[Techtalk] Gender as a weapon? Pen-testing and female auditors

Devdas Bhagat devdas at dvb.homelinux.org
Thu Mar 25 13:49:17 EST 2004


On 24/03/04 22:23 -0500, Walt wrote:
> Raven,
> 
> Isn't it a bit of a hole in this kind of security auditing
> that you can be trusted? In other words, since you
Not really. The whole point of a penetration test is that there are bad
guys/girls in your network.

> can be trusted to not do any genuine harm to the
> company, if someone trusts you and lets you know
> a bit of information that you rightfully shouldn't be
> entitled to, they're not actually causing any harm.
> They have not given their trust to an untrustworthy
> person. They have violated the letter of the law,
In this case, yes. However, they are supposed to be untrusting of
people, particularly random strangers. If this particular tester has
been there for a few months, then the trust might even be forgiven under
most circumstances.

> but had you been an actual *evil hacker*, they may
See Kevin Mitnick. He used social engineering as his primary assault
tool.

> have responded differently if only because their
> gut reaction was negative or because they picked
> up a different "vibe" or motive from you.
The whole point of social engineering is to give false vibes.
<snip>
> It is not logical that pen-testing in any non-government,
> minor company should result in the firing of an
> employee. Rather, I'd think it would result in a, "let
> that be a lesson to you!" type of reprimand.
Agreed. This would, of course, depend on the number of errors made.

> Am I way off base here...?
Not really. Not for good management.

Devdas Bhagat
