[GRLUG] PCI v1.2 Compliance.

dagda at pathwaynet.com
Thu Dec 11 18:38:05 EST 2008


>> On Dec 10, 2008, at 6:29 PM, Greg Folkert wrote:
>> > Of course, the penetration tester asked for a username and password on
>> > these machines and the ports the consoles were running on. And I
>> > didn't give them to him.
>> >
>> > I gave him a Debian SID machine with a minimal install (but a public
>> > interface and a private interface with SSHD running on the public side
>> > only), without any obvious way to get things onto the machine. No FTP,
>> > no SCP (ssh client stuff), no wget, no curl... in fact the only thing
>> > available was netcat and a few other "networking" tools left around. He
>> > called me immediately and asked that I install this and that, with a
>> > smattering of these things, with a compiler and other nice-to-haves. I
>> > said: "No, you are the penetration tester. I gave you a machine that I'd
>> > place on the Internet straight, and I even gave you tools I'd typically
>> > not leave on the machine."
>> >
>> > He reported us as non-compliant; I challenged that declaration. I won, as
>> > I was able to demonstrate the idiot wasn't a good penetration tester.

I'm trying to be delicate in responding to this because I work for a
competitor to TrustWave (not that I had ever heard of them before your post).

TrustWave's site indicates: "For internal testing the most common test
design is to have a Trustwave consultant 'report for work' as a regular
employee or contractor, and utilizing normal to minimal system access
levels that would be given to the role being simulated, iteratively test
all access controls in an attempt to acquire critical data."

I've been doing mostly penetration tests and application/network
vulnerability assessments for the past five years.  The only time we would be
given accounts is if we were doing an application vulnerability
assessment.  For penetration tests, we are given an IP on the typical user
network.  In all but one case, I've used my own attack laptops (the
exception being a high-security facility, which included an extra day to
prepare the attack machine).  I don't get why you'd want to spend $200/hr
to have someone install basic scan/attack tools on one of your boxes.
<end ramble>

Anyhow, I am in full agreement with you.  That consultant needs to be
shown the door and I would seriously consider a discussion with TrustWave
about a refund/retest.

-Brian



More information about the grlug mailing list