Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Testing a "rogue site"
From: "Alexander Sarras (SEA)" <Alexander.Sarras () SEA ERICSSON SE>
Date: Mon, 11 Sep 2000 09:36:53 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Listen to your instincts.  I believe you're trying to be
cooperative and
a team player, and you're clearly interested in security and
learning as
much as you've can, but you've already figured out what the problem is
in the title of your email - 'rogue sites'.  They're not
playing on the
team, or you wouldn't be using the word 'rogue'.

The company is evidently not quite behind the idea of having
a security
policy actually in effect, or they wouldn't allow any 'rogue sites'.
IMO that means they won't back you up as Security Manager
when - not if
- there's trouble.  Those sites could eventually endanger the rest of
the network if they're tied in, which you *are* responsible for.

Basically I concur, but if you want to stick: Get your company's written
approval of your responibilities. If this rogue site is inside your
responibility tell them (in writing) it's either your authority as well or
no responsibility. If it's the later, firewall them off your site! As long
as it's not your job (and that's what having the authority means), don't do
any more scanning or the like, it might be constructed as something
sinister!

A couple of rules to go by:
        1) SECURITY has the last say! EVER!
        2) if SECURITY say's no, it stays that way. Otherwise quit.

If possible get that in writing.

SaS

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1 Int.
Comment: Even paranoiacs have enemies!

iQA/AwUBObx9IvNEKPH/spuMEQLW5ACg/LEvNDG5LLDsn/QIczpaQp+I4jEAoJRg
XL+EcNzogW/d4qnm9SQvhkbj
=FaRQ
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]