Penetration Testing mailing list archives
Re: Re: Penetration Testing Scheduling
From: zenmasterbob123 () gmail com
Date: 30 Apr 2008 12:54:48 -0000
Hello Yousif;

Here is my take. In the words of a particularly wise Israeli back around 30 AD, "If the householder had known the thief was coming, he would have stayed up all night".

Some people will tell you that you should never let the customer know exactly when the pen test is going to be done because they are afraid that the customer is going to temporarily increase their security posture in order to pass the test. The idea behind this thinking is that the customer isn't really interested in increasing their security, only in achieving some sort of regulatory compliance, and that as soon as the test is done expediency will outweigh security and they will return to their prior security posture.

Some will say that it is your job as a security professional to help the customer increase their security. I disagree. Your job as a pen tester is to evaluate their security posture. Their security may be artificially high because they are expecting a pen attempt. Your duty, at the most, is to inform them that there is going to be some sort of pen attempt every day they are in business. The only difference between your assessment and every other week in their lives is that they know one of the parties that will be trying to circumvent their defences that particular week. Probably not the only party, however, because if anyone is paying attention to their business they will know that a pen test is being done that week, which provides excellent cover for their attempts.

So if it is not already in your contractual obligations to tell the customer when you will be conducting the test, at least down to the beginning and ending hours, then you should probably have the agreement amended to include the information for at least these three reasons:

1. The aforementioned malicious outsider, who is watching the company and looking for something that will cover his attempts.

2. The malicious insider, who will also be looking for cover and no doubt take advantage of the misdirection to steal, destroy, or modify data.

3. Accuracy in reporting. The customer is paying for an evaluation of their security posture. They need as much detail as possible. When you tell them the times of the test, they can in turn make the decision as to whether they want to treat the test window as an ordinary day, or if they want to test any additional measures they might want to take if, for example, someone made a threat against them. Or they may want to test a combination of reactions.

4. Added value. There are a number of ways they may choose to use this test as a secondary opportunity. The customer may take the opportunity provided by the pen test to monitor their internal staff, in part or as a whole, to see how they react to a pen attempt. They may suspect someone on the inside of having already done something, and take the opportunity to look at employee reactions. They may use the pen test as cover themselves to investigate suspicious internal activity. With the knowledge of when the test will start and end, they can make these plans themselves. And if they haven't thought to do so, you can suggest it and thereby add value to your services.

The most important point, though, is that this issue should absolutely be addressed very early on in the discussion of services. If the customer hasn't brought it up, then the customer isn't thinking about all of the ramifications of the pen test, and you, as the service provider, need to make them aware of them.

I hope I haven't ranted too much. Good luck with your test!

ZMB