Re: Insurance

From: misat_private
Date: Tue Nov 26 2002 - 17:37:26 PST

    i agree with all of the explanation and education part. it's part
    of the sales process.
    
    insurance is to protect against unexpected liability.  if neither you
    nor your client believe there will be a meltdown, who's insisting on
    insurance?  and the deductibles are so high, chances are you'll never
    use your coverage.
    
    i try to get my clients to give permission and to assume the
    liabilities for my infosec testing.  (their business interruption
    insurance will often protect against something awful.)
    
    of course, if my ordinary testing crashes their systems, so can bugs or
    insiders, and they typically assume those liabilities, so why not the 
    costs involved in my testing?
    
    for physical security testing (which i do) there are often 3rd parties
    involved (e.g. colo or hosting facilities, and other tenants in the
    facility), and i need multiple permissions, and i need to act as the
    agent of the tenant in the facility.  i agree not to cause damage to
    people or property in my testing.  (i suppose i could get electrocuted
    crawling around in the ceiling or the floor, and that's my risk.  i
    cracked a ceiling tile once.  that was my cost, but they said
    "don't bother".)
    
    i don't typically test whether the UPS switchover works by turning off
    the colo building power, because of the exposure to other tenants
    whose permission i'm unable to get.  i've been surprised by how long ago
    this sort of thing has been tested.
    
    in many cases, my testing is intended to test the time-to-detect,
    time-to-recover or incident response.  the cost of the test is a
    measure of the preparedness of the target of evaluation.  advance
    warning resulting in heightened awareness or artificial minimization
    of the test just to minimize possible costs etc. reduces the realism
    of testing.
    
    On Tue, Nov 26, 2002 at 05:57:29PM -0000, David Wray wrote:
    > Hi Lisa
    > 
    > In our experience (In the UK at least), the Insurance side of pen testing is
    > much like the Legal side, i.e. you have to patiently explain to someone
    > that's never heard of pen testing what you do, why you do it, who you do it
    > for, the pitfalls of pen testing, the likely outcome, expected turnover etc
    > etc. We have also had to show our working practices, how we update the
    > testing, the CVs of the testers, our contracts etc etc.
    > 
    > Our "You missed something and we've been hacked" insurance is covered under
    > our Professional Indemnity insurance, as is our "You've just killed our
    > e-commerce platform and it won't restart" insurance. In my experience, it's
    > the experience and time served by your testing team that seems to have the
    > biggest swing on premiums. How much cover you get is a good question, it's
    > never enough!
    > 
    > 
    > Regards
    > 
    > Dave Wray
    > Sec-Tec Ltd
    > www.sec-tec.co.uk
    > 
    > ----- Original Message -----
    > From: "Lisa Dokes" <securitylistsat_private>
    > 
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    > Service. For more information on SecurityFocus' SIA service which
    > automatically alerts you to the latest security vulnerabilities please see:
    > https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Sat Nov 30 2002 - 12:46:57 PST