Penetration Testing mailing list archives
RE: Fwd: Why suing auditors won't solve the data breach epidemic
From: "Nick Vaernhoej" <nick.vaernhoej () capitalcardservices com>
Date: Tue, 23 Jun 2009 08:24:01 -0500
I don't see how you can reward the essential compliance failure of the audited company. Nick -> -----Original Message----- -> From: listbounce () securityfocus com -> [mailto:listbounce () securityfocus com] On Behalf Of Barry Fawthrop -> Sent: Monday, June 22, 2009 10:15 AM -> To: pen-test () securityfocus com -> Cc: Security Focus -> Subject: Re: Fwd: Why suing auditors won't solve the data breach -> epidemic -> -> To All, -> -> I would agree that suing them is *not* the answer, that is only going -> to force auditor/audit companies -> to raise rates and thus make auditing more expensive and thus the -> first thing dropped by companies -> in a tight economy. -> -> I would put forward the suggestion that the Auditors are paid a bonus -> based on the number of *VALID* findings that they put in their report. -> -> As auditors we need to start reporting the below average incidents as -> average, and list more valid findings. -> But I must stress *VALID* findings, not just insignificant or trivial. -> -> Too often we overlook items and decide not to report them when they -> should have. -> -> my 2c -> -> Barry Fawthrop BSc CISSP, CISA, GCIH -> -> -> Jeffrey Walton wrote: -> > From the folks at Attrition and the DataLossDB. -> > -> > ---------- Forwarded message ---------- -> > From: security curmudgeon <jericho () attrition org> -> > Date: Jun 4, 2009 2:23 PM -> > Subject: Why suing auditors won't solve the data breach epidemic -> > To: dataloss-discuss () datalossdb org, dataloss () datalossdb org -> > -> > http://www.betanews.com/article/Why-suing-auditors-wont-solve-the- -> data-breach- -> epidemic/1244068439?awesm=betane.ws_13&utm_campaign=betanews&utm_conte -> nt=api&utm_medium=betane.ws-twitter&utm_source=direct-betane.ws -> > or http://preview.tinyurl.com/pahfub -> > -> > Why suing auditors won't solve the data breach epidemic -> > Something's got to be done, but this isn't necessarily it. -> > By Angela Gunn | Published June 4, 2009, 10:26 AM -> > -> > The life of a security auditor has its high points, of course -- -> travel, -> > getting paid to break stuff, and more travel -- but there's a lot -> about -> > that job that doesn't recommend it. You're going into someone -> else's place -> > of business and trying to figure out what they're doing wrong, so -> you can -> > write a big report that goes to their bosses? I don't care how -> personable -> > you are, this isn't on the Dale Carnegie list of How To Win -> Friends. -> > -> > Nor, in a disturbing number of situations, is it on the list of -> ways to -> > Influence People. Take a pack of security auditors out for a beer -> > sometime. (You will not have to ask twice, and if you get two beers -> in -> > them they'll tell you about that mid-sized city whose network is -> > end-to-end pwned right now and that international airport that has -> an -> > ongoing problem with stolen IDs -- no names, of course, but plenty -> of -> > other detail. After that, you'll want another beer just for -> yourself.) -> > When they're done scaring you, they'll start trading tales of -> clients who -> > simply refused to accept a bad audit. -> > -> > No one likes to be told that his IT operation has weaknesses, let -> alone -> > critical-stop problems. Some companies will retain a security firm -> and, -> > when bad results start coming back, terminate the contract and send -> > everyone home. Some companies will hire a crew and, when they get -> there, -> > manage to be so disorganized and cranky that the auditors spend -> half their -> > time attempting to simply get started. And some, presented with a -> report -> > saying that their company isn't security-compliant, will simply ask -> that -> > the report be changed. -> > -> > [..] -> > _______________________________________________ -> > Dataloss Mailing List (dataloss () datalossdb org) -> > -> > Get business, compliance, IT and security staff on the same page -> with -> > CREDANT Technologies: The Shortcut Guide to Understanding Data -> Protection -> > from Four Critical Perspectives. The eBook begins with -> considerations -> > important to executives and business leaders. -> > http://www.credant.com/campaigns/ebook-chpt-one-web.php -> > -> > -------------------------------------------------------------------- -> ---- -> > This list is sponsored by: InfoSec Institute -> > -> > Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both -> Instructor-Led and Online formats is the most concentrated exam prep -> available. Comprehensive course materials and an expert instructor -> means you pass the exam. Gain a laser like insight into what is -> covered on the exam, with zero fluff! -> > -> > http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html -> > -------------------------------------------------------------------- -> ---- -> > -> -> -> ---------------------------------------------------------------------- -> -- -> This list is sponsored by: InfoSec Institute -> -> Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both -> Instructor-Led and Online formats is the most concentrated exam prep -> available. Comprehensive course materials and an expert instructor -> means you pass the exam. Gain a laser like insight into what is -> covered on the exam, with zero fluff! -> -> http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html -> ---------------------------------------------------------------------- -> -- This electronic transmission is intended for the addressee (s) named above. It contains information that is privileged, confidential, or otherwise protected from use and disclosure. If you are not the intended recipient you are hereby notified that any review, disclosure, copy, or dissemination of this transmission or the taking of any action in reliance on its contents, or other use is strictly prohibited. If you have received this transmission in error, please notify the sender that this message was received in error and then delete this message. Thank you. ------------------------------------------------------------------------ This list is sponsored by: Information Assurance Certification Review Board Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified. http://www.iacertification.org ------------------------------------------------------------------------
Current thread:
- Fwd: Why suing auditors won't solve the data breach epidemic Jeffrey Walton (Jun 20)
- Message not available
- RE: Fwd: Why suing auditors won't solve the data breach epidemic Nick Vaernhoej (Jun 24)
- Re: Fwd: Why suing auditors won't solve the data breach epidemic Jeffrey Walton (Jun 24)
- RE: Fwd: Why suing auditors won't solve the data breach epidemic Nick Vaernhoej (Jun 24)
- Re: Fwd: Why suing auditors won't solve the data breach epidemic Jeffrey Walton (Jun 26)
- RE: Fwd: Why suing auditors won't solve the data breach epidemic Nick Vaernhoej (Jun 24)
- Message not available