.

How do you feel about pentests without SE attacks?

<<

Eleven

User avatar

Full Member
Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Thu Nov 10, 2011 6:58 pm

How do you feel about pentests without SE attacks?

Hey guys, I was wondering about your thoughts on how necessary SE attacks are during a pentest.

Personally, I'd want a pentest done to show me threats/vulnerabilities that I don't know about.  I've read Kevin Mitnick's books and I know darn well SE attacks would work.  I'd rather the pentester give recommendations on how to mitigate it and focus their time on other areas.  What do you think?
<<

cd1zz

User avatar

Recruiters
Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Nov 10, 2011 8:56 pm

Re: How do you feel about pentests without SE attacks?

SE is a major problem for most places. You can have the best security technology in the world, but that could all be thwarted through SE. Problem is, SE isn't always in scope. For example if a company is just doing a PT to fulfill a compliance requirement, they probably wont get SE since they're just trying to "check the box."

SE is still the easiest way in.
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Nov 11, 2011 12:25 am

Re: How do you feel about pentests without SE attacks?

...and then you get to hear the whole "well you were doing your test internally, so that means someone would have to come into my building and plug in, pfft, they can't do that" argument.. ::)
<<

hayabusa

User avatar

Hero Member
Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Nov 11, 2011 7:13 am

Re: How do you feel about pentests without SE attacks?

BillV wrote:...and then you get to hear the whole "well you were doing your test internally, so that means someone would have to come into my building and plug in, pfft, they can't do that" argument.. ::)


LOL!  <nod>
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

shaqazoolu

User avatar

Newbie
Newbie

Posts: 8

Joined: Tue Aug 03, 2010 2:09 pm

Location: Baton Rouge, La

Post Fri Nov 11, 2011 9:29 am

Re: How do you feel about pentests without SE attacks?

In my previous job, I worked for a company that provided pen testing, SE, risk assessment, audit, etc. services.  A SE test and an internal pen test were two very different products for us.  There were a couple of customers that felt they would get more out of a combination of the services and had us SE our way into a network connection before we could perform the pen test.  That was a very custom statement of work and I am sure they paid well for it though.

They are usually separated because most places want to either focus on fortifying their network based controls (pen test) or further developing their policies and procedures (SE).  It is very difficult to do both at the same time for a variety of reasons, especially if you don't have a large staff dedicated to information security.
Learning mode engaged.
<<

Eleven

User avatar

Full Member
Full Member

Posts: 121

Joined: Thu Nov 10, 2011 6:47 pm

Post Fri Nov 11, 2011 4:43 pm

Re: How do you feel about pentests without SE attacks?

@shaqazoolu I was under the impression that pen testers thought companies were making a big mistake when SE wasn't within scope.  I understand how hacking systems and hacking people could be done separately, but are they really kept separate during most pentests?
<<

Triban

User avatar

Hero Member
Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Fri Nov 11, 2011 9:28 pm

Re: How do you feel about pentests without SE attacks?

If a TRUE penetration test is conducting, all aspects of security should be considered for scope.  SE should be part of the test regardless since it can be used as viable method into the system regardless if they tester comes through the front door posing as a fire marshal or if they send an email to a user posing as help desk.  SE should be on the table. 

My last job, they ran an internal and external test but they didn't want to use SE because they didn't want to alarm users.  Really???  Don't you want to know if your Security awareness is working??  I just shook my head.  The external network had a very limited attack surface.  Only VPN and a Citrix portal was available.  No OWA or any other web services were allowed in.  Mail was filtering through our spam/av hosts so those ports weren't open directly.  Granted if you compromised those anti-spam hosting provider you might be able to sneak in that way, but it is another hurdle for the attacker.

Needless to say, a well placed phishing email would most likely be the entry way in.  No one will come to the front door.  Even a phone call may work.  Well regardless they CIO thought it was a good idea to outsource everything, including security so not my problem anymore.  :-p 

But yes, SE should be done, if not during the main test, then at least a couple times a year to test your security awareness training. 

Today at BsidesDE we had a great panel discussion on why Info Sec sucks and if it was the fault of the users or us.  We agreed that it was a little of both.  And a point came up about testing the users to know if your message is really getting through.

Sorry for the long post.  been up for 16 hours so... yeah, I need sleep.
Certs: GCWN
(@)Dewser
<<

venom77

User avatar

Hero Member
Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Nov 11, 2011 9:32 pm

Re: How do you feel about pentests without SE attacks?

separate tests = separate charges ;)

Some clients choose to do it, some don't.

Return to Network Pen Testing

Who is online

Users browsing this forum: No registered users and 1 guest

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software