.

Physical pentesting - do pentesting companies shy from physical pentesting?

<<

PenTestMag

User avatar

Newbie
Newbie

Posts: 2

Joined: Mon Jun 20, 2011 8:04 am

Post Mon Jun 20, 2011 8:35 am

Physical pentesting - do pentesting companies shy from physical pentesting?

Pentesters - do pentesting companies shy from physical pentesting? How do you, pentesters, perceive this part of the job? Do you consider it the integral part of your profession, just like you do with vulnerability scanning and managment? Or is it just "something different"?
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Jun 20, 2011 10:20 am

Re: Physical pentesting - do pentesting companies shy from physical pentesting?

If a security guard carries firearms or even a taser, I won't do physical pentesting. It's important, but I refuse to accept the risk.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

millwalll

Post Tue Jun 21, 2011 6:22 am

Re: Physical pentesting - do pentesting companies shy from physical pentesting?

hmm I think is all depends on the scope of the work. Like anything with Pen testing if you don't have permission you just don't do it as it could get you into  trouble.

I personal think that all companies should take physical security and social engineer attack serious. I have read many books when all attacks on the network have failed however by walking in the company or ringing them 9 times out of 10 they have gained access this way.
<<

tturner

User avatar

Sr. Member
Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Tue Jun 21, 2011 9:28 am

Re: Physical pentesting - do pentesting companies shy from physical pentesting?

Definitely agree Jamie.R, I just don't want to be that guy. Let's say i have permission and a signed authorization from the CEO but an overzealous security guard decides he needs to take me down. He may not wait for me to fish a piece of paper out of my pocket. No thanks.
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
<<

dalepearson

Sr. Member
Sr. Member

Posts: 357

Joined: Thu Nov 09, 2006 10:03 am

Post Mon Aug 01, 2011 3:49 pm

Re: Physical pentesting - do pentesting companies shy from physical pentesting?

There is risk involved of course.
However the realities are that not many companies are good at Physical Security.
If you have these concerns I would have some additional clauses in the engagement contract to cover the event of your own personal damage.

It doesnt stop it happening granted, but it gives you some insurance.
<<

idr0p

Newbie
Newbie

Posts: 49

Joined: Fri Jun 17, 2011 8:46 pm

Post Tue Aug 02, 2011 1:52 am

Re: Physical pentesting - do pentesting companies shy from physical pentesting?

Here are some physical Pen testers
http://laresconsulting.com/action.php
GCIA GCIH GPEN GWAPT
Up Next: CISA CISSP

Return to Physical Security

Who is online

Users browsing this forum: No registered users and 0 guests

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software