Re: The legal / illegal line?

From: Tim Shea (tim@tshea.net)
Date: Mon Mar 05 2007 - 13:55:28 EST


The short answer is that you don't.

If you feel there may be an issue uncovered via your due diligence about a
third party - then document your concern and the follow up steps that you
feel may be required to verify that concern. Then move on. Do not
attempt to "knock on the door" of a third party without permission from
the third party and your client.

Some people will never be convinced. Just do the job as outlined in the
contract and you fulfilled your end of the deal. If they ignore you -
then you are on record and if something goes down - well its their fault.
In this industry - you will be ignored often.

> Thanks All
>
> I agree totally, that it is a line that should be kept away from
> But then how do you "prove" to someone that their system isn't as secure
> as they "feel"/assume it is?
> I have run into many companies where you can see the security is not
> what it should be.
> Yet you ask the IT director and they are so convinced they have perfect
> security and even report that to their
> bosses. Yet the signs are clear they don't?
>
> How do you convince them, when they won't give permission because isn't
> warning them removing them from
> Due Diligence to Due Negligence?
>
> Thanks again
> Barry
>
> Barry Fawthrop wrote:
>> Hi All
>>
>> Curious to hear other views, where does the legal and illegal line stand
>> in doing a pen test on a third party company?
>> Does it start at the IP Address/Port Scanning Stage or after say once
>> access is gained?? very vague I know
>>
>>
>> I'm also curious to hear from other external/3rd party pen-test
>> consultants, how they have managed to solve the problem
>> Where they approach a client who is convinced they have security, and
>> yet there is classic signs that they don't?
>> You know that if you did a simple pen-test you would have the evidence
>> to prove your point all would be mute
>>
>> But from my current point that would be illegal, even if no access was
>> gained. (maybe I'm wrong) ??
>>
>> Perhaps this is just a problem here where I am or perhaps it exists
>> elsewhere also?
>>
>> I look forward to your input
>>
>> Barry
>>
>>
>> ------------------------------------------------------------------------
>> This List Sponsored by: Cenzic
>>
>> Need to secure your web apps?
>> Cenzic Hailstorm finds vulnerabilities fast.
>> Click the link to buy it, try it or download Hailstorm for FREE.
>>
>> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
>> ------------------------------------------------------------------------
>>
>>
>>
>
> --
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT