Penetration Testing mailing list archives
Re: Need Some Guidance Please
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 29 Apr 2009 12:32:10 -0430
On Sunday 19 April 2009 15:09:10 Elizabeth Tolson wrote:
> THANKS EVERYONE!!!! I really received some valuable information. One thing I did not state clearly --- when this guy "Ethically Hacked" without employees knowing it, he did it with the permission of the CEO or owner of the company. Apparently, he meets with the CEOs and they are the only ones aware of his Pen Testing.
This has a name: a perfect external blackbox pentesting audit.
---------------------------------------
* Perfect: because the IT department is also tested on its natural response, and the conditions are realistic. This must also be tested in a pentest. Today you must evaluate the IT security team's response, not only the "patched or not patched" state of the devices. If the IT department were warned of the attack, it could "over-react" and distort the test result.
* External: because it is done by an outsider.
* Blackbox: a completely blind attack, simulating a real attacker.
----------------------------------------------
Finally, a real attacker would never ask the IT department before acting...
----------------------------------------------
Who needs to know about it?
- The CEO, in conjunction with the legal department.
----------------------------------------------
What terms are commonly involved?
- To protect company operations, the attacks should not involve "Denial of Service".
----------------------------------------------
What protections should the pentester take?
- Use anonymizing mechanisms to prevent actions against him while the pentest is being executed.
- The CEO must redirect all legal actions to the legal department.
----------------------------------------------
Is it ethical for the CEO not to say anything during the pentest? There could be an intense debate... I think yes and no. But it could be reasonable, because a real hacker will never ask you before an attack.
----------------------------------------------
What are the final risks on the two sides (CEO and pentester)?
- For the pentester: if something happens during the pentest, the pentester has to be over-protected by legal documents (from NDA to permissions). But it also has to be considered that these servers could already be hacked, and it is difficult to prove whether any damage was caused by the pentester, by a real attacker, or even by internal people.
- For the CEO: the company has to be prepared with an "information recovery plan" in case something goes wrong. And keep this in mind: something could go wrong.
----------------------------------------------
Can the owner of the company ask for a pentest?
- Short answer: NOT directly (better: should not do it directly).
- Answer: "owners" means shareholders. First of all, you have to be in "legal control" of the company; then the right way is to plan this with the CEO and the legal department. Otherwise it is like the owner of the company playing with fire and burning down his own company for fun. In some countries this could be taken as "deliberate bankruptcy", and the owner/director assumes the legal consequences.
----------------------------------------------
Is this pentest a silver bullet? No. This is a perfect blackbox pentest, and it is a blind pentest. The logical way to protect your company is to do this:
1.- A perfect blackbox pentest (then: inform, and solve detected issues)
2.- A blackbox pentest (then: inform, and solve detected issues)
3.- A whitebox pentest (then: inform, and solve detected issues)
4.- Do an exhaustive audit; something like ISO 27001 should work. Make the documents, plans, etc. (then: inform, and solve detected issues)
5.- Audit code, internal applications, and more (then: inform, and solve detected issues)
6.- Repeat steps 1, 2 and 3 periodically, and repeat steps 4 and 5 when required.
7.- Periodically audit the documents against reality (completely whitebox).
8.- Have people dedicated to following the plan (updates, checks, etc.).
**** Not a definitive guide, because every company has its own priorities. Step zero is to measure the risk of information security hazards, calculate probabilities, and adjust a budget...
----------------------------------------------
What can you do to get a balance between all your worries?
1. As CEO, inform your IT department that this test could happen yearly without any warning. Then this can increase the response and responsibility on real attacks, because the IT department does not know whether it is an exercise or not.
2. Prepare a disaster recovery plan and backup policy. This is very important, because you will delegate some legal rights to the pentester that could expose your platform to unexpected stress, and if something goes wrong... you as a company must be prepared (also... this is the final objective: be prepared, because a real attacker will not take any considerations).
