Received this comment on Val's post:

"Submitted by Anonymous on Tue, 01/04/2011 - 09:33.
The problem with pentesters phishing ...
The problem with pentesters phishing ... is that it does more harm than good for the organization. Without the education piece following a phish, you set up the organization to ban the practice."

Phishing and client-side attacks have been going on for far too long to not allow your testers to use them during a test.**
So on one hand you are correct, every phishing exercise done either by an internal team, pentester, or attacker should be followed by an education piece by your internal security/IT team. Every phishing attack is an opportunity to retrain users.
On the other hand, it's how people get in. To broadly call it useless because 1. you are too lazy to educate your users after the fact or 2. you didn't think ahead enough to require the PT shop to leave you with education materials or follow up the phish with an education piece doesn't mean it lacks value.
Like I mentioned in the previous post, you need to know how you are going to stand up in realistic scenarios. Does one client-side 0day leave your whole network open to all sorts of badness? You need to know.
**This is assuming that the company's maturity level supports doing a phishing exercise. If your internal security just plain sucks, then you could probably win the argument that no phishing should be conducted, but I would counter with: why are you getting a pentest in the first place if things are that bad? Use those consulting dollars to have the consultant help you with your risk plan, internal vulnerability scanning/patching program, workstation/server hardening, or teaching you how to scan your internal assets yourself. To steal a Nickerson analogy... "how do you know you can put up a fight if you can't take a punch." BUT that doesn't mean you start out getting your ass kicked by starting training with [INSERT MMA BADASS HERE] instead of working your way up.