Avoiding Pentest DOOM

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Sep 24, 2012 12:36 pm

Avoiding Pentest DOOM

I just had a blog post I wrote published at the SANS Pentest Blog entitled Avoiding Pentest DOOM: Protecting Customer Data, where I discuss several ways you may be violating NDAs or mishandling customer data, along with well-defined solutions for addressing these very common failings. Check it out and tell me what you think.

http://pen-testing.sans.org/blog/2012/0 ... tomer-data
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Sep 24, 2012 12:56 pm

Re: Avoiding Pentest DOOM

Good read...  Loved the opener:

"They want you to simulate a real attacker which means you can harvest credit card numbers and sell them on carder forums, post their password hashes on Pastebin and tweet about how lamebrain they are. Right?"

I've seen too many pentesters who do NOT safeguard the customer data, before / during / after a test, and in ONE case that I can recall, they got hammered for it, in the end, because said data DID get leaked.  I think you're spot on with your recommendations.   :)

(Edit - in the paragraph below, I'm referring to physical copies, as well as digital)

The one thing I'd add is that, when I complete a test, I completely destroy EVERY copy I have of ALL the data, including the end report.  Once I've delivered it to the customer, whether in writing, face-to-face presentation, or BOTH, I completely remove any copy I had in my possession.  Additionally, all of my tests (where applicable) are done from VMs, which are destroyed afterwards.  If my own physical machines are used, I wipe them clean following the engagement.  The ONLY time a machine remains in existence is if it's their own (when I'm doing whitebox tests simulating employee access, etc.), though while I won't fdisk THEIR machines, I still remove all copies of anything I've done while using their box(es).

I make it very clear to them that they have the ONLY copies of ANY data that remains, and as such, if they require me to re-test anything, in the future, it's their responsibility to present said data to me, if in fact, re-testing 'specific' past issues is in scope.   Otherwise, I approach them as a fresh customer, for every future engagement.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Sep 24, 2012 2:13 pm

Re: Avoiding Pentest DOOM

Agreed Hayabusa, but there are instances where the contract stipulates the pentester maintain copies of the report and associated notes for a predetermined period. We do this sometimes because we get 3 or 4 months into a remediation cycle and someone has a question about a particular finding, and I know of some organizations that have to do this because remediation cycles are horrendously long, think Big Pharma for instance. Pentesters can't always remember why a particular finding wound up in the report, especially if it was a less than stellar report, but if they can go back to tool output or notes, packet captures, etc., they can provide additional clarification around the issue or at least provide enough context where the organization can make a conscious risk decision regarding the finding. Ideally, sufficient context goes into the report to make this a non-issue, but ops will frequently look for any reason to not have to fix whatever it is we are telling them to fix. I'd prefer it always be like you said, but the reality is the operational side of the business doesn't always feel we are on the same side. Antagonistic relationships can develop, especially when you are calling someone's baby ugly or asking them to do more work.

It's probably the best idea to have the pentest firm destroy all data and require all associated notes, pcaps, etc. be delivered to the customer as part of the deliverable package (but not in the report). I have been known to change requirements around depending on who was conducting the test or which assets were within the scope, as a conscious risk decision (external business partner stakeholders, scope too narrowly defined that doesn't take into account other contextual activities, etc.).

RoleReversal

Hero Member

Posts: 928

Joined: Fri Jan 04, 2008 8:54 am

Location: UK

Post Mon Sep 24, 2012 2:53 pm

Re: Avoiding Pentest DOOM

Thanks for sharing the advice; and perfect timing, been meaning to look at improving data retention/destruction provisions, this should be a great foundation.

With regard to destroying data once the report is in the client's possession, how do you handle clients losing/forgetting the report and then claiming you didn't fulfil the contract if you can't provide deliverables down the line? It's the biggest argument I've encountered against destruction of data. I'm assuming project sign-off etc., but curious to know if there are other options I've not thought of.

And I'll apologise now, but I will be stealing Resume Generation Event for future use :)

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Sep 24, 2012 3:14 pm

Re: Avoiding Pentest DOOM

Andrew Waite wrote:
With regard to destroying data once the report is in the client's possession, how do you handle clients losing/forgetting the report and then claiming you didn't fulfil the contract if you can't provide deliverables down the line? It's the biggest argument I've encountered against destruction of data. I'm assuming project sign-off etc., but curious to know if there are other options I've not thought of.

And I'll apologise now, but I will be stealing Resume Generation Event for future use :)


Yep Andrew, like anything else, requirements may vary from engagement to engagement. Some customers will want you to retain data for a year; others may require that it never leaves the customer site, with all testing done from corp-owned machines, and pay more to allow you to write the report onsite, providing a machine to do so.

As for the RGE line, I think that came from a DR class I took several years ago when I worked in state govt. I've used it ever since. :)

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Mon Sep 24, 2012 3:29 pm

Re: Avoiding Pentest DOOM

Interesting read, thanks.

With regards to report retention (subject to client requirements), I found the following advice from Andrew Waite useful:

From experience it can also be wise to hash and document any reports provided to clients; I've once been asked by senior management to justify a finding/recommendation that had been edited by an IT team to support their business-political viewpoint.

http://www.ethicalhacker.net/component/ ... /#msg50675


Although this would be mitigated by the advice already mentioned, I feel it's worth mentioning for those that may not know. When using a VM any files moved between the guest and host are stored in a temporary location on the host that doesn't clean up after itself:

http://pauldotcom.com/2012/08/penetrati ... e-vmw.html
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
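The "hash and document" advice quoted above, as an added example that is not code from this thread or from Andrew Waite: at sign-off the tester records a SHA-256 manifest of the delivered report files and keeps it with the signed acceptance; if a client later produces an edited copy, the manifest shows exactly which file no longer matches. File names and the finding text are constructed samples.

```python
"""Hash and document a report deliverable so an altered copy can be detected later."""
import hashlib
import json
import os
import tempfile

def sha256_file(path, chunk=1 << 20):
    # Stream the file so large pcap bundles do not have to fit in memory.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    """Return {relpath: status} for files that were modified, went missing or were added."""
    current = build_manifest(root)
    result = {}
    for rel, digest in manifest.items():
        if rel not in current:
            result[rel] = "missing"
        elif current[rel] != digest:
            result[rel] = "modified"
    for rel in current:
        if rel not in manifest:
            result[rel] = "unexpected"
    return result

def demo():
    """Constructed sample: a report is delivered, then one finding is edited after delivery."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "report.txt"), "w") as f:
        f.write("Finding 1: default credentials on admin portal. Severity: High\n")
    manifest = build_manifest(root)
    manifest_json = json.dumps(manifest, indent=2, sort_keys=True)  # store with the sign-off
    with open(os.path.join(root, "report.txt"), "w") as f:
        f.write("Finding 1: default credentials on admin portal. Severity: Low\n")
    return verify_manifest(root, manifest), manifest_json
```

Keeping the manifest (or a signed copy of it) alongside the acceptance record is what turns the hash into evidence; the manifest alone proves nothing if it can be regenerated from the edited files.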
hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Sep 24, 2012 4:10 pm

Re: Avoiding Pentest DOOM

Danged session timeouts...  yet another longer post lost...  (Retyped in wordpad, and transferred in)

@Andrew - it's signed off on by the highest level management at the customer, who is responsible for the contract negotiation, and ultimately, the pentest.  (Preferably the CEO / CIO, but if it's work being contracted below their level, then the highest level manager in the chain.)

@tturner - I agree with you.  If a client explicitly requires I keep a copy of their data, so be it.  I'm not in the business of turning down business, over something like this.  I just strongly emphasize that my preference is to NOT retain ANY data.

I DO have reasons for being so adamant with my clients about this issue.  While I've NEVER had it come to a head over a pentest, or professional client data, of my own, I HAVE personally been involved with law enforcement cases, where the simple possession of digital / printed information, even remotely related to a case, was enough that law enforcement pointed fingers at an innocent party.  (Credit card fraud, child pornography case)

When I say possession of, I refer to, very literally, the sheer ownership of a computer, and the fact that it COULD have been used to perpetrate a crime, with NO pre-existing evidence that it had.  Because the crime was IT-related, and the innocent party's name was even remotely involved (their credit card had been stolen, and used to open a child pornography site), I witnessed law enforcement confiscate EVERY piece of electronic equipment and media (including those that could NOT hold evidence) from them.  The innocent party was left to prove their own innocence, because law enforcement very literally had no clue what they were doing in said investigation.  I watched the involved parties get dragged through the mud.  Even when I was brought into the investigation by the authorities, in order to help them gather information, when I proved the party wasn't involved, they continued to hold the materials until their 'investigation' concluded.  Said investigation caused the innocent party's property to be held for almost 3 months, even when I showed, without a shadow of a doubt, that they could have had no involvement, by the end of day 3.  (I literally handed law enforcement the IP addresses and names of the real perpetrator, from ISP records, research, etc., and was later told that jurisdiction on the case, from that point on, took any and all visibility away as to whether they arrested the real offender.  From what I have later learned from others in the law enforcement community, this isn't as uncommon as you'd hope.)

The point to my story is this...  While not all law enforcement are as anally remiss about how to investigate IT-related crimes, the less responsibility I or my company maintain, and the more that is LEGALLY left in the customer's possession / responsibility, the easier it is to defend in the event of any issues.  That's not to say we STILL won't ever end up having to deal with a similar situation, nor that we absolutely won't hold data from a pentest, but it minimizes the chances of future headache greatly when all i's have been dotted and t's crossed in a legally binding document.

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Sep 24, 2012 4:21 pm

Re: Avoiding Pentest DOOM

m0wgli wrote:
Although this would be mitigated by the advice already mentioned, I feel it's worth mentioning for those that may not know. When using a VM any files moved between the guest and host are stored in a temporary location on the host that doesn't clean up after itself:

http://pauldotcom.com/2012/08/penetrati ... e-vmw.html


That's pretty awesome m0wgli, thanks for the share. Definitely something that needs to be considered. I'll have to check out my own machine when I get to the office. :)

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Sep 24, 2012 4:24 pm

Re: Avoiding Pentest DOOM

PS - also to tturner's point, he mentioned being able to go back and review packet captures, etc., and I completely agree.  In all cases where I am handing over "ALL" data to the customer, said data includes encrypted storage, containing ALL captures, etc, which were taken / utilized in the test.

@m0wgli - agreed with tturner on the great link.  Good share!

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Sep 24, 2012 4:47 pm

Re: Avoiding Pentest DOOM

Also, while on the topic of information handling, tturner should've also posted (or did you, previously in another thread, and I missed it COMPLETELY?) a link to the following:

http://sentinel24.com/blog/?p=134

Titled "Bad Pentest Reports Part 1"

For those who are up-and-coming, this is a good one to pay attention to.

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Sep 24, 2012 5:20 pm

Re: Avoiding Pentest DOOM

I sort of did at http://www.ethicalhacker.net/component/ ... /#msg50370

Thanks for the repost though :)

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Mon Sep 24, 2012 5:32 pm

Re: Avoiding Pentest DOOM

<grin> yep...  Completely missed it...  ::)