Penetration Testing mailing list archives
Re: [PEN-TEST] finding offensive material
From: "E, M" <freehold () EROLS COM>
Date: Wed, 7 Mar 2001 09:23:51 -0800
Caveat: I'm no lawyer. I don't even play one on TV.

Treat it as a risk to the company, not a moral judgment. There are enough instances now of emails and material stored on computers causing legal difficulties for corporations -- even if they have prevailed in the end, they still faced the embarrassment, cost, and disruption of a court battle. You can probably find several instances that suit your situation - use your favorite search engine. The closer you can get to the specific business/culture/situation, the more management will be able to relate to the threat. [Perkins-Coie (and others I'm sure) has a helpful 'internet case digest' that links to each case.]

In addition to the 'technology risk', I would discuss a company's 'social risk profile' ahead of the actual pentest: do they have a media position? What is their culture? Do they keep legal counsel on retainer? Have they been to court in the past on a regular basis? Do they have an acceptable legal risk in mind? A 200-workstation group staffed by labor organizers may have a very different profile and culture from a 200-workstation group staffed by engineers and scientists. :)

Keeping in mind that (admittedly nebulous and much bandied-about!) statement that 'somewhere between 60% - 80% of all security risks come from *inside* a group' and that a security risk is more than just a password that never expires, a thorough pen test should include more than examining a firewall. Your company should understand this ahead of time. Leaving out the 'people aspect' means the result is limited to holes in technology, resulting in a kind of tunnel vision. :) 'Layered security' requires 'layered pentesting'.

I would keep all judgments out of my report. Present social/legal risks the same as technical risks, with assessments of their weight/threat based on published cases, and allow management to make the decision.
JMO :)

Missy c
Current thread:
- [PEN-TEST] finding offensive material Sheila (Mar 06)
- Re: [PEN-TEST] finding offensive material E, M (Mar 07)
- Re: [PEN-TEST] finding offensive material Laudon Williams (Mar 07)
- Re: [PEN-TEST] finding offensive material Andrew Walls (Mar 07)
- Re: [PEN-TEST] finding offensive material Alexander Sarras (SEA) (Mar 07)