RE: Fwd: Article Announcement - Demystifying Penetration Testing

From: Christopher Adickes (christopher_adickes_at_SHI.com)
Date: 12/13/04

    To: pen-test@securityfocus.com
    Date: Mon, 13 Dec 2004 09:51:11 -0500

    Can someone please resend the link to the paper? I seem to have deleted
    it. I am very interested in reading it after seeing some of the discussion
    about it.

    Sorry for the interruption.

    -----Original Message-----
    From: miguel.dilaj@pharma.novartis.com
    [mailto:miguel.dilaj@pharma.novartis.com]
    Sent: Monday, December 13, 2004 3:11 AM
    To: pen-test@securityfocus.com
    Cc: Jeffrey Denton; Debasis Mohanty
    Subject: Re: Fwd: Article Announcement - Demystifying Penetration Testing

    Hi Jeffrey et al.,

    I fully agree with what you wrote in the email, but only if that was
    agreed in the pen-test contract. It can be that the critical data is not
    meant to be covered, even with an NDA.
    In general, it should be enough to demonstrate that the pen-tester is able
    to reach complete system compromise, because this means that he/she will
    be able to get/tamper/delete any information in the system(s) affected.
    But there's one important point you haven't mentioned: system misuse.
    It can be launching attacks from the compromised systems, storing nasty
    images/videos/warez on their webservers, etc. In any case you can
    seriously (even legally) harm the victim company.
    To do that, the attacker needs ONLY system compromise, and he/she doesn't
    care about the company's information assets.
    Cheers,

    Miguel Dilaj (Nekromancer)
    Vice-President of IT Security Research, OISSG

    PD: kudos to Debasis, excellent paper.

    Jeffrey Denton <dentonj@gmail.com>
    11/12/2004 09:31
    Please respond to Jeffrey Denton

            To: Debasis Mohanty <mail@hackingspirits.com>,
                pen-test@securityfocus.com
            cc: (bcc: Miguel Dilaj/PH/Novartis)
            Subject: Fwd: Article Announcement - Demystifying Penetration Testing

    Jeffrey wrote:
    >> This presentation is targeted for all security practitioners (i.e.
    >> Security Officers / Sys Admins / Security Auditors / Security
    >> Enthusiasts, etc.). This presentation will give a clear picture on how
    >> pen testing is done and what are the expected results. Various
    >> screenshots are provided as a proof of concept to give a brief picture
    >> of possible end-results.
    >
    >Nice, but it doesn't cover the "So what?" question.
    >
    {excellent considerations skipped}
