Dailydave mailing list archives

Re: "The organization I belong to doesn't have initials" (that evil dude in Heroes)


From: "Steve Manzuik" <smanzuik () juniper net>
Date: Mon, 13 Nov 2006 12:15:57 -0500

I agree with both of you guys to a point.

When I was a consultant my shtick was that a "pen-test" is a complete
waste of time if you don't have your other ducks in line.  This was
based on the unscientific research conducted by myself that basically
concluded that 99/100 pen-tests are almost always successful.  So, I
could tell the client, without even looking at their network, that there
was a 99% chance that they could be compromised by either a pen-test
team or a malicious individual.  So why spend your already small budget on
something that has results that can be assumed?

Don't get me wrong, there is a huge value in pen-tests, especially when
you have someone with real skills (not someone who simply tells you
about your ICMP timestamps, as Dave said) doing a pen-test for you, but
why not have this sort of work done after you have done the compliance
and patch management dance?  Only then will it bring out the real value
which, as Dave said, is popping zero days in your infrastructure instead
of simply telling you that you need to patch more.  The other caveat
here, of course, is that there is no use in popping zero day on someone if
you are unable to help them actually remediate the risk and protect from
it.

Just my $.02 (Canadian so more like $.0175782)

-Steve

PS: Don't even get me started on my rant on the "ICMP timestamp" guys.
Dave and the rest of you in the pen-test game should be eating those
guys' lunch, among other things.  Especially in this day and age.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave