Re: [PEN-TEST] War Dialling - Limited Scope
From: mshines <mshines () purdue edu>
Date: Thu, 16 Nov 2000 14:49:18 -0500
Then I presume the results will be duly qualified also? How much assurance
could one give if the whole of the organization is not examined? In an
auditor's terms - your independence and scope have been limited, which leads
to a qualified opinion. Certainly, technically, the work can be done - but
what is the value of the results?
For example - if you have strong security in IT, but allow file transfers -
it's a trivial task to FTP a file to a desktop and send it outside the
organization from there (with absolutely no protection).
In the end, security is only as good as the weakest link... which speaks
strongly for an organization-wide review.
But, of course, you have to do what you contracted for.
Michael S Hines
OS/390 Systems Programmer
1061 Freehafer Hall
West Lafayette, IN 47907-1061
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Scott, Mick
Sent: Thursday, November 16, 2000 12:31 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: War Dialling
Quite rightly most of you have highlighted the need to wardial the whole
of acme.com. However, and I should have explained this, the scope of the
engagement does not permit this and must be concentrated in this one area.
Thanks for the responses.
e-business Services, IBM Global Services
Telephone: 01962 818265 - Internal: 248265
E-mail: mick_scott () uk ibm com - PGP key available