Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Government Compliance

from [Kasyan, Walter A (Tony)] Network Security [Permanent Link]
Subject: RE: Government Compliance
Date: Thu, 16 Jun 2005 08:01:45 -0500 
If this is in fact the case, they are not really interested in true
security but rather a minimal compliance with what the chain of command
views as "Security". This way they can assure their compliance and get
good evals and assure the continued march up the promotional ladder. But
be careful, there was once a Commander R. Marcinko, USN who did some
Security Scans with a group called Red Cell and his chain of command
didn't like the results. It may be OK to rock the boat gently, but be
careful not to tip it over.

Tony


-----Original Message-----
From: Dave [mailto:dave.anon@gmail.com] 
Sent: Wednesday, June 15, 2005 9:51 AM
To: pen-test@securityfocus.com
Subject: Government Compliance

Hello everyone. I know some will view this as a rant and other as
informative, but I am making this post as a sanity check.

For the purposes here, I currently work as an IT Security professional
for the US government. I work at the Department of Government, within a
component named AgencyX. Yes, these names are fictional.

To give an outline or basic background, all government computer systems
are governed by strict requirements for designing, implementing,
maintaining, and securing them. Many of these are mandatory and are not
up for negotiation. Some examples include NIST SP's, FISMA, DCID 6/3,
etc.....

OK....so I received and email from a "IT Security professional"
(qualifications and knowledge very questionable) at the Department in
response to a question I had. I had asked for the definition the
Department was adopting for penetration testing. The response I received
was (scrubbed for anonymity):

"... The guidance for penetration testing was reviewed at [department
committee] meeting... penetration testing shall consist of [product name
deleted] vulnerability scans and running [product name deleted] for
cracking passwords... if this has been done AgencyX shall get credit for
penetration testing...."


Ok, I have big problems with this. There are seperate and distinct
requirements for maintaining password complexity, performing vuln scans,
AND performing penetration testing. Any industry guideline or resource
would never allow this "definition". Am I wrong? Am I over reacting?

When I brought this up to my chain of command I was told "don't rock the
boat". They fully admitted that they knew the definition to be incorrect
in that it was not meeting the intent of the requirement, but that I
should not say anything to rock the boat and just accept this.

Obviously, for ethical reasons, I am leaving the agency and the
department.

Feedback? Thoughts?

-- Dave
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Government Compliance, Diego Kellner
Next by Date:  RE: Government Compliance, Robert Hines
Previous by Thread:  Government Compliance, Security Professional
Next by Thread:  RE: Government Compliance, Smith, Michael J.
Indexes:  [Date] [Thread] [Top] [All Lists]