Penetration Testing mailing list archives
Re: The legal / illegal line?
From: "Matthew Snider" <Matthew.Snider () SPARROW ORG>
Date: Thu, 08 Mar 2007 15:52:40 -0500
Well this topic has certainly been covered, but let me add a new perspective. I'm fairly new to pen testing, but have been at the security game for over 7 years, and I've learned a bit in that time. To me the most important aspect of being a security consultant, especially a pen tester, is your reputation. Your clients must be able to trust you. If they can't, they won't hire you, and won't accept your advice. For that reason, to be successful you must protect your ethical reputation vigilantly.

Engaging in testing without a pre-established relationship to me is patently unethical. I don't see much value in trying to differentiate between a "scan" and an "intrusion attempt". If you send traffic for an unauthorized purpose to a device you do not own, that is not ethical. If I connect to a web server for any other purpose than to view its web page, that is not ethical. Again my opinion only. Laws vary, and enforcement varies, but as Paul R. says, ethics stay the same.

I agree with Dotzero that the best way to generate business is to offer a free security evaluation, then get a contract, then perform the evaluation.

On the topic of:

"I'm also curious to hear from other external/3rd party pen-test consultants, how they have managed to solve the problem where they approach a client who is convinced they have security, and yet there are classic signs that they don't? You know that if you did a simple pen-test you would have the evidence to prove your point and all would be mute"

Another factor to consider is risk. Just because a vulnerability exists does not mean that the risk justifies action by a company. Here's an example. Say there's a vulnerability in my backup (non-production) web server, and an attacker can cause the HTTP service to fail by sending a malformed packet. I study logs and find out I'm being hit twice a day by the attack. I perform a risk assessment that shows two options. First is to spend $1000 to hire the security guy to test the vuln, break my server, then fix it with a patch. Second option is to spend nothing, set the HTTP service on my web server to restart after a failure, and go about my business. As long as the "downtime" caused by the second option is minimal, that is the best risk-based (and therefore security-based) decision.

Security, like all business functions in a for-profit business, is driven by finance. Managers who pay $1000 to "fix" something which could be "fixed" for free will not keep their jobs very long. So these companies who seem to have "bad" or "no" Internet security might have the appropriate level of security for their business--how would you know unless you worked there and participated in their risk assessment? The best security is what is appropriate for a given business, with their particular situation. Sometimes that means hiring a pen tester, sometimes not. Just because a company does not want to hire a pen tester does not mean they are ignoring security. Companies either embrace or avoid risk, based on their business. You can point out as many vulnerabilities as you want, that doesn't mean it's in the company's best interest to fix them. It just depends on the particular business situation.

Matt
Barry Fawthrop <barry () ttienterprises org> 3/1/2007 8:46 PM >>>
Hi All

Curious to hear other views, where does the legal and illegal line stand in doing a pen test on a third party company? Does it start at the IP Address/Port Scanning Stage or after, say, once access is gained?? Very vague I know.

I'm also curious to hear from other external/3rd party pen-test consultants, how they have managed to solve the problem where they approach a client who is convinced they have security, and yet there are classic signs that they don't? You know that if you did a simple pen-test you would have the evidence to prove your point and all would be mute. But from my current point that would be illegal, even if no access was gained. (maybe I'm wrong) ??

Perhaps this is just a problem here where I am or perhaps it exists elsewhere also?

I look forward to your input

Barry

------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------