robertray

Interesting blog post about Pen testing

Recommended Posts

Bluntlee

Enjoyed the read. Thanks for the link. I strongly agree with the part about getting past the million-dollar security by just going straight to the user on the other side. B)

kojack

Good read. However, I strongly disagree with the point that "nothing is out of scope". Pen testing is always limited in scope by what is agreed on at the beginning of the engagement. Going beyond the agreed-to scope leads to enormous liability for the testing professional. In my opinion, if you go outside of the scope you have broken a legal contract and are borderline criminal.

That being said, all engagements should include a full network VA. Vulnerabilities found during that phase should be reported. The only exploits that should be attempted are those against the systems "in scope".

I completely agree that the "human elements" should always be tested. However, this must be done in a way that does not lead to embarrassment of those who fail the test. We are trying to educate people through our efforts not alienate them.

robertray

I agree with what you have said, Kojack, about the human elements and not alienating them. This is true of all technology training: you should be looking for "buy-in".

I am sure a private chat after a fail would be best, followed by additional training and advice, perhaps taken from the point of view of them doing better to protect themselves personally and not just from a business point of view. Good practice at home will carry over into the workplace, I think.
