Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Government Compliance

from [Jay D. Dyson] Network Security [Permanent Link]
Subject: Re: Government Compliance
Date: Thu, 16 Jun 2005 07:48:15 -0700 (PDT) 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wed, 15 Jun 2005, Dave wrote:

Ok, I have big problems with this. There are seperate and distinct requirements for maintaining password complexity, performing vuln scans, AND performing penetration testing. Any industry guideline or resource would never allow this "definition".

It's said that the Giraffe was a Horse designed by committee. With that in mind, what you're seeing are security decisions made by committee as well.

Sadly, a lot of agencies (government, corporate and alleged institutions of higher learning) have the same approach. Managerial politics and sales drones are more influential in policy decisions than the input of clued security people. That's why we have 99% of the messes we see today.

As a consequence, rather than having said organizations do some serious legwork and construct a solution appropriate to IT requirements, the managerial types tend to simply buy the sizzle of a salesman and go with Brand X's COTS solution (sic). Similarly, Open Source solutions and methodologies (most of which are far superior to COTS in most every respect) are eschewed because "they cannot be trusted" and "they have no tech support." (Their reasons, not mine.)

The solution? If you can find one, I'll put in a good word for you at the Norwegian Nobel Committee. My successes in this area have been limited to picking up the pieces after things go to hell and slowly cultivating opportunities in which I can influence, alter, or annihilate said policies. It ain't for the faint of heart.

Am I wrong? Am I over reacting? 

    If you are, then I am as well.

- -Jay

   (    (                                                      _______
   ))   ))  .-"There's always time for a good cup of coffee"-.  >====<--.
 C|~~|C|~~| \----- Jay D. Dyson -- jdyson@treachery.net -----/ |    = |-'
  `--' `--'  `-- Pardon me, but am I on the right planet? --'  `------'

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (TreacherOS)
Comment: See http://www.treachery.net/~jdyson/ for current keys.

iD8DBQFCsZE4xzN3WIW0edsRAgFpAJ9h6YoMygSv6dAcV+AxEavLgeMggACcD+tx
lUPVcpbRhBpCtbADt2so5nU=
=0i8c
-----END PGP SIGNATURE-----

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Government Compliance, Robert Hines
Next by Date:  AW: Why Penetration Test?, Jörg Maaß
Previous by Thread:  RE: Government Compliance, Robert Hines
Next by Thread:  Re: Government Compliance, R. DuFresne
Indexes:  [Date] [Thread] [Top] [All Lists]