Abstract
The Ice-Pick package is a window-driven program that provides a multi-layered approach
to network testing. The automated tool is used to identify frequently exploited security
problems present on well-known UNIX-based operating systems. Information provided by
testing is used to determine what protective mechanisms need to be implemented by network
administrators.
The paper deals with two issues of primary concern: the user's legal basis for performing
vulnerability identification testing, and the consequences of unauthorized use or
release of the software itself. It is essential for self-protection that the tester
understands what he or she can legally do with a tool such as Ice-Pick. The issue of trust
can also affect users. Trusting each user to protect Ice-Pick against unauthorized release
is essential for absolute control of the technology involved.
The structure of this document allows traceability from top-level law through applicable
Navy regulation. The most important points are the understanding of what monitoring
involves, and knowing what the Ice-Pick test tool can be used for. The use of other
penetration-type testing tools, such as SATAN, will not be discussed, nor will the
regulatory requirements of non-Navy organizations. However, the discussion can be applied
to using similar test tools in other organizations.