Re: [fw-wiz] Off-Topic: Memo of Understanding for Using an Ethical Hacker

From: Adam Graham (agraham_at_datastreamcowboys.net)
Date: 08/30/04

    To: firewall-wizards@honor.icsalabs.com
    Date: Mon, 30 Aug 2004 09:08:47 -0500
    
    

    This is a topic that I know well... I used to be one of the pen testers
    to which you refer... As far as the "hired gun" is concerned, on occasion
    systems have had short outages caused by the pen test. For example, one
    instance was from a machine that was never patched, a straight out of the
    box NT 4.0 install... no service pack... This machine had to be rebooted
    because during the pen test the processor shot up to 100% utilization
    and was useless as the SQL 6.5 server until rebooted. I have never
    first-hand witnessed any longer-term outage but have heard nightmare
    stories. So, any written authorization, YES WRITTEN AUTHORIZATION, to
    pen test a network should reflect that there is a possibility for
    outages and such. Whether the pen test team plans on it or not, there
    can be outages. We had a form for the customer that stated without
    confusion what was to be tested, to what degree it was tested
    (everything has a breaking point), and what may occur from the testing.
    CYA... in today's world, battles aren't fought in the trenches, but in
    the courtrooms... so, document everything in such a simple way that
    non-egghead people can understand what is involved. Most of the people on
    this list, I bet, when talking to other IT professionals use a language
    that would give a non-techy management person a brain cramp.
        As for your comment about the team hitting the wrong address...
    unfortunately I have been there... partially my fault and the
    customer's... My mistake is I did not double check an IP range in which a
    customer reversed 2 numbers in the Class C range. So instead of looking
    at their Class C, I got a nasty email from an ISP about hitting their
    addresses. I replied back and explained to them what had happened and
    got another nasty email back telling me not to let it happen again...
    Just goes to show Murphy's Law is going good and strong in the IT realm.
        A real good source for more info on this subject is Security Focus's
    list on pen testing...

    So, here's what we learned:
        1. Document everything.
        2. Make the info in all documents simple for non-techies to understand.
        3. Make the customer aware of possible outages (even though unplanned).
        4. Beware of Murphy.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
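The "wrong address" story above (a customer transposing two octets in a Class C, and nobody double-checking before the test started) is the kind of mistake a mechanical scope check catches. The following is an added example, not code from the original post or from any tool it mentions: it gates a target list against the ranges named in the written authorization and flags out-of-scope targets that are one octet-swap away from an in-scope address as likely typos. The ranges and targets are constructed sample values from the RFC 5737 documentation blocks.

```python
"""Scope gate for an authorized test: every target must fall inside a range
named in the signed authorization, and near-misses are called out as typos.
Added example; the ranges below are constructed, not from the original post."""
import ipaddress

# Constructed: the ranges the written authorization says may be tested.
AUTHORIZED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def in_scope(addr, ranges=AUTHORIZED_RANGES):
    """True if addr lies inside one of the authorized networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ranges)


def transposition_candidates(addr):
    """IPv4 addresses reachable by swapping two adjacent octets of addr.

    This models the transcription error in the post (two numbers reversed);
    IPv6 input yields no candidates because it has no dotted octets."""
    octets = addr.split(".")
    out = set()
    for i in range(len(octets) - 1):
        swapped = octets[:]
        swapped[i], swapped[i + 1] = swapped[i + 1], swapped[i]
        out.add(".".join(swapped))
    out.discard(addr)
    return out


def check_targets(targets, ranges=AUTHORIZED_RANGES):
    """Map each target to 'ok', 'out-of-scope', or 'out-of-scope (likely typo of X)'."""
    verdicts = {}
    for target in targets:
        if in_scope(target, ranges):
            verdicts[target] = "ok"
            continue
        # Out of scope: is an octet-swap of it in scope? Then the list, or
        # the authorization, probably carries a transposition error.
        typo = sorted(c for c in transposition_candidates(target) if in_scope(c, ranges))
        if typo:
            verdicts[target] = f"out-of-scope (likely typo of {typo[0]})"
        else:
            verdicts[target] = "out-of-scope"
    return verdicts


def all_in_scope(targets, ranges=AUTHORIZED_RANGES):
    """Fail closed: only a list with no out-of-scope entries may be tested."""
    return all(v == "ok" for v in check_targets(targets, ranges).values())
```

Run the gate on both the customer's target list and the authorization's own ranges before the first packet; a "likely typo" verdict is a reason to go back to the customer, not to guess.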
