Firewall Wizards
mailing list archives
Re: "Who else picked this one up?"
From: Eric Budke <budke () budke com>
Date: Tue, 04 May 1999 15:53:44 -0400
At 01:28 PM 5/1/99 -0400, Paul D. Robertson wrote:
> On Sat, 1 May 1999, R. DuFresne wrote:
>> host and or allow IRC to their users will be excluded? And you will
>> filter out those testing new security scanners, so as to not put their
>> names on a potential future 'blacklist' also. And those just testing
>
> Nobody should be "testing" a scanner against a network I administer
> without my express permission. The idea that scanning a foreign network
> for potential vulnerabilities without permission is valid behaviour is
> just plain wrong.

Well, as someone who participates in these types of scans occasionally with
various levels of permission within a client company, there are often
times (as well as reasons) why we are scanning networks without their
admins' permission.

The top two reasons that are often cited during such an engagement are:

If you know it is coming, it can often be easy to take steps to
temporarily shore up the gaping holes (taking machines down, changing
router rules etc.)

And the second is to see if the escalation procedures for such an "attack"
are followed through properly. The number of clients where the procedures
failed has been about 10-1 (failed-success) from what I've seen. We've had
a couple clients sort of skip a few steps in their process, which was taken
a lot better than the norm of nobody hearing about it at all.
For people outside of the SA group, there are business reasons for testing
the SA group. The people on this list may be the exception, and I'm sure
you will find a lot more SA's who aren't on lists like these keeping
current with issues than the other way around.
--
PGP Key can be found at http://www.panix.com/~budke/pgp/budke_budke_com.txt