Security Basics mailing list archives
Re: Opinions on vulnerability scanning practice?
From: krymson () gmail com
Date: 4 Aug 2006 13:46:04 -0000
From everything I have heard, you are not wrong for being upset. They performed a possibly intrusive vulnerability scan on your systems without asking your permission. This is reasonably no different than a malicious user doing the same thing. They could have easily caused a DoS on your system or found holes in your armor. If you have alerts set up, it takes man-hours to isolate and address the issue. Normal courses of action could have caused you to block their site from reaching your servers, which may have impacted your own hosted non-profits, especially if e-commerce had already been turned on.
As always with issues like this, I would at least mention it to your lawyers and see what they have to say as well. There is the possibility your non-profits thought that the server effectively belonged to them, and they were right in authorizing scans. This might warrant a quick look at any contracts you and they have. I would definitely contact them and let them and the risk mgmt firm know that this sort of action was not requested nor permitted. They should admit their fault and apologize, and hopefully they won't do it again. I think it will be enough to say, "hey, you didn't get permission for this, if you do it again without permission, we will block service, which could impact e-commerce operations." Seek contact information for IT/security managers at the non-profits and the risk management firm so that if this happens again, you can quickly get to a source.