Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Crash in system scanned
From: DaKahuna <da.kahuna () gmail com>
Date: Tue, 8 Jan 2008 19:49:20 -0500

On Jan 7, 2008, at 10:48 AM, ahgaber_rehan () yahoo com wrote:

I need to know if internal auditor is scanning a system over the LAN during audit assignment, who should take the responsibility if the scanned system went down/ crashed due to this scan. I am quite sure scanning has to be prearranged with IT and IT Security and approved on the targeted systems, and itÂ’s important for IT auditor to perform such scanning to avoid any scope limitations during the audit.

It depends. In my company, Corporate IT Security has the right, by policy, to scan the network at any time without notifying anyone. We make sure that we do not DOS scans but other than that there is no guarantee. We have a requirement for all systems to be scanned on a monthly basis using one of a variety of tools and that scanning is done by IT / IT Security staff supporting the business. Corporate IT Security is the only group authorized to scan across the WAN with out prior notification. Internal audit in my company does not do network scanning. If they want a network scan as part of the audit they are conducting, they get one of my staff or an SME from the business to support them.

As to who is responsible, in my opinion it is the application owner. Why should a nessus or nmap scan bring down a properly configured and fully patched application?

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]