RE: Papers on Sex as an audit tool?

From: Green, Neale S (neale.green@eds.com)
Date: Tue Mar 09 2004 - 18:24:26 EST


There are some information feeds that are required for the audits, the point
was that more information is requested, and provided, than SHOULD be
provided. As a general rule, auditors, like developers and many other
people, will often ask for "the lot", so that they can pick what they need
out of one big bucket of information, rather than have to make multiple,
specific, requests for the information that they should be reviewing. That
"big bucket" will often include many pieces of information which should not
be general knowledge.

The issue isn't so much of why the audit firm would attack the customer's
environment, but that an excessive amount of information which should be
kept controlled (as it provides details that COULD be used for an attack)
is circulated where other parties could get access to it, because the
requests are not controlled as they should be.

As for the checklist point, it has been pointed out by a senior audit person
who had a long-standing relationship with a number of the "Big 4"
audit firms, that the customer will often request specific items which are
not covered by the generic checklists, which then require additional
requests to be made. If the audit team in question do not have the technical
basis for the specific environment, the request will often be, once again,
much "broader" than necessary to extract the specific information to answer
the specific request of the customer.

Regards,

Neale Green CISSP
Information Security
Phone: +61 2 937 80225
Mobile: 0414 979 627
Fax: +61 2 9312 6116
Email: neale.green@eds.com

-----Original Message-----
From: Vel [mailto:vel@sympatico.ca]
Sent: Wednesday, 10 March 2004 12:49 PM
To: Green, Neale S; pen-test@securityfocus.com
Subject: Re: Papers on Sex as an audit tool?

Sorry,
Might be a silly question.

But what is the gain to Big Audit firms from the gathering of such sensitive
info from their clients?
Another naive question; but why would the "Audit firm" want to attack their
client's network???

If it is an audit, why aren't they using their checklist?

Thx.
