Re: [PEN-TEST] Testing a "rogue site"
From: "Alexander Sarras (SEA)" <Alexander.Sarras () SEA ERICSSON SE>
Date: Mon, 11 Sep 2000 09:36:53 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Listen to your instincts. I believe you're trying to be
a team player, and you're clearly interested in security and
doing as much as you can, but you've already figured out what the problem is
in the title of your email - 'rogue sites'. They're not playing on the
team, or you wouldn't be using the word 'rogue'.
The company is evidently not quite behind the idea of having
policy actually in effect, or they wouldn't allow any 'rogue sites'.
IMO that means they won't back you up as Security Manager
when - not if - there's trouble. Those sites could eventually endanger the rest of
the network if they're tied in, which you *are* responsible for.
Basically I concur, but if you want to stick: get your company's written
approval of your responsibilities. If this rogue site is inside your
responsibility, tell them (in writing) it's either your authority as well or
no responsibility. If it's the latter, firewall them off your site! As long
as it's not your job (and that's what having the authority means), don't do
any more scanning or the like, it might be construed as something
A couple of rules to go by:
1) SECURITY has the last say! EVER!
2) if SECURITY says no, it stays that way. Otherwise quit.
If possible get that in writing.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1 Int.
Comment: Even paranoiacs have enemies!
-----END PGP SIGNATURE-----