Re: Info collection

From: H Carvey (keydet89@yahoo.com)
Date: Thu Aug 12 2004 - 07:12:56 EDT


In-Reply-To: <20040811092548.GA2978@josefina.dcit.cz>

>Because (at least in our local environment) the customers (be it
>managers or IT security staff) are used to paying for "Penetration Tests"
>(as a general common name product) and they expect that the final report is
>comprehensive (every IP & every port & known/common vulnerability is
>covered, like in VA).

When I've done these, the issue of the customer's expectations is usually handled by the sales rep. The last thing that the engineers want to deal with is a customer who signs up for a pen-test, but expects something as comprehensive as a VA.

Also, service definitions help a lot.

>They are also expecting that the consultants attempt to exploit some
>vulnerabilities, escalate privileges through more layers of security,
>brute-force user/passwords, exploit SQL injections etc. and see how
>deep they can break and how much info they can gather (like in
>a pen-test) because they need to get some "real" (demonstrable)
>results and use them to speed up fixing the issues, upgrading, give
>reasons for bigger budget for security and to get their
>vendors/providers under pressure.

Even with vulnerability assessments, I'd shy away from such things. However, in some cases, the sales guys do the right thing and call us (engineers) before anything is signed by the customer. Once on site, we can easily identify the low-hanging fruit, and provide the demonstrable results with minimal impact to the infrastructure.

>Shortly, customers pay for "Penetration Tests" (with or without prior
>knowledge) but actually want VA with pen-test included.

Again, that really needs to be dealt with up front...service definitions, and sales reps (and even the engineers themselves) setting the customer expectations. Sure, if the customer wants it...fine, no problem. However, my experience has been that while the customer admins may want the "demonstrable results", management (ie, check signers) would rather simply stick to what allows them to be in compliance (HIPAA, SEC, etc.)

...just my $0.02...



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:58 EDT