RE: Email Pen-testing

From: Rob Shein (shoten_at_starpower.net)
Date: 03/23/04

To: "'R. DuFresne'" <dufresne@sysinfo.com>, "'Kevin'" <kevin@kevincomputers.com.sg>
Date: Tue, 23 Mar 2004 00:26:59 -0500

> of the bag. Advance warnings of each and every step are not a
> level playing field and certainly do not resemble reality for sure.

Alright. Imagine for a second you're not a security expert, but instead
you're the designer of body armor for police. When you test your armor, do
you have some cops wear it on the beat and set up an ambush where some
gangbangers unload on them in public? Of course not. You're not looking to
resemble reality, and not just because the reality is a bad, bad thing.
Under those circumstances, you're going to lose a lot of your data's
validity. How far was the weapon from the vest, what kind of ammo was used,
what was the angle... it goes on. And of course, in a pen test, if you get
into the client and they are a bank, for example, you're not going to give
yourself a nice six- or seven-figure bonus just because you can. That too
would resemble reality, but again, that's not really the point. It's not a
Spielberg film; you're not trying to make it as real as possible. You're
just looking to see if it could be done, as with the real thing.

You put the vest on a mannequin, take it to your firing range, carefully
measure the distance, and then fire your hand-loaded bullet through a
custom-made rifle that is highly accurate and repeatably maintains a
consistent velocity towards the target. You're going to take copious notes
on every aspect of it, and by no means will any human be in view anywhere
downrange when the shot is fired. This is a bit more like how pen-testing
should be done. You're right, it's not a level playing field, but that
didn't start when the pen-tester notified the company; it started when the
company hired them and promised not to prosecute them for breaking in :)
