I had a conversation recently with an ethical hacker who does pentesting. They kept talking about how they can't cross certain lines when trying to break into hardware manufactured by certain companies or go past the scope of the engagement, even if they saw a blaring hole right in front of their faces. It was all about the legalities and that those companies would file lawsuits against you for breaking into their systems. Isn't that the whole point though?
My question was... Do you think that anyone with malicious intent cares about those boundaries or are they going to keep plowing through barriers until they take the place down?
I likened it to this: Let's say the Three Little Pigs hired a penetration tester. Their scope of testing was to make sure that the brick house can withstand the power of whatever breeze The Big Bad Wolf could throw at it. They tested for up to ten wolves blowing at the same time and everything was great. It didn't even budge. Thumbs up! However, what they did not know was that Mr. Wolf now has a jackhammer and is coming back for them and taking that brick wall right down. Why didn't they test for the jackhammers? Did the brick company prohibit them from doing so? Was the scope of the engagement too narrow?
It makes no sense. Why hire an ethical hacker and give them rules? Let's see what ya got and let me know how to fix it.
from hacking: security in practice https://ift.tt/pWZXw0q