NB: this is a question from the point of view of the customer of a pen-test; if that's off-topic for this list, my apologies and I'll go away.

I've had an interesting circumstance arise. I was a customer of a pen test, and had the happy outcome that the testers found absolutely nothing, despite the fact that they'd been provided with complete documentation --- addresses, device functions (indicative of services running on them), device platforms, routing domains, interconnectivity, etc. Nicer still, we had alarms go off and get escalated detecting their activities. I can't say that this was an unexpected outcome; the plant being tested didn't suck. And the testers very kindly expanded their report to provide extensive details on exactly what they did, far more than would have been necessary in the expected case that they could report a lot of goo that needed reconciling.

But the thought occurred to me that a really nice approach to take the next time it comes around again on the guitar would be to position a honeypot in the facility, just to give the poor scuppers something to find, and of course to let us collect positive documentation of our own confirming what was done.

Has anybody done this before? How did you choose what services to publish in your honeypot? How do you make it believable --- and how do you avoid making it so juicy that it blinds the testers to any real substance that might actually be there to find elsewhere in the tested plant?

-Bennett
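The kind of decoy the post is asking about, as an added illustration that is not part of Bennett's message or of any reply on the list: a low-interaction TCP honeypot that advertises a few plausible banners, records every connection as the "positive documentation" the post wants, and only escalates when one source touches more than one decoy port inside a time window, so a single stray connection stays noise. The port numbers, hostnames and banners are constructed for this example, and the choice of which services to publish is an assumption in the spirit of the post's own documentation (decoys modelled on device classes the plant already has, so the honeypot reads as one more host rather than an outlier). The decoy itself holds no data, which is one answer to the "too juicy" question: it is findable, not rewarding.

```python
"""Minimal low-interaction honeypot (added example, not from the original post).

Listens on a few decoy TCP ports, serves a plausible banner, logs each
connection, and flags a source that enumerates several decoys in a short window.
"""
import socket
import threading
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical decoy services: port -> banner. Banners are constructed strings,
# picked to resemble device classes the tested plant already documents.
DECOY_SERVICES: Dict[int, bytes] = {
    2121: b"220 bkp-ftp-02 FTP server ready.\r\n",
    2323: b"\r\nrtr-edge-07 login: ",
    8088: b"HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"mgmt\"\r\n\r\n",
}


@dataclass
class ProbeEvent:
    ts: float            # unix time of the connection
    src: str             # source address that connected
    port: int            # decoy port that was touched
    first_bytes: bytes   # whatever the client sent first (may be empty)


class ProbeLog:
    """Thread-safe record of every decoy connection; this is the evidence trail."""

    def __init__(self) -> None:
        self._events: List[ProbeEvent] = []
        self._lock = threading.Lock()

    def record(self, src: str, port: int, first_bytes: bytes = b"",
               ts: Optional[float] = None) -> ProbeEvent:
        ev = ProbeEvent(time.time() if ts is None else ts, src, port, first_bytes)
        with self._lock:
            self._events.append(ev)
        return ev

    def events(self) -> List[ProbeEvent]:
        with self._lock:
            return list(self._events)


def should_escalate(log: ProbeLog, src: str, window: float = 60.0,
                    min_ports: int = 2, now: Optional[float] = None) -> bool:
    """One hit on a decoy can be a typo or a lucky scanner; the same source
    touching several decoy ports inside the window is deliberate enumeration
    and is the event worth paging someone about."""
    now = time.time() if now is None else now
    ports = {e.port for e in log.events() if e.src == src and now - e.ts <= window}
    return len(ports) >= min_ports


def handle_client(conn: socket.socket, addr, port: int, log: ProbeLog) -> ProbeEvent:
    """Send the banner, capture the first bytes the client sends, log, close."""
    first = b""
    try:
        conn.sendall(DECOY_SERVICES[port])
        conn.settimeout(2.0)
        try:
            first = conn.recv(256)
        except socket.timeout:
            pass
    finally:
        conn.close()
    return log.record(addr[0], port, first)


def serve(port: int, log: ProbeLog, stop: threading.Event,
          bind_addr: str = "127.0.0.1") -> None:
    """Accept loop for one decoy port; runs until `stop` is set."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind_addr, port))
        srv.listen(5)
        srv.settimeout(0.5)  # wake periodically to check the stop flag
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle_client, args=(conn, addr, port, log),
                             daemon=True).start()


def main() -> None:
    log = ProbeLog()
    stop = threading.Event()
    for p in DECOY_SERVICES:
        threading.Thread(target=serve, args=(p, log, stop), daemon=True).start()
    time.sleep(0.2)
    # Constructed self-probe from localhost, standing in for a scanner sweep.
    for p in DECOY_SERVICES:
        with socket.create_connection(("127.0.0.1", p), timeout=2) as c:
            c.recv(256)
            c.sendall(b"QUIT\r\n")
    time.sleep(0.5)
    stop.set()
    for e in log.events():
        stamp = time.strftime("%H:%M:%S", time.localtime(e.ts))
        print(f"{stamp} {e.src} -> :{e.port} first={e.first_bytes!r}")
    print("escalate 127.0.0.1:", should_escalate(log, "127.0.0.1"))


if __name__ == "__main__":
    main()
```

Run it directly and it probes its own decoys from localhost, prints the three log lines and reports that the source should be escalated; in practice the log would feed the same alarm path that already fired on the real testers, and the escalation rule keys on breadth of probing rather than on how tempting any one banner looks.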
This archive was generated by hypermail 2b30 : Fri May 31 2002 - 14:03:42 PDT