Penetration Testing: Re: [PEN-TEST] finding offensive material

From: Andrew Walls <Andrew.Walls_at_AU.COFLEXIP.COM>
Date: Wed, 7 Mar 2001 01:04:20 +0100

My advice is to grab a copy of everything and then burn it onto a CD. In
your penetration report mention that you encountered potentially offensive
material that may or may not violate the company's policies regarding the
storage/transmittal of files and that you can provide the client with a copy
of these files if they so desire.

The potential policy violation is unrelated to the penetration test, so the
actual materials should not be included in the report. If the client wants
to deal with it, they can, but they can also choose to ignore the issue. By
retaining a CD of the material, you are able to provide a frozen record of
the material. If you have strong feelings about this, you could have an
off-the-record conversation with someone in HR, but this could affect your
relationship with your primary client in the company, so take care.

> -----Original Message-----
> From: Penetration Testers <PEN-TEST_at_SECURITYFOCUS.COM> at csoap-internet
> Sent: Tuesday, 6 March 2001 12:04
> To: PEN-TEST_at_SECURITYFOCUS.COM at CSOAP-Internet
> Subject: [PEN-TEST] finding offensive material
>
> hello,
> If during penetration testing files are found on easily accessible business
> shares that could be defined as either sexually or racially offensive, how
> should that be presented in the finding in the final report? I assume this
> could leave a company open to a lawsuit concerning hostile work environment,
> sexual harassment, racial discrimination, etc., so I would feel somewhat
> obligated to include it in the final report. I was hoping that someone
> who's had some experience with this situation could help me tiptoe through
> this rather politically charged and potentially embarrassing finding in the
> final report. I'd like to be thorough in defining the legal risks of this
> material to management. Any help with this would be greatly appreciated.
> If there is a more appropriate place to post this question, please let me
> know.
>
> TIA,
> Sheila Soulia

Received on Mar 07 2001
