Re: Need Some Guidance Please

From: Aarón Mizrachi (unmanarcgmail.com)
Date: Wed Apr 29 2009 - 12:02:10 CDT


On Sunday 19 April 2009 15:09:10 Elizabeth Tolson wrote:
> THANKS EVERYONE!!!! I really received some valuable information.
>
> One thing I did not state clearly --- when this guy "Ethically Hacked"
> without employees knowing it, he did it with the permission of the CEO
> or owner of the company. Apparently, he meets with the CEOs and they
> are the only ones aware of his Pen Testing.

This has a name:

perfect external blackbox pentesting audit.

---------------------------------------

* Perfect: Because the IT department is also tested on its natural response,
and the conditions are good. This must also be tested in a pentest. Today, you
must evaluate the IT security team's response, not only the "patched or not
patched" state of the devices.

If the IT department were told about the attack in advance, it could
"over-react" and distort the test result.

* External: because it is done by an outside person.

* Blackbox: Completely blind attack, simulating an attacker.

----------------------------------------------

Finally, a real attacker would not ask the IT department about their
actions...

----------------------------------------------

Who needs to know about it?

- The CEO, in conjunction with the legal department

----------------------------------------------

What terms are commonly involved?

- To protect company operations, attacks should not involve "Denial of
Service".

----------------------------------------------

What protections should the pentester take?

- Use anonymizing mechanisms to prevent actions against him while the pentest
is being executed.

- The CEO must redirect all legal actions to the legal department.

----------------------------------------------

Is it ethical for the CEO not to say anything during the pentest?

There could be an intense debate... I think yes and no. But it could be
reasonable because a real hacker will never ask you before an attack.

----------------------------------------------

What are the final risks on both sides (CEO and pentester)?

- For the pentester: If something happens during the pentest, the pentester
has to be over-protected by legal documents (from NDA to permissions). But it
also has to be considered that these servers could already be hacked, and it
is difficult to prove whether any damage was caused by the pentester, by a real
attacker, or even by internal people.

- For the CEO: Their company has to be prepared with an "information recovery
plan" in case something goes wrong. And keep this in mind: something could go
wrong.

----------------------------------------------

Can the owner of the company ask for a pentest?

- Short answer: NO, not directly (better: should not directly).
- Answer: owners means shareholders. First of all, you have to be the "legal
control" of the company; then, the right way is to plan this with the CEO and
the legal department.

This is like the owner of the company liking to play with fire and burning
down their own company for fun. In some countries this could be taken as
"deliberate bankruptcy", and the owner/director assumes the legal consequences.

----------------------------------------------

Is this pentest a silver bullet?

No.

This is a perfect blackbox pentest, and it is a blind pentest. The logical way
to protect your company is to do this:

1.- A perfect blackbox pentest (Then: inform, and solve detected issues)
2.- A blackbox pentest (Then: inform, and solve detected issues)
3.- A whitebox pentest (Then: inform, and solve detected issues)
4.- Do an exhaustive audit; something like ISO 27001 should work. Make the
documents, plans, etc. (Then: inform, and solve detected issues)
5.- Audit code, internal applications, and more. (Then: inform, and solve
detected issues)
6.- Repeat steps 1, 2, 3 periodically. And repeat steps 4 and 5 when required.
7.- Periodically audit the documents against reality (completely whitebox)
8.- Have people dedicated to following the plan (updates, checks, etc.)

****
Not a definitive guide, because every company has its own priorities. Step
zero is to measure the risk of information security hazards, calculate
probabilities, and adjust a budget...

----------------------------------------------

What can you do to get a balance between all your worries?

1. As CEO, inform your IT department that this test could happen yearly
without any notice. Then, this can increase the response and responsibility
over real attacks, because the IT department doesn't know when it is an
exercise or not.
2. Prepare a disaster recovery plan and backup policy. This is very important,
because you will delegate some legal rights to the pentester that could expose
your platform to unexpected stress, and if something goes wrong... you, as a
company, must be prepared (also... this is the final objective, to be
prepared, because a real attacker will not take any considerations)
3. Then... hope for the best

