Re: Pen-Test and Social Engineering

From: Pete Herzog (lists@isecom.org)
Date: Wed Feb 08 2006 - 11:22:12 EST


Leif's correct, as has been much of the talk on this topic. However....

Leif Ericksen wrote:
<snip>
> SHORT AND SWEET:
<snip>

What should or should not be in a pen-test has been right in the OSSTMM
(www.osstmm.org) all along under the Rules of Engagement that say pretty
much this but a bit more extended.

The problem isn't whether to give S.E. or not though, really, as it's
clear it's part of it; the question is whether it should be included if
done wrong. What is valid S.E. to include? And that's more than just
the tests (range from James Bond all the way to out-right, dangerous
fraud) because it's also the timing. If the tester achieves the goal
through S.E. (my assumption is a pen-test has a goal unlike a security
test) then will attempts through the network be minimized? Will they
spend more time on S.E. because it has a greater chance of reaching the
goal and that reduces the amount of time they have for testing other
channels? I think S.E. can be a pen-test but to combine it with a test
or a vector of a test is dangerous if it doesn't clearly have its own
time limit in the SoW.

And for the James Bond fans, I find the "Bond" test type to be very much
needed and I do know of many companies buying them. They just don't
advertise it as such. It's usually companies looking to hire
plain-clothes detectives or plants to uncover types of loss or
subversion. Some retail chains even pay to have you steal to test their
in-store detectives. I have worked a few of them pre-ISECOM and there
is nothing glamorous about them. I talked about this at length 2 years
ago at ISESTORM in Barcelona-- even gave some business leads to a few
who asked later about pursing this. I have to say it does give an odd
sense of Bond-like intrigue and mystery, unfortunately you can't revel
in it or else you'll blow your cover and the job. But if you're looking
for that kind of work, I recommend putting a nice presentation together
with the right facts and going after the retail, hotel, and restaurant
market. If your work has the right pay to loss ratio, you may just find
yourself a regular gig. Be prepared to actually have to do the work
you're in the role for. Bond never had to vacuum floors or take out the
trash. And Bob, the less we actually look like Bond and more like
regular (albeit odd) folk, the better our chances of getting hired.

Sincerely,
-pete.

