Network Security Pen-Test

RE: Government Compliance

Subject: RE: Government Compliance
Date: Thu, 16 Jun 2005 13:33:27 -0500
I am not going to repeat the words of other posters, most made very good
points.

Most of the people on this list know the difference between a VA (vuln
assessment) test and a PT (pen-test), but how many committees know the
difference? If running a VA test fills your credit for a PT test, then
something is wrong with the government compliance definitions of both,
it would seem.

VA test is a subset of PT.... IMHO anyways..

-Todd 

-----Original Message-----
From: Dave [mailto:dave.anon@gmail.com] 
Sent: Wednesday, June 15, 2005 9:51 AM
To: pen-test@securityfocus.com
Subject: Government Compliance

Hello everyone. I know some will view this as a rant and 
others as informative, but I am making this post as a sanity check.

For the purposes here, I currently work as an IT Security 
professional for the US government. I work at the Department 
of Government, within a component named AgencyX. Yes, these 
names are fictional.

To give an outline or basic background, all government 
computer systems are governed by strict requirements for 
designing, implementing, maintaining, and securing them. Many 
of these are mandatory and are not up for negotiation. Some 
examples include NIST SP's, FISMA, DCID 6/3, etc.....

OK....so I received an email from an "IT Security professional"
(qualifications and knowledge very questionable) at the 
Department in response to a question I had. I had asked for 
the definition the Department was adopting for penetration 
testing. The response I received was (scrubbed for anonymity):

"... The guidance for penetration testing was reviewed at 
[department committee] meeting... penetration testing shall 
consist of [product name deleted] vulnerability scans and 
running [product name deleted] for cracking passwords... if 
this has been done AgencyX shall get credit for penetration 
testing...."


Ok, I have big problems with this. There are separate and 
distinct requirements for maintaining password complexity, 
performing vuln scans, AND performing penetration testing. 
Any industry guideline or resource would never allow this 
"definition". Am I wrong? Am I over reacting?

When I brought this up to my chain of command I was told 
"don't rock the boat". They fully admitted that they knew the 
definition to be incorrect in that it was not meeting the 
intent of the requirement, but that I should not say anything 
to rock the boat and just accept this.

Obviously, for ethical reasons, I am leaving the agency and 
the department.

Feedback? Thoughts?

-- Dave

