Re: The legal / illegal line?

From: David Swafford (dswafford@alterhighschool.org)
Date: Mon Mar 05 2007 - 09:55:43 EST


Hi Barry,

Here are my suggestions regarding your message.

In terms of approaching an "insecure" organization, I would not suggest
that you do this outright. Most organizations/clients that I have
worked with would immediately take the offensive side if you were to
approach them out of the blue regarding their network. Some feel that
this is an invasion of privacy, etc. In talking with others I have
heard that it is best to let them find you via word of mouth and from
other clients that you have worked with, also publishing research
information in the community helps spread your name as well.

In terms of the legal perspective (I am not an attorney, nor is this the
absolute truth), in my opinion you cross the line from doing
ethical hacking into black hat hacking when you start to probe a
network without the appropriate contract / "get out of jail free"
documentation. If you were to approach a company you have never worked
for and present evidence of a port scan or even a further probe, they may
take the offensive and immediately see you as the bad guy. Also keep in
mind that probing a network is all that you need to have the possibility
of a lawsuit against you.

I think that a client who thinks they are secure though they are not is
one of the more challenging ones to work with. I would not try to
convince them that their network is insecure directly but show them
commonly misunderstood insecurities from a sales pitch perspective. For
example contact a company and ask to have a meeting and come in and
demonstrate that you have knowledge that can help them--show them some
common items that are often forgotten in terms of the security view
point and explain to them that you would be willing to help bring
another perspective in to aid them in protecting their network. It also
helps if you have already done similar work with other companies, as
then you have some better references to provide to new clients (with the
previous client's permission, of course).

Hope this insight helps, I'm interested in what others have to say as
well as I'm still relatively new to the security field though I've done
network specific work for a few years now.

David.
CEH, CCNA, SECURITY+, NETWORK+

>>> Barry Fawthrop <barry@ttienterprises.org> 3/1/2007 8:46 pm >>>
Hi All

Curious to hear other views: where does the legal and illegal line
stand in doing a pen test on a third party company?
Does it start at the IP Address/Port Scanning Stage, or after, say, once
access is gained? Very vague, I know.

I'm also curious to hear from other external/3rd party pen-test
consultants how they have managed to solve the problem
where they approach a client who is convinced they have security, and
yet there are classic signs that they don't.
You know that if you did a simple pen-test you would have the evidence
to prove your point and all would be moot.

But from my current point that would be illegal, even if no access was
gained. (maybe I'm wrong) ??

Perhaps this is just a problem here where I am or perhaps it exists
elsewhere also?

I look forward to your input

Barry

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW

------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT