Re: Using 0days as part of pen-test?



Oliver Schad wrote:
I think it's important to estimate or show the costs for a successful
attack. Which way you choose to do this doesn't matter. The cost is a
value a customer can work with.


Sure, but the framing is important too.

I once got asked "what will we do if one of the network administrators
decides to hack the system" as part of a security review. The answer was
- you had better hope that never happens, as you are lost beyond hope of
retrieval.

Pentesting is all about risk assessment - if you presume too much
advance knowledge, then while the "cost" of the penetration is high, the
likelihood (in the real world) of that threat is low and the one-off and
ongoing costs for defending against it tend to be uneconomic. For
instance, on one site I still support, the "admin threat" is dealt with
by posting an armed soldier behind the admin, with orders to restrain
and/or shoot the admin if he tries to access anything beyond his
security clearance and/or current job, and a second admin to tell the
guard when this happens (as the guard isn't even allowed to look at the
screen).

Obviously, this is economic if you are on a military base (with a
surplus of armed soldiers) _and_ the admin concerned is an occasional
visitor (for tech support above and beyond what the onsite staff can
provide). I have no firm evidence what happens for the second admin in
his day to day job, but I am under the impression (from random comments)
that when I leave, he goes back to his nice, code-and-card-access-only
terminal room and RDPs to the server concerned with no checks or
balances at all....

On the whole, companies seem to want one of two things from a pentest;
they want a "clean" report for due diligence, or they want a proactive
action list they can use to get budget and improve security (determining
which they want early on can save you a lot of heartache). There *are*
exceptions, but not many :)