Re: Fwd: Article Announcement - Demystifying Penetration Testing

From: Michael Puchol
Date: 12/13/04

    Date: Mon, 13 Dec 2004 09:06:19 +0100

    Completely agreed - printing said documents on the CEO's printer is also
    quite a good effect :)

    Jokes aside, I would like to point out that you MUST get yourself a
    get-out-of-jail-free letter from whoever has the authority, the higher
    up the better, if you plan to start showing the company what kind of
    secrets you can grab. You never know what, when or if a legal type will
    look down upon your work.

    Also, have the contact details of someone within the company that you
    can reach 24/7 in case the law takes a shot at you. If the black
    helicopters come, you want to be able to call someone to do some
    explaining fast, before they ship you to Gitmo.

    Best regards,


    Jeffrey Denton wrote:
    > On Fri, 10 Dec 2004 23:07:43 +0530, Debasis Mohanty
    > <> wrote:
    >>This presentation is targeted for all security practitioners (i.e. Security
    >>Officers / Sys Admins / Security Auditors / Security Enthusiasts, etc.). This
    >>presentation will give a clear picture on how pen testing is done and what
    >>are the expected results. Various screenshots are provided as proofs of
    >>concept to give a brief picture of possible end-results.
    > Nice, but it doesn't cover the "So what?" question.
    > If a CEO asks you, "So you broke into my systems, so what?", how do
    > you answer that question? When you first sit down with a company to
    > discuss what you are planning on doing, you should ask them what is
    > critical to their company. Have them list what is critical to their
    > company that would adversely affect them if that information became
    > public or ended up in the hands of their competitors. Examples
    > include new products soon to be released to market, new technologies
    > in the process of being patented, research, contract bids, pending
    > lawsuits (tread with caution here, your right to do pen-testing
    > usually doesn't waive attorney-client privileges), etc.
    > What I'm trying to say is that data mining should be a part of every
    > pen-test. Breaking into their systems is nice, but shocking the
    > customer with what you've been able to gather about them gets more
    > results. Owning a network might end up with your report on some
    > sysadmin's desk with the instructions to "fix this." But showing the
    > company that some important research that they have spent millions of
    > dollars and years of time on could easily be compromised will get the
    > CEO directly involved. CEOs don't like having their ass handed to
    > them (and I feel that should be the goal of any pen-test).
    > Also, having a goal with pen-testing is more fun than just owning a network. =)
    > Some other suggestions: if it's obvious that the sysadmins haven't
    > detected any of your intrusions, grab the logs from the servers you
    > broke into. You'll get a few raised eyebrows when you add to your
    > report, "we broke into these servers, and these are the log entries
    > from your servers where you should have caught us." Your customer
    > will feel they get more for their money if you help educate them.
    > Just a suggestion.
    > dentonj
