From: R. DuFresne (dufresne@sysinfo.com)
Date: Mon Mar 22 2004 - 13:00:49 EST
It's about time the industry, IT as a whole, comes to understand:
a pentest is something much more than a simple port/vuln scan from
outside.

A simple port/vuln scan has its value, as a way to probe for potential
risks. A *real* pentest is an attempt to actually make use of potential
holes, show they are in fact real risks, and will in fact be able to be
exploited to gain illegal/unwanted entry into an org's systems and to
their core data and apps. At least since Mitnick's days social
engineering has shown to be a major gateway to resources that should be
better protected.

A company asking for a mere set of potentials wants a sweet little report
done on a port/vuln scan that anyone with minimal skills can accomplish.
A company actually wishing to determine how well they have done their job
of protecting assets might opt for a full pentest, with all the stops out
of the bag. Advance warnings of each and every step is not a level
playing field and certainly does not resemble reality for sure.

Thanks,
Ron DuFresne
On Mon, 22 Mar 2004, Kevin wrote:
> Well, humans are the weakest link in the security ring.. and social
> engineering is always the easiest (if not the best) technique to open up
> loopholes in a security system.
>
> Although it's an area which requires the most emphasis and concern, it is
> also the most sensitive area where security managers get stuck often in.
>
> If the company is ok with social engineering in the pen test, then I
> suppose it's ok.. It's ethical as long as you're doing it for a cause
> not malicious and harmful.
>
>
> -----Original Message-----
> From: Blake [mailto:netspan@hotmail.com]
> Sent: Sunday, March 21, 2004 12:22 AM
> To: pen-test@securityfocus.com
> Subject: Email Pen-testing
>
>
>
> Wanted to get your opinion on something...
>
> Doing a pen-test for a small bank which was proving very difficult to
> get it. A friend of mine suggested I send a backdoor trojan attachment
> via an email. If they clicked on it, the backdoor performs maybe a
> boxscan, grab passwords, and connects out to the Internet. --Much like a
> virus.
>
> I think this type of testing is becoming more relevant nowadays,
> especially with what's out there. It reinforces properly configured
> antivirus software and user awareness.
>
> I spoke with a previous customer of mine about the idea. He said he
> would be very upset if he was not told prior to that type of test as
> part of normal pen-testing.
>
> Generally speaking, my code of ethics doesn't allow me to social
> engineer. I don't like lying and misleading people. Also people tend to
> hate you after they've been punk'd.
>
> What are your ideas on the email pen-testing?
>
>
> -Blake
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
-- Johnny Hart

testing, only testing, and damn good at it too!