Fwd: Article Announcement - Demystifying Penetration Testing

From: Jeffrey Denton (dentonj_at_gmail.com)
Date: 12/11/04

  • Next message: nicola_at_softech.it: "Re: physical security pentesting procedures, tips, audit programs?"
    Date: Sat, 11 Dec 2004 02:31:46 -0700
    To: Debasis Mohanty <mail@hackingspirits.com>, pen-test@securityfocus.com

    On Fri, 10 Dec 2004 23:07:43 +0530, Debasis Mohanty
    <mail@hackingspirits.com> wrote:

    > This presentation is targeted for all security practitioners (i.e. Security
    > Officers / Sys Admins / Security Auditors / Security Enthusiasts.etc). This
    > presentation will give a clear picture on how pen testing is done and what
    > are the expected results. Various screenshots are provided as a proof of
    > concepts to give a brief picture of possible end-results.

    Nice, but it doesn't cover the "So what?" question.

    If a CEO asks you, "So you broke into my systems, so what?", how do
    you answer that question? When you first sit down with a company to
    discuss what you are planning on doing, you should ask them what is
    critical to their company. Have them list what is critical to their
    company that would adversely affect them if that information became
    public or ended up in the hands of their competitors. Examples
    include new products soon to be released to market, new technologies
    in the process of being patented, research, contract bids, pending
    lawsuits (tread with caution here, your right to do pen-testing
    usually doesn't wave attorney-client privileges), etc.

    What I'm trying to say is that data mining should be a part of every
    pen-test. Breaking into their systems in nice, but shocking the
    customer with what you've been able to gather about them gets more
    results. Owning a network might end up with your report on some
    sysadmins desk with the instructions to "fix this." But showing the
    company that some important research that they have spent millions of
    dollars and years of time on could easily be compromised will get the
    CEO directly involved. CEOs don't like having their ass handed to
    them (and I feel that should be the goal of any pen-test).

    Also, having a goal with pen-testing is more fun than just owning a network. =)

    Some other suggestions, if it's obvious that the sysadmins haven't
    detected any of your intrusions, grab the logs from the servers you
    broke into. You'll get a few raised eyebrows when you add to your
    report, "we broke into these servers, and these are the log entries
    from your servers where you should have caught us." Your customer
    will feel they get more for their money if you help educate them.

    Just a suggestion.


  • Next message: nicola_at_softech.it: "Re: physical security pentesting procedures, tips, audit programs?"