Home page logo
/

basics logo Security Basics mailing list archives

Re: Conflict of interests
From: s0h0us <s0h0us () yahoo com>
Date: Tue, 5 May 2009 05:36:30 -0700 (PDT)


well, i guess, but let's say i'm just trying to verify that the IT department is properly patching their systems 
(server, wkstations, etc) and I want to use a tool like GFI Languard or Nessus to do this or to check for other 
vulnerabilities by actually passing system credentials.



----- Original Message ----
From: Chip Panarchy <forumanarchy () gmail com>
To: s0h0us () yahoo com
Sent: Tuesday, May 5, 2009 7:08:34 AM
Subject: Re: Conflict of interests

Hi

Isn't that the whole point of a Pen-Test (the kind your doing)?

That you DON'T have root/domain access?

That you acquire access...

I know this isn't with all types of penetration testing, but this is a
textbook example, eh?

On Tue, May 5, 2009 at 4:16 AM,  <s0h0us () yahoo com> wrote:
As a security guy, not part of the IT department, I require a level of access in order to perform my job. Certain 
types of tools require privileged access in order to work. Like having domain admin access and/or similar privileged 
access for unix and linux systems. Is it reasonable to request this type of access without causing any type of 
conflict of interest that internal auditors might question? I guess audit trails would come in handy here.
Thanks for the feedback.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------







------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]