Covert pen testers
"... the SVR is also posing as legitimate red-team pentesters ..."
On one bid, the HMG Agency client insisted (and I mean insisted) that their IT people should have the right to conduct unannounced technical security testing on the supplier's network management system (which was used to support other clients) including DoS attacks.
I refused point blank. I pointed out that this would provide an attack vector for a subverted IT person in their team to probe defences. If caught (s)he would claim it was an unannounced pen test, and still gain valuable information. I further pointed out that if, while monitoring their network, it appeared to be under attack from something like Melissa or 'The Love Bug', the appropriate action to protect the network might just be to turn it all off, without notice. And whilst the sales team really wanted to comply with the client's repeated insistence on this (they were motivated by a 'win bonus', I think), they were somewhat unwilling to insert a contract clause that the client would indemnify us, the supplier, against any adverse effects the client's 'unannounced technical security testing' had on their own and other clients' networks supported from the same service desk. The sales team were similarly unwilling to inform other existing clients that their service desk would suddenly be contractually attackable by a new client (probably without compensation).
Other issues, of course, include whether we could have obtained relief from SLAs had there been an attack by them, and the service had fallen below required levels, if we couldn't prove it was the client, rather than a failing on our part. And of course, selling a service one client has the contractual right to attack without notice to other clients would be an 'interesting' legal challenge.
Eventually, after much effort, I did get my way (the clause giving them unannounced pen testing rights was deleted). But of all the BONE-HEADED, IDIOTIC and DOWNRIGHT STUPID things to ask for, this one has got to take the biscuit, in my experience. I don't think any of them worked for the SVR, or whatever they were calling themselves then, but it would have made sense.
Anyone beat that?
"D'oh" icon for idiocy, I wanted to include the explosion and the FAIL icons too, but you're only allowed one per post, it seems :o(