Re: What is your policy on customers particapating in a pen test?

From: Jonathan Rickman (jonathanat_private)
Date: Wed Jun 20 2001 - 12:11:52 PDT

Next message: Ken Pfeil: "RE: What is your policy on customers particapating in a pen test?"

Previous message: Conor: "Re: pcanywhere passwd capture"
In reply to: Vanja Hrustic: "Re: What is your policy on customers particapating in a pen test?"
Next in thread: Vanja Hrustic: "Re: What is your policy on customers particapating in a pen test?"
Next in thread: Dom De Vitto: "RE: What is your policy on customers participating in a pen test?"
Next in thread: David Rosenthal: "Re: What is your policy on customers particapating in a pen test?"
Reply: Vanja Hrustic: "Re: What is your policy on customers particapating in a pen test?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 20 Jun 2001, Vanja Hrustic wrote:

> There is no reason you shouldn't let them see what you are doing.
>
> In some cases, you don't even have a choice. In some countries (at least in Asia-Pacific region) banks (or insurance companies) must have a 3rd
> party 'audit' (as they call pen-test) performed from their premises, or at least from the 'soil' where the company is located. Sounds silly, but
> it's true. Usually, you'd have to do it in their offices, with few people watching what you're doing. Granted, 1st day they might be staring at your
> screen, but next day they might be just reading newspapers while you're doing your stuff.
>
> In case you're doing some work for govts, you will have to do the job from their office, using their equipment, with their people never leaving you
> alone in a room.
>
> Some companies argue that they can't let anyone see what they're doing, because of their 'proprietary techniques'. Right - pentesting is really a
> rocket science, isn't it? ;) That's pretty crappy argument, and from what I've "heard", few companies basically use that argument in order to make
> sure the clients don't see that pentest consists of running ISS or CyberCop or Nessus.

On that note...

Personally, I agree that there is much more involved in penetration
testing than running "can scans" like ISS. However, I do have to point out
that showing up without some of these tools handy is a mistake. Nessus is
pretty good. Passing up on the opportunity to save yourself time is kinda
foolish. I like to start out with nmap, nessus, and sara/saint to identify
potential targets. After mapping and documenting everything, the
"proprietary techniques" (bunch of perl scripts) come out to play. Don't
bash the point and click scanners...some of them do a better job than
"proprietary techniques" ever will. What would you think if a pen-test
team showed up without nmap?

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net

>
> Bottom line: get used to requests like this, since it's becoming a requirement (as a part of a law) in some countries.
>
> Vanja
>

Next message: Ken Pfeil: "RE: What is your policy on customers particapating in a pen test?"
Previous message: Conor: "Re: pcanywhere passwd capture"
In reply to: Vanja Hrustic: "Re: What is your policy on customers particapating in a pen test?"
Next in thread: Vanja Hrustic: "Re: What is your policy on customers particapating in a pen test?"
Next in thread: Dom De Vitto: "RE: What is your policy on customers participating in a pen test?"
Next in thread: David Rosenthal: "Re: What is your policy on customers particapating in a pen test?"
Reply: Vanja Hrustic: "Re: What is your policy on customers particapating in a pen test?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 21 2001 - 12:14:39 PDT