Network Security Pen-Test
Pen test - Attorney client Privilege?

Subject: Pen test - Attorney client Privilege?
Date: Sat, 15 Oct 2005 17:04:05 -0400
Hi All,

Lately I've been seeing some stuff on the legal end of Penetration Testing, and have had some clients ask, and I thought that it would be an interesting question to pose to the list.

Mainly I've been seeing articles like this one:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1131713,00.html?track=NL-358&ad=530198USCA

That suggests that a penetration test should be commissioned by, and the results delivered to, an organization's legal department in such a way that the results of the test will be covered by attorney-client privilege...


The main crux of the suggestion was to insulate an organization against the liability of not implementing all the suggestions and recommendations in the report - i.e. if they were sued later, the results of the penetration test would be available to the plaintiff during the discovery process under normal circumstances (the test was commissioned by the IT or Risk Management department), but it would be privileged info if it were commissioned by legal...

Has anyone faced this in their client interactions?  Or done this before?
How does setting that up look exactly?

And does anyone have any thought of the effectiveness of this?

To me it seems like that would be a very easy way to get an unfavorable report buried very quickly so that it ostensibly has no visibility in the organization. I've also wondered how the results are communicated between say, legal and the IT group or the rest of the organization in this case?

Anyway, just something I thought was interesting is all...




--
oOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOoOo
It's a Kafka high. You feel like a bug.
---------------------------------------------------------------
rob@cobal.org
rob.havelt

