Penetration Testing mailing list archives
AW: Government Compliance
From: Jörg Maaß <joerg.maass () gmx de>
Date: Thu, 16 Jun 2005 18:04:17 +0200
Dear Dave, I read your post with interest, not only because I live in a different country with different legislation, but also because the problems you mention are somewhat typical for large organizations, be they governmental or business. I do not know the exact content of the regulations you refer to, but the basic point here is that both vulnerability scans and penetration testing serve the only purpose of helping to ensure that the computer systems of said agency comply with or exceed the regulations and are secure. If the definition of penetration testing adopted by the agency fulfils those goals, complies with the regulations and is sufficient to help achieve regulation compliance for the computer systems, fine. If they do not (and I assume that they do not), then you have a point and it was absolutely correct to address this fact through the chain of command. This is totally beside the point of professional conduct, however. In fact, from a professional point of view, you are correct in assuming that only running vendor products and call that a penetration test is not sufficient. Your chain of command's reaction is very typical for a large organization. "Hey, it's not so important. I have my budget discussion coming up, and Mr. X from the affected department will kick my ass in those discussions if I point the finger at him." Typical management reaction. Perhaps the best course of action is to point out the legal consequences to you and your boss, as well as the agency, to your chain of command and tell them that in your opinion, the definition is not sufficient and might conflict with legal requirements (if that is the case). If they turn you down, ask for a written confirmation. If they refuse that, you have three choices: - Swallow it and continue to work there: Not a good idea, since this obviously conflicts with your work ethic (which I regard as very high, BTW :-). - Address the issue higher up in the chain of command or at a complaints commission, if there is any, informing your immediate supervisor of your course of action beforehand: Potentially dangerous for your career and only feasible if you have your flanks solidly covered. - Leave the agency: This is the boldest and most ethical step. Make sure that the recommendation you get is not affected. Ultimately, the decision is up to you. Since I don't know the environment, I can't give recommendations (and since it's a personal decision anyway, it would not be wise to give recommendations, even if I could). I don't think you are overreacting or exaggerating. Your conduct has been professional throughout, but keep in mind that security is always a means towards a goal, and that goal is the fulfilment of business objectives. If there are regulations in place to ensure that, as is the case in the agency and other violate those regulations, then this should not be accepted by the organization and management. However, ultimately it boils down to a management decision (sometimes at the highest rank in an organization). If that management has no backbone or is not doing its job properly, then it is time to move on. Kind regards Jörg Maaß -----Ursprüngliche Nachricht----- Von: Dave [mailto:dave.anon () gmail com] Gesendet: Mittwoch, 15. Juni 2005 16:51 An: pen-test () securityfocus com Betreff: Government Compliance Hello everyone. I know some will view this as a rant and other as informative, but I am making this post as a sanity check. For the purposes here, I currently work as an IT Security professional for the US government. I work at the Department of Government, within a component named AgencyX. Yes, these names are fictional. To give an outline or basic background, all government computer systems are governed by strict requirements for designing, implementing, maintaining, and securing them. Many of these are mandatory and are not up for negotiation. Some examples include NIST SP's, FISMA, DCID 6/3, etc..... OK....so I received and email from a "IT Security professional" (qualifications and knowledge very questionable) at the Department in response to a question I had. I had asked for the definition the Department was adopting for penetration testing. The response I received was (scrubbed for anonymity): "... The guidance for penetration testing was reviewed at [department committee] meeting... penetration testing shall consist of [product name deleted] vulnerability scans and running [product name deleted] for cracking passwords... if this has been done AgencyX shall get credit for penetration testing...." Ok, I have big problems with this. There are seperate and distinct requirements for maintaining password complexity, performing vuln scans, AND performing penetration testing. Any industry guideline or resource would never allow this "definition". Am I wrong? Am I over reacting? When I brought this up to my chain of command I was told "don't rock the boat". They fully admitted that they knew the definition to be incorrect in that it was not meeting the intent of the requirement, but that I should not say anything to rock the boat and just accept this. Obviously, for ethical reasons, I am leaving the agency and the department. Feedback? Thoughts? -- Dave
Current thread:
- Government Compliance Dave (Jun 16)
- Re: Government Compliance Kevin Lee (Jun 16)
- Re: Government Compliance David J. Bianco (Jun 16)
- Re: Government Compliance Diego Kellner (Jun 16)
- RE: Government Compliance Robert Hines (Jun 16)
- Re: Government Compliance Jay D. Dyson (Jun 16)
- Re: Government Compliance R. DuFresne (Jun 16)
- AW: Government Compliance Jörg Maaß (Jun 16)
- <Possible follow-ups>
- Government Compliance Security Professional (Jun 16)
- RE: Government Compliance Kasyan, Walter A (Tony) (Jun 16)
- RE: Government Compliance Smith, Michael J. (Jun 16)
- Re: Government Compliance Tim Adams (Jun 16)
- RE: Government Compliance Keith T. Morgan (Jun 16)
- RE: Government Compliance Todd Towles (Jun 16)
- Re: Government Compliance frank_kenisky (Jun 16)
- Re: Government Compliance Jeffrey Denton (Jun 16)
- RE: Government Compliance L. Walker (Jun 20)
- Re: Government Compliance Jeffrey Denton (Jun 16)