Security Basics mailing list archives
Re: Conflict of interests
From: s0h0us <s0h0us () yahoo com>
Date: Tue, 5 May 2009 05:36:30 -0700 (PDT)
Well, I guess, but let's say I'm just trying to verify that the IT department is properly patching their systems (server, wkstations, etc.) and I want to use a tool like GFI LANguard or Nessus to do this or to check for other vulnerabilities by actually passing system credentials.

----- Original Message ----
From: Chip Panarchy <forumanarchy () gmail com>
To: s0h0us () yahoo com
Sent: Tuesday, May 5, 2009 7:08:34 AM
Subject: Re: Conflict of interests

Hi

Isn't that the whole point of a Pen-Test (the kind you're doing)? That you DON'T have root/domain access? That you acquire access...

I know this isn't with all types of penetration testing, but this is a textbook example, eh?

On Tue, May 5, 2009 at 4:16 AM, <s0h0us () yahoo com> wrote:

As a security guy, not part of the IT department, I require a level of access in order to perform my job. Certain types of tools require privileged access in order to work. Like having domain admin access and/or similar privileged access for Unix and Linux systems. Is it reasonable to request this type of access without causing any type of conflict of interest that internal auditors might question? I guess audit trails would come in handy here.

Thanks for the feedback.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class. Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
Current thread:
- Conflict of interests s0h0us (May 04)
- RE: Conflict of interests Ian Bradshaw (May 05)
- RE: Conflict of interests Nick Vaernhoej (May 05)
- Re: Conflict of interests Sebastien MAHIEUX (May 05)
- Message not available
- Re: Conflict of interests s0h0us (May 05)
- RE: Conflict of interests James Flaherty (May 05)
- Re: Conflict of interests s0h0us (May 05)
- RE: Conflict of interests James Flaherty (May 05)
- Re: Conflict of interests David Schekaiban (May 05)
- Re: Conflict of interests Richard Thomas (May 05)
- Re: Conflict of interests s0h0us (May 05)
- Re: Conflict of interests Richard Thomas (May 05)
- Re: Conflict of interests Aarón Mizrachi (May 06)
- RE: Conflict of interests Dave Kleiman (May 06)
- Re: Conflict of interests s0h0us (May 05)
- Re: Conflict of interests Adam Pal (May 05)
- <Possible follow-ups>
- Re: Conflict of interests aaa . bbb (May 05)