Re: Network scan tool/appliance horror stories

[Joakim Aronius <joakim () aronius se>]

* Jones, Barry (BEJones () semprautilities com) wrote:
> I can share with you several stories personnel (both IT or vendors), who have scanned Electric Utility environments 
> with or without permission; and hence caused multiple failures - including electro-mechanical systems and related 
> applications. Utilities typically utilize many industrial controllers - some of which many IT personnel have no 
> knowledge, and some are not robust enough to weather the storm.
>
> 1. Know your environment.
> 2. Know your tools.
> 3. Communicate.

Second that. First agree on what rate they are allowed to scan your network, then let them come back with what they 
find before they point other tools at the found nodes. Then inform the owners of said nodes of what is going to happen.

In a previous life I found an publicly available SQL server on a network belonging to a medical institution that I was 
pen testing. I pointed Nessus at it and it just died... 

BR
/Joakim