Penetration Testing mailing list archives

Re: Need Some Guidance Please


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Wed, 29 Apr 2009 12:32:10 -0430

On Sunday 19 April 2009 15:09:10 Elizabeth Tolson wrote:
THANKS EVERYONE!!!! I really received some valuable information.

One thing I did not state clearly --- when this guy "Ethically Hacked"
without employees knowing it, he did it with the permission of the CEO
or owner of the company.  Apparently, he meets with the CEOs and they
are the only ones aware of his Pen Testing.

This has a name:

perfect external blackbox pentesting audit.

---------------------------------------

* Perfect: Because the IT department is also tested on its natural response, 
and the conditions are good. This must also be tested in a pentest. Today, you 
must evaluate the IT security team's response, not only the "patched or not 
patched" devices.

If the IT department were advised of the attack, the IT department could "over-
react" and distort the test result. 

* External: because it's done by an external person.

* Blackbox: Completely blind attack, simulating an attacker.

----------------------------------------------

Finally, a real attacker would not ask the IT department about their 
actions... 

----------------------------------------------

Who needs to know about it?

- CEO in conjunction with the Legal department 

----------------------------------------------

What terms are commonly involved?

- To protect company operations, attacks should not involve "Denial of 
Service".

----------------------------------------------

What protections should the pentester take?

- Use anonymizing mechanisms to prevent actions against him while the pentest 
is being executed.

- CEO must redirect all legal actions to the legal department. 

----------------------------------------------

Is it ethical for the CEO not to say anything during the pentest?

There could be an intense debate... I think yes and no. But it could be 
reasonable because a real hacker won't ever ask you before an attack.

----------------------------------------------

What are the final risks on both sides (CEO and pentester)?

- For the pentester: If something happens during the pentest, the pentester 
has to be over-protected by legal documents (from NDA to permissions), but it 
also has to be considered that these servers could already be hacked, and it 
is difficult to prove whether any damage was caused by the pentester, a real 
attacker, or even internal people.

- For the CEO: Their company has to be prepared with an "information recovery 
plan" in case something goes wrong. And keep this in mind: something 
could go wrong. 

----------------------------------------------

Can the owner of the company ask for a pentest?

- Short answer: NOT directly (better: should not directly).
- Answer: owners means shareholders; first of all, you have to be the "legal 
control" of the company; then, the right way is to plan this with the CEO and 
legal department.

This is like the owner of the company liking to play with fire and burning their 
own company for fun. In some countries this could be taken as "Deliberate 
Bankruptcy", and the owner/director assumes the legal consequences.

----------------------------------------------

Is this pentest a silver bullet?

No.

This is a perfect blackbox pentest, and it is a blind pentest. The logical way 
to protect your company is to do this:

1.- A perfect blackbox pentest (Then: inform, and solve detected issues)
2.- A blackbox pentest (Then: inform, and solve detected issues)
3.- A whitebox pentest  (Then: inform, and solve detected issues)
4.- Do an exhaustive audit, something like ISO 27001 should work. Make the 
documents, plans, etc. (Then: inform, and solve detected issues)
5.- Audit code, internal applications, and more. (Then: inform, and solve 
detected issues)
6.- Repeat steps 1, 2, 3 periodically, and repeat steps 4 and 5 when required.
7.- Periodically audit documents against reality (completely whitebox)
8.- Have people dedicated to following the plan (updates, checks, etc.)

****
Not a definitive guide, because every company has its own priorities. Step 
zero is to measure the risk of information security hazards, calculate 
probabilities, and adjust a budget...

----------------------------------------------

What can you do to get a balance between all your worries?

1. As CEO, inform your IT department that this test could happen yearly 
without any notice. This can increase the response and responsibility 
over real attacks, because the IT department doesn't know whether it is an 
exercise or not.
2. Prepare a disaster recovery plan and backup policy. This is very important, 
because you will delegate some legal rights to the pentester that could expose 
your platform to unexpected stress, and if something goes wrong... you, as a 
company, must be prepared (also... this is the final objective: be prepared, 
because a real attacker will not take any considerations)
3. Then... Hope for the best


Anyway, I do appreciate the advice.  Yes, I did receive my fair share
of questions of "Do you know this ...... Do you know that ..... Do you
know how to do this ........ Do you know what xxxxxxx means, etc."
Sometimes I find that computer geeks run hot and cold --- many are so
eager to help others and on the other hand, many want to feel that
they are the only ones who can do a certain job or should be the only
ones doing a job.  Again, I really appreciate all the advice you all
gave me.

