Penetration Testing mailing list archives

RE: What a security test should do?- from thinking about: Ethical Hacking Training
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 23 Jan 2004 19:02:10 -0500

When I do a pen-test, I specifically tell them to contact me before they dig too deeply into a suspected incident.  I then record that in the pen-test report.  If they pick up on what I'm doing early (or ever, actually), that's good and I report that in the report.  I am constantly amazed at the number of places that NEVER notice anything.  When I go through 500,000 scripted login attempts over a weekend and nobody ever notices... that's a problem!

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net] 
Sent: Friday, January 23, 2004 4:39 PM
To: pete () isecom org; 'Jeff Shawgo'; pen-test () securityfocus com
Subject: RE: What a security test should do?- from thinking about:
Ethical Hacking Training


Policy strength (there might be no policy requiring password changes, or there might be one, which isn't enforced), internal controls (what if an employee hacks from inside... then what?), contractor handling, mostly other policy-related things come to mind.  It's also hard to be sure how good their response to incidents is as well, since a pen-tester will (hopefully) avoid doing many things that a malicious hacker would do, even deliberately.
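As an added example, not written by either poster: a small Python check that does the "noticing" Jerry describes on the blue-team side. It scans OpenSSH-style auth log lines for bursts of failed logins from a single source within a sliding window, and also reports how many distinct usernames that source tried, since many usernames from one address is the signature of a scripted run rather than a forgotten password. The log lines are constructed sample data (not from the thread), and the line format, the threshold of 5 failures and the 10-minute window are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH auth-log style (not real data):
# a scripted burst from one source, plus ordinary activity from another.
SAMPLE_LOG = """\
Jan 23 01:00:01 bastion sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Jan 23 01:00:04 bastion sshd[2102]: Failed password for root from 203.0.113.7 port 50123 ssh2
Jan 23 01:00:07 bastion sshd[2103]: Failed password for invalid user guest from 203.0.113.7 port 50124 ssh2
Jan 23 01:00:09 bastion sshd[2104]: Failed password for root from 203.0.113.7 port 50125 ssh2
Jan 23 01:00:12 bastion sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 50126 ssh2
Jan 23 01:00:15 bastion sshd[2106]: Failed password for root from 203.0.113.7 port 50127 ssh2
Jan 23 01:30:00 bastion sshd[2150]: Failed password for alice from 198.51.100.5 port 40001 ssh2
Jan 23 01:30:20 bastion sshd[2151]: Accepted password for alice from 198.51.100.5 port 40001 ssh2
Jan 23 09:15:00 bastion sshd[2300]: Failed password for alice from 198.51.100.5 port 40077 ssh2
"""

# Matches only failed password events; accepted logins and other messages are ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failures(text, year=2004):
    """Return a list of (timestamp, user, source_ip) for each failed-login line.
    Syslog timestamps carry no year, so one is supplied (assumption: one year)."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["user"], m["ip"]))
    return events


def find_bruteforce_sources(text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: summary} for every source with >= threshold failures inside
    any sliding window of the given length. The summary holds the peak count,
    the distinct usernames tried, and the start/end of the peak burst."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(text):
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best, best_start, lo = 0, 0, 0
        # Two-pointer sweep: lo trails hi so that times[lo..hi] fit in the window.
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:
                lo += 1
            if hi - lo + 1 > best:
                best, best_start = hi - lo + 1, lo
        if best >= threshold:
            flagged[ip] = {
                "count": best,
                "users": {u for _, u in events},
                "first": times[best_start],
                "last": times[best_start + best - 1],
            }
    return flagged


if __name__ == "__main__":
    for ip, s in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{ip}: {s['count']} failures between {s['first']:%H:%M:%S} and "
              f"{s['last']:%H:%M:%S}; usernames tried: {sorted(s['users'])}")
```

On the sample data only 203.0.113.7 is flagged (six failures in fourteen seconds across three usernames); the two spaced-out failures from 198.51.100.5 stay below the threshold, which is the point of using a window rather than a raw daily count. Feeding a weekend of real auth logs through the same check is the cheapest way to find out whether a 500,000-attempt run would have been noticed.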
