From: "H Carvey" <keydet89at_private>

> Generally (and in order to set the playing field
> here) a pen test is done in the blind, or with
> very little information. The more prior knowledge
> a pen tester has, the less 'fair' the test is
> going to be. However, the lack of prior knowledge
> can extend the time of the pen test, depending on
> what was contracted.

This is really important, and I completely agree. A zero-knowledge pen test should be the starting point of an audit, where the auditor will not know anything (except a hostname or IP address, for which he just has to know which client it is). The conditions for doing the test MUST be the same that an external attacker may have access to or can discover.

After that, and now with the feedback of the first reports (and of course after ALL reported problems have been fixed), and with a little more knowledge provided by the client (from interviews, etc...), another audit can be done, where the external attacker can be a potential dissatisfied and evil ex-employee.

Regarding studies like the CSI/FBI survey, more or less, the 1st test will cover about 20-30% of the potential attackers while the 2nd will cover the other 70-80%. The 1st test should be much longer in time and resources, and usually the clients here don't understand quite well where their money goes. So most of the time clients prefer to contract the 2nd test only, because it takes less time and money. Also, that's why after that their systems are still vulnerable.

It is important for the client that a little education is provided, at least regarding why there is a need for these different kinds of tests and what they are covering regarding the real-world problems in the security field. And also, why pen tests should be regular, each month or 2 or 6 or whatever ... An audit will only cover a specific period of time, so it is not in any way a guarantee that in the (short) future problems will not happen.

On the technical side and on the commercial side for both parties (consultant and client), the more audits are made in a period of time, the better the investment and the results. For example, with 12 audits a year the price for each will easily be 50%, where the other 50% will be paid with those 2/3 salaries from internal guys that are not needed anymore (those two can even join the consultant company and after some training they can do the job for half the price, because they will be in other projects too ... and everybody will be happy).

> One way of doing it is to ask the consulting firm
> for references...but they'd be fools to give you
> negative references, wouldn't they? So when
> you're talking to them, find out what their model
> is, how they go about doing things.

Some security consulting companies will not give away client references, because keeping confidential other companies with past or present security problems is part of the contract with a client. What they can give is the "Curricula" of their auditors that would be in some project, or projects made public by the client on his own. Another problem can also be giving away models and methods, because there are many smartasses that are just looking for knowledge to do the job themselves.

[ ]'s
bacano

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Sep 10 2001 - 13:03:23 PDT