No Tech Hacking

Comments

  • dtlokee Member Posts: 2,378
    Your experiences are different from mine and I will leave it at that; if you want to continue this, PM me.
    The only easy day was yesterday!
  • sprkymrk Member Posts: 4,884
    sexion8 wrote:
    On the one hand he wrote:
    We choose not to tip off the admins because if they are on heightened alert and securing their systems it does not represent a true measure of normal operating conditions.

    On the other he stated:
    but there are typically going to be systems they cannot afford to have compromised or the potential for a pen test against to take it offline which sometimes happens.

    So here I inferred: "We test all the machines without admins knowing because we want to see a real world view... BUT, because some machines can be taken offline during the course of the pentest, the customer might not want this. Bottom line, if you're not going to test them in this fashion, you're going to have skewed results; how realistic of a pentest is it?"

    Ok, I'm not going to say I speak for dtlokee, as he apparently prefers to take this offline. However, I have to state that for myself I think you "inferred" incorrectly and drew conclusions that are not accurate.

    There is a "preferred" method - that of not tipping off the admins. This way you get a realistic view of things as they are, rather than allowing admins to do stuff like temporarily increase password complexity, remove filters from ACLs that are loose and only used for admin convenience (and reinstated later, after the pentest), turn off remote access, etc. All these things would give the company a false sense of security, not knowing that the admins will go right back to "unsecuring" their systems after the pentest.

    Then there is the "real world" issue of a pen test taking a critical system offline, costing the company not only money but also possibly costing the company's reputation with its own customers. Therefore, a company may agree to a "partial" pen test, knowing that it won't tell them everything, but will still help them to better secure their systems. And if you want to argue that only a "tool monkey" would be so dumb as to DoS or otherwise damage a system during a pen test, then you have just been very lucky. I don't care how great you are, we all make mistakes, or heck, it doesn't even take a mistake to bring down a system; it could be that a system was unstable to begin with and something you do that should have had no effect somehow becomes the straw that breaks the camel's back.

    If I may present my own analogy, would you as a security professional recommend that if I don't subscribe to a monthly monitoring fee, that I should not install better locks on my windows and doors? After all, someone could still break into my house, and if I didn't have an alarm that was monitored by someone 24/7 then why bother upgrading my locks at all? That seems to be the point you are making.
    All things are possible, only believe.