Chapter 14. Letter of Authority
How do I do my job and not get arrested? The key factor is, of course, that I have permission. But it's easy to say that; how do I prove it? Imagine a scenario where you are trying to break into a bank and steal millions. Halfway through breaking in, security rolls up and starts screaming at you and trying to take you into custody. How do you prove that you are indeed there doing what you are doing under the remit of the very place you are trying to break into?
The letter of authority is the single most important document you can have when doing this type of assessment. So what is it?
Essentially, the letter of authority is the only proof I take on an assessment to prove that what I am doing is, in fact, an assessment—and not a crime.
The letter should include your name and company, a very detailed description of what you are authorized to do (known as the scope), and detailed instructions as to what the company's security team should do if you are “caught.” The instructions often include contacting key C-suite persons at their listed emergency contact numbers.
My letters always say that the security team should use their internal communication methods to contact the staff listed and not use the numbers printed on the letter itself. You might find this odd, as their names and numbers are included right there on the letter. The reason is that I always make sure I have created a fake letter along with the two real ...