Penetration Testing mailing list archives

Re: [PEN-TEST] Testing a "rogue site"


From: "Alexander Sarras (SEA)" <Alexander.Sarras () SEA ERICSSON SE>
Date: Mon, 11 Sep 2000 09:36:53 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Listen to your instincts.  I believe you're trying to be cooperative and
a team player, and you're clearly interested in security and learning as
much as you can, but you've already figured out what the problem is
in the title of your email - 'rogue sites'.  They're not playing on the
team, or you wouldn't be using the word 'rogue'.

The company is evidently not quite behind the idea of having a security
policy actually in effect, or they wouldn't allow any 'rogue sites'.
IMO that means they won't back you up as Security Manager when - not if
- there's trouble.  Those sites could eventually endanger the rest of
the network if they're tied in, which you *are* responsible for.

Basically I concur, but if you want to stick: Get your company's written
approval of your responsibilities. If this rogue site is inside your
responsibility, tell them (in writing) it's either your authority as well or
no responsibility. If it's the latter, firewall them off your site! As long
as it's not your job (and that's what having the authority means), don't do
any more scanning or the like; it might be construed as something
sinister!

A couple of rules to go by:
        1) SECURITY has the last say! EVER!
        2) If SECURITY says no, it stays that way. Otherwise quit.

If possible get that in writing.

SaS

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1 Int.
Comment: Even paranoiacs have enemies!

iQA/AwUBObx9IvNEKPH/spuMEQLW5ACg/LEvNDG5LLDsn/QIczpaQp+I4jEAoJRg
XL+EcNzogW/d4qnm9SQvhkbj
=FaRQ
-----END PGP SIGNATURE-----

