Question
I am planning to engage a vendor to do a pen test on my external systems. I know that a pen test has a set of systematic steps; I would just like to gather some industry experience. Normally, at which stage of the pen test would you most likely stop, to give you enough justification that your system is indeed vulnerable? In my technical requirement specs I could just state, "if you manage to breach, touch a file, make it hidden, etc." and stop. Or I could jolly well say, "prove to us you can get root and then stop the pentest".
What are some of your own experiences in this? Thanks.
Explanation / Answer
The "scope" generally does not state something like "You can't root the machines"; as a client you want to know if this is possible, IMHO. Once root access is acquired it's basically game over anyway.
What the scope should say is the number of servers and their server names / IPs, and that the assessment is restricted to these devices only. This is to prevent the security consultants, once a machine is compromised, from working their way into the rest of the network.
Let's assume that there is a buffer overflow in a daemon or an application. Would you want them to spend time on exploiting this buffer overflow or on finding more vulnerabilities?
Generally, as a security consultant, I explain the situation to the client: given enough time, the buffer overflow could most likely be exploited. I will ask if they want us to continue exploiting this or spend the time looking at other parts of the system.
Also, we report high and critical vulnerabilities immediately and have a daily evaluation of the findings.
Talk to the consultant(s) on a daily basis; communication is key here (something the consultant(s) should do towards their clients anyway, IMHO).
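The answer's point about the scope document listing the exact hosts and IPs, and the assessment being restricted to those devices even after a compromise, is something a testing team can enforce mechanically rather than by memory. The following is an added example, not code from the original answer or from any vendor: a small scope gate that parses a constructed scope list (IPs, CIDR ranges and hostnames, all invented for illustration) and partitions candidate targets into in-scope and out-of-scope before any scan or exploit is launched. An internal address learned from a compromised box is rejected even though it is reachable.

```python
"""Scope gate: refuse to touch any target that is not in the signed-off scope.

The scope text, hostnames and addresses below are constructed for this
example; they are not from any real engagement.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed example scope document: only the client's external systems.
# Lines are IP addresses, CIDR ranges or hostnames; '#' starts a comment.
SCOPE_TEXT = """
# External assessment scope (constructed example)
203.0.113.10
203.0.113.0/28        # public DMZ range
www.example.test
mail.example.test
"""


class Scope:
    """Parses a scope list into IP networks and an exact-match hostname set."""

    def __init__(self, text: str) -> None:
        self.networks: List[ipaddress._BaseNetwork] = []
        self.hostnames = set()
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            try:
                # A bare IP becomes a /32 (or /128); strict=False tolerates
                # ranges written with host bits set, e.g. 203.0.113.10/28.
                self.networks.append(ipaddress.ip_network(line, strict=False))
            except ValueError:
                # Not an address or range: treat it as a hostname.
                self.hostnames.add(line.lower().rstrip("."))

    def allows(self, target: str) -> bool:
        """True only if the target is an in-scope IP or an exact listed hostname.

        Hostnames are deliberately not resolved here: the gate works offline,
        and resolving would let a wildcard DNS entry widen the scope.
        """
        t = target.strip()
        try:
            addr = ipaddress.ip_address(t)
        except ValueError:
            return t.lower().rstrip(".") in self.hostnames
        return any(addr in net for net in self.networks)


def partition_targets(scope: Scope, targets: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split candidate targets into (allowed, rejected) lists, preserving order."""
    allowed: List[str] = []
    rejected: List[str] = []
    for t in targets:
        (allowed if scope.allows(t) else rejected).append(t)
    return allowed, rejected


def gate(scope: Scope, targets: Iterable[str]) -> List[str]:
    """Return the targets if every one is in scope; otherwise refuse to proceed."""
    allowed, rejected = partition_targets(scope, targets)
    if rejected:
        raise PermissionError(f"out-of-scope targets, stop and ask the client: {rejected}")
    return allowed


SCOPE = Scope(SCOPE_TEXT)

if __name__ == "__main__":
    # Constructed target list: the scoped hosts plus two hosts a tester might
    # discover after a compromise (an internal box and an adjacent public IP).
    candidates = ["203.0.113.10", "203.0.113.14", "www.example.test",
                  "10.0.0.5", "203.0.113.20", "intranet.example.test"]
    ok, bad = partition_targets(SCOPE, candidates)
    print("in scope:  ", ok)
    print("rejected:  ", bad)
```

Feed every target list (scanner input, pivot candidates, discovered hosts) through `gate()` before launching tooling; anything that lands in the rejected list is a question for the client, not a target.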