RE: Getting Permission to Use Security Tools

From: Josh Hung
Date: Tue, 19 Mar 2002 09:23:09 -0800

I totally agree with you.

-----Original Message-----
From: []
Sent: Monday, March 18, 2002 8:41 AM
Subject: RE: Getting Permission to Use Security Tools

I have followed this subject with interest and Tony, your latest email is
most disturbing. First of all, there is no such thing as a 'get out of jail
free' card when dealing with security issues, especially with a major
financial institution. It's called RESPONSIBILITY. And from the tone of
your post, "boy, am I going to have fun," let me ask you this: do you really
think that patching all the vulnerabilities you hope to find will be 'fun'?
Or do you plan to run your scans, uncover vulns and then just drop them in
the respective sys admins' laps and say "here, fix these now."

Whether or not you have permission, with an attitude such as yours, you may
not get sued but you will definitely be fired. To salvage your career, you
better be able to mitigate any vulnerabilities you might find with your
scans rather than pointing out the lacking of others. Any wannabe can run a
scan, but it takes responsibility to fix the problem.

Sandra Kay Miller
Content Security Lab Analyst

-----Original Message-----
From: tony toni []
Sent: Friday, March 15, 2002 6:05 PM
Subject: Getting Permission to Use Security Tools

I appreciate all of your input on my original email (Political
Challenges Using Nessus)....on the dilemma I was facing in using Nessus in
a *politically correct way*. In general, the consensus opinion was that I
needed to make sure I obtained written permission and inform everyone of my
plans when I do my scans.

The advice was great...and I have since drafted up a letter that I am
ready to fire off to my Director. In the letter I am asking for permission
to use any security tool, on any production device, any time and from any
direction (i.e. inside or outside of our network). I will use due diligence
in testing the tools.

A new job description/responsibilities covering these points was also
requested. I went on to explain why I want everything to be *so formal*.

I am very concerned about being fired and/or sued. There is a business and
technology risk in using security tools and I want a "get out of jail card"
in case anything went wrong.

The final paragraph contains a request that the permission letter and my
new job description be signed by my director, his boss, the VP of the
Networking and Server Area, and HR.

Do you agree with my approach? Think it is a good idea to ask for the
*world* and see what happens? Worst case is he will reduce the scope of
*white hat hacker* activities. If he agrees with everything and I get
everyone's approval...boy am I going to have fun!!
