Thoughts on Recommendations (Prevention vs Detection & Reaction)

I started thinking about some of the findings we make and the recommendations around them – and how unrealistic we’re being as penetration testers. Take ‘Information Leakage’ for instance. How plausible is it to prevent ALL information leakage? Is that something that we should be asking clients to strive for? What about the best use of their time / resources? wouldn’t that time be better spent monitoring for anomalous events, in general?

what about the social engineering findings where we demonstrate that it’s possible to gather internal company usernames, but is there realistically any way to /prevent/ username enumeration? well, yes, but at what cost / effort? Are we really asking folks to prevent their usernames from reaching the outside world — and what are they thinking when they read that?? aren’t we just reporting this as an informational thing (i think so). I mean, we’re calling for PREVENTION here, but what about the other aspects of security? Detection / Reaction? Wouldn’t it make more sense to recommend clients spend those resources monitoring for mass email blasts from an external address, or for anomalous activity on the internal network?

I think there’s an open question here on how to fit detection / reaction testing into penetration-testing in a meaningful way.

I’ll choose to do business with a company that’s put effort into detection and reaction capabilities as opposed to 100% prevention any day.


1 Comment

  1. Zach says:

    I think it’s worth mentioning “minimization”, too (yes, it goes along with prevention, but let’s separate them out a bit, shall we?). That is, vulnerabilities arise and intrusion occurs (and it will occur, deary), the organization has gone through the proper rigmarole to minimize the sphere of influence of the attacker.

Leave a Comment

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s