Penetration Testing
mailing list archives
Re: [PEN-TEST] Penetration X Auditing Teste & other misteries
From: "St. Clair, James" <JStClair () VREDENBURG COM>
Date: Fri, 6 Oct 2000 10:03:50 -0700
Personally, I would set the time and date of the test. If they run around
and spend the night installing patches, then they end up doing their job
anyway. A pen test is not a game to embarrass your client or impress them
with your hacking skills - either they have properly administered security
or they haven't, and you are there to assist them in fixing it.
James St. Clair
-----Original Message-----
From: Mark Teicher [mailto:mark.teicher () NETWORKICE COM]
Sent: Friday, October 06, 2000 9:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: [PEN-TEST] Penetration X Auditing Teste & other misteries
This is a very good point, since an adversarial pen test can create a very
different dynamic with the customer than coming in as a consultant to work
on a particular project. Use some made up project name, set up a tap and
start your penetration testing.
Remember the whole goal of penetration assessment is to gather information
and provide helpful information to the organization you have been engaged
by to help them get healthy not sick.. :)
/mark
At 05:03 PM 8/25/00 -0400, Christopher M. Bergeron wrote:
I can still guarantee that 'agreed' test will be much more productive than
the 'stealth' one.
Vanja Hrustic
Is it possible that if the Net admins 'know' you'll be trying to get, they
may try even harder to make it difficult for you? I.e. they go out of
their way to apply the last 42 patches that they've been neglecting before
you can find something... and thus produce an "inaccurate" portrait of the
network. Had the admins not been aware of the test, the network would
have been left in a "truer" state. A state more like what a potential
black-hat would find in a real world scenario. Or do you consider this a
"special case" and not typical?