Penetration Testing mailing list archives

Re: Risk of Redirecting Email.


From: JoePete <joepete () joepete com>
Date: Fri, 03 Apr 2009 23:01:55 -0400

On Tue, 2009-03-31 at 17:54 +0200, M.D.Mufambisi wrote:
> I have seen on some clients of mine, that when an employee leaves the
> organisation, they request IT to redirect their emails to a particular
> email address....personal.
> What are the risks of this? I can only think of company information
> being directed to this individual....which could be bad if he/she has
> gone to work for a competitor.

Before worrying about the technical issues here, these clients have much
larger fish to fry. There should be some sort of policy detailing email,
expectations, treatment of company information, non-compete agreements,
etc.

From a pen-test standpoint, what data might be emailed to these
individuals regarding password reset, support information (e.g. server
down time, network changes, etc.)? As an organization you can control
how people access your mail server and how that data might be stored.
You lose that control once it goes to some other mail server.

--
JoePete

