the opportunity provided by the pen test to monitor their internal staff, in part or as a whole,  to see how 
they react to a pen attempt.  They may suspect someone on the inside of having already done something, and take the 
opportunity to look at employee reactions.  They may use the pen test as cover themselves to investigate suspicious 
internal activity.  With the knowledge of when the test will start and end, they can make these plans themselves.  And 
if they haven't thought to do so, you can suggest it and thereby add value to your services.
 
The most important point, though, is that this issue should absolutely be addressed very early on in the discussion of 
services.  If the customer hasn't brought it up, then the customer isn't thinking about all of the ramifications of the 
pen test, and you, as the service provider, need to make them aware of them.
 
I hope I haven't ranted too much.  Good luck with your test!
 
ZMB
