Am a Pentester and Security analyst, i specialize mostly in penetrating secure networks/computer systems where i simulate an organized professional attack against your organization, where after that a detailed report with weakness and exploited vectors are summarized. This will help you gain control over your infrastructures security and maximize your protection.
There is nothing like Polymorphic Testing, there are three types of testing, Blackbox, Whitebox and Graybox. Polymorphic is part of Advanced Persistence Threat Assessment which is mainly used on a BlackBox Penetration testing. It works together with Social Engineering Assessment, RedTeam Assessment and External Assessment.
b) We will do a BlackBox Assessment
There is nothing ever, forever ever called Blackbox Assessment. This is used by a lot of companies to justify why they can't use other Assessments to issue a full test on your organization. Its called BlackBox Penetration Testing
c) Red Team is not a part of Testing
F%^%&^&& sh%%^%!!! Red team Assessment is part of BlackBox. Blackbox comes from the word Blackhat, and who are the biggest Blackhats ever, yes; the Government. They do all this on you a lot. Protect yourself from these guys especially the Rogue Government operators.
d) We will do a Pentest in 3, 4, 5, 10 days
Holy sh*$^!! Who does that!!!!
e) We need your IP Address and Links to perform the BlackBox
Well, Blackbox is my specialism and i know asking for IPs and system information during a blackbox Penetration testing is a NONONO!!! I have heard companies that do Security ask for these, whenever i hear this and whenever they ask for such info, yes, a Kitten dies.
f) We can do a Code Review in One Day
Actually i heard this the other day i almost puked. Unless its just 100 to 200 lines of code, this is a bullshitter bullshitting other bullshitters
g) Too Much PaperWork
Most of the Pentest reports go to techies in the firm to fix the issues. Do you think they read these reports? This is just a way to show you they worked, when everything on that report is nmap and telnet grabbing banners and the CEOs can't understand anything, so they take advantage of that.
Quality is better than anything to a client, do real Penetration testing, people are reading this blog and others and they will soon know they are getting conned, with their skirts up on the streets.
e) Internal Blackbox
There is nothing like Internal Blackbox Penetration testing. When you are working from a client office, that's either Gray Box or White Box.
Everyone who succeeded in everything they did in life went through handwork. They failed several times, they felt like giving up and shaking it away. They started young, but remember we have wonna-bes, they are out there, and they have money, they want to take you down, and we have people who don't want you make it in this field too.
All these will try bring you down, but if in your life, if you find everything going smooth, then know there is something wrong and you wont be as strong as you are meant to be and that you are doing nothing.
My Father once told me there are three types of people, First group, They have no idea whats going on, Second group, They at least know what going on, but they do nothing or do little. Then we have the first group, or the First class, they plan and execute. They try their best to make sure things do work. But later on, after being introduced to fitness i realized there is another group of people, these people are not just doers or walkers, they change the game.
Keep a way from people who try to Belittle your ambitions, small people always do that, people who cant do it will always try to show you its not possible. But if you are around those people who wonna make it and have made it already, they will make you great. Be a Wolf, be a shark, be a lion and change the game.
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. The information is for educational use only.
Kenyan Information Security Mailist Archives
MY BEST LINKS
If you wish to join, log in to, http://lists.my.co.ke/cgi-bin/mailman/listinfo/security