Hi Jeffrey et all,
I fully agree with what you wrote in the email, but only if that was
agreed in the pen-test contract. It can be that the critical data is not
meant to be covered, even with a NDA.
In general, it should be enough to demonstrate that the pen-tester is able
to reach complete system compromise, because this means that he/she will
be able to get/tamper/delete any information in the system(s) affected.
But there's one important point you haven't mentioned: system misuse.
It can be launching attacks from the compromised systems, storing nasty
images/videos/warez in their webservers, etc. In any case you can
seriously (even legally) harm the victim company.
To do that, the attacker need ONLY system compromise, and he/she doesn't
care about the company's information assets.
Cheers,
Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG
PD: kudos to Debasis, excellent paper.
Jeffrey Denton <dentonj@gmail.com>
11/12/2004 09:31
Please respond to Jeffrey Denton
To: Debasis Mohanty <mail@hackingspirits.com>,
pen-test@securityfocus.com
cc: (bcc: Miguel Dilaj/PH/Novartis)
Subject: Fwd: Article Announcement - Demystifying Penetration
Testing
Jeffrey wrote:
This presentation is targeted for all security practitioners (i.e.
Security
Officers / Sys Admins / Security Auditors / Security Enthusiasts.etc).
This
presentation will give a clear picture on how pen testing is done and
what
are the expected results. Various screenshots are provided as a proof
of
concepts to give a brief picture of possible end-results.
Nice, but it doesn't cover the "So what?" question.
{excellent considerations skipped}
