Penetration Testing mailing list archives
RE: Bank Audit Best practices
From: Frank Knobbe <frank () knobbe us>
Date: Wed, 24 Mar 2004 02:05:39 -0600
On Tue, 2004-03-23 at 10:19, Mike Shaw wrote:
> * It's about *risk*management*. FI's don't understand many technical things, but they understand this. Thus, many consultants end up looking pretty silly to FI's when they can't tie technical benefit to risk reduction.

In addition, links owned by processors etc. are typically excluded from vulnerability studies, and sure as hell from pentests. But you can inquire about copies of the processor's assessment.

There are few technical solutions to the issues raised by linking via a router to a processor. If that link can be segmented and firewalled, fine. If not, then this is something that should be highlighted in a risk assessment. A vulnerability assessment should clearly mark it as excluded -- it cannot make any assertions about it, regarding vulnerabilities or otherwise.

It's a business decision. After all, it's a business partner, not a business scumbag, that they link up with. They may talk with each other, they may know something about their networks, they may work together, they may strive for security together, they rise and fall together. And I bet there are agreements and insurance policies that protect them from each other :)

Regards,
Frank