Penetration Testing mailing list archives

Re: [PEN-TEST] finding offensive material


From: "E, M" <freehold () EROLS COM>
Date: Wed, 7 Mar 2001 09:23:51 -0800

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Caveat:  I'm no lawyer.  I don't even play one on TV.

Treat it as a risk to the company, not a moral judgment.  There are
enough instances now of emails and material stored on computers
causing legal difficulties for corporations -- even if they have
prevailed in the end, they still faced the embarrassment, cost, and
disruption of a court battle.  You can probably find several instances
that suit your situation - use your favorite search engine.  The
closer you can get to the specific business/culture/situation, the
more management will be able to relate to the threat.  [Perkins-Coie
(and others I'm sure) has a helpful 'internet case digest' that links
to each case.]

In addition to the 'technology risk', I would discuss a company's
'social risk profile' ahead of the actual pentest:  do they have a
media position?  What is their culture?  Do they keep legal counsel on
retainer?  Have they been to court in the past on a regular basis?  Do
they have an acceptable legal risk in mind?  A 200-workstation group
staffed by labor organizers may have a very different profile and
culture from a 200-workstation group staffed by engineers and
scientists. :)

Keeping in mind that (admittedly nebulous and much bandied-about!)
statement that 'somewhere between 60% - 80% of all security risks come
from *inside* a group' and that a security risk is more than just a
password that never expires, a thorough pen test should include more
than examining a firewall.  Your company should understand this ahead of
time.  Leaving out the 'people aspect' means the result is limited to
holes in technology, resulting in a kind of tunnel vision. :)

'Layered security' requires 'layered pentesting'.  I would keep all
judgments out of my report.  Present social/legal risks the same as
technical risks, with assessments of their weight/threat based on
published cases, and allow management to make the decision.

JMO :)

Missy

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.5.3i for non-commercial use <http://www.pgpi.com>

iQA/AwUBOqZsjbs7QqFiUlmlEQKLhQCgomhfsgxIGcS5jZPozR/gm9SruhwAoMnq
lngR0btVwWV68hZueswy5jex
=lLHN
-----END PGP SIGNATURE-----

