Tuesday, October 27, 2009

Exotic Liability #37 Podcasts and Differences

I enjoyed listening to the last two @exoticliability podcasts from @indi303 and Ryan Jones.

Podcast #37 covered intel gathering for clients, leaky strippers, and leaky consultants saying stupid things on social networks. Having worked with a couple of firms in the past and done some pentesting, I somewhat agree with their general opinion on information / intelligence gathering during a pentest. In both firms I worked with, information gathering usually received about 10% of the budget for the engagement. This was a management decision at those firms, although I'm sure it was flexible.

Looking back, if I were in a management position, I think I would have been cautious about moving the 10% level higher across the board until I saw the value proposition in the results. If we have been doing X and X has been working, why fix it? To be honest, though, the thought of spending more than 10% of an engagement on information gathering never crossed any of our minds. That, in and of itself, is probably an issue. Why not spend 25, 50, or 75% of the engagement on information gathering (or on some other component)? This leads to a bigger question: what is the right amount for any phase of an engagement? Constraints such as target scope, types of tests, and so on would play heavily into this, of course. Still, we treat these numbers as if they were sacred, and they aren't.

#37 also talked about data leakage. Chris brought up an example of someone leaking the data center location of a possible client. I have two thoughts on this: knowing a data center's location should not decrease its security, and if the client thinks the secret is important, it is important. I don't use Foursquare, but, yeah, tweeting your location whilst at a client is stupid. I disabled my Twitter clients from announcing this data a while ago, because, seriously, anyone who needs to know where I am is just going to call me. They are not going to look up my longitude and latitude on Twitter, paste that into Google Maps, and then call me. Building on my thoughts above, though, sensitive data is whatever the client perceives to be important, regardless of how important it actually is. Our clients paid our last paychecks in some way, shape or form. Tomorrow they might not, if you don't care about what they care about.

1 comment:

christopher said...

On IG, whatever the time is... it should be MORE than exploitation. If not, you are just not identifying the vectors needed.

As for the management... well... they made that decision based on their goal of profitability. Their inability to budget correctly, I am sure, had a much farther reach than just to the pentesting. This is the main reason why many people who DO solid IG will find WAY more in a test. If pentesting is like sex, the IG would be the rockstar in the sack and the people who spend it on exploitation would be kicked out for shooting the load too early. It's selfish and just downright ineffective.

On the Twitter stuff. There is a level of security in obscurity. Why do you think military bases that are high profile don't post their address? This is a layer of protection. Now... with some good IG skills you MAY find it... but as you said above... most people find it "cost ineffective" to do that much IG. heheh..

End of day, if it is not published and you blurt it out there... YOU are the prick... not them.


On the note of "if the client thinks it's important... then it is": YOU HIT THE NAIL ON THE HEAD WITH THAT. DAMN RIGHT MAN!!!!


At the end of all this... I want people to think about attacking more. Attackers spend 90% or more of their time on intel... and VERY little on execution. Why are we so backwards? Aren't pentests and many of these testing exercises supposed to replicate the attack of a real world event?