3. Then... hope for the best.
> Anyway, I do appreciate the advice. Yes, I did receive my fair share of questions of "Do you know this ...... Do you know that ..... Do you know how to do this ........ Do you know what xxxxxxx means, etc." Sometimes I find that computer geeks run hot and cold --- many are so eager to help others and on the other hand, many want to feel that they are the only ones who can do a certain job or should be the only ones doing a job. Again, I really appreciate all the advice you all gave me. Someone asked about experience. That is the one thing I am REALLY lacking in. However, I feel I can safely say that no one on this list was born knowing how to PenTest --- you learned somehow and somewhere....... and that is what I am doing now. I graduated from College with a Bachelor's Degree in Social Work. For 20 years, I have been a Child Protective Social Worker, an Adult Protective Services Social Worker, and now I am a Social Worker for the Terminally Ill. The abuse was bad enough of Children and Elderly, but now I lose several clients per month and burn out has set in. Oh, not to mention the pay --- after 20 years, last year I finally made over the $30,000.00 salary. Two years ago, I started taking Information Security Courses at the Community College knowing I wanted a change. Computer Forensics has always interested me --- and I wanted to see what Computer Security was all about. From those courses, I became Security+ Certified and Network+ Certified. I decided to pursue my Master's --- either get a teaching job or something. The Community College suggested that I get an Associate's in Info Sec, then transfer and get a Bachelor's in Info Sec and then pursue my Master's. I knew that if I did that -- and work full time, I would be in a nursing home when I graduated!! So I decided to jump right in and get my Master's. EVERYONE in my classes works in some sort of Computer Security Field --- either at the Pentagon, Lockheed Martin, Military Bases, or Banks, etc.
> I attend Capitol College in Laurel, Maryland. My classes have been Network Security, Internal Protection, Computer Forensics, Malware, Cryptography, Wireless Security, Applied Wireless Security, Complimentary Security, Computer Security Risk Management, Perimeter Protection, and Internet Law. I have a 3.97 average. One thing about me --- I am stubborn --- when someone tells me I cannot do something, I dig my heels in and work my tail off to do it. That is what I have done at Capitol ---- where some people study three hours a week, I have to study 10 because I am not as well versed as they are. The labs are coming easier for me, but to begin with, they were HARD!!!!! I will get a better job --- I am determined ---- I know it will be at an entry level but I will do it!!!!!
I'm sure that you will :-) Many congratulations on your degree. Persistence and determination make good people and good professionals.
> I will keep you all posted on my next steps. Thanks friends. Elizabeth
>
> On Fri, Apr 17, 2009 at 10:11 AM, Elizabeth Tolson <elizabethtolson () gmail com> wrote:
> > Hi Everyone: I am finishing up my Master's Degree in Information Assurance from Capitol College. I had one Penetration Testing Class which I really enjoyed. I have done some research on Pen Testing and this seems to be something that I might be interested in doing. During my research, I saw someone who was a Licensed Pen Tester/Consultant. Basically, he was hired by companies -- anywhere from banks, law firms, accountants, merchants, etc --- to conduct pen testing. He would "ethically hack" without the employees knowing it. He would also do some pen testing via social engineering. He would conduct Pen Testing during different hours of the day and night to discover vulnerabilities, etc. After the testing, he would submit a report to the president/owner of the company with suggestions on making his network a stronger, more secure network.
As I said before, this is a perfect blackbox pentest, but legally it could have some issues if something goes wrong, and you have to be over-protected by a contract. This type of pentest is typically contracted when the IT department says that their security measures are the best.
> > Does anyone do this as a consultant? Or, is this guy blowing smoke and this is not a "real job". I have seen some companies that do this, but have not seen any individuals who do this.
It could be a real job. The company model decreases your income, but has two principal benefits:
- It protects you, because it is a legal barrier between the company and you as pentester.
- It gets more clients... because a pentesting/security company generally has a sales department.
Doing this as an individual over-exposes you to legal responses, but it is perfectly possible. And your income will be great if you have enough CEO contacts. ALSO _you have to consider that lawyers cost money_, and it is a matter of probabilities of ending up in front of judges.
> > Also, if I am interested in pursuing Pen Testing, what certs would you recommend. What additional training would you recommend. What books would you recommend?
There... CISSP and the Ethical Hacker certification. Cisco also offers other security certifications for their platform, but only if you are interested in specializing on Cisco.
> > Thanks a lot. Elizabeth
Good luck!
------------------------------------------------------------------------ This list is sponsored by: InfoSec Institute Tired of using other people's tools? Why not learn how to write your own exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well. http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html ------------------------------------------------------------------------