RE: Crash in system scanned

From: Rivest, Philippe (Rivestp@metro.ca)
Date: Tue Jan 08 2008 - 15:24:54 EST


Well, it depends on the scope of the test you are doing. Prior to doing a test you need to do a statement of what you are going to test and what you are not going to test. In this statement you could state

        "The auditors will test if it is possible to do a DOS (system crash) on the system".

If such a statement is done, in the test window you have full permission to do a scan and make the system crash in the process. Your responsibility would be null since you have the written permission to do so.

You could have a statement saying

        "The auditor must ensure at all times system availability and integrity of the data and all equipment."

If the test goes wrong with this statement, you need to have a backup plan. That would be the emergency response list, basically who the auditor needs to call and in what order.

For the responsibility part, I would suggest adding a "No fault under reasonable behaviour & attitude" statement. Word it how you want but it should protect you in the case that you are running a test that normally should not crash a system and it does crash.

Don't dare the Devil; it is very easy to crash a system, as we all know. A backup plan and a detailed test plan saying what action will be done in what order should be mandatory.

Since you have upper management's approval on the test and these statements, you should be "ok". The responsibility will go on the auditor's team, but nothing bad should happen if everything is planned and detailed well.

That's my 2 cents on this.

Thanks
 
Philippe Rivest, Certified Ethical Hacker
Information Security Analyst
Métro Richelieu
450-662-3300x3115
Is it really necessary to print this page?

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On behalf of ahgaber_rehan@yahoo.com
Sent: Monday, January 7, 2008 10:48
To: pen-test@securityfocus.com
Subject: Crash in system scanned

I need to know, if an internal auditor is scanning a system over the LAN during an audit assignment, who should take the responsibility if the scanned system went down/crashed due to this scan. I am quite sure scanning has to be prearranged with IT and IT Security and approved on the targeted systems, and it's important for an IT auditor to perform such scanning to avoid any scope limitations during the audit.

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:19 EDT