Re: The legal / illegal line?
- From: "Tim Shea" <tim@xxxxxxxxx>
- Date: Mon, 5 Mar 2007 12:55:28 -0600 (CST)
The short answer is that you don't.
If you feel there may be an issue uncovered via your due diligence about a
third party - then document your concern and the follow up steps that you
feel may be required to verify that concern. Then move on. Do not
attempt to "knock on the door" of a third party without permission from
the third party and your client.
Some people will never be convinced. Just do the job as outlined in the
contract and you fulfilled your end of the deal. If they ignore you -
then you are on record and if something goes down - well its their fault.
In this industry - you will be ignored often.
Thanks All
I agree totally, that it is a line that should be kept away from
But then how do you "prove" to someone that their system isn't as secure
as they "feel"/assume it is?
I have run into many companies where you can see the security is not
what it should be.
Yet you ask the IT director and they are so convinced they have perfect
security and even report that to their
bosses. Yet the signs are clear they don't?
How do you convince them, when they won't give permission because isn't
warning them removing them from
Due Diligence to Due Negligence?
Thanks again
Barry
Barry Fawthrop wrote:
Hi All
Curious to hear other views, where does the legal and illegal line stand
in doing a pen test on a third party company?
Does it start at the IP Address/Port Scanning Stage or after say once
access is gained?? very vague I know
I'm also curious to hear from other external/3rd party pen-test
consultants, how they have managed to solve the problem
Where they approach a client who is convinced they have security, and
yet there is classic signs that they don't?
You know that if you did a simple pen-test you would have the evidence
to prove your point all would be mute
But from my current point that would be illegal, even if no access was
gained. (maybe I'm wrong) ??
Perhaps this is just a problem here where I am or perhaps it exists
elsewhere also?
I look forward to your input
Barry
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
--
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
------------------------------------------------------------------------
- References:
- The legal / illegal line?
- From: Barry Fawthrop
- Re: The legal / illegal line?
- From: Barry Fawthrop
- The legal / illegal line?
- Prev by Date: RE: The legal / illegal line?
- Next by Date: RE: The legal / illegal line?
- Previous by thread: RE: The legal / illegal line?
- Next by thread: RE: The legal / illegal line?
- Index(es):
Relevant Pages
|
