
Post Pen Test Hack Question

seawolve1

Newbie

Posts: 6

Joined: Sun Aug 03, 2008 11:58 am

Post Wed Jun 06, 2012 9:35 pm

Post Pen Test Hack Question

I have not come across this (still learning) but I always think ahead. You perform an official pen test, etc., for a client, and you present your findings, suggestions and collect PAYMENT for services. Six months later the client calls and advises his network was hacked. The hacker used or created an exploit that you didn't find.

Question: How do you cover this in the contract you present to the client prior to conducting testing?
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Wed Jun 06, 2012 10:10 pm

Re: Post Pen Test Hack Question

A penetration test is intended to provide reasonable assurance within the scope that it's defined. The length of the engagement, testers' knowledge/experience, and other limiting factors (i.e. removing critical systems from the scope, using a test/dev network instead of production, disallowing social engineering/client-side attacks, etc.) all factor into the equation. Your lawyer/legal team should explicitly state that this is a "best-effort" service within the contract, and you (and/or sales reps/PMs) should also clearly communicate the level of assurance such an engagement will provide to the client.
The day you stop learning is the day you start becoming obsolete.
seawolve1

Newbie

Posts: 6

Joined: Sun Aug 03, 2008 11:58 am

Post Wed Jun 06, 2012 10:42 pm

Re: Post Pen Test Hack Question

Outstanding! Thanks for the advice! 
cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jun 07, 2012 9:09 am

Re: Post Pen Test Hack Question

Also, a PT is simply a test at a point in time. Things can change the second you walk out the door, so the language in the contract should stress that it's simply a point in time.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Thu Jun 07, 2012 9:24 am

Re: Post Pen Test Hack Question

ajohnson wrote:A penetration test is intended to provide reasonable assurance within the scope that it's defined. The length of the engagement, testers' knowledge/experience, and other limiting factors (i.e. removing critical systems from the scope, using a test/dev network instead of production, disallowing social engineering/client-side attacks, etc.) all factor into the equation. Your lawyer/legal team should explicitly state that this is a "best-effort" service within the contract, and you (and/or sales reps/PMs) should also clearly communicate the level of assurance such an engagement will provide to the client.


On the flip side of this, the reality is, if someone compromised a glaring vulnerability, chances are the tester sucked (for lack of better words). Sorry, I call it how I see it. In an instance where this occurs (you do a test and leave gaping holes) kiss any future business goodbye, as well as introducing a huge black eye on your company. http://mailman.nanog.org/pipermail/nano ... 48786.html
alucian

Full Member

Posts: 228

Joined: Mon Dec 29, 2008 2:01 pm

Location: Montreal, Canada

Post Thu Jun 07, 2012 11:29 am

Re: Post Pen Test Hack Question

I see that seawolve1 had the answer, and while reading the other guys' posts an old question came back to me: "When are you good enough to go out and perform penetration testing?" Sil's link confirmed my problem.

Doing "penetration testing" for your own company is a thing. You are their colleague, you can screw things up, but.. they are not perfect, too, so you can play around and do and learn. If you have a senior guy to supervise and teach you... you are the luckiest man in the industry.

But calling yourself a penetration tester and going out and asking for the big buck... is a totally different animal. Years ago I read a book about the differences between visual and auditory people. What struck me is that the auditory ones will not start a project unless they have at least 80 - 90% of the information and skills. Visual people only need 10 - 20% to consider themselves good enough to do the job. While there are advantages to both types, I would definitely not want a visual guy to come and test my security.

So, question number two: when is a security pro ready to become a penetration testing consultant?


PS The more I study the more I consider myself... not so skilled  ::) :'(
Last edited by alucian on Thu Jun 07, 2012 11:34 am, edited 1 time in total.
CISSP ISSAP, CISM/A, GWAPT, GCIH, GREM, GMOB, OSWP
Dark_Knight

Sr. Member

Posts: 294

Joined: Mon Aug 11, 2008 7:03 pm

Post Thu Jun 07, 2012 12:15 pm

Re: Post Pen Test Hack Question

@alucian - I think that one will always be able to find a reason to justify their not being ready to take on a pen tester role. Especially with ALL of the security rockstars that exist today. Everybody is an expert these days.

At some point you are just going to have to take a leap of faith and step out. You will make mistakes - even the gurus do - but then that is just a part of the game.
CEH, OSCP, GPEN, GWAPT, GCIA
http://sector876.blogspot.com
impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Thu Jun 07, 2012 7:19 pm

Re: Post Pen Test Hack Question

I always got the idea that you're going to be comfortable with one system and you will begin to test according to what you learned and experienced; from there you will build up slowly until you become a better pentester.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Jun 07, 2012 9:00 pm

Re: Post Pen Test Hack Question

sil wrote:On the flip side of this, the reality is, if someone compromised a glaring vulnerability, chances are the tester sucked (for lack of better words). Sorry I call it how I see it. In an instance where this occurs (you do a test and leave gaping holes) kiss any future business goodbye as well as introducing a huge black eye on your company. http://mailman.nanog.org/pipermail/nano ... 48786.html


No need to apologize. I was speaking from the perspective of someone competent doing a reasonably thorough job given whatever circumstances. If you're negligent or incompetent, events will unfold exactly as you described.
The day you stop learning is the day you start becoming obsolete.
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 08, 2012 8:01 am

Re: Post Pen Test Hack Question

alucian wrote:What stroked me is that the auditory ones will not start a project unless they have at least 80 - 90 % of the information and skills.


I will share with you guys a gig I did about 3 weeks ago. Went to another state to perform an assessment slash test against a videoconferencing system. Client is a financial trading information powerhouse whose revenue is in the billions. Premise for the test: "We get on conf calls with the SEC, we want to make sure our conference is secure, untappable, etc. We are using X system." Nothing else was given to me.

I was NOT able to arbitrarily plug in anything without their IT staff getting a whiff of things and literally running to the location where a device was plugged in. I had zero knowledge of the infrastructure outside of: "this is the vendor we use, this is how we make these teleconference calls...."

Under 5 minutes... Trusted laptop on the network, bootable operating system, no DHCP, sniffing the network. Seriously? ... Nice MAC addresses flying by in tcpdump, think I will take one. No MIS guys running to find a rogue device. Teleconferencing? Game over. Credentials were horrible. Gone in under 3-5 minutes. Could I have escalated - sure, but I was only there focusing on the video/voip side of the equation but I mentioned it to them.

Moral of the story: Know your systems and protocols. Had I not understood how voice and video worked, I would likely have been intimidated and not known where to begin. Had I not understood how switching, routing, VLANs work - I would not have been able to sniff, hijack a MAC and get on the network. Had I not understood matters of timing, any password cracking would have been detected from excess packets flooding the network. Had I not had the ingenuity to create a quick targeted wordlist, I would not have gotten the password and credentials. I sat down and in less than a maximum of about 15 minutes, I had access to do whatever an admin did to their teleconferencing system. As an attacker I could have re-routed the registrar to a rogue server, recorded the calls, taken pictures of anyone in a call and so on. What's the big deal you ask? Imagine a conference call before earnings are reported where I was recording. One could make millions, take a company out of business, and so on and so forth.

End of the day, I made my report based on 2 days at the client. I was not allowed to perform a full blown penetration test as many departments had to be involved and the original individual tasked with the test was out of office so the coordination to do the test never came to fruition. They however were spooked enough to understand I needed to really go no further from there. On a conf call with an entire security team, many of whom are visible in the industry (I know of them, the books they've written, what colleges they TEACH at, etc.), not one challenged me on anything I said. I was able to explain the technical risk and swap into the management scope of risk management.

Experience is everything. Not a cert, not a college. When you're comfortable standing your ground with any security engineer, then you're ready to do consulting on your own. When you don't necessarily need to do any research in a quick scenario like this, then you're at the top of the game. I am fortunate enough to be such a pain in the ... that I have been able to collaborate with, talk with, learn from some of the top in the industry (and I mean top). This comes from years upon years upon years of studying and dabbling in the industry.

As for money, it comes with the territory. It's not everything; there are times I am more curious and in a tinkering kind of mode for the sake of STILL learning something. Those times I can lower a price if I see a benefit (learning something new, testing a unique environment, etc.). Last thing I do though, is ever bite off more than I can chew. If I have trouble understanding a concept or technology, I take a step back rather than make an idiot out of myself pretending to be able to do something I can't. I had to avoid a test that was out of my league that involved satellites, yachts (really big mega millionaire type yachts) and a whole bunch of marine communications. I had to avoid an ATM (airline traffic management) test because it's a whole different ballgame. Know your limits, be truthful with yourself. If you have to ask one too many questions and are shaky going into an environment, you might not be ready for this type of work yet.
ZeroOne

Jr. Member

Posts: 59

Joined: Tue Apr 24, 2012 7:41 am

Post Fri Jun 08, 2012 12:06 pm

Re: Post Pen Test Hack Question

sil wrote:... Nice MAC addresses flying by in tcpdump

That line cracked me up ;D
sil

Hero Member

Posts: 551

Joined: Thu Mar 20, 2008 8:01 am

Location: ::1

Post Fri Jun 08, 2012 12:37 pm

Re: Post Pen Test Hack Question

ZeroOne wrote:That line cracked me up ;D


Zero switchport security (their entire innards were Cisco down)
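As an added example (not code from anyone in this thread), here is the defender-side check for the condition sil describes: a cloned MAC that suddenly answers on a second switchport when port security is absent. It assumes the Cisco IOS MAC-flap and port-security syslog message formats and runs over constructed log lines.

```python
import re
from collections import defaultdict

# Cisco IOS syslog formats assumed for the two events of interest: a host MAC
# flapping between ports (a cloned MAC now seen on a second port) and a
# port-security violation (an unknown MAC arriving on a locked port).
MACFLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)
PSEC_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-f.]+) on port (?P<port>[^\s.]+)"
)

# Constructed sample syslog lines (not captured from any real switch).
SAMPLE_LOG = """\
Jun  8 09:01:12 sw-core-1 1234: %SW_MATM-4-MACFLAP_NOTIF: Host 0019.5b11.22aa in vlan 40 is flapping between port Gi1/0/7 and port Gi1/0/22
Jun  8 09:01:13 sw-core-1 1235: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/22, changed state to up
Jun  8 09:01:40 sw-core-1 1236: %SW_MATM-4-MACFLAP_NOTIF: Host 0019.5b11.22aa in vlan 40 is flapping between port Gi1/0/22 and port Gi1/0/7
Jun  8 09:02:05 sw-edge-3 0877: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0019.5b11.22aa on port GigabitEthernet1/0/22.
"""

def analyze(log_text):
    """Return {mac: set(ports)} for flapping hosts and a list of (mac, port) violations."""
    flaps = defaultdict(set)
    violations = []
    for line in log_text.splitlines():
        m = MACFLAP_RE.search(line)
        if m:
            flaps[m["mac"]].update({m["p1"], m["p2"]})
            continue
        m = PSEC_RE.search(line)
        if m:
            violations.append((m["mac"], m["port"]))
    return flaps, violations

def suspected_mac_clones(log_text):
    """MACs seen on more than one port: the signature of a cloned MAC on an unsecured port."""
    flaps, _ = analyze(log_text)
    return sorted(mac for mac, ports in flaps.items() if len(ports) > 1)

if __name__ == "__main__":
    flaps, violations = analyze(SAMPLE_LOG)
    for mac in suspected_mac_clones(SAMPLE_LOG):
        print(f"ALERT: {mac} seen on ports {sorted(flaps[mac])}")
    for mac, port in violations:
        print(f"port-security blocked {mac} on {port}")
```

With port security enabled the second event fires and the port is shut or restricted; without it, the MAC-flap notice is the only trace the switch leaves.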
impelse

Hero Member

Posts: 585

Joined: Mon Feb 16, 2009 3:40 pm

Post Fri Jun 08, 2012 4:58 pm

Re: Post Pen Test Hack Question

Sil, I like your post. Know your protocols, your limits, be curious, good. Thanks for your experience.
CCNA, Security+, 70-290, 70-291
CCNA Security
Taking Hackingdojo training

Website: http://blog.thehost1.com/
Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Sat Jun 09, 2012 10:24 am

Re: Post Pen Test Hack Question

Man the "CISSP" and "Backtrack CD" in the same sentence made me chuckle.  It is not just security that they screw up.  I have dealt with some as "Infrastructure Architects" spouting off about how iSCSI is an up-and-coming tech for the SAN storage on a VMware infrastructure.  Sadly the world is full of charlatans and snake oil salesmen.  The best thing one can do is learn to smell the BS.  Also some have just been doing the same job for so long that they feel they don't need to educate themselves.  I was on a con call with an IR company and when asked about the network, the senior manager for the networking team spoke up and said, "yes we are segmented, we have different domains between the business units"  /facepalm 
Certs: GCWN
(@)Dewser
dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Sun Jun 17, 2012 6:53 pm

Re: Post Pen Test Hack Question

It's also interesting when the client provides documentation, but things like the network diagrams are out-of-date and inaccurate. It's like starting with negative information; starting from scratch would put you ahead in those situations ;)
The day you stop learning is the day you start becoming obsolete.