Firewall Wizards mailing list archives

Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker


From: Adam Graham <agraham () datastreamcowboys net>
Date: Mon, 30 Aug 2004 09:08:47 -0500

This is a topic that I know well... I used to be one of the pen testers to which you refer. As far as the "hired gun" is concerned, on occasion systems have had short outages caused by the pen test. For example, one instance was from a machine that was never patched, a straight-out-of-the-box NT 4.0 install... no service pack. This machine had to be rebooted because during the pen test the processor shot up to 100% utilization and it was useless as the SQL 6.5 server until rebooted. I have never witnessed any more long-term outage first-hand but have heard nightmare stories.

So, any written authorization, YES WRITTEN AUTHORIZATION, to pen test a network should reflect that there is a possibility for outages and such. Whether the pen test team plans on it or not, there can be outages. We had a form for the customer that stated without confusion what was to be tested, to what degree it was tested (everything has a breaking point), and what may occur from the testing. CYA... in today's world, battles aren't fought in the trenches, but in the courtrooms... so, document everything in such a simple way that non-egghead people can understand what is involved. Most of the people on this list, I bet, when talking to other IT professionals use a language that would give a non-techy management person a brain cramp.

As for your comment about the team hitting the wrong address... unfortunately I have been there... partially my fault and partially the customer's. My mistake is that I did not double check an IP range in which a customer had reversed 2 numbers in the Class C range. So instead of looking at their Class C, I got a nasty email from an ISP about hitting their addresses. I replied back and explained to them what had happened and got another nasty email back telling me not to let it happen again... Just goes to show Murphy's Law is going good and strong in the IT realm. A real good source for more info on this subject is Security Focus's list on pen testing.

So, here's what we learned:
   1. document everything
   2. make info in all documents simple for non-techies to understand
   3. make customer aware of possible outages (even though unplanned)
   4. beware of Murphy
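One way to catch the scope mistake described in the post (two numbers reversed in a Class C) before anything is sent to a host, as an added example that is not part of the original message; the authorized ranges, the candidate targets and the verdict names are constructed for the illustration:

```python
"""Pre-engagement scope check: clear only targets inside the written
authorization and hold back anything that looks like a typo of it."""
import ipaddress
from itertools import combinations

# Constructed: the ranges exactly as they appear in the signed authorization.
AUTHORIZED_SCOPE = [ipaddress.ip_network(c)
                    for c in ("192.168.35.0/24", "10.7.0.0/16")]


def _near_misses(addr):
    """Addresses one 'reversed numbers' slip away from addr: two octets
    swapped, or the digits of a single octet reversed (35 <-> 53)."""
    octets = str(addr).split(".")
    variants = set()
    for i, j in combinations(range(4), 2):          # two octets swapped
        o = octets[:]
        o[i], o[j] = o[j], o[i]
        variants.add(".".join(o))
    for i in range(4):                              # digits reversed in one octet
        reversed_octet = int(octets[i][::-1])
        if reversed_octet <= 255:                   # e.g. 199 -> 991 is no address
            o = octets[:]
            o[i] = str(reversed_octet)
            variants.add(".".join(o))
    variants.discard(str(addr))
    return {ipaddress.ip_address(v) for v in variants}


def classify_target(target, scope=AUTHORIZED_SCOPE):
    """'in-scope' if covered by the authorization, 'suspect-transposition'
    if a near miss of it would be, otherwise 'out-of-scope'."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in scope):
        return "in-scope"
    if any(alt in net for alt in _near_misses(addr) for net in scope):
        return "suspect-transposition"
    return "out-of-scope"


def build_target_list(candidates, scope=AUTHORIZED_SCOPE):
    """Split candidates into hosts cleared for testing and hosts that need
    the customer to confirm the range in writing before they are touched."""
    cleared, hold = [], []
    for target in candidates:
        verdict = classify_target(target, scope)
        (cleared if verdict == "in-scope" else hold).append((target, verdict))
    return cleared, hold
```

Run it over the customer's list before the engagement starts; anything in the hold list goes back to the customer with the question of which range they actually meant.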




_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
