From: mis@seiden.com
Date: Tue Nov 26 2002 - 20:37:26 EST
i agree with all of the explanation and education part. it's part
of the sales process.
insurance is to protect against unexpected liability. if neither you
nor your client believe there will be a meltdown, who's insisting on
insurance? and the deductibles are so high, chances are you'll never
use your coverage.
i try to get my clients to give permission and to assume the
liabilities for my infosec testing. (their business interruption
insurance will often protect against something awful.)
of course, if my ordinary testing crashes their systems, so can bugs or
insiders, and they typically assume those liabilities, so why not the
costs involved in my testing?
for physical security testing (which i do) there are often 3rd parties
involved (e.g. colo or hosting facilities, and other tenants in the
facility), and i need multiple permissions, and i need to act as the
agent of the tenant in the facility. i agree not to cause damage to
people or property in my testing. (i suppose i could get electrocuted
crawling around in the ceiling or the floor, and that's my risk. i
cracked a ceiling tile once. that was my cost, but they said
"don't bother".).
i don't typically test whether the UPS switchover works by turning off
the colo building power, because of the exposure to other tenants
whose permission i'm unable to get. i've been surprised by how long ago
this sort of thing has been tested.
in many cases, my testing is intended to test the time-to-detect,
time-to-recover or incident response. the cost of the test is a
measure of the preparedness of the target of evaluation. advance
warning resulting in heightened awareness or artificial minimization
of the test just to minimize possible costs etc. reduces the realism
of testing.
On Tue, Nov 26, 2002 at 05:57:29PM -0000, David Wray wrote:
> HI Lisa
>
> In our experience (In the UK at least), the Insurance side of pen testing is
> much like the Legal side, i.e. you have to patiently explain to someone
> that's never heard of pen testing what you do, why you do it, who you do it
> for, the pitfalls of pen testing, the likely outcome, expected turnover etc
> etc. We have also had to show our working practises, how we update the
> testing, the CVs of the testers, our contracts etc etc.
>
> Our "You missed something and we've been hacked" insurance is covered under
> our Professional Indemnity insurance, as is our "You've just killed our
> e-commerce platform and it won't restart" insurance. In my experience, it's
> the experience and time served by your testing team that seems to have the
> biggest swing on premiums. How much cover you get is a good question, it's
> never enough!
>
>
> Regards
>
> Dave Wray
> Sec-Tec Ltd
> www.sec-tec.co.uk
>
> ----- Original Message -----
> From: "Lisa Dokes" <securitylists@hotmail.com>
>
>
>
>
> ________________________________________________________________________
> Sec-Tec Ltd, CLAS Government listed specialists in information security professional services. Visit http://www.sec-tec.co.uk for more information on our services. This e-mail has been scanned for possible virus contamination. However, we recommend that all recipients also scan this message.
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:26 EDT