Nick,

You'll have to insist on an analysis test plan ahead of time to ensure that
boundaries have been defined. I would also demand to be in on any meetings
which discuss the test(s), i.e. what will be/was done, what vulnerabilities,
if any, were found, and how, if it's known, they can be resolved. Also, make
sure that you, the boss, and maybe someone else with some security knowledge
are on hand during ALL testing. By that I mean looking over the guy's shoulder.
Ahead of time I would install a network sniffer, a key capture app, and
produce a full backup of the server with a checksum. By doing these things
you can monitor what the guy does, how he does it, and if he is honest about
things. I would guess that he is going to try and screw you royally. For
instance, if he is smart and vindictive, he probably won't report every
remote upload vulnerability or root hack so that he can install a root kit
and really screw you later on. He could root the server, get your password,
login as you, kill the server at a critical time and then come to the rescue
by amazingly recovering all of the company's critical data when, in fact, he
had simply mirrored the server before killing it. This way you truly look
like crap, probably get fired, and he is the wonder boy ... and gets the
girl :) Any other relatively benign or very convoluted hacks that he may
find can be written off to the fact that security is a moving target and an
ongoing battle. But, if he can make it look like you created a situation
where the company was at risk then the boss is much more likely to take his
side.

Personally, I would approach your boss ahead of time and professionally lay
these concerns out. It's one thing to have an unbiased, professional
security analysis team come in and perform a test for you. But, to have an
obviously biased person with a personal agenda against you and no
credentials come in is just asking for trouble. No matter what, it's in his
interest to make you look bad. So whether your boss knows it or not, he's
hiring someone to come in and try to get you fired. Good luck.

In the meantime, find out what you can about this guy and his l33t $k!11z.

Steve

p.s. On the social engineering tip, how do we know you're not the boyfriend?


-----Original Message-----
From: Steve Pierce [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 04, 2000 12:31 PM
To: [EMAIL PROTECTED]
Subject: RE: Security holes revisited -- reward offered


How about just turning off the system? Seriously, is this for an unlimited
period, and was your boss stupid enough to pay in advance, or will he pay upon
success?

Make sure you are not vulnerable to social engineering where the guy calls
and gets passwords from another employee.

- Steve

------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk
To Unsubscribe visit 
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or send a 
message to [EMAIL PROTECTED] with 'unsubscribe' in the body.