Bad Raps for Non-Hacks
Mark Rasch, 2003-06-16

A few odd cases show that you don't have to be a digital desperado to be accused of a cybercrime... particularly if you embarrass the wrong bureaucrats.

Bad Raps for Non-Hacks 2003-06-23
Ferg (1 replies)
You have hit the nail on the head. Any effective penetration test needs to be done without the knowledge of the staff whose equipment is being tested. I can see the network admin now - "Looks like we're getting a VA done over the weekend so I'll turn off my UT2003 server and close the gaping holes in the firewall...."

We may think we're walking on fairly new ground here but look at financial auditing. Does a board of directors ask the permission of their accounts department to do an audit? No. Definitely not. To do so is self-defeating.

In exactly the same way we security professionals should be looking to the top level of an organisation to get a mandate to run tests. In the examples that Mark gave it was the embarrassment that really irked the targets. I like to see lazy admins and poor coders embarrassed. And when they complain to their boss they are told it was them that sanctioned it.

I suggest we look to the PWCs and KPMGs of this world to see how they go about their business when auditing. No need to reinvent the wheel.

Link to this comment: http://www.securityfocus.com/comments/columns/167/20543#20543
Copyright 2009, SecurityFocus