On 5/29/07, Pete Ehlke <pde+nanog@ehlke.net> wrote:
On Tue, 2007-05-29 at 08:21 -0700, Matthew Black wrote:
What would you do if a major US computer security firm attempted to hack your site's servers and networks? Would you tell the company or let their experts figure it out?
Personally, I would treat it like any other attack. You do have policy and procedures for responding to intrusions and intrusion attempts? Convene your CERT, preserve logs, document the time and other costs, contact law enforcement, your lawyers, and their ISP.
Personally, I would try to find out who at my site - potentially including S-OX, PCI, other auditors, and the Board - contracted for them to do it.
Even if this were a contracted penetration test, you can't go wrong by treating it as if this were an actual hostile attack. If I were conducting a "pen test" and the target had managed to get an FBI case started and convinced the ISP to terminate connectivity due to AUP violations, I would have to give them straight A's for their response :)

Kevin