>
> Anyway, I do appreciate the advice. Yes, I did receive my fair share
> of questions of "Do you know this ...... Do you know that ..... Do you
> know how to do this ........ Do you know what xxxxxxx means, etc."
> Sometimes I find that computer geeks run hot and cold --- many are so
> eager to help others and on the other hand, many want to feel that
> they are the only ones who can do a certain job or should be the only
> ones doing a job. Again, I really appreciate all the advice you all
> gave me.
>
> Someone asked about experience. That is the one thing I am REALLY
> lacking in. However, I feel I can safely say that no one on this list
> was born knowing how to PenTest --- you learned somehow and
> somewhere....... and that is what I am doing now.
>
> I graduated from College with a Bachelors Degree in Social Work. For
> 20 years, I have been a Child Protective Social Worker, an Adult
> Protective Services Social Worker, and now I am a Social Worker for
> the Terminally Ill. The abuse was bad enough of Children and Elderly,
> but now I lose several clients per month and burn out has set in. Oh,
> not to mention the pay --- after 20 years, last year I finally made
> over the $30,000.00 salary.
>
> Two years ago, I started taking Information Security Courses at the
> Community College knowing I wanted a change. Computer Forensics has
> always interested me --- and I wanted to see what Computer Security
> was all about. From those courses, I became Security+ Certified and
> Network+ Certified.
>
> I decided to pursue my Masters --- either get a teaching job or
> something. The Community College suggested that I get an Associates
> in Info Sec, then transfer and get a Bachelors in Info Sec and then
> pursue my Masters. I knew that if I did that -- and work full time, I
> would be in a nursing home when I graduated!! So I decided to jump
> right in and get my Masters.
>
> EVERYONE in my classes works in some sort of Computer Security Field
> --- either at the Pentagon, Lockheed Martin, Military Bases, or Banks,
> etc. I attend Capitol College in Laurel Maryland. My classes have
> been Network Security, Internal Protection, Computer Forensics,
> Malware, Cryptography, Wireless Security, Applied Wireless Security,
> Complimentary Security, Computer Security Risk Management, Perimeter
> Protection, and Internet Law. I have a 3.97 average.
>
> One thing about me --- I am stubborn --- when someone tells me I
> cannot do something, I dig my heels in and work my tail off to do it.
> That is what I have done at Capitol ---- where some people study three
> hours a week, I have to study 10 because I am not as well versed as
> they are. The labs are coming easier for me, but to begin with, they
> were HARD!!!!!
>
> I will get a better job --- I am determined ---- I know it will be at
> an entry level but I will do it!!!!!

I'm sure that you will :-)
Many congratulations on your degree. Persistence and determination make
good people and good professionals.

>
> I will keep you all posted on my next steps.
>
> Thanks friends.
>
> Elizabeth
>
>
> On Fri, Apr 17, 2009 at 10:11 AM, Elizabeth Tolson
> <elizabethtolsongmail.com> wrote:
> > Hi Everyone:
> >
> > I am finishing up my Master's Degree in Information Assurance from
> > Capitol College. I had one Penetration Testing Class which I really
> > enjoyed.
> >
> > I have done some research on Pen Testing and this seems to be
> > something that I might be interested in doing.
> >
> > During my research, I saw someone who was a Licensed Pen
> > Tester/Consultant. Basically, he was hired by companies -- anywhere
> > from banks, law firms, accountants, merchants, etc --- to conduct pen
> > testing. He would "ethically hack" without the employees knowing it.
> > He would also do some pen testing via social engineering. He would
> > conduct Pen Testing during different hours of the day and night to
> > discover vulnerabilities, etc. After the testing, he would submit a
> > report to the president/owner of the company with suggestions on
> > making his network a stronger, more secure network.
> >
As I said before, this is a perfect blackbox pentest, but legally it could
have some issues if something goes wrong, and you have to be over-protected by
a contract.

This type of pentest is typically contracted when the IT department says that
their security measures are the best.

> > Does anyone do this as a consultant? Or, is this guy blowing smoke
> > and this is not a "real job". I have seen some companies that do
> > this, but have not seen any individuals who do this.

It could be a real job. The company model decreases your income, but has two
principal benefits:
- it protects you, because it is a legal barrier between the company and you
as pentester.
- it gets more clients... this is because pentesting/security companies
generally have a sales department...

Doing this as an individual over-exposes you to legal responses, but it is
perfectly possible. And your income will be great if you have sufficient CEO
contacts. ALSO _you have to consider that lawyers cost money_, and it is a
matter of probabilities whether you end up in front of judges.

> >
> > Also, if I am interested in pursuing Pen Testing, what certs would you
> > recommend. What additional training would you recommend. What books
> > would you recommend?

There... CISSP and Ethical Hacker.

Cisco also offers other security certifications for their platform, but only
if you are interested in specializing in Cisco.

> >
> > Thanks a lot.
> >
> > Elizabeth
>

good luck!

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Tired of using other people's tools? Why not learn how to write your own exploits?
InfoSec Institute's Advanced Ethical Hacking class teaches you how to write stack and heap buffer overflow exploits for Windows and Linux. Gain your Certified Expert Penetration Tester (CEPT) cert as well.

http://www.infosecinstitute.com/courses/advanced_ethical_hacking_training.html
------------------------------------------------------------------------