Penetration Testing mailing list archives

Re: [PEN-TEST] Help defining job scope


From: "Tonick, Mike" <Mike.Tonick () PS NET>
Date: Thu, 24 Aug 2000 22:38:56 -0500

First of all - our "Get Out of Jail Free Cards" are only used internally for
red-team testing.  External pen-testing authorization is written into a
legal contract, and is quite different.  Get Out of Jail Free Cards are not
likely to work if someone catches a member of your team and the situation
escalates to the point that someone actually gets turned over to the local
police.

Michael D. Tonick, CISSP
Senior Security Consultant
Perot Systems
Dallas, Texas


-----Original Message-----
From: T. Barrick [mailto:tbarrick () HOME COM]
Sent: Wednesday, August 23, 2000 9:51 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: Re: Help defining job scope


Steven,

Unless I have mis-interpreted what you said, you are basically looking for
the same thing that our team is seeking from upper management - a "get out
of jail free card."

That said, I am curious how other members of this list in the corporate
world, rather than the security consultancy side of the house (that is a
separate discussion entirely), have dealt with this. Do others have this
"get out of jail free card" written in a document, or is it just an assumed
immunity or expectation of corporate-backed defense should trouble arise?

Our team's concern is that we operate on a world-wide basis: many countries
with varying laws and tolerances for network weakness discovery.
Additionally, we sometimes have to deal with 3rd-party hosted installations
that may or may not know that we are the good guys.

I suppose I really could have just said "me too" but I wanted to expand on
your topic a bit. :-)

Toby

"Steven W. Smith" wrote:

  I'm transitioning from systems management and programming into a "site
security person" role.  We don't even have an appropriate job title, yet.

  I've read horror stories about security people prosecuted for performing
their jobs and I don't want to follow in their footsteps.  I'd like to
write a document alluding to job duties that I'm authorized to perform:
port scans, probing for vulnerabilities, etc. and get a hardcopy signed by
my boss and his boss.

  I'm not looking for a laundry list of what I can do, rather, a "this guy
is *supposed* to be doing scary stuff" doc.  I'd really appreciate any
suggestions toward this goal and/or pointers to net resources.  Thanks
much!  If this is off-topic for the list I trust it won't make it past the
moderator.

Steve

Steven W. Smith, Systems Programmer
Glendale Community College, Glendale, AZ.
syssws () gc maricopa edu
