Network Security Pen-Test

Re: Re: rules of engagement scope

Subject: Re: Re: rules of engagement scope
Date: 16 May 2006 14:29:37 -0000
Some of the pro ROE responses appear to have a serious disconnect between 
"reality" and the seriousness of the subject.

As far as a pen-test contract is concerned, I'd want to make sure that I get my 
money's worth, speaking from the standpoint of a taxpayer, shareholder or CEO. 
Hence from this perspective I wouldn't want to see what I would consider WASTE.

What is "Fraud, Waste & Abuse"?  Three terms used by organizations to keep an 
eye on the bottom line.  If organizations had to disclose the ROE (and I don't 
mean the entire contract) in their prospectus to support the financial 
statements, wouldn't that help to assure investors (taxpayers and shareholders) 
of the financial environment?

Let's take a look at two organizations whose auditors were tried and convicted 
of fixing the books: ENRON and World Com.  This was, as the news can only 
surmise and comprehend, a financial disaster.  Correct.  But the main reason was 
the disclosure of the sheltered companies that were being used to launder money 
through, which had not been disclosed publicly.

What on earth does this have to do with PEN-TESTING?  I'm an AUDITOR; just like 
a MARINE, you are never an ex-MARINE, you are never an ex-AUDITOR!  I 
currently work as an ISO for a large organization, where I oversee PEN-TESTS in my 
organization.  When these folks visit a site and perform their tests, I want 
them to find the low hanging fruit.  Then I don't just want them to take screen 
shots; I want them to leave behind a gift, a worm in the apple.  (Not a Morris 
worm; it's a euphemism.)

Now how is all this related, you ask?  Just like any organization, there is a 
method and certain requirements that logically fall into place.  Before a 
financial auditor can perform any type of confidence testing on your internal 
controls or transactions, they must be assured that the mechanism (the network, 
IT) in place is secure within a specific confidence level.

If, however, the organization dictates the methods of pen-tests to provide a 
favorable result without disclosure, the financial auditor's sample calculation 
will be wrong.  (We're not addressing the ROE of the financial auditors at this 
point.)

What do we mean by ROE of the pen-test?  That's probably the first step in 
addressing this question before it wanders off in 360 different directions.  
In my experience I've seen organizations dictate how they want the pen-test 
done, to the point of restricting the testers to a specific IP and alerting IDS 
prior to any testing.

As a pen-tester myself, I was given an edict restricting me from connecting to 
the network and from touching a keyboard at the facility I was testing.  Yet I 
was to perform a pen-test.  So how did I break in?  I thought like a hacker and 
social engineered my way in, right in front of the director, chief of security and 
my escort, and took their SAM file through locked doors and a "secure" network, 
all within the confines of the letter.  But then that's because I'm good; 
another story for a later date.

The point I'm trying to make here is that these tests (risk analysis, 
vulnerability tests, pen-test) are for a purpose and not in themselves a goal.  
They are there to support the reliability of the information security of the 
organization through its financial statements.

Believe me, no one (taxpayer or shareholder) is going to review the pen-test.  
They rely on the financial statements.  Without full disclosure of this ROE 
within their financial statements, this, in my opinion, is considered FRAUD, 
WASTE & ABUSE.  It is misleading to the financial audit and to the taxpayers and 
shareholders alike.

Sorry to take so much bandwidth, but I'm very sensitive to this.
