Security Basics mailing list archives

RE: Conflict of interests


From: "James Flaherty" <jflaherty () itsfac com>
Date: Tue, 5 May 2009 13:19:50 -0400

If you're using a tool like Nessus or Retina, you'll need to have an agreement between your section (the CERT, IR, or 
whatever you label yourselves) and the IT Dept.  If your job includes auditing your own systems (and it rightfully 
should), this should be an easy explanation, and you should receive minimal resistance.  

I would draft a security report citing the IT dept's uncooperative nature and send it to the appropriate authority 
above the IT Dept.  I'd mention the benefits of running these scans, create an SOP for running said scans, create a 
schedule, and mention the effect running a scan during working hours will have.

Hope this helps.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of s0h0us
Sent: Tuesday, May 05, 2009 8:37 AM
To: Chip Panarchy
Cc: security-basics () securityfocus com
Subject: Re: Conflict of interests


Well, I guess, but let's say I'm just trying to verify that the IT department is properly patching their systems 
(servers, workstations, etc.) and I want to use a tool like GFI LANguard or Nessus to do this, or to check for other 
vulnerabilities by actually passing system credentials.



----- Original Message ----
From: Chip Panarchy <forumanarchy () gmail com>
To: s0h0us () yahoo com
Sent: Tuesday, May 5, 2009 7:08:34 AM
Subject: Re: Conflict of interests

Hi

Isn't that the whole point of a Pen-Test (the kind you're doing)?

That you DON'T have root/domain access?

That you acquire access...

I know this isn't with all types of penetration testing, but this is a
textbook example, eh?

On Tue, May 5, 2009 at 4:16 AM,  <s0h0us () yahoo com> wrote:
As a security guy, not part of the IT department, I require a level of access in order to perform my job. Certain 
types of tools require privileged access in order to work, such as domain admin access and/or similar privileged 
access for Unix and Linux systems. Is it reasonable to request this type of access without causing any type of 
conflict of interest that internal auditors might question? I guess audit trails would come in handy here.
Thanks for the feedback.

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified 
Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------