Re: rules of engagement scope

From: mr.nasty@ix.netcom.com
Date: Fri May 19 2006 - 15:35:58 EDT


Ivan Arce is correct.

"The original author (Mr. Nasty) equated defining the scope of a penetration test to committing (or attempting to commit) fraud on the basis that if you define a precise scope then you are purposely leaving out things that may be important to the general public (I am assuming that he intended to apply that rationale to government, public service organizations and public companies).

So you are talking about a different thing: fraud (or is it phraud?) committed by the penetration tester because she exceeded the scope of what she was allowed to do, whereas Mr. Nasty proposed that having a scope defined by the organization subject to the test is somehow equivalent to fraud (if the results of the test are not made public)."

The only rationale that I can see from what Ivan's written is that he has been there. Most others have not. That's why there is a complete disconnect between logic and reason.

Omar Herrera (wrote)
"I've been an auditor myself for one of the remaining big 4 (doing security assessments in support of financial audits, started as consultant, then Sr. consultant and finally as manager) and I'm not convinced that your perception is at all correct.

If you are referring to information security people that do assessments during a financial audit (brought in by the auditors) then their job is definitely not what you say. They are there to support the financial auditors, not to find the low hanging fruit. If you want this then simply hire a pentest team for this specific purpose."

Hence my point that the pen test is in support of the financial statements. In a perfect world you might be able to establish ROE on a pen-test and feel confident to rely on the results. As the commercial states, "we don't live in Perfect".

I don't want to deliberate on this too much more.
Since I receive information on specific audit requirements, here is the most recent from ISACA:
The Standards Board has issued the following IS Auditing Standards, which become effective for IS audits commencing after 1 July 2006:
· S12 Audit Materiality
· S13 Using the Work of Other Experts *****
· S14 Audit Evidence

My concerns with ROEs are defined within S13. Any big 4 (or maybe big 3 now) manager should know this. Audit Managers are brought to the back room by the CFO or CEO and presented a pentest within the past 12 months that covered dialup issues. Everyone smiles and the Audit Manager is led out of the room with the cover letter stating that the pen-test performed was in conformance with all ROE. The Audit Manager, knowing he has to cut costs or it's coming out of his budget, will accept the pen-test as support and reduce the confidence sample.

REALITY? Yes. FRAUD? With a good attorney like Ken Lay's, or if you're a cute Florida school teacher, you just clean up your resume and work for the big 2.

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:59 EDT