Penetration Testing mailing list archives
Pen test - Attorney client Privilege?
From: rob havelt <rob () cobal org>
Date: Sat, 15 Oct 2005 17:04:05 -0400
Hi All,

Lately I've been seeing some stuff on the legal end of Penetration Testing, and have had some clients ask, and I thought that it would be an interesting question to pose to the list.

Mainly I've been seeing articles like this one: http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358&ad=530198USCA

that suggest that a penetration test should be commissioned by, and the results delivered to, an organization's legal department in such a way that the results of the test will be covered by attorney-client privilege...

The main crux of the suggestion was to insulate an organization against the liability of not implementing all the suggestions and recommendations in the report - i.e. if they were sued later, the results of the penetration test would be available to the plaintiff during the discovery process under normal circumstances (the test was commissioned by the IT or Risk Management department), but it would be privileged info if it were commissioned by legal...

Has anyone faced this in their client interactions? Or done this before? How does setting that up look exactly? And does anyone have any thoughts on the effectiveness of this?

To me it seems like that would be a very easy way to get an unfavorable report buried very quickly so that it ostensibly has no visibility in the organization. I've also wondered how the results are communicated between, say, legal and the IT group or the rest of the organization in this case?
Anyway, just something I thought was interesting is all...

--
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
It's a Kafka high. You feel like a bug.
---------------------------------------------------------------
rob () cobal org
rob.havelt