Penetration Testing mailing list archives

RE: Blue Team ROE
From: "Dave Sanford" <dsanford () austin rr com>
Date: Sun, 4 Mar 2007 22:06:32 -0600

They are the customer - they get to create whatever constraints
they want to maintain the security of their system. If you want
the work - not only do you need to go along with the constraints
- but as a professional, you need to write up as part of the
pen test report, the implications of those constraints, i.e.

If you believe that an attacker who was not constrained, could
have loaded malicious software, removed hashes/files, etc. and
compromised the system - then your report should indicate:

1) the inability of the constraints to allow you to identify
some of the weaknesses of the system
2) the files/hashes, etc. that you were able to view and not
remove - and what you think removing them would have resulted
in
3) what the customer should do to respond to the things you
learned
4) what the customer might do to protect against things they
wouldn't allow you to do

In other words, be a professional. It is not about your ego
in being able to get in or not; it is about providing the best
information to the customer about how to secure themselves
in the future. But also, both from a CYA perspective and
to best serve the customer, you need to clearly document
the constraints put on you that, because they don't exist
on a malicious attacker, could allow the customer's
systems to be compromised in ways your penetration testing
is not allowed to show.

Dave

"We cannot ensure success, but
we can deserve it." John Adams 

List,

I wanted to send out a general email asking the members of
this list their professional opinions on being limited during
a Blue Team pen-test. I have a govt customer that is trying to
deny us the ability to remove password hashes/files from the
system for cracking, write procedures for every tool/exploit
that could possibly be executed, not allow the loading of any
tools/exploits on target systems, things like that. Of
course my reaction is that my company will not perform the
assessment with such restrictions; what are some thoughts
from this list on this subject?

