Looking For Security Holes Is Dangerous

One of the very first things mentioned on any course on penetration testing (or related fields) is that any use of “hacking” tools is dangerous. Even if it is your job to look for security holes, you really need a “get out of gaol” card that explicitly grants you permission to use such tools. The consequences of unauthorised use of such tools can be drastic, and can take many years to fade away. There are a number of stories of the consequences of not paying attention to this, but the most recent is :-


I would really hope that we would not react in such a way.

Of course this student was doing something wrong, and he deserved some sort of action after scanning the vulnerable web site a second time. But not being kicked out!

In fact, in addition to being an example of what can happen when security tools are used without authorisation, it is also an example of how tricky dealing with security incidents can be. Security incidents need a proportionate response; in this case the response was more damaging to the institution than the incident itself.

