RE: What is your policy on customers participating in a pen test?

From: Steve Hutchins (Steve.Hutchinsat_private)
Date: Thu Jun 21 2001 - 14:46:04 PDT


    At last, someone with a common sense approach.
    There's nothing wrong with the customer being there,
    but if they want to watch closely, then they should
    *PAY* for the training!
    If they are asking for a realistic pen-test from the net,
    then why should they get any warning about when it's
    going to happen? They wouldn't normally get this from 
    an anonymous hacker.
    
    If the customer watches you get onto a box, what's the
    betting that they will stay all night patching all the
    other similar boxes so you can't exploit them?
    
    After the initial pen test has taken place and any
    follow-on rectification work has taken place, they might
    want a closer working relationship, but in forming this
    relationship, you will probably be excluding your company
    from the next anonymous test that they want.
    
    IMHO
    Steve
    
    -----Original Message-----
    From: Gary Warner [mailto:garat_private]
    Sent: Thursday, 21 June 2001 8:50 a.m.
    To: Joe Klein; pen-testat_private
    Subject: Re: What is your policy on customers participating in a pen test?
    
    
    My observations have been that when IT folk want to be part of a PenTest, they are trying to study your techniques so they can make sure of two things:
     1)  they know what is going to be attacked and when, so if they can't defend they can at least react with due diligence.
     2)  they know how the attack was performed so that in a follow-up test there is no way in hell you are going to get in.  (Or better yet, that there won't be a follow-up test, because they can report that they could do it themselves for far less money.)
    
    This comes largely from the misperception that the purpose of a Pen-Test is to slap the hands of IT and say "bad doggie".   Face it.  Our profession pits our skills as violators against their skills as defenders.  That's why it is so critical to help them understand that this is A PART of a much larger project.
    
    In our methodology, the IT department is usually made aware of the PenTest when their alarms start going off OR when two weeks later we present our findings from phases one and two, and prepare to work with the IT staff for phases three and four.
    
    Involving IT in the PenTest creates an artificial world.  It would be like calling and making an appointment to burglarize someone's home.  Just as part of the PenTest is to analyze security vulnerabilities in their "normal state", part of the PenTest should be to analyze the responsiveness of IT to intrusions in their "normal state".
    
    Unfortunately, IT usually wants to be very involved in the PenTest planning and knows you are coming and when.  You want to avoid this.  First, the more they tell you about their network, the more artificial your PenTest becomes.  It's impressive to own every box when they document all the servers first.  It's more impressive to start with a blank sheet of paper.  The first and second phases of our PenTest involve *NO* data provided from the customer.  They want to be involved?  Great!  Promise them full disclosure during the Gap Analysis, and stroke their egos and tell them how critical their input will be during later phases of the PenTest.  As for the timing, try to work the engagement where the PenTest will be begun WITHIN 45 DAYS.  Don't tell them when it's going to start.  Have a coordination point, at the highest management level possible, who will receive daily briefings on planned activities, so they don't go calling the FBI when they shouldn't, or vice versa.  But let them sweat.  Let them wonder for 30 days when the attack is coming.  Let them see some activity, but save the serious punching for the later rounds, when you are fresh, and they are exhausted from this uncustomary watching and waiting.
    
    _-_
    gar
    
    This archive was generated by hypermail 2b30 : Fri Jun 22 2001 - 14:45:50 PDT