Re: Email Pen-testing
From: Michael Richardson (mcr_at_sandelman.ottawa.on.ca)
Date: 03/23/04
- Previous message: Rainer Duffner: "Re: Email Pen-testing"
- In reply to: Rob Shein: "RE: Email Pen-testing"
- Next in thread: R. DuFresne: "RE: Email Pen-testing"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: pen-test@securityfocus.com Date: Tue, 23 Mar 2004 11:12:26 -0500
-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Rob" == Rob Shein <shoten@starpower.net> writes:
Rob> You put the vest on a mannequin, take it to your firing range,
Rob> carefully measure the distance, and then fire your hand-loaded
Rob> bullet through a custom-made rifle that is highly accurate and
Rob> repeatably maintains a consistent velocity towards the target.
Rob> You're going to take copious notes on every aspect of it, and
Rob> by no means will any human be in view anywhere downrange when
Rob> the shot is fired. This is a bit more like how pen-testing
Rob> should be done. You're right, it's not a level playing field,
Rob> but that didn't start when the pen-tester notified the company;
Rob> it started when the company hired them and promised not to
Rob> prosecute them for breaking in :)
Right, so, to finish the analogy, to do the test right, you get the
bank to duplicate their network (plus as much of the Internet as is
feasible), plus their "trading partners", in your testing lab, with the
same configuration, and you then attack this in a controlled way.
(And if you are NASA, you get a duplicate Mars done to imperial units
and drop your landers on that version first)
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Finger me for keys
iQCVAwUBQGBh6IqHRg3pndX9AQEr+AQAmLh6k0xlzJl6s6s9urDZotmu3AX4V10m
W7OWn5piOo0zIHAa97duZVg+BPLsGTqz8scAPXjtUxC3T/pIRVNWWhc5h8I68LBx
xqayLiQcbZmHt5WFCTctYiHMFa9gPHoBZQBj9v3qGzYRR5XrWuUP4KmGuWvGrANJ
fjR03P1X4pA=
=3xj+
-----END PGP SIGNATURE-----