lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-Id: <50D36FD3-A5B0-4432-8C47-C6607D0C51EF@cernproductions.com>
Date: Mon, 7 Jul 2014 20:44:19 +0100
From: Jim Credland <jim@...nproductions.com>
To: lists@...com.org
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] new pen-test tool!


I like it.  It's short - which is a blessing in these things.

However, the bigger the company the easier it is to answer positively to a general question. And generally people want to give you a positive answer.

SO, for a quick win make it shorter, but demand hard evidence that relates to the service you are buying. 

For example:

For insurance: check the certificate.  

For backups: check for records of tests. Backups don't count unless there's a test.  And only check the backups of the data that you care about.  Not any old tests the vendor happens to find a good result for.

The focused questions which require evidence are ten times as valuable - and you'll get a more consistent metric no matter what the company size or who you interview.

J.



On 3 Jul 2014, at 12:44, Pete Herzog <lists@...com.org> wrote:

> Hi!
> 
> I have been working on a means for testing parties that we may not be
> able to legally directly test yet gives a clear answer for decision
> making. The idea was to use an interview like a pen-test to get
> information from the subject like a tester would where "asking them"
> was considered just one of the 4 means of getting information, treated
> much like throwing packets to get system responses does in a pen test.
> 
> This allows you to get an idea of an attack surface of the target
> before you even probe them for an attack. You can also find the weak
> areas of trust to exploit. It also serves as an intro to a client's
> security on the first meeting and enhances the final report.
> 
> The app has 2 parts - a trust metric and an attack surface metric (how
> much you can trust them and how protected they are). Eventually this
> will also combine into a final analysis. But until then...
> 
> You can try it out here:
> 
> http://archon.thewatchers.net/ISECOM/
> 
> 
> 
> *************
> For those who want some more background about it:
> 
> The hardest part was to craft reasonable questions to answer in a
> short list that didn't require much time or technical expertise. So it
> is written for the office manager or similar to execute. It also meant
> the questions had to be really loaded so as to answer multiple things
> at once, both pro and con security/trust. I am still not satisfied
> with the wording of the questions and I'm sure it may still have bugs
> but we turned it from a document into a web app that allowed basic
> clicking to get the answer.
> 
> Now the client had this to save in a file to revisit for annual vendor
> reviews as well as for quarterly self-assessment of how they stand in
> their own services and offerings. This app doesn't have that
> functionality yet. They also wanted clear instructions on how to
> improve the score if it was low (rudimentary analysis/resolution)
> which this app also doesn't have yet.
> 
> So the Vendor Checklist uses the RAV scoring from OSSTMM 3 derived
> from answers made in the checklist. The Trust Metric is a score based
> on trust metrics from the same place. But both have had the OSSTMM 4
> updates which include 2 new trust properties and changes in the
> calculation of operational controls.
> 
> http://archon.thewatchers.net/ISECOM/
> 
> Sincerely,
> -pete.
> 
> -- 
> Pete Herzog - Managing Director - pete@...com.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
> -- 
> Pete Herzog - Managing Director - pete@...com.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.badpeopleproject.org
> 
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