honeypot in conjunction with pen test?

From: Bennett Todd (bet@rahul.net)
Date: Fri May 31 2002 - 15:59:08 EDT


NB: this is a question from the point of view of the customer of a
pen-test; if that's off-topic for this list my apologies and I'll go
away.

I've had an interesting circumstance arise. I was a customer of a
pen test, and had the happy outcome that the testers found
absolutely nothing, despite the fact that they'd been provided with
complete documentation --- addresses, device functions (indicative
of services running on them), device platforms, routing domains,
interconnectivity, etc. Nicer still, we had alarms go off and get
escalated detecting their activities.

I can't say that this was an unexpected outcome; the plant being
tested didn't suck. And the testers very kindly expanded their
report to provide extensive details on exactly what they did, far
more than would have been necessary in the expected case that they
could report a lot of goo that needed reconciling.

But the thought occurred to me that a really nice approach to take
the next time it comes around again on the guitar would be to
position a honeypot in the facility, just to give the poor scuppers
something to find, and of course to let us collect positive
documentation of our own confirming what was done.

Has anybody done this before? How did you choose what services to
publish in your honeypot? How do you make it believable --- and how
do you avoid making it so juicy that it blinds the testers to any
real substance that might actually be there to find elsewhere in the
tested plant?

-Bennett

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:21 EDT