RE: physical security pentesting procedures, tips, audit programs?

From: Frank Knobbe
Date: 12/09/04

  • Next message: Sérgio Yoshioka: "RE: VoIP pentest ?"
    To: Todd Towles
    Date: Thu, 09 Dec 2004 14:17:53 -0600

    On Thu, 2004-12-09 at 14:12, Todd Towles wrote:
    > Frank, If I remember correctly Xyberpix stated that they should be
    > hidden. St8r from his e-mail
    > " be allowed, stick a business card somewhere out of sight, and make a
    > note of it."

    Ah, okay. I still think it's a bad idea :)

    > [...] The general staff
    > wouldn't know what is going on...and sorry to say it but the test is
    > designed to find the sorry security, not hide it.

    Sure, but you show it to management/sponsor. You don't show it to the
    people affected unless they are involved in a test (like branch managers
    having you detained in their office).

    Penetration Testing is all about showing flaws, but to the sponsor, not
    the folks who commit the violations. It's the responsibility of the
    sponsors to take action in a way they see fit.

    Discretion is paramount in these engagements. You just don't leave stuff

    But hey, if that works for you, more power to you ;)


