Re: Would you bet your life on your security?

[Ranjeet Shetye <ranjeet.shetye2 () zultys com>]

On Wed, 2003-10-01 at 19:04, Eric Brown wrote:
> Hello Simon,
>
> I'm pretty new to security, but this is discouraged by the ISECOM in their most current Open Source Security Testing 
> Methodology Manual, p. 18, "2. The offering of free services for failure to penetrate or provide trophies from the 
> target is forbidden." 
>
> I wouldn't know this if I hadn't just read it though.  
> Eric
>
> > -----Original Message-----
> > From: simon [mailto:simon () snosoft com]
> > Sent: Wednesday, October 01, 2003, 4:18 PM
> > To: security-basics () securityfocus com
> > Subject: Would you bet your life on your security?
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > All,
> >     I'm not sure how many of you have had good security audits in the 
> > recent past so I thought I'd show you this. In summary Secure Network 
> > Operations, Inc. will do an external security audit of your network for 
> > approx $1000.00.  If they don't find any vulnerabilities, then the audit 
> > is FREE and they send you a letter of validation. If they do find 
> > vulnerabilities, then they charge you and send you a formal report that 
> > details their finds and grades your network.
> >
> >     Given some of the new laws that have been passed this seems like a 
> > pretty good service and a VERY cheap way to validate your companies 
> > security. Secure Network Operations also has a flawless track record and 
> > has the references to prove it.
> >
> > Why do I think this is a good idea? Well, the California identity theft 
> > law (Civil Code 1798.82),The new federal banking regulations are two 
> > reasons. They both  make disclosure of a compromise MANDITORY. You need 
> > to tell ALL of your clients, by law, that you have been compromised and 
> > that their identities may have been stolen.
> >
> > So anyway, I'll shut up.  For those of you that are interested check out 
> > the link below. For those of you that arent, I'm just trying to help 
> > people out so don't flame me or I'll /dev/null your mail.
> >
> > http://www.secnetops.com/pesa-form_html.html
> >
> > Their web site is: http://www.secnetops.com
> > - -- 
> > Regards,
> >          -simon-
> >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.1 (GNU/Linux)
> > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> >
> > iD8DBQE/e0/Nf3Elv1PhzXgRAqczAJ9jLoYmBi1aCs6DA49cB7nusXhv2QCgzeF6
> > 0kewAu0Xz4t6+F5Px6kfKc8=
> > =9AWM
> > -----END PGP SIGNATURE-----
> >
> >
> > ---------------------------------------------------------------------------
> > ----------------------------------------------------------------------------
>
>
> To do is to be.  -Socrates
> To be is to do.  -Satre
> Do be do be do.  -Sinatra
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------

Actually, no respectable professional really advertizes his/her services
in a forum where other professionals are reading/teaching/learning
unless its something specially setup for the purpose of advertizing
one's needs/wants e.g. the security-jobs mailing list. I think that's
standard etiquette for mailing lists.

On these grounds, I find Simon's advertizing pretty unprofessional -
despite the solid reasons (or FUD ?) given as to why insecure networks
can cause a financial liability. I wish he had chosen a more objective
and less FUD approach. Right subject matter, wrong approach - IMHO.

But to object on the grounds that 'ISECOM' forbids it is difficult to
understand. The word 'forbid' is too strong, dont you think ? How can
you 'forbid' anyone from doing legal things in a free country ?? esp.
considering the 'stubborn' profile that most people from the infosec
industry have!! (by stubborn I mean it in a good sense, i.e. you have
continued banging your head against the wall till you understood things,
while others would have walked away from the challenge and taken on less
demanding jobs).

-- 

Ranjeet Shetye
Senior Software Engineer
Zultys Technologies
Ranjeet dot Shetye2 at Zultys dot com
http://www.zultys.com/
 
The views, opinions, and judgements expressed in this message are solely
those of the author. The message contents have not been reviewed or
approved by Zultys.



---------------------------------------------------------------------------
----------------------------------------------------------------------------