Re: [PEN-TEST] finding offensive material

From: E, M <freehold_at_EROLS.COM>
Date: Wed, 7 Mar 2001 09:23:51 -0800

Caveat: I'm no lawyer. I don't even play one on TV.

Treat it as a risk to the company, not a moral judgment. There are
enough instances now of emails and material stored on computers
causing legal difficulties for corporations -- even if they have
prevailed in the end, they still faced the embarrassment, cost, and
disruption of a court battle. You can probably find several instances
that suit your situation - use your favorite search engine. The
closer you can get to the specific business/culture/situation, the
more management will be able to relate to the threat. [Perkins-Coie
(and others I'm sure) has a helpful 'internet case digest' that links
to each case.]

In addition to the 'technology risk', I would discuss a company's
'social risk profile' ahead of the actual pentest: do they have a
media position? What is their culture? Do they keep legal counsel on
retainer? Have they been to court in the past on a regular basis? Do
they have an acceptable legal risk in mind? A 200-workstation group
staffed by labor organizers may have a very different profile and
culture from a 200-workstation group staffed by engineers and
scientists. :)

Keeping in mind that (admittedly nebulous and much bandied-about!)
statement that 'somewhere between 60% - 80% of all security risks come
from *inside* a group' and that a security risk is more than just a
password that never expires, a thorough pen test should include more
than examining a firewall. Your company should understand this ahead of
time. Leaving out the 'people aspect' means the result is limited to
holes in technology, resulting in a kind of tunnel vision. :)

'Layered security' requires 'layered pentesting'. I would keep all
judgments out of my report. Present social/legal risks the same as
technical risks, with assessments of their weight/threat based on
published cases, and allow management to make the decision.

JMO :)

Missy

Received on Mar 07 2001