Re: Why Penetration Test?

From: Pete Herzog (lists@isecom.org)
Date: Thu Jun 16 2005 - 04:18:37 EDT


Hi,

intel96 wrote:
> One question I have not seen yet concerning is why PenTest is: To
> justify your job and a budget.

It's not uncommon to meet ethical challenges on any job. Fudging data to
meet your economic gains, or to help someone else do so, always becomes a
harder decision as the economic gains increase. The argument is also
true that if you don't help them achieve their goals then they will find
someone else who will, as the world is full of financially rewarded yet
ethically-challenged people. And business is business, right? And it's
not like you're a doctor, right?

I just finished the Foreword to a college textbook focused heavily on
OSSTMM Security Testing due out in September/October from Thomson
Learning where I challenge this notion as a non-personal one because we
are all reliant on each other when it comes to security (unless you
happily spend your days out of the sun in your deep, self-sustaining
bomb shelter).

A small quote so I don't have to put forward the challenge again:

"We are all victims of other people’s bad security decisions all the
time. At best it’s just the inconvenience of the security guard checking
our receipt as we leave the store. At worst, there’s no limit to the
annoyances, inconveniences, problems, deaths, and destruction that can
result. I don’t want to be in that position where I failed to open your
eyes to the problem only to have it become my problem. I don’t know
where any of you will be in 5 or 10 years but I’m sure even if you are
not a security professional you will have the ability to affect security
in my life through commentary, decision, vote, or inaction."

> Now the biggest questions that I get from the customer is how did you
> bypass my filters (IDS, IPS) and I need you to rewrite the final report
> so I can obtain more funding.........to buy more security and hire more
> people.....the biggest hole that I found was the lack of security
> internal process. These things require leadership to fix, not more
> funding!!!!!!!!! How do you state that in a report?

By pointing out the processes which failed rather than the equipment.
Analysis will show the clear cause and effect in many of these
situations, and while it may be leadership, you may have more success by
building a case that stops short of finger-pointing unless you really
know 100% that it is leadership alone that causes the problems. Base
your report on facts and objective analysis of those facts.

> So IMHO every project is different based on the customer's needs (more
> funding and more head count). The other issue is how to set the clowns
> apart from the professionals, which is becoming harder to do because
> there are more clowns and not enough professionals and the clowns are
> hurting the rest of us....

Every project is different, but how much you are willing to sell your
compromised integrity for should be static. Treat every project like
it's the one you may be remembered for, and try to make sure you're clear
with yourself and your company what exactly you want to be remembered
for. If you want to be different from the clowns then you can't let
economic gain differentiate for you. The sad truth is that there are a lot
of rich clowns with wonderful lives.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@isecom.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT