Penetration Testing mailing list archives
On Outside Security Audits
From: "Martin, James E." <martin () more net>
Date: Thu, 6 Sep 2001 13:16:31 -0500
I've seen a couple of our downstream networks do this, and the reasons I've heard are as follows:

A. We have no internal capability to do so ourselves (or if we do, we've spoken up about it so often we're seen as having an agenda), and
B. We've had enough "learning experiences" with malware, default configs, intrusions and other excitement that we've managed to convince someone with a little money to fund a one-shot audit, and
C. If we do this and raise awareness internally, maybe we can get a budget to do it, because management is more focused on deliverables than risks.

There may be flaws in this logic, but it seems to work.

I'm not claiming the outsider is always right or accurate - I've got an audit report on my desk at the moment forwarded by a customer who wanted a second opinion. There are good consultants and bad.

In terms of bringing in outsiders to do an audit, we brought in a couple of CERT/CC members as outside consultants five years ago. Best investment we ever made...

Your local mileage may vary!

Jim Martin
MOREnet
University of Missouri System

-----Original Message-----
From: Dave Wray [mailto:davew () sec-tec com]
Sent: Wednesday, September 05, 2001 4:27 PM
To: pen-test () securityfocus com
Subject: Re: Security Audit

<snip>

I think a more suitable question is why would you pay a 'Consultant' good money to hit a big green go button and print the results?

Regards to all

Dave Wray
Sec-Tec Ltd
www.sec-tec.co.uk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service.
For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/