Penetration Testing mailing list archives
RE: What a security test should do?- from thinking about: Ethical Hacking Training
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Fri, 23 Jan 2004 19:02:10 -0500
When I do a pen-test, I specifically tell them to contact me before they dig too deeply into a suspected incident. I then record that in the pen-test report. If they pick up on what I'm doing early (or ever actually), that's good and I report that in the report. I am constantly amazed at the number of places that NEVER notice anything. When I go through 500,000 scripted login attempts over a weekend and nobody ever notices....that's a problem!

-----Original Message-----
From: Rob Shein [mailto:shoten () starpower net]
Sent: Friday, January 23, 2004 4:39 PM
To: pete () isecom org; 'Jeff Shawgo'; pen-test () securityfocus com
Subject: RE: What a security test should do?- from thinking about: Ethical Hacking Training

Policy strength (there might be no policy requiring password changes, or there might be one, which isn't enforced), internal controls (what if an employee hacks from inside...then what?), contractor handling, mostly other policy-related things come to mind. It's also hard to be sure how good their response to incidents is as well, since a pen-tester will (hopefully) avoid doing many things that a malicious hacker would do, even deliberately.