Penetration Testing mailing list archives
RE: Government Compliance
From: "Kasyan, Walter A (Tony)" <wakasyan () purdue edu>
Date: Thu, 16 Jun 2005 08:01:45 -0500
If this is in fact the case, they are not really interested in true security but rather a minimal compliance with what the chain of command views as "Security". This way they can assure their compliance and get good evals and assure the continued march up the promotional ladder. But be careful, there was once a Commander R. Marcinko, USN who did some Security Scans with a group called Red Cell and his chain of command didn't like the results. It may be OK to rock the boat gently, but be careful not to tip it over. Tony -----Original Message----- From: Dave [mailto:dave.anon () gmail com] Sent: Wednesday, June 15, 2005 9:51 AM To: pen-test () securityfocus com Subject: Government Compliance Hello everyone. I know some will view this as a rant and other as informative, but I am making this post as a sanity check. For the purposes here, I currently work as an IT Security professional for the US government. I work at the Department of Government, within a component named AgencyX. Yes, these names are fictional. To give an outline or basic background, all government computer systems are governed by strict requirements for designing, implementing, maintaining, and securing them. Many of these are mandatory and are not up for negotiation. Some examples include NIST SP's, FISMA, DCID 6/3, etc..... OK....so I received and email from a "IT Security professional" (qualifications and knowledge very questionable) at the Department in response to a question I had. I had asked for the definition the Department was adopting for penetration testing. The response I received was (scrubbed for anonymity): "... The guidance for penetration testing was reviewed at [department committee] meeting... penetration testing shall consist of [product name deleted] vulnerability scans and running [product name deleted] for cracking passwords... if this has been done AgencyX shall get credit for penetration testing...." Ok, I have big problems with this. There are seperate and distinct requirements for maintaining password complexity, performing vuln scans, AND performing penetration testing. Any industry guideline or resource would never allow this "definition". Am I wrong? Am I over reacting? When I brought this up to my chain of command I was told "don't rock the boat". They fully admitted that they knew the definition to be incorrect in that it was not meeting the intent of the requirement, but that I should not say anything to rock the boat and just accept this. Obviously, for ethical reasons, I am leaving the agency and the department. Feedback? Thoughts? -- Dave
Current thread:
- Government Compliance Dave (Jun 16)
- Re: Government Compliance Kevin Lee (Jun 16)
- Re: Government Compliance David J. Bianco (Jun 16)
- Re: Government Compliance Diego Kellner (Jun 16)
- RE: Government Compliance Robert Hines (Jun 16)
- Re: Government Compliance Jay D. Dyson (Jun 16)
- Re: Government Compliance R. DuFresne (Jun 16)
- AW: Government Compliance Jörg Maaß (Jun 16)
- <Possible follow-ups>
- Government Compliance Security Professional (Jun 16)
- RE: Government Compliance Kasyan, Walter A (Tony) (Jun 16)
- RE: Government Compliance Smith, Michael J. (Jun 16)
- Re: Government Compliance Tim Adams (Jun 16)
- RE: Government Compliance Keith T. Morgan (Jun 16)
- RE: Government Compliance Todd Towles (Jun 16)
- Re: Government Compliance frank_kenisky (Jun 16)
- Re: Government Compliance Jeffrey Denton (Jun 16)
- RE: Government Compliance L. Walker (Jun 20)
- Re: Government Compliance Jeffrey Denton (Jun 16)