Penetration Testing mailing list archives

On Outside Security Audits


From: "Martin, James E." <martin () more net>
Date: Thu, 6 Sep 2001 13:16:31 -0500

I've seen a couple of our downstream networks do this, and the reasons I've
heard are as follows:

A. We have no internal capability to do so ourselves (or if we do, we've
spoken up about it so often we're seen as having an agenda), and
B. We've had enough "learning experiences" with malware, default configs,
intrusions and other excitement that we've managed to convince someone with
a little money to fund a one-shot audit, and
C. If we do this and raise awareness internally, maybe we can get a budget
to do it, because management is more focused on deliverables than risks.

There may be flaws in this logic, but it seems to work. I'm not claiming the
outsider is always right or accurate - I've got an audit report on my desk
at the moment forwarded by a customer who wanted a second opinion. There are
good consultants and bad. 

In terms of bringing in outsiders to do an audit, we brought in a couple of
CERT/CC members as outside consultants five years ago. Best investment we
ever made...

Your local mileage may vary!

Jim Martin
MOREnet
University of Missouri System

-----Original Message-----
From: Dave Wray [mailto:davew () sec-tec com]
Sent: Wednesday, September 05, 2001 4:27 PM
To: pen-test () securityfocus com
Subject: Re: Security Audit

<snip>

I think a more suitable question is why would you pay a 'Consultant' good
money to hit a big green go button and print the results?

Regards to all

Dave Wray
Sec-Tec Ltd
www.sec-tec.co.uk


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
