-----BEGIN PGP SIGNED MESSAGE-----

On Wed, 30 May 2001, Steve Skoronski wrote:

> This divides pen tests into a few shades, black - to white. Black hat
> testing meaning that only a few key people inside know it's happening.
> This has the element of real world testing. White hat meaning everyone
> knowing the attack is in progress. This can sometimes hinder testing as
> staff will attempt to raise security for the test, and in some cases
> I've been involved with, full counterstrikes are initiated.

Okay, I'm going to pick nits.

For all intents and purposes, any penetration test should simulate a "black hat" attack. The difference is whether there is knowledge aforehand (crystal box) or not (black box). The "black *box*" test is closer to real world conditions when dealing with a malicious outsider. The "crystal box" is more a situation of dealing with a malicious insider.

I typically take the two-pronged approach: the black-box test first to determine whether or not the customer has their butts hanging out in the wind; the crystal-box test to determine whether or not they'd get ripped to the ground if their admin were to get his walking papers tomorrow.

I personally think it's beyond stupid for the customer to have people watching over the penetration test and changing the conditions of the test in mid-stream. For one thing, unless the customer has a dedicated IDS crew at the helm at all hours, the whole test is no longer representative of the real world threat and the customer will walk away with an utterly bogus sense of security. For another thing, I've seen those sorts of situations and have more than merrily run automated (and really loud) penetration attempts on irrelevant services while manually initiating stealth penetration attempts in parallel on other services.

In an ideal sense, only two or three people at the customer's site should know when and from where the "attacks" will be coming, and they should be the go-to people for the rest of the staff. The grunts don't need to know that the "intruder" is genuine or staged. What's important is that they handle it appropriately. (Appropriately means only defensive countermeasures. Initiating counterstrikes is just plain stupid.)

- -Jay

  (  (                                                           _______
   ))  ))   .-"There's always time for a good cup of coffee"-.   >====<--.
 C|~~|C|~~| (>------ Jay D. Dyson -- jdysonat_private ------<)  |    = |-'
  `--' `--'  `---- "Get in. Sit down. Hold on. Shut up." ----'   `------'

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iQCVAwUBOxcAW9CClfiU/BIVAQHySgQAwX600lh/QfqsGTw/WuSVZ+hkitYCahAt
rrFyA49mw/kgOJi+/0uNw53FsSzJwo38FPeBaD94ybtLy0RDGbs74xnVHJbuZYA3
d4mSTg8FbAWvfqJVu6He1qI7NdDMMDxgOY4OaoXGbSkJQVr7T1KKVjVEFdoj4xvE
7k0hjgxIOFk=
=bPDT
-----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Fri Jun 01 2001 - 14:26:54 PDT