Wednesday, April 30, 2008

Penetration Testing Scheduling


There is a thread over on the pentest list about Penetration Testing Scheduling
http://seclists.org/pen-test/2008/Apr/index.html#135

The question posed was "I've heard a lot of folks say that telling your customers exactly when you will begin the testing is not suitable, but I'm not sure as to why they that... Can anyone define for me the right approach? -- Do you plan the assessment and let them know it's within a week or so, or do you simply inform them the date and time specifically?"

The obvious answer to this question is that it depends on scope and ROE.

If the client is testing to see how far you can go with a single shell/vulnerability/phish attack, or how/if an IDS/Incident Response team reacts to your scans or attacks, then it wouldn't make sense to tell them your hours of operation. Your "guy" inside should probably know what's going on or be able to call you to do deconfliction if necessary, but in that situation you certainly wouldn't want the email going out to all users or all admins to ignore all malicious traffic coming from IP W.X.Y.Z.

There is also good reason not to give specifics because people tend to go on their patch frenzy right before or, even worse, during your pentest. Nothing sucks more than coming back the next day to see a vulnerable host was patched overnight when it was some old ass exploit like 06-040 or DCOM. Hope you already did all your data mining!

But, if you are there to find EVERY damn vulnerability you can find, everyone knows you are there, and you are probably going to run with credentials to check patch versions and whatnot, then I wouldn't see any reason not to tell people your schedule to minimize any undue stress or freaking out by the IDS/IH team.

The first two examples simulate a determined attacker and aren't necessarily there to find EVERY vulnerability on a network. I personally feel most organizations can get most of the low hanging fruit like that themselves by running Nessus or vulnerability scanner X on their network. You don't need to bring someone in to run Nessus, but I'll gladly do it and take your money.

A pentest should be another set of eyes to see what you missed, to see what can happen once that initial foothold is gained, or to test the "exploitability" of vulnerabilities, things that scanners cannot and do not do.
CG
