Source: NoticeBored
Identifier: 1495748
Publication date: 2019-11-15 16:47:06 (viewed: 2020-01-03 15:00:04)
Title: NBlog Nov 15 - risky business
Text

Physical penetration testing is a worthwhile extension to classical IT network pentests, since most technological controls can be negated by physical access to the IT equipment and storage media. In Iowa, a pentest incident that led to two professional pentesters being jailed and taken to court illustrates the importance of the legalities for such work. A badly-drafted pentest contract and 'get out of jail free' authorization letter led to genuine differences of opinion about whether the pentesters were or were not acting with due authority when they broke into a court building and were arrested. With the court case now pending against the pentesters, little errors and omissions, conflicts and doubts in the contract have taken on greater significance than either the pentest firm or its client appreciated, despite both parties appreciating the need for the contract. They thought they were doing the right thing by completing the formalities. Turns out maybe they hadn't.

I hope common sense will prevail and all parties will learn the lessons here, and so should other pentesters and clients. The contract must be air-tight (which includes, by the way, being certain that the client has the legal authority to authorize the testing as stated), and the pentesters must act entirely within the scope and terms as agreed (in doubt, stay out!). Communications around the contract, the scope and nature of work, and the tests themselves, are all crucial, and I will just mention the little matter of ethics, trust and competence.

PS An article about the alleged shortage of pentesters casually mentions:

"The ideal pen tester also exhibits a healthy dose of deviancy. Some people are so bound by the rules of a system that they can't think beyond it. They can't fathom the failure modes of a system. Future penetration testers should have a natural inclination toward pushing the boundaries – especially when they are told, in no uncertain terms, not to do so."

Hmm. So pentesters are supposed to go beyond the boundaries in their testing, but remain strictly within the formally contracted scope, terms and condi