Security Basics mailing list archives
RE: Would you bet your life on your security?
From: "MacDougall, Shane" <smacdougall () idanalytics com>
Date: Thu, 2 Oct 2003 16:45:17 -0700
As a former pen-tester with over 13 years' experience, I can say that many companies (large and small) offer this as an incentive (I've worked with all types). In fact, in the past when some potential clients bragged that their networks didn't need pentests because they were secure, we'd offer a "double or nothing" option: if we gained root access they'd pay double our initial quoted price. If we didn't get in, they'd pay only our travel costs and we'd eat the rest. Most would balk, and instead opt to go with the initial fee.

Just because ISECOM forbids it means nothing in the real world. I've met **many** "pen-testers" who couldn't hack their way out of a wet paper computer. They'd do a basic scan of a network, not notice obvious vulns staring them in the face, then write a report saying the network was secure. The only people that gained anything from the exercise were the "consultants". The clients still had vulnerable networks, yet were blissfully unaware of the fact, and were out the money for the "review".

I've seen "Big 5" (or Big 4 I guess now) firms throwing IIS scripts at verified Apache servers, and "boutique" pen test firms reporting routers as secure when their config files (passwords and all) were open to the world. Offering a money-back guarantee protects companies from hiring firms that know how to run ISS, nmap and nessus, but can do f**k all with the results. If you can't back your work, get out of the arena.

The only real concern here is defining what discovered vulnerabilities are "critical". This can easily become a quagmire for the consultant unless the ground rules are clearly established before the engagement begins. Does a host running ECHO/CHARGEN qualify as a critically vulnerable system? That depends on whether or not the system's data is critical, or its availability is critical. I've had many clients who couldn't give a rat's ass if their network could be DoS'd - as long as the data on the hosts was intact they could sleep soundly.
My $.02 ($.028 Canadian)

SET FLAMES=ON

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shane MacDougall
Chief Security Officer
ID Analytics
San Diego, California USA
Direct: (858) 427-2860
Toll Free: 866-240-4484 x 2860
Fax: 858-427-2899

-----Original Message-----
From: Eric Brown [mailto:ericbrow () ziplip com]
Sent: Wednesday, October 01, 2003 7:04 PM
To: simon; security-basics () securityfocus com
Subject: Re: Would you bet your life on your security?

Hello Simon,

I'm pretty new to security, but this is discouraged by the ISECOM in their most current Open Source Security Testing Methodology Manual, p. 18: "2. The offering of free services for failure to penetrate or provide trophies from the target is forbidden." I wouldn't know this if I hadn't just read it though.

Eric
Current thread:
- Would you bet your life on your security? simon (Oct 01)
- Re: Would you bet your life on your security? Jimi Thompson (Oct 10)
- <Possible follow-ups>
- Re: Would you bet your life on your security? Eric Brown (Oct 02)
- RE: Would you bet your life on your security? David Gillett (Oct 02)
- Re: Would you bet your life on your security? simon (Oct 06)
- Re: Would you bet your life on your security? Ranjeet Shetye (Oct 02)
- Re: Would you bet your life on your security? simon (Oct 02)
- Re: Would you bet your life on your security? David Moisan (Oct 03)
- RE: Would you bet your life on your security? David Gillett (Oct 03)
- RE: Would you bet your life on your security? David Gillett (Oct 02)
- RE: Would you bet your life on your security? MacDougall, Shane (Oct 03)
- RE: Would you bet your life on your security? MacDougall, Shane (Oct 03)
- RE: Would you bet your life on your security? David Gillett (Oct 06)
- Re: Would you bet your life on your security? simon (Oct 06)
- RE: Would you bet your life on your security? David Gillett (Oct 06)