Page 2 of 3
Results 11 to 20 of 23

Thread: Data Mining

  1. #11
    Junior Member skidmarq
    Join Date
    Jan 2010
    Posts
    88

    Re: Data Mining

    Quote Originally Posted by morpheous
    Data mining should be in a pentester's arsenal anyway, right?

    Morpheous
    The argument could be made that data mining is more important to marketers than pen testers. Generally speaking, mining data is an activity which may require long periods of time (something pen testers typically don't have)...

    The key point here is that there are many things that should be focused on before mining data.

  2. #12
    Member xX_Spiidey_Xx
    Join Date
    Jan 2010
    Location
    /dev/urandom
    Posts
    256

    Re: Data Mining

    Quote Originally Posted by skidmarq
    The argument could be made that data mining is more important to marketers than pen testers.
    yeppers! companies are built on data mining. the information exchange industry is _huge_ when it comes to buying and selling _your_ personal information. marketing and information companies typically collect data on _you_ from your activities online using several different methods. data mining cookies is a good example. several businesses, credit agencies (such as Equifax) and federal government agencies (CSIS, FBI, CIA for example) buy this data from these mining companies to build personal profiles and profit from your activities surreptitiously.

    more on the topic here: CNBC Special: Big Brother, Big Business - CNBC TV- msnbc.com

    it's definitely worth a watch.
    thou shalt treat all computers as thou wouldst treat thyself, for thou art the creator of thine own problems.

  3. #13
    Junior Member Valkyrie
    Join Date
    Jan 2010
    Posts
    49

    Re: Data Mining

    Quote Originally Posted by xX_Spiidey_Xx
    yeppers! companies are built on data mining. the information exchange industry is _huge_ when it comes to buying and selling _your_ personal information. marketing and information companies typically collect data on _you_ from your activities online using several different methods. data mining cookies is a good example. several businesses, credit agencies (such as Equifax) and federal government agencies (CSIS, FBI, CIA for example) buy this data from these mining companies to build personal profiles and profit from your activities surreptitiously.

    more on the topic here: CNBC Special: Big Brother, Big Business - CNBC TV- msnbc.com

    it's definitely worth a watch.
    I use various data mining tools at work for forecasting business / trend analysis. If you really wanted to do data mining, you would need to use someone's company username and password to access the company's data mining tools.
    Last edited by Valkyrie; 02-18-2010 at 12:48 PM.

  4. #14
    Junior Member sagaci
    Join Date
    Jan 2010
    Posts
    80

    Re: Data Mining

    So say you're an expert pentester. When a company hires you to do a thorough audit/pentest of their computing estate, does one usually have to sign a contract that permits any activity or tests, so long as informative and truthful reports are returned? What is the general procedure, basically?

  5. #15
    Senior Member Thorn
    Join Date
    Jan 2010
    Location
    The Green Dome
    Posts
    1,509

    Re: Data Mining

    Quote Originally Posted by sagaci
    So say you're an expert pentester. When a company hires you to do a thorough audit/pentest of their computing estate, does one usually have to sign a contract that permits any activity or tests, so long as informative and truthful reports are returned? What is the general procedure, basically?
    Yes, there is usually a contract. That contract (or associated appendices) will detail a number of things including the types of tests to be done, the scope of those tests, and just as importantly, what activities will not be done. It basically comes down to being a set of Rules of Engagement. I've never heard of a contract that allows "any activity or tests". Frankly, that would be pretty foolish for the client to allow "any" tests. Truthful reports are always expected, and by their nature, reports have to be informative. How informative they are is usually subject to some interpretation, and to the audience receiving the report. For the C-level executives, it is usually a summary of what generic things are the trouble spots, while an internal network team would be more interested in the actual technical details.
    Thorn
    Stop the TSA now! Boycott the airlines.

  6. #16
    Junior Member skidmarq
    Join Date
    Jan 2010
    Posts
    88

    Re: Data Mining

    Quote Originally Posted by Thorn
    ... I've never heard of a contract that allows "any activity or tests". Frankly, that would be pretty foolish for the client to allow "any" tests. ...
    I would make the argument that it wouldn't be foolish. Let me ask this, would a malicious user worry about the types of test he's running against your system?

    As a management-type, wouldn't you want the peace of mind of knowing that a real world attack scenario took place?

  7. #17
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Re: Data Mining

    Quote Originally Posted by skidmarq
    I would make the argument that it wouldn't be foolish. Let me ask this, would a malicious user worry about the types of test he's running against your system?

    As a management-type, wouldn't you want the peace of mind of knowing that a real world attack scenario took place?
    There are certain kinds of devices that are known to completely fall over with certain types of scans, and there is nothing you can do about it to protect them other than to keep a malicious person out. The rules of engagement in vuln assessments can be worded so that certain devices will not be scanned; otherwise very bad things can happen. It is an accepted risk that these devices exist, and everything possible is very often done to protect these devices from attack.

    Having someone scan these devices during an assessment isn't going to prove anything that isn't already known. Read this if you want to see something that almost happened at my site.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  8. #18
    Very good friend of the forum Gitsnik
    Join Date
    Jan 2010
    Location
    The Crystal Wind
    Posts
    851

    Re: Data Mining

    Quote Originally Posted by skidmarq
    I would make the argument that it wouldn't be foolish. Let me ask this, would a malicious user worry about the types of test he's running against your system?

    As a management-type, wouldn't you want the peace of mind of knowing that a real world attack scenario took place?
    As a manager I would be very pissed to find that the real world attack of:

    TRUNCATE TABLE tblAuditData;
    TRUNCATE TABLE tblPatientRecords;

    Had been executed.

    It is foolish to run any attack. You should never, ever, DoS every machine you come across. You should be crazily careful on SCADA and/or life support systems.

    There are lots of reasons to limit the scope.
    Still not underestimating the power...

    There is no such thing as bad information - There is truth in the data, so you sift it all, even the crap stuff.
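    The two posts above (streaker69's on devices that fall over under certain scans, and Gitsnik's on SCADA, life-support systems and destructive SQL) both come down to the same practical control: the rules of engagement name what is in scope, what is explicitly excluded, and which test types are authorised, and nothing is launched against a target until that has been checked. The following is an added example, not code from the thread or from any of its posters; it assumes a constructed rules-of-engagement record (placeholder networks, placeholder excluded hosts, a fixed test window) and a hypothetical `check_action`/`filter_targets` pair that gates each proposed test before any tool runs.

```python
"""Rules-of-engagement scope gate (added example; not from the forum thread).

The RoE is modelled as a small dict: in-scope networks, explicit exclusions
(the fragile SCADA / medical / life-support devices the thread talks about),
the test types the client authorised, and a testing window. Every proposed
action is checked first; anything not explicitly permitted is refused, and
the refusal carries a reason that can go into the engagement log.
"""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Constructed RoE for illustration; all hosts and ranges are placeholders.
ROE = {
    "in_scope": ["10.20.0.0/16"],
    "excluded": ["10.20.5.10", "10.20.5.0/28"],   # e.g. PLCs, patient monitors
    "allowed_tests": {"port_scan", "web_app"},     # no DoS, no destructive DB tests
    "window": (time(1, 0), time(5, 0)),            # 01:00-05:00 local time
}


@dataclass
class Decision:
    allowed: bool
    reason: str


def _in_any(addr, nets):
    """True if addr falls inside any of the given networks or single hosts."""
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in nets)


def check_action(roe, target, test_type, when):
    """Decide whether one test against one target is permitted by the RoE.

    Exclusions are checked before the in-scope list so that a fragile device
    sitting inside an in-scope range is still refused, with the reason saying so.
    """
    if test_type not in roe["allowed_tests"]:
        return Decision(False, f"test type '{test_type}' not in authorised tests")
    try:
        if _in_any(target, roe["excluded"]):
            return Decision(False, f"{target} is explicitly excluded (fragile device)")
        if not _in_any(target, roe["in_scope"]):
            return Decision(False, f"{target} is outside the in-scope networks")
    except ValueError:
        # Malformed targets (typos, hostnames pasted by mistake) are refused, not guessed at.
        return Decision(False, f"{target!r} is not a valid IP address")
    start, end = roe["window"]
    if not (start <= when.time() <= end):
        return Decision(False, f"{when:%H:%M} is outside the agreed testing window")
    return Decision(True, "within scope, not excluded, test type and window authorised")


def filter_targets(roe, targets, test_type, when):
    """Split a target list into permitted targets and a dict of refused target -> reason."""
    permitted, refused = [], {}
    for target in targets:
        decision = check_action(roe, target, test_type, when)
        if decision.allowed:
            permitted.append(target)
        else:
            refused[target] = decision.reason
    return permitted, refused


if __name__ == "__main__":
    now = datetime(2010, 2, 18, 2, 30)  # constructed timestamp inside the window
    ok, blocked = filter_targets(ROE, ["10.20.1.1", "10.20.5.10", "10.21.0.1"], "port_scan", now)
    print("permitted:", ok)
    for host, why in blocked.items():
        print("refused:", host, "-", why)
```

    The point of the gate is the order of the checks and the fact that it fails closed: an excluded device is refused even though it sits inside an in-scope range, an unrecognised test type is refused before any address is looked at, and a malformed target is refused rather than parsed leniently. In practice the refused list is what gets written to the engagement log so the client can see that the exclusions were honoured.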

  9. #19
    Junior Member skidmarq
    Join Date
    Jan 2010
    Posts
    88

    Re: Data Mining

    I was more along the lines of playing devil's advocate and why managing risk by using pen testing can be a double edged sword. I just always imagine a nefarious user using the same rules of engagement as the pen tester....

    Streaker, that was an enjoyable read thanks for sharing. I run into folks like that as well, and it really just causes you to sit back and shake your head....I'm glad nothing bad came out of that experience.

  10. #20
    Senior Member streaker69
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Re: Data Mining

    Quote Originally Posted by skidmarq
    I was more along the lines of playing devil's advocate and why managing risk by using pen testing can be a double edged sword. I just always imagine a nefarious user using the same rules of engagement as the pen tester....
    It's ok to imagine that, but in real world practice it isn't something that you really want to do. There's a lot of bad things that can happen if we lose control of machinery. You'd hope that it would fail to a safe mode, but that is not always guaranteed. People could get hurt or killed by some equipment failing, so it's best to protect those vulnerable devices as best as you can from such attacks and don't intentionally invite danger.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
