RE: Blue Team ROE

They are the customer - they get to create whatever constraints
they want to maintain the security of their system. If you want
the work - not only do you need to go along with the constraints
- but as a professional, you need to write up as part of the
pen test report, the implications of those constraints, i.e.

If you believe that an attacker who was not constrained could
have loaded malicious software, removed hashes/files, etc. and
compromised the system - then your report should indicate:

1) the inability of the constraints to allow you to identify
some of the weaknesses of the system
2) the files/hashes, etc. that you were able to view and not
remove - and what you think removing them would have resulted
3) what the customer should do to respond to the things you
4) what the customer might do to protect against things they
wouldn't allow you to do

In other words, be a professional, it is not about your ego
in being able to get in or not - it is providing the best
information to the customer about how to secure themselves
in the future, but also both from a CYA perspective and
to best serve the customer you need to clearly document
the constraints put on you that, because they don't exist
on a malicious attacker, could allow the customer's
systems to be compromised in ways your penetration testing
is not allowed to show.


"We cannot ensure success, but
we can deserve it." John Adams


I wanted to send out a general email asking the members of
this list their professional opinions on being limited during
a Blue Team pen-test. I have a govt customer that is trying to
deny us the ability to remove password hashes/files from the
system for cracking, write procedures for every tool/exploit
that could be possibly executed, not allow the loading of any
tools/exploits on target systems, things like that..... Of
course my reaction is that my company will not perform the
assessment with such restrictions, what are some thoughts
from this list on this subject?
