Dailydave mailing list archives

RE: Pentesters giving away Client information


From: "Steve W. Manzuik" <steve () security-sensei com>
Date: Tue, 4 May 2004 16:10:11 -0600

Hey guys.  First of all, this is completely unethical to do, although I know
for a fact that it has and still does happen because unfortunately not
everyone in this industry (obviously) shares the same ethics as the rest.
In fact, I was involved (can't talk about details of course) with an
incident where a CISSP was busted doing something very similar to this.  Way
to go CISSP/ISC2 ethics! It wasn't a leak but more of an intentional act in
this case.

> Anyway, this makes me want to consider two other possible scenarios:
> 1) the pen tester could be owned later on, even some months after the
> assignment, but still leak highly-confidential data he left on
> his hard disk;

To me there are some simple guidelines that any "professional" should adhere
to when dealing with client data.  In my case, when a pen-test is completed,
all working papers, output, etc. are burned to a CD and given to the client.
The data on the pen-test boxes (be it my laptop or boxes in the lab) is then
moved, PGPed and burned to a second CD and locked in a fireproof safe, only to
be looked at again if there is a new engagement for that same client and
the data is relevant.  This includes all reports and client
deliverables.  Mind you, I have the luxury of being a small enough team that
this is easy to police.  I am sure the larger outfits have a nightmare
trying to deal with this.


> 2) the customer could (and often would) leak that data anyway
> (with the next random-mailer worm for example?).

I have had customers show me the previous outfit's deliverables and reports
before.  I usually do my best not to mock them but offer constructive
criticism on how and why I will do better. Hehe.  ;-)


-Steve

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave
