How to Cheat at Managing Information Security

The purpose of this chapter is to:
Provide a working definition of penetration testing (pen testing) and show how it differs from a hacker attack
Outline a methodology and overview of the techniques for doing pen tests
Describe the paperwork you need to protect yourself
In 1996, when pen testing was very new to the commercial world and covert pen testing was unheard of, I was part of a team that was doing a covert test on a major securities business in Luxembourg.
It was one of the best jobs of my life. Knee-tremblingly exciting work, three weeks in a five-star-plus hotel, flying back home every Friday afternoon on business class flights with free champagne a real consultant s dream.
But the client really got their money s worth. After about two weeks we had hacked our way into everything (apparently one of the systems directly affected the Dow Jones and various exchanges), but it wasn t difficult. The Solaris boxes all ran unsecured NFS, RLOGIN, with Rhosts files on NFS-mountable home directories. It was really adventurous to do a Mitnick-style hack at a time when most of the full details of his exploits were not public. Even the IBM mainframe had a user named IBM with a password of IBM.
Eventually, we called up the head of security and invited him over to where we were working to show him the bad news. He wasn t able to come at once, so we busied ourselves while we waited, trying new tools and...