RE: Getting Permission to Use Security Tools

From: Josh Hung (techguy@science.sjsu.edu)
Date: 03/19/02


From: Josh Hung <techguy@science.sjsu.edu>
To: "'SKMiller@trusecure.com'" <SKMiller@trusecure.com>, security-basics@securityfocus.com
Date: Tue, 19 Mar 2002 09:23:09 -0800

I totally agree with you.

-----Original Message-----
From: SKMiller@trusecure.com [mailto:SKMiller@trusecure.com]
Sent: Monday, March 18, 2002 8:41 AM
To: security-basics@securityfocus.com
Subject: RE: Getting Permission to Use Security Tools

I have followed this subject with interest and Tony, your latest email is
most disturbing. First of all, there is no such thing as a 'get out of jail
free' card when dealing with security issues, especially with a major
financial institution. It's called RESPONSIBILITY. And from the tone of
your post, "boy, am I going to have fun," let me ask you this: do you really
think that patching all the vulnerabilities you hope to find will be 'fun'?
Or do you plan to run your scans, uncover vulns and then just drop them in
the respective sys admins' laps and say "here, fix these now."

Whether or not you have permission, with an attitude such as yours, you may
not get sued but you will definitely be fired. To salvage your career, you
better be able to mitigate any vulnerabilities you might find with your
scans rather than pointing out the shortcomings of others. Any wannabe can run a
scan, but it takes responsibility to fix the problem.

Sandra Kay Miller
Content Security Lab Analyst

-----Original Message-----
From: tony toni [mailto:tony572001@hotmail.com]
Sent: Friday, March 15, 2002 6:05 PM
To: tony572001@hotmail.com; security-basics@securityfocus.com
Subject: Getting Permission to Use Security Tools

Folks,

I appreciate all of your input on my original email (Political
Challenges Using Nessus)....on the dilemma I was facing in using Nessus in
the *politically correct way*. In general, the consensus opinion was that I
needed to make sure I obtained written permission and inform everyone of my
plans when I do my scans.

The advice was great...and I have since drafted up a letter that I am getting
ready to fire off to my Director. In the letter I am asking for permission
to use any security tool, on any production device, any time and from any
direction (i.e. inside or outside of our network). I will use due diligence
in testing the tools.

A new job description/responsibilities covering these points was also
requested. I went on to explain, why I want everything to be *so formal*.

I am very concerned about being fired and/or sued. There is a business and
technology risk in using security tools and I want a "get out of jail card"
in case anything went wrong.

The final paragraph, contains a request that the permission letter and my
new job description be signed by my director, his boss, the VP of the
Networking and Server Area, and HR.

Do you agree with my approach? Think it is a good idea to ask for the
*world* and see what happens? Worst case is he will reduce the scope of
*white hat hacker* activities. If he agrees with everything and I get
everyone's approval...boy am I going to have fun!!



