RE: Conflict of interests



Al,

If you have not verified their patch levels at this point, and it sounds like you probably have done no auditing at this organization, how are you sure that it is safe to pass along domain admin credentials across the network? Might be prudent to review written policies (especially logging), followed by the domain controllers, and then the domain and domain controllers' security policies.
You can always follow-up in writing as to which systems you entered, the timestamp, and what tests you performed.


Respectfully,

Dave Kleiman - http://www.DigitalForensicExpert.com
http://www.ComputerForensicExaminer.com - http://www.DigitalForensicAnalyst.com

4371 Northlake Blvd #314
Palm Beach Gardens, FL 33410
561.310.8801

Digital Computer Forensics + Data Recovery + Electronic Discovery


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of s0h0us
Sent: Tuesday, May 05, 2009 12:19
To: Richard Thomas
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Conflict of interests


Hi Richard, thanks for the feedback. I thought I had included a name in the original posting but I guess I didn't. You can call me Al (like in the song :P ).
Anyway, my role? The million dollar question. One man show, trying to do many things: from policy writing to internal risk assessments of third party vendors, contract reviews, vendor management, etc.
Somewhere along the line I review IT's functions as they relate to security. In this case I want to review their patch management process by making sure devices are proactively being updated as needed, using tools like Nessus, GFI LANguard, etc. I have a separate computer, outside the corporate AD, to perform some of these tests. This is simply an example of a way in which I'm wondering if privileged access is required. I'm not so much trying to perform a pen test, more wanting to make sure internal devices are not vulnerable.
Hope this helps. Thanks again!



----- Original Message ----
From: Richard Thomas <austindad@xxxxxxxxx>
To: s0h0us@xxxxxxxxx
Cc: security-basics@xxxxxxxxxxxxxxxxx
Sent: Tuesday, May 5, 2009 11:37:06 AM
Subject: Re: Conflict of interests

First, a request. Please give us a name to use, even if it's false.
To answer your question, we need to know the type of security role you
play. Is it operational security or more compliance related?
Generally, you should not require either domain admin access or root.
Most IT staff never need this level of access. If you could provide
us more information regarding the situation and your role, I think we
could offer more useful input.

Richard Thomas

On Mon, May 4, 2009 at 1:16 PM, <s0h0us@xxxxxxxxx> wrote:
As a security guy, not part of the IT department, I require a level of access in order to perform my job. Certain types of tools require privileged access in order to work. Like having domain admin access and/or similar privileged access for unix and linux systems. Is it reasonable to request this type of access without causing any type of conflict of interest that internal auditors might question? I guess audit trails would come in handy here.
Thanks for the feedback.




------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Learn all of the latest penetration testing techniques in InfoSec Institute's Ethical Hacking class.
Totally hands-on course with evening Capture The Flag (CTF) exercises, Certified Ethical Hacker and Certified Penetration Tester exams, taught by an expert with years of real pen testing experience.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------