Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Fwd: Article Announcement - Demystifying Penetration Testing

from [Christopher Adickes] Network Security [Permanent Link]
Subject: RE: Fwd: Article Announcement - Demystifying Penetration Testing
Date: Mon, 13 Dec 2004 09:51:11 -0500 
Can someone please resend the link to the paper.  I seemed to have deleted
it.  I am very interested in reading it after seeing some of the discussion
about it.  

Sorry for the interruption.


-----Original Message-----
From: miguel.dilaj@pharma.novartis.com
[mailto:miguel.dilaj@pharma.novartis.com] 
Sent: Monday, December 13, 2004 3:11 AM
To: pen-test@securityfocus.com
Cc: Jeffrey Denton; Debasis Mohanty
Subject: Re: Fwd: Article Announcement - Demystifying Penetration Testing

Hi Jeffrey et all,

I fully agree with what you wrote in the email, but only if that was 
agreed in the pen-test contract. It can be that the critical data is not 
meant to be covered, even with a NDA.
In general, it should be enough to demonstrate that the pen-tester is able 
to reach complete system compromise, because this means that he/she will 
be able to get/tamper/delete any information in the system(s) affected.
But there's one important point you haven't mentioned: system misuse.
It can be launching attacks from the compromised systems, storing nasty 
images/videos/warez in their webservers, etc. In any case you can 
seriously (even legally) harm the victim company.
To do that, the attacker need ONLY system compromise, and he/she doesn't 
care about the company's information assets.
Cheers,

Miguel Dilaj (Nekromancer)
Vice-President of IT Security Research, OISSG

PD: kudos to Debasis, excellent paper.






Jeffrey Denton <dentonj@gmail.com>
11/12/2004 09:31
Please respond to Jeffrey Denton

 
        To:     Debasis Mohanty <mail@hackingspirits.com>,
pen-test@securityfocus.com
        cc:     (bcc: Miguel Dilaj/PH/Novartis)
        Subject:        Fwd: Article Announcement - Demystifying Penetration
Testing


Jeffrey wrote:

This presentation is targeted for all security practitioners (i.e. 

Security

Officers / Sys Admins / Security Auditors / Security Enthusiasts.etc). 

This

presentation will give a clear picture on how pen testing is done and 

what

are the expected results. Various screenshots are provided as a proof 

of

concepts to give a brief picture of possible end-results.


Nice, but it doesn't cover the "So what?" question. 


{excellent considerations skipped}
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Laptop Considerations, Munoz, Hector
Next by Date:  RE: Laptop Considerations, Kris Wingard
Previous by Thread:  Re: Fwd: Article Announcement - Demystifying Penetration Testing, miguel . dilaj
Next by Thread:  XP RDP event log 682 ?, BillyBob
Indexes:  [Date] [Thread] [Top] [All Lists]