I started thinking about some of the findings we make and the recommendations around them – and how unrealistic we’re being as penetration testers. Take ‘Information Leakage’ for instance. How plausible is it to prevent ALL information leakage? Is that something that we should be asking clients to strive for? What about the best use of their time / resources? Wouldn’t that time be better spent monitoring for anomalous events, in general?
What about the social engineering findings where we demonstrate that it’s possible to gather internal company usernames, but is there realistically any way to /prevent/ username enumeration? Well, yes, but at what cost / effort? Are we really asking folks to prevent their usernames from reaching the outside world — and what are they thinking when they read that?? Aren’t we just reporting this as an informational thing (I think so)? I mean, we’re calling for PREVENTION here, but what about the other aspects of security? Detection / Reaction? Wouldn’t it make more sense to recommend clients spend those resources monitoring for mass email blasts from an external address, or for anomalous activity on the internal network?
I think there’s an open question here on how to fit detection / reaction testing into penetration-testing in a meaningful way.
I’ll choose to do business with a company that’s put effort into detection and reaction capabilities as opposed to 100% prevention any day.