Security Basics mailing list archives
Re: How does a customer get PCI audited?
From: Adriel Desautels <adriel () netragard com>
Date: Sat, 07 Jun 2008 00:16:59 -0400
Hi Dan,

Comments embedded below.

Regards,
Adriel T. Desautels
Chief Technology Officer
Netragard, LLC.
Office : 617-934-0269
Mobile : 617-633-3821
http://www.linkedin.com/pub/1/118/a45

Join the Netragard, LLC. Linked In Group:
http://www.linkedin.com/e/gis/48683/0B98E1705142
---------------------------------------------------------------
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security

Netragard Whitepaper Downloads:
-------------------------------
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn

Dan Anderson wrote:
> On Wed, Jun 4, 2008 at 11:08 AM, Adriel Desautels <adriel () netragard com> wrote:
>> In order to properly defend a network you must first know what you need to defend it against. You must have a strong understanding of the threat and how the threat might align with your risk and exposure profile. The only way to do that is to either have good threat intelligence, or work with a qualified penetration testing team that has REAL threat intelligence.
>
> Are you suggesting that you should hire a pen-tester to do your risk-analysis?
No. In my opinion, the job of a penetration testing company is to test the security of an existing IT Infrastructure and the effectiveness of policies and procedures to a degree. For example, some of our customers have very specific incident response policies in place. Those customers hire us to launch unannounced penetration tests against their infrastructure as a means to test how well their personnel follow the incident response policies.
Another example. Many of our customers have managed security providers that monitor their networks for unauthorized access (IDS/IPS monitoring etc.). Those customers bring us in to perform unannounced stealth/evasive penetration testing to see how effective their managed security providers are.
That said, penetration tests and vulnerability assessments do not perform complete reviews of a business's controls, but they can challenge them to a degree.
> It's a novel idea, but don't you normally do risk analysis with your and a consultant or two?
Why are you assuming that I was talking about a risk-analysis?
>> Once you've identified such a firm your IT Infrastructure, personnel, policies, etc. need to be tested at the same or higher threat level as you'd face in the real world. That will identify your risks and help you to build the proper CONTROLS to counter those risks. Suggesting that anyone build controls without first having a GOOD and REAL assessment is horrible advice. That would be akin to building defenses against Russia during the Cold War with no intelligence about their capabilities.
Never mind, I see why. What I wrote there came out like total horse shit. Penetration Tests and vulnerability assessments help to test some existing controls to make certain that they are working properly. New controls can be created from the results of a penetration test, but penetration testing is not the tool for creating all controls.
> Isn't it more cost effective to use pen-testing to validate your preventative controls? I mean - if you have no controls in place what value are you getting from letting the "hackers" break in? Isn't architecting your controls based on pen-test results kind of like building your entire security program based on audit findings? (and a bad idea for the same reasons?)
>
>> With respect to your paper, I still need to go read it. That said, even if Penetration Testing is 30% of the total solution, it is clearly the foundation to building the solution. Else you are building a blind defense that most probably won't work.
>
> I still don't get it... Is NetraGard a pen-test outfit? The foundation to building a secure solution is more about risk analysis, sound policies, procedures, methodologies, training and frameworks - not hiring pen-testers.
Penetration testing is a part of *maintaining* a secure foundation.
> Certainly there is a point to pen-testing to validate controls, but it's not the "foundation" of any security effort.
>
>> It's common sense Craig, know your enemy, know yourself, and then you can build a good defense.
>
> Isn't this called a "risk analysis"? Nobody needs to penetrate anything to do a risk analysis. There is an old saying, "When all you have is a hammer, everything looks like a nail." On the other hand - I guess you would sell a lot more pen-tests if you convince anyone that you are right.
Well, under any other circumstance I'd be insulted, but what I wrote before was not at all what I intended to write; please accept my apologies.
> Analogies usually suck, mine more than most, but here goes: Imagine you need to protect a valuable object from theft or destruction. So, you do no risk analysis, and just put it on a vacant lot... Then you hire pen-testers to see if they can get it. They walk onto the lot and take it. So, you realize that maybe a fence would be a good idea... you install it. Then you hire pen-testers to see if they can still get it. They climb the fence and take it. So, you realize a building might be a neat idea...
>
> Is this really the "common sense" approach? Wouldn't you be better off getting a few people who know about the object, a few people who know about protecting objects, and even a few people who know about stealing objects together in a room and analyzing the risks and then designing controls to mitigate those risks?
>
> Dan