Here's something I've been thinking about...
As this next fiscal round of assessments begins, I'm wondering if we can redefine a little, when exactly an engagement begins. What I'm thinking is, what if it actually begins 30 days before we show up on site? I know we all have day jobs and probably won't get to much of it, but imagine if we are allowed to probe the outside layer a bit with nessus, phish a little, social engineer a bit, all before we get onsite for our noisy portion? It might be nice to show up and have a few credentials in hand already and a few pivots established and ready to go. It also helps add just a touch more realism to the scenario too, I think.
Any thoughts?
Chuck
This. Yes.
Should be at institutional discretion though, I see most being ok with it.
I will run it past the CIOs next week.
On 06/15/2015 11:55 AM, Chuck Kimber wrote:
Here's something I've been thinking about...
As this next fiscal round of assessments begins, I'm wondering if we can redefine a little, when exactly an engagement begins. What I'm thinking is, what if it actually begins 30 days before we show up on site? I know we all have day jobs and probably won't get to much of it, but imagine if we are allowed to probe the outside layer a bit with nessus, phish a little, social engineer a bit, all before we get onsite for our noisy portion? It might be nice to show up and have a few credentials in hand already and a few pivots established and ready to go. It also helps add just a touch more realism to the scenario too, I think.
Any thoughts?
Chuck
USHE-assess mailing list USHE-assess@lists.dixie.edu http://lists.dixie.edu/cgi-bin/mailman/listinfo/ushe-assess
I think that this is a great idea. It helps the audit team so we don’t get sandboxed and the institution can hide the skeletons before we get there.
Thanks for taking it to the CIO’s Andrew.
Dustin
From: Chuck Kimber <chuck.kimber@usu.edumailto:chuck.kimber@usu.edu> Date: MondayJune-2015-15 at 11:55 AM To: "ushe-assess@lists.dixie.edumailto:ushe-assess@lists.dixie.edu" <ushe-assess@lists.dixie.edumailto:ushe-assess@lists.dixie.edu> Subject: [USHE-assess] Assessment Timelines
Here's something I've been thinking about...
As this next fiscal round of assessments begins, I'm wondering if we can redefine a little, when exactly an engagement begins. What I'm thinking is, what if it actually begins 30 days before we show up on site? I know we all have day jobs and probably won't get to much of it, but imagine if we are allowed to probe the outside layer a bit with nessus, phish a little, social engineer a bit, all before we get onsite for our noisy portion? It might be nice to show up and have a few credentials in hand already and a few pivots established and ready to go. It also helps add just a touch more realism to the scenario too, I think.
Any thoughts?
Chuck
participants (3)
-
Andrew Goble -
Chuck Kimber -
Dustin Udy