RE: Blue Team ROE

From: Dave Sanford (dsanford@austin.rr.com)
Date: Sun Mar 04 2007 - 23:06:32 EST


They are the customer - they get to create whatever constraints
they want to maintain the security of their system. If you want
the work, not only do you need to go along with the constraints,
but as a professional you need to write up, as part of the
pen test report, the implications of those constraints, i.e.:

If you believe that an attacker who was not constrained could
have loaded malicious software, removed hashes/files, etc. and
compromised the system, then your report should indicate:

1) the inability of the constraints to allow you to identify
some of the weaknesses of the system
2) the files/hashes, etc. that you were able to view and not
remove - and what you think removing them would have resulted
in
3) what the customer should do to respond to the things you
learned
4) what the customer might do to protect against things they
wouldn't allow you to do

In other words, be a professional. It is not about your ego
in being able to get in or not; it is about providing the best
information to the customer about how to secure themselves
in the future. But also, both from a CYA perspective and
to best serve the customer, you need to clearly document
the constraints put on you that, because they don't exist
on a malicious attacker, could allow the customer's
systems to be compromised in ways your penetration testing
is not allowed to show.

Dave

"We cannot ensure success, but
we can deserve it." John Adams

> List,
>
> I wanted to send out a general email asking the members of
> this list their professional opinions on being limited during
> a Blue Team pen-test. I have a govt customer that is trying to
> deny us the ability to remove password hashes/files from the
> system for cracking, write procedures for every tool/exploit
> that could possibly be executed, not allow the loading of any
> tools/exploits on target systems, things like that. Of
> course my reaction is that my company will not perform the
> assessment with such restrictions; what are some thoughts
> from this list on this subject?

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:37 EDT