Full Disclosure mailing list archives
RE: Scandal: IT Security firm hires...
From: <Glenn_Everhart () bankone com>
Date: Mon, 20 Sep 2004 14:57:13 -0400
Think of this not so much as criminal vs. noncriminal but in warfare terms. Security defenders have to design fortifications to keep out attackers. If I am trying to build field fortifications and my forces have captured one of the enemy's designers of attacks, I might very reasonably want to pick his brain to help me get better defensive designs. That doesn't mean I will (or should) believe he has come over to my side of the conflict, nor does it mean I would have him design any part of my defenses, lest he build in weaknesses. Yet if I tell him of various defenses and he tells me of attacks on them which I had not considered, I may find value in his advice. What I have to validate for myself, even though I distrust its source, still has some usefulness.

The thing is, if I am fighting a war I can probably find people to guard this guy and make sure he doesn't see anything but what I show him, and keep him from escaping back to rejoin or inform his old friends. A company wanting to do this had better be more confident than most in its ability to build internal barriers to information, and in its ability to watch what of its sensitive information gets into the enemy or ex-enemy hands, and what leaves them for where. They should remember: if the captured enemy designer should retain his old loyalty and report their secrets to other enemies, the value of that company's secrets will be lost.

So how good is the internal security being practiced by the hiring firm? Does this indicate, perhaps, some overconfidence?

Glenn Everhart

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of Harlan Carvey
Sent: Monday, September 20, 2004 1:20 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Scandal: IT Security firm hires...

Does it not strike anyone that there is a disturbing trend in malicious hackers (yes, yes, I know, they are not hackers if they are malicious, so call em whatever you want) getting hired to security firms,

Regardless of the reason for hiring these individuals, this fact should be noted by any organization subject to legal or regulatory compliance with regards to computer/information security. While the laws in the US do not specifically stipulate that reputable firms must be used when seeking compliance with vuln/risk assessments, etc., one would hope that the professional reputation of the assessing firm would be considered, as well.