Penetration Testing mailing list archives

RE: Crash in system scanned


From: "Rivest, Philippe" <Rivestp () metro ca>
Date: Tue, 8 Jan 2008 15:24:54 -0500

Well, it depends on the scope of the test you are doing. Prior to doing a test you need to do a statement of what you are 
going to test and what you are not going to test. In this statement you could state
        
        "The auditors will test if it is possible to do a DOS (system crash) on the system".

If such a statement is done, in the test window you have full permission to do a scan and make the system crash in the 
process. Your responsibility would be null since you have the written permission to do so.

You could have a statement saying

        "The auditor must ensure at all times system availability and integrity of the data and all equipment."

If the test goes wrong with this statement, you need to have a backup plan. That would be the emergency response list, 
basically who the auditor needs to call and in what order.


For the responsibility part, I would suggest adding a "No fault under reasonable behaviour & attitude" statement. Word 
it how you want but it should protect you in the case that you are running a test that normally should not crash a 
system and it does crash. 

Don't dare the Devil; it is very easy to crash a system, as we all know. A backup plan and a detailed test plan saying 
what action will be done in what order should be mandatory.


Since you have upper management's approval on the test and these statements, you should be "ok". The responsibility 
will go on the auditor's team, but nothing bad should happen if everything is planned and detailed well.


That's my 2 cents on this.


Thanks
 
Philippe Rivest, Certified Ethical Hacker
Information Security Analyst
Métro Richelieu
450-662-3300x3115
Is it really necessary to print this page?

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of ahgaber_rehan () yahoo com
Sent: Monday, 7 January 2008 10:48
To: pen-test () securityfocus com
Subject: Crash in system scanned

I need to know, if an internal auditor is scanning a system over the LAN during an audit assignment, who should take the 
responsibility if the scanned system went down/crashed due to this scan. I am quite sure scanning has to be 
prearranged with IT and IT Security and approved on the targeted systems, and it's important for the IT auditor to perform 
such scanning to avoid any scope limitations during the audit.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

