Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: The legal / illegal line?
From: "Matthew Snider" <Matthew.Snider () SPARROW ORG>
Date: Thu, 08 Mar 2007 15:52:40 -0500

Well this topic has certainly been covered, but let me add a new
perspective.

I'm fairly new to pen testing, but have been at the security game for
over 7 years, and I've learned a bit in that time.  To me the most
important aspect of being a security consultant, especially a pen
tester, is your reputation.  Your clients must be able to trust you.  If
they can't, they won't hire you, and won't accept your advice.  

For that reason, to be successful you must protect your ethical
reputation vigilantly.  Engaging in testing without a pre-established
relationship to me is patently unethical.  I don't see much value in
trying to differentiate between a "scan" and an "intrusion attempt".  If
you send traffic for an unauthorized purpose to a device you do not own,
that is not ethical.  If I connect to a web server for any other purpose
than to view its web page, that is not ethical.  Again my opinion only. 
Laws vary, and enforcment varies, but as Paul R. says, ethics stay the
same.  I agree with Dotzero that the best way to generate business is to
offer a free secur evaluation, then get a contract, then perform the
evaluation.  

On the topic of:
"I'm also curious to hear from other external/3rd party pen-test
consultants, how they have managed to solve the problem
Where they approach a client who is convinced they have security, and
yet there is classic signs that they don't?
You know that if you did a simple pen-test you would have the evidence
to prove your point all would be mute"

Another factor to consider is risk.  Just because a vulnerability
exists does not mean that the risk justifies action by a company. 
Here's an example.  

Say there's a vulnerability in my backup (non production) web server,
and an attacker can cause the HTTP service to fail by sending a
malformed packet.  I study logs and find out I'm being hit twice a day
by the attack.  I perform a risk assessment that shows two options. 
First is to spend $1000 to hire the security guy to test the vuln, break
my server, then fix it with a patch.  Second option is to spend nothing,
set the HTTP service on my web server to restart after a failure, and go
about my business.  As long as the "downtime" caused by the second
option is minimal, that is the best risk-based (and therefore
security-based) decision.  Security like all business functions in a
for-profit business is driven by finance.  Managers who pay $1000 to
"fix" something which could be "fixed" for free will not keep their jobs
very long.  So these companies who seem to have have "bad" or "no"
Internet security might have the appropriate level of security for their
business--how would you know unless you worked there and participated in
their risk assessment? 

The best security is what is appropriate for a given business, with
their particular situation.  Sometimes that means hiring a pen tester,
sometimes not.  Just because a company does not want to hire a pen
tester does not mean they are ignoring security.  Companies either
embrace or avoid risk, based on their business.  You can point out as
many vulnerabilities as you want, that doesn't mean it's in the
company's best interest to fix them.  It just depends on the particular
business situation.   

Matt


Barry Fawthrop <barry () ttienterprises org> 3/1/2007 8:46 PM >>>
Hi All

Curious to hear other views, where does the legal and illegal line
stand
in doing a pen test on a third party company?
Does it start at the IP Address/Port Scanning Stage or after say once
access is gained?? very vague I know


I'm also curious to hear from other external/3rd party pen-test
consultants, how they have managed to solve the problem
Where they approach a client who is convinced they have security, and
yet there is classic signs that they don't?
You know that if you did a simple pen-test you would have the evidence
to prove your point all would be mute

But from my current point that would be illegal, even if no access was
gained. (maybe I'm wrong) ??

Perhaps this is just a problem here where I am or perhaps it exists
elsewhere also?

I look forward to your input

Barry


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]