Penetration Testing mailing list archives

Re: [PEN-TEST] Testing a "rogue site"


From: Karyn Pichnarczyk <karyn () SANDSTORM NET>
Date: Mon, 11 Sep 2000 12:47:26 -0400

"Alexander Sarras (SEA)" wrote:

(previous message deleted to save bandwidth)

Basically I concur, but if you want to stick: Get your company's written
approval of your responsibilities. If this rogue site is inside your
responsibility tell them (in writing) it's either your authority as well or
no responsibility. If it's the latter, firewall them off your site! As long
as it's not your job (and that's what having the authority means), don't do
any more scanning or the like, it might be construed as something
sinister!

A couple of rules to go by:
        1) SECURITY has the last say! EVER!
        2) if SECURITY says no, it stays that way. Otherwise quit.

If possible get that in writing.

SaS

I totally disagree with the two rules stated above. Yes, you need your
company's written approval of your responsibilities. But unless you go by
the One and Only rule, you will not last long in the security trade:

1. Business Must Continue.

If this rule is not followed, then it doesn't matter how good or bad
the security posture is: the company just won't exist!

Therefore, the Business Demands of the company must be met, AT ALL COSTS
including, regretfully and occasionally, the cost of bad security.  I am
not saying that security must be bad by any stretch of the imagination.
I'm just saying that there are times that, due to Business Reasons, the
security professional must make provisions within the security architecture
to wince with pain, inform superiors that the security is awful, and
propose a plan to upgrade to the better security posture.

Just be sure to CYA and make sure that the superiors who have made the
decision to ignore security have written this down somewhere. THEY are the
ones who made the decision based upon the Risk Analysis of the security
department, and therefore THEY are responsible if the security is
compromised.

Karyn

ps: this is another reason for security to be involved in all aspects of
the company from the start on any project.  If you know what's going on
early enough in a project, you may be able to keep the worst of the
problems at bay.  Of course, this doesn't help one whit with regards to the
topic of this thread in pen-test.
