Penetration Testing: RE: physical security pentesting procedures, tips, audit programs?

["Todd Towles" <toddtowles () brookshires com>]

Well, I do not work as a pen-tester so you may have more direct
knowledge on the subject. I can't speak for Xyberpix, but mine was only
a idea offered to a person looking for ideas. Ideas are debatable. 

Frank has a good point tho, pictures could serve the same purpose as
Xyberpix's card idea. Cameras will put the date and time on each photo
so that would be usefully. But then you have to hide the camera. =)

The general staff should be kept in the dark. The management will
decided what to do and what to change and then make that happen. Only
persons connected to the test should be aware of it. The changes that
come out of it on the other hand may be felt by the general staff. =) 

I never suggested the public should be aware of the problems. That would
be crazy.

Hey Frank, you are on FD right? Do you know anything about it? It
doesn't seem to be working. Everyone I talk to hasn't received a message
on FD since yesterday morning.

-Todd

> -----Original Message-----
> From: Frank Knobbe [mailto:frank () knobbe us] 
> Sent: Thursday, December 09, 2004 2:18 PM
> To: Todd Towles
> Cc: xyberpix; Vic N; Pen-Test[List]
> Subject: RE: physical security pentesting procedures, tips, 
> audit programs?
>
> On Thu, 2004-12-09 at 14:12, Todd Towles wrote:
> > Frank, If I remember correctly Xyberpix stated that they should be 
> > hidden. St8r from his e-mail
> >
> >  " be allowed, stick a business card somewhere out of site, 
> and make a 
> > note of it."
> Ah, okay. I still think it's a bad idea :)
>
> > [...] The general staff
> > wouldn't know what is going on...and sorry to say it but 
> the test is 
> > designed to find the sorry security, not hide it.
> Sure, but you show it to management/sponsor. You don't show 
> it to the people affected unless they are involved in a test 
> (like branch managers having you detained in their office).
>
> Penetration Testing is all about showing flaws, but to the 
> sponsor, not the folks who commit the violations. It's the 
> responsibility of the sponsors to take action in a way they see fit.
>
> Discretion is paramount in these engagements. You just don't 
> leave stuff behind.
>
>
> But hey, if that works for you, more power to you ;)
>
> Cheers,
> Frank