Re: Penetration Testing - Human Factor

From: KeenerPB@mcnosc.usmc.mil
Date: Sat Aug 26 2006 - 20:51:42 EDT


We use social engineering on almost every assessment we do except when the request is for a strict technical assessment.

Capt. Paul B. Keener
OIC, Marine Corps Red Team
Marine Corps Network Operations & Security Command
STE: 703.784.4327 (DSN 278)
Cell: 703.399.9639

NIPR: keenerpb@mcnosc.usmc.mil
SIPR: keenerpb@mcnosc.usmc.smil.mil
--------------------------
Sent from my BlackBerry Wireless Handheld

-----Original Message-----
From: StyleWar <stylewar@cox.net>
To: 'Joey Peloquin' <joeyp@cotse.net>; Keener Capt Paul B <KeenerPB@mcnosc.usmc.mil>
CC: 'Pen-Testing' <pen-test@securityfocus.com>
Sent: Sat Aug 26 19:44:04 2006
Subject: RE: Penetration Testing - Human Factor

lol

With respect, I think that's a greater commentary on your contracting
methods than it is on what's available. The pen-tests I have run include
everything from physical, to logical, to social/administrative. The
customer has had to opt out of specific methods and attack trees as part of
the pre-engagement process.

-

StyleWar

"Patriotism isn't defined in a moment. It's defined in a lifetime."

> -----Original Message-----
> From: Joey Peloquin [mailto:joeyp@cotse.net]
> Sent: Wednesday, August 23, 2006 7:10 AM
> To: KeenerPB@mcnosc.usmc.mil
> Cc: Pen-Testing
> Subject: Re: Penetration Testing - Human Factor
>
> KeenerPB@mcnosc.usmc.mil wrote:
> > I would disagree with Arian regarding the technical aspects of "true"
> > hacking...in my experience, social engineering plays a huge role in
> > successful compromise of a network. Most of the time the boundaries
> > are pretty tight so you have to lob one over the fence (social
> > engineering) in order to punch out from the inside to
> > defeat the boundary devices.
>
> All due respect, I'm both an Enterprise pen-test customer and
> an internal pen-tester at the same company, and I don't see
> social engineering on the radar at all, save a mention as
> part of our security awareness program.
>
> How many enterprises do you all contract with that *actually*
> include social engineering, and the like, in the scope?
> We've paid as much as 40K for an engagement and it didn't
> include social engineering.
>
> -jp
>



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:51 EDT