RE: Spam: what to do if illegal activity found during pen-test

From: Craig Wright (cwright@bdosyd.com.au)
Date: Fri Jun 02 2006 - 18:33:30 EDT


Hi,
One of the issues with people who have never worked as an auditor but are in pen testing occurs in this situation.
 
There are a few things to be considered. In cases where there is a serious criminal offense you have no choice (at least legally) but to go to senior management and the police. Senior management need to be approached first and the incident needs to be handled in a manner which will not impugn the integrity of the evidence. If senior management are likely to be involved this must be escalated to board level.
These types of crimes are those such as child porn. Serious offenses are defined under the Crimes Act.
 
In other cases, the response will vary dependent on the level of materiality. Any incident that may have a material impact on the company must be actioned. In cases where there is no material impact the incident must be escalated.
 
Additionally, if the company has a (valid) incident response policy and procedure, then this should be used where applicable.
 
As a final note, remember that if you fail in your duty to report this and it later comes out, you could be criminally liable yourself and at the least liable for tortious negligence civilly.
 
Regards,
Craig

        -----Original Message-----
        From: Robin Wood [mailto:dninja@gmail.com]
        Sent: Fri 2/06/2006 6:50 PM
        To: pen-test@securityfocus.com
        Cc:
        Subject: Spam: what to do if illegal activity found during pen-test
        
        

        Hi,
        I was wondering the other day, what should I do if during a pen test I
        found some illegal activity (internal, not from hackers) on the
        network being tested. My initial
        thought was report it to the police and let them sort it out but then
        thought I suppose that depends on the activity taking place. On one
        hand you could find an ftp site with a couple of movies on, on the other
        you could find a website full of child porn. The first may just need a
        mention to the company IT staff, the second would definitely warrant
        police attention.
        
        Talking to someone, they suggested the case where a web cam was being
        used to watch women's toilets. Should that be reported to the company
        first to stop the activity, then to the police, or could reporting it
        to the company give the perpetrator time to clean up their activities?
        
        All these are just idle questions at the moment but I'm curious to see
        if anyone has come across this kind of situation and how they
        dealt with it. As I'm in the UK I'm particularly interested in any UK
        stories.
        
        Robin
        
