The Prime Directive in pentesting: "Don't do anything outside the scope document." It's like the Fight Club rule. You don't go outside the scope of the pentest. You don't go playing around in environments you shouldn't be in, even if they're reachable.
But what happens when the scope document was written by someone without intimate knowledge of the assets involved, and is ambiguous at best? Is this like Star Trek, where breaking the Prime Directive is bad, but you do your best to notify the client and stop when or if someone raises a flag?
When your organization engages a company to do a pentest, defining which systems are being tested and locking your scope down is paramount to a good operation. Even after the document is agreed upon, talking with the pentester who will actually do the work can clear up issues before they arise. If the pentester does happen to exceed scope, don't berate them unnecessarily. Thank them for notifying you of the findings, then explain that those systems are outside of scope. If they keep doing it after that, you should report them. Often, though, they saw something so glaring that they felt ethically bound to mention it. I know that if I was doing a pentest or evaluation and it was a bank or business I used, I would definitely find a way to let them know.
You want to get the most bang for your money, so give the pentester a decent amount of time to test things. You may even want to run preliminary nmap scans, nikto scans (if web apps are involved), or vulnerability scanners yourself beforehand and hand over the results. That information is very important at the beginning of a pentest, but it is often the most time-consuming part for the pentester: menial work that eats good pentesting time. Just make sure anything you scan in advance is itself inside the agreed scope. Plus, a professional pentest shouldn't be adversarial in nature. Unless, of course, it's supposed to be... :)
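As an added example (not from the original post, and not any particular pentest firm's tooling), here is a small shell wrapper for those preliminary scans that refuses to touch anything not listed in the scope document. It assumes a `scope.txt` with one in-scope hostname or IPv4 address per line (exact matches only, no CIDR ranges), a `targets.txt` listing what you intended to scan, and `nmap` and `nikto` on the PATH when you actually run it; all three file names are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example: scope-enforced preliminary scanning (hypothetical helper, not
# from the original post). Assumes scope.txt lists in-scope hosts/IPv4s one per
# line, exact matches only; lines starting with # are comments.
set -eu

# in_scope HOST SCOPE_FILE -> succeeds only if HOST appears verbatim in SCOPE_FILE.
# -F: fixed string, -x: whole line must match (so 10.0.0 never matches 10.0.0.5),
# -q: quiet. Comment lines are dropped first.
in_scope() {
  host="$1"; scope_file="$2"
  grep -v '^[[:space:]]*#' "$scope_file" | grep -Fxq -- "$host"
}

# filter_targets TARGET_FILE SCOPE_FILE -> prints in-scope targets on stdout and
# loudly reports out-of-scope ones on stderr, so nothing is skipped silently.
filter_targets() {
  target_file="$1"; scope_file="$2"
  while IFS= read -r t || [ -n "$t" ]; do
    [ -z "$t" ] && continue
    if in_scope "$t" "$scope_file"; then
      printf '%s\n' "$t"
    else
      printf 'SKIPPING out-of-scope target: %s\n' "$t" >&2
    fi
  done < "$target_file"
}

# prelim_scan HOST OUTDIR -> nmap service/version scan saved in all formats,
# then nikto only if the nmap output shows 80/tcp or 443/tcp open.
prelim_scan() {
  host="$1"; outdir="$2"
  mkdir -p "$outdir"
  nmap -sV -oA "$outdir/$host" -- "$host"
  if grep -Eq '^(80|443)/tcp[[:space:]]+open' "$outdir/$host.nmap"; then
    nikto -h "$host" -output "$outdir/$host.nikto.txt"
  fi
}

# Usage: ./prelim.sh targets.txt scope.txt out/
# Scans run only when all three arguments are given, so sourcing the file for
# the helper functions alone never touches the network.
if [ "$#" -eq 3 ]; then
  command -v nmap >/dev/null 2>&1 || { echo "nmap not found on PATH" >&2; exit 1; }
  filter_targets "$1" "$2" | while IFS= read -r host; do
    prelim_scan "$host" "$3"
  done
fi
```

Hand the `out/` directory to the pentester along with the scope document; the stderr lines tell you which entries in your own target list were out of scope before anyone scanned them.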
I know in my last post, we were going to have an interview with Michael Gough (Twitter @hackerhurricane) from MI2 Security about malware and APT attacks. In talking with him after our monthly ISSA meeting, we figured out that we could do a multi-part interview on malware and APT. He also mentioned at our ISSA meeting that 6 additional retailers had been breached. We found out today (25 January) in a blog post from Brian Krebs that Michaels and its subsidiary Aaron Brothers were hit. That leaves 5 more retailers to go.
My guess is that WalMart is involved, and the only other one I'd imagine would be Kohl's... I don't know why, but those two are always on my mind when this story keeps coming up.
I have never had as much fun doing security as since I started this podcast and blog and began learning how to market ourselves. We are learning a lot about different subjects. It's also taken me out of my comfort zone quite a bit, because I'm not good at talking with people I don't know, or soliciting input from strangers. I want to get my name, my brand out there, and my palms get sweaty just asking people if they'd like to come on our podcast. I'm sure that it will get easier. It's like learning to edit audio or video: you're gonna suck at it at first.
Episode 3 will be up late tomorrow night, just in time for your earballs to enjoy on your Monday morning commute. Hope you enjoy it. Our meeting with Michael Gough will take place Wednesday, and we'll be able to bring you that two- or three-parter in the weeks to come...