Firewall Wizards mailing list archives

Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker


From: "Kerry Thompson" <kez () crypt gen nz>
Date: Fri, 27 Aug 2004 10:20:23 +1200 (NZST)

Hi Bruce

I've had experience on both sides of Ethical Hacking (I prefer the term
"Penetration Testing") and wrote some comments about it all a while ago
at http://www.crypt.gen.nz/papers/requesting_pen_test.html which may be of
interest.

Most notably, there must be written agreement as to what the target is,
the date and time of the testing, and how to call "Uncle!" to get it
stopped immediately. Also, the attacking IP address(es) should be defined
so operations staff don't go into full incident response mode (unless you
really want to test incident response).

My worst experience was when I was network admin for a large commercial
site, and our management had requested a test from an outside group
without notifying anyone in the Ops area. The test threw so much traffic
at the (rather old) FW1 perimeter firewall that it collapsed under the
logging load. Of course, the ops staff went into full incident response
mode - isolating the firewall, tracing packets, notifying upstream ISPs,
etc. The enterprise was disconnected for about 6 hours. It really wasn't
much fun.

I've also heard tales of when the testing team gets the target wrong, and
that is downright scary.

Kerry

-- 
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz  kerry () crypt gen nz
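The points above (agreed target, agreed window, declared attacking addresses, and the "wrong target" case) can be turned into a simple triage check that operations staff run over firewall events during a test. This is an added example, not part of Kerry's post or his paper; the RoE values, the log format and the log lines are all constructed for illustration.

```python
# Added example: classify firewall events against a written rules-of-engagement
# (RoE). All values below (tester IPs, target range, window, log lines) are
# constructed for illustration, not taken from the post.
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    tester_sources: tuple   # attacking IPs/ranges agreed in writing
    targets: tuple          # the agreed target networks
    start: datetime         # agreed window (UTC)
    end: datetime

    def classify(self, src, dst, when):
        """Return a label ops staff can act on for one observed event."""
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if not any(src_ip in net for net in self.tester_sources):
            return "unknown-source"          # normal incident handling applies
        if not (self.start <= when <= self.end):
            return "tester-outside-window"   # not authorised now: call the tester
        if not any(dst_ip in net for net in self.targets):
            return "tester-out-of-scope"     # the "wrong target" case: stop the test
        return "authorised-test"             # log it; no incident response needed


# Constructed RoE: one tester host, one target range, a four-hour window.
ROE = RulesOfEngagement(
    tester_sources=(ip_network("203.0.113.10/32"),),
    targets=(ip_network("198.51.100.0/24"),),
    start=datetime(2004, 8, 27, 9, 0, tzinfo=timezone.utc),
    end=datetime(2004, 8, 27, 13, 0, tzinfo=timezone.utc),
)

# Constructed firewall log lines in the form "<ISO time> <src> -> <dst>".
SAMPLE_LOG = """\
2004-08-27T10:15:00+00:00 203.0.113.10 -> 198.51.100.25
2004-08-27T10:16:00+00:00 203.0.113.10 -> 192.0.2.7
2004-08-27T15:30:00+00:00 203.0.113.10 -> 198.51.100.25
2004-08-27T10:17:00+00:00 203.0.113.99 -> 198.51.100.25
"""


def triage(log_text, roe=ROE):
    """Parse each log line and classify it against the RoE."""
    results = []
    for line in log_text.splitlines():
        ts, src, _, dst = line.split()
        results.append((src, dst, roe.classify(src, dst, datetime.fromisoformat(ts))))
    return results


if __name__ == "__main__":
    for src, dst, label in triage(SAMPLE_LOG):
        print(f"{src:>14} -> {dst:<14} {label}")
```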


Bruce Platt said:
Without starting a huge flaming thread ...

Have any of you used a "Memo of Understanding" or "Contract" (shudder)
when asked to do some "ethical hacking" for a company on their resources,
systems, and networks?

I'd like to skip over the topic of Certification for Ethical Hackers and
get to the issue of what one might want to include in such a document to
protect both oneself and the company.

What comes to mind quickly are many of the same sorts of indemnifications,
hold-harmless, and liability issues which would apply for a non-security-
related consulting agreement, but with the various sorts of damage which
can be done by mistake or carelessness and so forth when asking one to
assess a company's security profile, I would think that some of you might
have used a document with which you are comfortable in the past, or have a
pointer to one.

I know what I have done when I was a full-time employee within my own
company, but have yet to find a document which seems comfortable for use
with an external consultant.

(And no, I am not looking to start yet another new career :-)  sigh )

Thanks and regards

Bruce

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
