Penetration Testing mailing list archives

Re: [PEN-TEST] War Dialling - Limited Scope


From: mshines <mshines () purdue edu>
Date: Thu, 16 Nov 2000 14:49:18 -0500

Then I presume the results will be duly qualified also?  How much assurance
could one give if the whole of the organization is not examined?  In an
auditor's terms - your independence and scope have been limited, which leads
to a qualified opinion.  Certainly, technically, the work can be done - but
what is the value of the results?

For example - if you have strong security in IT, but allow file transfers -
it's a trivial task to FTP a file to a desktop and send it outside the
organization from there (with absolutely no protection).

In the end, security is only as good as the weakest link...  which speaks
strongly for an organization-wide review.

But, of course, you have to do what you contracted for.
-----------------------------------
Michael S Hines
OS/390 Systems Programmer
Management Information
1061 Freehafer Hall
West Lafayette, IN 47907-1061
phone 765-494-5875
fax 765-496-1380








-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Scott, Mick
Sent: Thursday, November 16, 2000 12:31 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: War Dialling


Quite rightly, most of you have highlighted the need to wardial the whole
of acme.com.  However, and I should have explained this, the scope of the
engagement does not permit this and must be concentrated in this one area.

Thanks for the responses.

Regards,
Mick Scott,
Information Security
e-business Services, IBM Global Services
Hursley
Telephone: 01962 818265 - Internal: 248265
E-mail: mick_scott () uk ibm com  - PGP key available

