From: mr.nasty@ix.netcom.com
Date: Tue May 16 2006 - 10:29:37 EDT
As far as a pen-test contract is concerned, I’d want to make sure that I get my money’s worth. Speaking from the standpoint of a taxpayer, shareholder or CEO. Hence from this perspective I wouldn’t want to see what I would consider WASTE.
What is “Fraud, Waste & Abuse”? Three terms used by organizations to keep an eye on the bottom line. If organizations had to disclose the ROE (and I don’t mean the entire contract), in their prospectus to support the financial statements wouldn’t that help to assure investors (taxpayers and shareholders) of the financial environment.
Let’s take a look at two organizations whose Auditors were tried and convicted of fixing the books; ENRON and World Com. This was as the news can only surmise and comprehend a financial disaster. Correct. But the main reason was the disclosure of the sheltered companies that were being used to launder money through that were not disclosed publicly.
What on earth does this have to do with PEN-TESTING? I’m an AUDITOR, just like a MARINE, you are never and ex-MARINE, you are never an ex-AUDITOR! I currently work as an ISO for a large organization who oversees PEN-TESTS in my organization. When these folk visit a site and perform their tests, I want them to find the low hanging fruit. Then I don’t just want them to take screen shots I want them to leave behind a gift, a worm in the apple. (Not a Morris worm – it’s a euphemism)
Now how is all this related you ask? Just like any organization there is a method and certain requirements that logically fall into place. Before a financial auditor can perform any type of confidence testing on your internal controls or transactions they must be assured that the mechanism (the network – IT) in place is secure within a specific confidence level.
If however the organization dictates the methods of pen-tests to provide a favorable result without disclosure the financial auditors sample calculation will be wrong. (We’re not addressing the ROE of the financial auditors at this point.)
What do we mean by ROE of the pen-test? That’s probably the first step in addressing this question before it wanders off into 360 different directions. In my experience I’ve seen organizations dictate how they want the pen-test done to the point of restricting the testers to a specific IP and to alert IDS prior to any testing.
As a pen-tester myself I was given an edict, restricting me to not connect to the network, and not to touch a keyboard at the facility I was testing. Yet I was to perform a pen-test. So how did I break in? I thought like a hacker and social engineered my way right in front of the director, chief of security and my escort and took their sam file through locked doors and a “secure” network all within the confines of the letter. But then that’s because I’m good; another story for a later date.
The point I’m trying to make here is that these tests (risk analysis, vulnerability tests, pen-test) are for a purpose and not in themselves a goal. They are there to support the reliability of the information security of the organization through its financial statements.
Believe me no one (taxpayer or shareholder) is going to review the pen-test. They rely on the financial statements. Without full disclosure of this ROE within their financial statements this, in my opinion, is considered FRAUD, WASTE & ABUSE. It is misleading to the financial audit and to the taxpayer and shareholders alike.
Sorry to take so much bandwidth but I’m very sensitive to this.
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:58 EDT