The B3TA Detective Agency
Universalpsykopath tugs our coat and says: Tell us about your feats of deduction and the little mysteries you've solved. Alternatively, tell us about the simple, everyday things that mystified you for far too long.
( , Thu 13 Oct 2011, 12:52)
A truly comprehensive test of security would require penetration testing, yes, but would also test to see whether each user role (e.g. administrator) could only do the things they're supposed to do, instead of (for example) hoovering up every visitor's credit card numbers, genetic fingerprint and preferred sexual position.
( , Fri 14 Oct 2011, 21:35, 1 reply)
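The role-by-role check this post describes, as an added example that is not part of the original thread or any real product: a small role/action policy table (constructed sample data), a hypothetical enforcement hook standing in for the application's real access-control code, and an audit that exercises every role against every action and reports where observed behaviour differs from the intended policy. Unknown roles are denied by default.

```python
"""Audit that each role can do only what the policy says it may do.

Added illustration; the policy, the actions and the enforcement hook
are all constructed for this example and do not describe a real system.
"""
from itertools import product

# Constructed sample policy: role -> set of permitted actions.
POLICY = {
    "visitor": {"view_catalogue", "create_account"},
    "customer": {"view_catalogue", "place_order", "view_own_orders"},
    "support": {"view_catalogue", "view_any_order", "refund_order"},
    "administrator": {"view_catalogue", "manage_users",
                      "view_any_order", "refund_order"},
}

# Every action any role may take, plus one that no role should ever have.
# Including a "forbidden for everyone" action is what catches the hoovering
# case the post describes.
ALL_ACTIONS = sorted(
    {a for acts in POLICY.values() for a in acts} | {"export_all_card_numbers"}
)


def is_allowed(role, action):
    """Intended policy decision; unknown roles get nothing (deny by default)."""
    return action in POLICY.get(role, set())


def simulated_enforce(role, action):
    """Hypothetical stand-in for the application's real access-control hook.

    Constructed with one deliberate defect so the audit has something to
    find: support staff are (wrongly) allowed to export card numbers.
    """
    if role == "support" and action == "export_all_card_numbers":
        return True
    return is_allowed(role, action)


def audit(enforce, policy=POLICY, actions=ALL_ACTIONS):
    """Exercise every (role, action) pair through `enforce` and return the
    pairs where observed access differs from the intended policy.

    Both directions are findings: a role that can do more than intended
    (privilege escalation) and a role that can do less (broken function).
    """
    findings = []
    for role, action in product(policy, actions):
        expected = action in policy[role]
        observed = bool(enforce(role, action))
        if expected != observed:
            findings.append({
                "role": role,
                "action": action,
                "expected": expected,
                "observed": observed,
            })
    return findings


if __name__ == "__main__":
    # Print the full role/action matrix, then the mismatches.
    width = max(len(a) for a in ALL_ACTIONS)
    for action in ALL_ACTIONS:
        row = "  ".join(
            ("allow" if simulated_enforce(r, action) else "deny ").ljust(5)
            for r in POLICY
        )
        print(f"{action.ljust(width)}  {row}")
    for f in audit(simulated_enforce):
        print("MISMATCH:", f)
```

Run the audit against the real enforcement point (an HTTP client logged in as each role, a database connection under each account, and so on) in place of `simulated_enforce`; the matrix of expected outcomes is the thing the auditors and the system owner agree on beforehand, and an empty findings list is the pass condition.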
Then they should use each person's logon with them sitting there.
Rule number one is you never give out a privileged password. I used to work as an admin and the only way I'd knowingly allow someone to test my access would be to check it whilst I watched.
I suppose another way to do it is to change the passwords of the affected accounts to ones known by the auditors for a brief window for testing and change them back afterwards. This, however, would require an air-tight contract to protect both the company concerned and the auditors.
( , Sat 15 Oct 2011, 0:12, closed)
You're right about both.
Temporary passwords and sitting over the shoulder.
Truth be told, that type of testing should first take place in a sandboxed environment with test (not production) data.
( , Sat 15 Oct 2011, 0:23, closed)