Would it cripple the organization as a whole? What hurts them the most?
Since when did a penetration test primarily become automated tool driven? Scanners are an aid but not a full supplemental for us as penetration testers.
Since when did a penetration test primarily become automated tool driven? Scanners are an aid but not a full supplemental for us as penetration testers.
Handing a sixty page 'penetration test' report with five hundred vulnerabilities does absolutely nothing for a company aside from a check mark for whatever regulatory and compliance initiatives they have underway. It's time for a reality check:
- Good hackers don't need to utilize expensive vulnerability scanners.
- Good hackers don't use automated penetration testing.
- Attackers don't have a scope or timeframes.
- Attackers don't stop after they get root.
- Attackers don't have portions taken out of scope.
In simplistic terms there's no focus on business risk, but instead focused on the vulnerability and the exposure of the attack. We aren't hitting companies where it hurts, what makes their business run.
Learn your target, understand your target, develop your attack specifically around your target, nothing is out of scope.
Where can I have the most impact on the organization and how do I represent that? WOW I GOT DOMAIN ADMIN!!!!!! OMG I GOT ROOT! That's fantastic buddy, I'm happy for you but that doesn't mean squat to me. Present them with their intellectual property, future projections, show the ability to change their product, confidential and trade secret information or whatever you identify as what hurts them the most. Some questions to answer in Pen-testing includes but not limited to: would that impact them in a negative manner? Would it cripple the organization as a whole? What hurts them the most?
We need to hire qualified people that get it, I will pay extra for a group that knows what they are doing vs. a super cheap scan. The industry is bleeding, let's step it up and do it the right way.
No comments:
Post a Comment