Dailydave mailing list archives
RE: Pentesters giving away Client information
From: "Steve W. Manzuik" <steve () security-sensei com>
Date: Tue, 4 May 2004 16:10:11 -0600
Hey guys. First of all, this is completely unethical to do, although I know for a fact that it has and still does happen because unfortunately not everyone in this industry (obviously) shares the same ethics as the rest. In fact, I was involved (can't talk about details of course) with an incident where a CISSP was busted doing something very similar to this. Way to go CISSP/ISC2 ethics! It wasn't a leak but more of an intentional act in this case.
Anyway, this makes me want to consider two other possible scenarios: 1) the pen tester could be owned later on, even some months after the assignment, but still leak highly confidential data he left on his hard disk;
To me there are some simple guidelines that any "professional" should adhere to when dealing with client data. In my case, when a pen-test is completed, all working papers, output, etc. are burned to a CD and given to the client. The data on the pen-test boxes (be it my laptop or boxes in the lab) is then moved, PGPed and burned to a second CD and locked in a fireproof safe, only to be looked at again if there is a new engagement for that same client and the data is relevant. This includes all reports and client deliverables. Mind you, I have the luxury of being a small enough team that this is easy to police. I am sure the larger outfits have a nightmare trying to deal with this.
2) the customer could (and often would) leak that data anyway (with the next random-mailer worm, for example?).
I have had customers show me the previous outfit's deliverables and reports before. I usually do my best to not mock them but offer constructive criticism on how and why I will do better. Hehe. ;-)

-Steve

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://www.immunitysec.com/mailman/listinfo/dailydave