Re: Volunteer pen testing

[Richard Rager <kb8rln () penguinmaster com>]

On Tue, 14 Dec 2004, Matt Bellizzi wrote:

> Just wanted to bounce an idea off on this list.   Lately I've been 
> thinking of doing some charity work.   However I generally avoid 
> physical labor.  The idea has entered my brain to provide pen 
> testing/security audit services to non profits.    I am by no means a 
> pet test expert.   Although I do have  solid networking/security skills 
> (I'm a QA engineer for IPSec VPNs and firewalls).  Obviously for a non 
> profit to be eligible they would either need a constant-on connection or 
> a co-located host.  Just thought it would be a fun way to learn more 
> about pen testing, help the community and helping organizations that are 
> generally straped for cash.


   I really hate to say this.  Get a lawyer.  This is the reasons.

   You need to define what you will test.

      What types of test will you do.
      What Systems you will test. 
        IE Routers, Web Servers, Mail server
        IDS?
     

   What will hapen if you do any harm?

     I have done pen testing and was trying to get there IDS mad at me.  
     The web server die.  Who do you call?

     Get out of jail free card is good to have here.

     Limit your liablities.

  What will you do with the information that you collect?

     Who will you give it too?

     How long with you keep the information?

  
  Stay away with anything close to GLB or HIPPA

   It really a can of worms.


  Just let me say.  It nice idea, please remember no good deed goes 
unpunished.


Enjoy,

Richard Rager
penguinman.com