RE: The legal / illegal line?

From: Craig Wright (cwright@bdosyd.com.au)
Date: Mon Mar 05 2007 - 13:50:44 EST


Simple answer, you don't try to get their permission. Leave them in their ignorance. It is not your role to save the world.


Most companies know they have imperfect security (law of diminishing returns in all that).


That said, if you truly have to do this... then you need to have a risk based argument. You need to demonstrate that the cost of not doing something exceeds the cost of doing something.


Regards,

Craig

________________________________

From: listbounce@securityfocus.com on behalf of Barry Fawthrop
Sent: Tue 6/03/2007 12:28 AM
To: Barry Fawthrop
Cc: pen-test@securityfocus.com
Subject: Re: The legal / illegal line?

Thanks All

I agree totally that it is a line that should be kept away from.
But then how do you "prove" to someone that their system isn't as secure
as they "feel"/assume it is?
I have run into many companies where you can see the security is not
what it should be.
Yet you ask the IT director and they are so convinced they have perfect
security that they even report that to their bosses. Yet the signs are
clear they don't.

How do you convince them, when they won't give permission? Doesn't
warning them move them from Due Diligence to Due Negligence?

Thanks again
Barry

Barry Fawthrop wrote:
> Hi All
>
> Curious to hear other views: where does the legal and illegal line stand
> in doing a pen test on a third party company?
> Does it start at the IP Address/Port Scanning Stage, or after, say, once
> access is gained?? Very vague, I know.
>
>
> I'm also curious to hear from other external/3rd party pen-test
> consultants how they have managed to solve the problem
> where they approach a client who is convinced they have security, and
> yet there are classic signs that they don't.
> You know that if you did a simple pen-test you would have the evidence
> to prove your point and all would be moot.
>
> But from my current point of view that would be illegal, even if no access was
> gained. (Maybe I'm wrong?)
>
> Perhaps this is just a problem here where I am or perhaps it exists
> elsewhere also?
>
> I look forward to your input
>
> Barry
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
>

--
Liability limited by a scheme approved under Professional Standards Legislation in respect of matters arising within those States and Territories of Australia where such legislation exists.
DISCLAIMER
The information contained in this email and any attachments is confidential. If you are not the intended recipient, you must not use or disclose the information. If you have received this email in error, please inform us promptly by reply email or by telephoning +61 2 9286 5555. Please delete the email and destroy any printed copy. 
Any views expressed in this message are those of the individual sender. You may not rely on this message as advice unless it has been electronically signed by a Partner of BDO or it is subsequently confirmed by letter or fax signed by a Partner of BDO.
BDO accepts no liability for any damage caused by this email or its attachments due to viruses, interference, interception, corruption or unauthorised access.


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:38 EDT