From: krymson@gmail.com
Date: Fri Aug 31 2007 - 16:59:10 EDT
Pen-testing should probably always expect penetration if you can include social engineering, physical proximity, or internal access presence (insider, soft chewy interior, user/admin access,configs access, etc). But a purely external pen-test is a different ballgame.
Your measure of success is going to include the important variable of how much of an Internet footprint your client has. A large footprint may offer some holes, but a small footprint with 3 patched and configured services hiding behind a decent firewall may not offer you much to do at all. I wouldn't be surprised to see pen testers not break into setups like that.
This also changes if you're speaking about application pen testing instead of network pen testing. The size and security of the web application will dictate your success rates. You might not find anything in a small web site except perhaps some XSS or low-lying, non-fatal bugs.
You should always go in hoping and expecting to find an opening since that is what you're paid to do. But don't expect every external pen test to be a success from that standpoint.
<- snip ->
From: James Kelly <macubergeek (at) comcast (dot) net [email concealed]>
> Given this scenario: Red team pen test from the Internet with no
> information or cooperation from IT staff.
>
> What would be a reasonable success rate of breaking in to say at
> least DMZ machines? Of internal hosts on private network?
------------------------------------------------------------------------
This list is sponsored by: Cenzic
Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!
http://www.cenzic.com/downloads
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:05 EDT