Someone asked about experience.  That is the one thing I am REALLY
lacking in.  However, I feel I can safely say that no one on this list
was born knowing how to PenTest --- you learned somehow and
somewhere....... and that is what I am doing now.

I graduated from College with a Bachelors Degree in Social Work.  For
20 years, I have been a Child Protective Social Worker, an Adult
Protective Services Social Worker, and now I am a Social Worker for
the Terminally Ill.  The abuse was bad enough of Children and Elderly,
but now I lose several clients per month and burn out has set in.  Oh,
not to mention the pay --- after 20 years, last year I finally made
over the $30,000.00 salary.

Two years ago, I started taking Information Security Courses at the
Community College knowing I wanted a change.  Computer Forensics has
always interested me --- and I wanted to see what Computer Security
was all about.  From those courses, I became Security+ Certified and
Network+ Certified.

I decided to pursue my Masters --- either get a teaching job or
something.  The Community College suggested that I get an Associates
in Info Sec, then transfer and get a Bachelors in Info Sec and then
pursue my Masters.  I knew that if I did that -- and work full time, I
would be in a nursing home when I graduated!!  So I decided to jump
right in and get my Masters.

EVERYONE in my classes work in some sort of Computer Security Field
--- either at the Pentagon, Lockheed Martin, Military Bases, or Banks,
etc.  I attend Capitol College in Laurel Maryland.  My classes have
been Network Security, Internal Protection, Computer Forensics,
Malware, Cryptography, Wireless Security, Applied Wireless Security,
Complimentary Security, Computer Security Risk Management, Perimeter
Protection, and Internet Law.  I have a 3.97 average.

One thing about me --- I am stubborn --- when someone tells me I
cannot do something, I dig my heels in and work my tail off to do it.
That is what I have done at Capitol ---- where some people study three
hours a week, I have to study 10 because I am not as well versed as
they are.  The labs are coming easier for me, but to begin with, they
were HARD!!!!!

I will get a better job --- I am determined ---- I know it will be at
an entry level but I will do it!!!!!

I'm sure that you will :-)
Many congratulations on your degree. Persistence and determination make 
good people and good professionals.


I will keep you all posted on my next steps.

Thanks friends.

Elizabeth


On Fri, Apr 17, 2009 at 10:11 AM, Elizabeth Tolson <elizabethtolson () gmail com> wrote:
Hi Everyone:

I am finishing up my Master's Degree in Information Assurance from
Capitol College.  I had one Penetration Testing Classes which I really
enjoyed.

I have done some research on Pen Testing and this seems to be
something that I might be interested in doing.

During my research, I saw someone who was a Licensed Pen
Tester/Consultant.  Basically, he was hired by companies -- anywhere
from banks, law firms, accountants, merchants, etc --- to conduct pen
testing.  He would "ethically hack" without the employees knowing it.
He would also do some pen testing via social engineering.  He would
conduct Pen Testing during different hours of the day and night to
discover vulnerabilities, etc.  After the testing, he would submit a
report to the president/owner of the company with suggestions on
making his network a stronger, more secure network.

As I said before, this is perfect blackbox pentesting, but legally it could 
have some issues if something goes wrong, and you have to be over-protected by 
a contract.

This type of pentest is typically contracted when the IT department says that 
their security measures are the best.

Does anyone do this as a consultant?  Or, is this guy blowing smoke
and this is not a "real job".  I have seen some companies that do
this, but have not seen any individuals who do this.

It could be a real job. The company model decreases your income, but it has two 
principal benefits:
- It protects you, because it's a legal barrier between the company and you as 
pentester. 
- It gets more clients... this is because pentesting/security companies generally 
have a sales department...

Doing this as an individual over-exposes you to legal responses, but it's 
perfectly possible. And your income will be great if you have sufficient CEO 
contacts. ALSO _You have to consider that lawyers cost money_, and it's a 
matter of probabilities of ending up before judges.


Also, if I am interested in pursing Pen Testing, what certs would you
recommend.  What additional training would you recommend.  What books
would you recommend?

There... CISSP and ethical hacker

Cisco also offers other certifications about security for their platform, but 
it's only if you are interested in specializing in Cisco.


Thanks a lot.

Elizabeth


good luck!
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own
exploits? InfoSec Institute's Advanced Ethical Hacking class teaches you
how to write stack and heap buffer overflow exploits for Windows and Linux.
Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------

