Dave,
Pen testing is indeed just that a sanity check to verify that the overall
security policy is compliant with management's/regulatory mandates. I tend
to agree with you that password cracking is a whole new topic, however, pen
testing IMHO can and should include man in the middle attack scenarios and
appliance supervisory access as well. True this is not traditionally the
port scan/fingerprinting perimeter stuff; nor is it the even the more
advanced tunnel in and smash the stack or covert channel vulnerabilities,
but having said this, being able to understand and perform man in the middle
scenarios or appliance supervisory port crack, and thus gain a password,
would be gold to a real or otherwise cracker want a be, particularly in the
case of sensitive government information. I would also imagine that a strong
two factor login would be required in your case ensuring that the user is
whom they claim to be. Pen testing does not really belong in the socially
sensitive arena of identity management, but it may in the future as more
people turn up missing fingers. The bad guys do not follow any rules and the
agreed upon rules and policies implemented should be able to evolve as the
techniques, tools and motives of the bad guys become more devious/malicious
and aloof.
However, if this type of pen testing is required, it should, again in my
opinion, be treated with an understanding of the methods, motives and a goal
that may prevent an asset compromise. I believe pen testing just like policy
should be approached in levels for specific goal and metric reasons, not
just lumped together in a huge pen test policy pile. There is no 100%, if
there were, there would be no risk, and without risk there is no business,
but with the appropriate mitigation some of us may sleep better.
Bob
-----Original Message-----
From: Dave [mailto:dave.anon@gmail.com]
Sent: Wednesday, June 15, 2005 10:51 AM
To: pen-test@securityfocus.com
Subject: Government Compliance
Hello everyone. I know some will view this as a rant and other as
informative, but I am making this post as a sanity check.
For the purposes here, I currently work as an IT Security professional
for the US government. I work at the Department of Government, within
a component named AgencyX. Yes, these names are fictional.
To give an outline or basic background, all government computer
systems are governed by strict requirements for designing,
implementing, maintaining, and securing them. Many of these are
mandatory and are not up for negotiation. Some examples include NIST
SP's, FISMA, DCID 6/3, etc.....
OK....so I received and email from a "IT Security professional"
(qualifications and knowledge very questionable) at the Department in
response to a question I had. I had asked for the definition the
Department was adopting for penetration testing. The response I
received was (scrubbed for anonymity):
"... The guidance for penetration testing was reviewed at [department
committee] meeting... penetration testing shall consist of [product
name deleted] vulnerability scans and running [product name deleted]
for cracking passwords... if this has been done AgencyX shall get
credit for penetration testing...."
Ok, I have big problems with this. There are seperate and distinct
requirements for maintaining password complexity, performing vuln
scans, AND performing penetration testing. Any industry guideline or
resource would never allow this "definition". Am I wrong? Am I over
reacting?
When I brought this up to my chain of command I was told "don't rock
the boat". They fully admitted that they knew the definition to be
incorrect in that it was not meeting the intent of the requirement,
but that I should not say anything to rock the boat and just accept
this.
Obviously, for ethical reasons, I am leaving the agency and the department.
Feedback? Thoughts?
-- Dave
