RE: Blue Team ROE

They are the customer - they get to create whatever constraints
they want to maintain the security of their system. If you want
the work - not only do you need to go along with the constraints
- but as a professional, you need to write up as part of the
pen test report, the implications of those constraints, i.e.

If you believe that an attacker who was not constrained, could
have loaded malicious software, removed hashes/files, etc. and
compromised the system - then your report should indicate:

1) the inability of the constraints to allow you to identify
some of the weaknesses of the system
2) the files/hashes, etc. that you were able to view and not
remove - and what you think removing them would have resulted in
3) what the customer should do to respond to the things you
4) what the customer might do to protect against things they
wouldn't allow you to do

In other words, be a professional; it is not about your ego
in being able to get in or not - it is about providing the best
information to the customer about how to secure themselves
in the future. But also, both from a CYA perspective and
to best serve the customer, you need to clearly document
the constraints put on you that, because they don't exist
on a malicious attacker, could allow the customer's
systems to be compromised in ways your penetration testing
is not allowed to show.


"We cannot ensure success, but
we can deserve it." John Adams


I wanted to send out a general email asking the members of
this list their professional opinions on being limited during
a Blue Team pen-test. I have a govt customer that is trying to
deny us the ability to remove password hashes/files from the
system for cracking, write procedures for every tool/exploit
that could possibly be executed, not allow the loading of any
tools/exploits on target systems, things like that..... Of
course my reaction is that my company will not perform the
assessment with such restrictions. What are some thoughts
from this list on this subject?

