How to Cheat at Managing Information Security

Chapter 12: Network Penetration Testing

Overview

The purpose of this chapter is to:

  • Provide a working definition of penetration testing (pen testing) and show how it differs from a hacker attack

  • Outline a methodology and overview of the techniques for doing pen tests

  • Describe the paperwork you need to protect yourself

Anecdote

In 1996, when pen testing was very new to the commercial world and covert pen testing was unheard of, I was part of a team that was doing a covert test on a major securities business in Luxembourg.

It was one of the best jobs of my life. Knee-tremblingly exciting work, three weeks in a five-star-plus hotel, flying back home every Friday afternoon on business class flights with free champagne a real consultant s dream.

But the client really got their money s worth. After about two weeks we had hacked our way into everything (apparently one of the systems directly affected the Dow Jones and various exchanges), but it wasn t difficult. The Solaris boxes all ran unsecured NFS, RLOGIN, with Rhosts files on NFS-mountable home directories. It was really adventurous to do a Mitnick-style hack at a time when most of the full details of his exploits were not public. Even the IBM mainframe had a user named IBM with a password of IBM.

Eventually, we called up the head of security and invited him over to where we were working to show him the bad news. He wasn t able to come at once, so we busied ourselves while we waited, trying new tools and...

UNLIMITED FREE
ACCESS
TO THE WORLD'S BEST IDEAS

SUBMIT
Already a GlobalSpec user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your GlobalSpec Experience

Category: Chart Recording Paper and Consumables
Finish!
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.