Firewall Wizards mailing list archives
Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker
From: "Kerry Thompson" <kez () crypt gen nz>
Date: Fri, 27 Aug 2004 10:20:23 +1200 (NZST)
Hi Bruce

I've had experience on both sides of Ethical Hacking (I prefer the term "Penetration Testing") and wrote some comments about it all a while ago at http://www.crypt.gen.nz/papers/requesting_pen_test.html which may be of interest.

Most notably, there must be written agreement as to what the target is, the date and time of the testing, and how to call "Uncle!" to get it stopped immediately. Also, the attacking IP address(es) should be defined so operations staff don't go into full incident response mode (unless you really want to test incident response).

My worst experience was when I was network admin for a large commercial site, and our management had requested a test from an outside group without notifying anyone in the Ops area. The test threw so much traffic at the (rather old) FW1 perimeter firewall that it collapsed under the logging load. Of course, the ops staff went into full incident response mode - isolating the firewall, tracing packets, notifying upstream ISPs, etc. The enterprise was disconnected for about 6 hours. It really wasn't much fun.

I've also heard tales of when the testing team gets the target wrong, and that is downright scary.

Kerry

--
Kerry Thompson, CCNA CISSP
Information Systems Security Consultant
http://www.crypt.gen.nz
kerry () crypt gen nz

Bruce Platt said:
Without starting a huge flaming thread ...

Have any of you used a "Memo of Understanding" or "Contract" (shudder) when asked to do some "ethical hacking" for a company on their resources, systems, and networks?

I'd like to skip over the topic of Certification for Ethical Hackers and get to the issue of what one might want to include in such a document to protect both oneself and the company.

What comes to mind quickly are many of the same sorts of indemnifications, hold-harmless, and liability issues which would apply for a non security related consulting agreement, but with the various sorts of damage which can be done by mistake or carelessness and so forth when asking one to assess a company's security profile, I would think that some of you might have used a document with which you are comfortable in the past, or have a pointer to one.

I know what I have done when I was a full-time employee within my own company, but have yet to find a document which seems comfortable for use with an external consultant.

(And no, I am not looking to start yet another new career :-) sigh)

Thanks and regards
Bruce
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
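Kerry's points above (agree the target, the test window and the tester's source addresses in writing, so operations staff can tell an authorised test from a real incident, and notice when the testing team hits the wrong target) can be made operational on the defender's side. The following is an added example, not code from the thread or from any of its participants: it encodes a constructed rules-of-engagement record and labels constructed firewall log lines against it. The log format, the addresses and the dates are assumptions made for the example.

```python
"""Rules-of-engagement-aware triage of firewall log lines.

Added example (not from the original thread). The written agreement fixes
the target networks, the test window and the tester's source addresses;
operations staff can then separate authorised test traffic from everything
else and escalate when the tester strays outside the agreement.
Log format, addresses and times are constructed for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class RulesOfEngagement:
    targets: tuple     # networks the tester is allowed to touch
    sources: tuple     # networks the tester agreed to attack from
    start: datetime    # agreed start of the test window (UTC)
    end: datetime      # agreed end of the test window (UTC)

    def covers_target(self, addr):
        return any(addr in net for net in self.targets)

    def covers_source(self, addr):
        return any(addr in net for net in self.sources)

    def in_window(self, ts):
        return self.start <= ts <= self.end


# Assumed log layout: "<ISO timestamp>Z src=<ip> dst=<ip> dport=<n> action=<word>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line into typed fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"]), m["action"]


def classify(roe, ts, src, dst):
    """Label one event against the agreement.

    authorized-test : tester source, in-scope target, inside the window
    roe-violation   : tester source, but wrong target or outside the window;
                      this is the case for the agreed stop signal
    unrelated       : not tester traffic; normal incident handling applies
    """
    if not roe.covers_source(src):
        return "unrelated"
    if roe.covers_target(dst) and roe.in_window(ts):
        return "authorized-test"
    return "roe-violation"


def triage(roe, lines):
    """Return (label, line) pairs and a count per label."""
    labelled = []
    counts = {"authorized-test": 0, "roe-violation": 0, "unrelated": 0}
    for line in lines:
        ts, src, dst, _dport, _action = parse_line(line)
        label = classify(roe, ts, src, dst)
        counts[label] += 1
        labelled.append((label, line))
    return labelled, counts


# Constructed agreement: window 2004-08-26 22:00-23:59 UTC, target 192.0.2.0/24,
# tester attacks from 203.0.113.7 only.
ROE = RulesOfEngagement(
    targets=(ip_network("192.0.2.0/24"),),
    sources=(ip_network("203.0.113.7/32"),),
    start=datetime(2004, 8, 26, 22, 0, tzinfo=timezone.utc),
    end=datetime(2004, 8, 26, 23, 59, tzinfo=timezone.utc),
)

# Constructed firewall log lines (documentation address ranges).
SAMPLE_LOG = [
    "2004-08-26T22:15:03Z src=203.0.113.7 dst=192.0.2.10 dport=443 action=drop",    # authorised
    "2004-08-26T22:16:40Z src=203.0.113.7 dst=198.51.100.5 dport=22 action=drop",   # wrong target
    "2004-08-27T03:02:11Z src=203.0.113.7 dst=192.0.2.10 dport=80 action=accept",   # outside window
    "2004-08-26T22:17:09Z src=198.51.100.77 dst=192.0.2.10 dport=445 action=drop",  # not the tester
]

if __name__ == "__main__":
    for label, line in triage(ROE, SAMPLE_LOG)[0]:
        print(f"{label:16} {line}")
```

The point of the three labels is that "unrelated" keeps the normal incident response path untouched, while "roe-violation" is the trigger for the stop signal the agreement is supposed to define: the tester's own address touching a host outside the agreed target, or appearing outside the agreed window, is exactly the "wrong target" situation the message warns about.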
Current thread:
- Off-Topic: Memo of Understanding for Using an Ethical Hacker Bruce Platt (Aug 26)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Kerry Thompson (Aug 27)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Paul D. Robertson (Aug 28)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Devdas Bhagat (Aug 28)
- Re: Off-Topic: Memo of Understanding for Using an Ethical Hacker Matt Curtin (Aug 28)