RE: Why Penetration Test?

["Erin Carroll" <amoeba () amoebazone com>]

Just a quick note for list members from your friendly Moderator:

Pete makes some excellent points in this email regarding how to address
security/business process failures in reports but please bear in mind that
most ethical questions/discussions are considered inappropriate to the list
(they tend to get bogged down in ideology and flamefests after a while). I
don't particularly forsee that happening here but am giving a heads-up as a
reminder.

Snipped from the pen-test list charter:

0.1.3 What is inappropriate content?

* Ethics or morality discussions. This list will facilitate discussions not
for the weak of heart. Its goal is to provide information to people who are
professionals or whose job demands they must break into computers. If you
have a moral or ethical dilemma around this topic please do not sign up to
the list.




Erin Carroll
"Do Not Taunt Happy-Fun Ball"

> -----Original Message-----
> From: Pete Herzog [mailto:lists () isecom org] 
> Sent: Thursday, June 16, 2005 1:19 AM
> To: pen-test () securityfocus com
> Cc: intel96; julie.holmwood () securityfocus com
> Subject: Re: Why Penetration Test?
>
> Hi,
>
> > intel96 wrote:
> > One question I have not seen yet concerning is why PenTest is: To
> justify your job and a budget.
>
> It's not uncommon to meet ethical challenges on any job. 
> Fudging data to meet your economic gains or to help someone 
> else do so always becomes a harder decision when the economic 
> gains increases. The argument is also true that if yu don't 
> help them achieve their goals then they will find someone 
> else who will as the world is full of financially rewarded 
> yet ethically-challenged people. And business is business, 
> right? And it's not like you're a doctor, right?
>
> I just finished the Foreword to a college textbook focused 
> heavily on OSSTMM Security Testing due out in 
> September/October from Thomson Learning where I challenge 
> this notion as a non-personal one because we are all reliant 
> on each other when it comes to security (unless you happily 
> spend your days out of the sun in your deep, self-sustaining 
> bomb shelter).
>
> A small quote so I don't have to put forward the challenge again:
>
> "We are all victims of other people's bad security decisions 
> all the time. At best it's just the inconvenience of the 
> security guard checking our receipt as we leave the store. At 
> worst, there's no limit to the annoyances, inconveniences, 
> problems, deaths, and destruction that can result. I don't 
> want to be in that position where I failed to open your eyes 
> to the problem only to have it become my problem. I don't 
> know where any of you will be in 5 or 10 years but I'm sure 
> even if you are not a security professional you will have the 
> ability to affect security in my life through commentary, 
> decision, vote, or inaction."
>
>
> > Now the biggest questions that I get from the customer is how did you
> bypass by filters (IDS, IPS) and I need you to >rewrite the 
> final report so I can obtain more funding.........to buy more 
> security and hire more people.....the biggest hole >that I 
> found was the lack of security internal process. These things 
> require leadership to fix not more funding!!!!!!!!! >How do 
> you state that in a report?
>
> By pointing out the processes which failed rather than the equipment.
> Analysis will show the clear cause and effect in many of 
> these situations and while it may be leadership, you may have 
> more success by building a case but stops short of 
> finger-pointing unless you really know 100% that it is 
> leadership alone that causes the problems. Base your report 
> on facts and objective analysis of those facts.
>
>
> > So IMHO every project is different based on the customer's 
> needs (more
> funding and more head count). The other issue is >how to set 
> the clowns apart from the professionals, which is becoming 
> harder to do because there are more clowns and not >enough 
> professional and the clowns are hurting the rest of us....
>
> Every project is different but how much you are willing to 
> sell your compromised integrity for should be static. Treat 
> every project like it's the one you may be remembered for and 
> try to make sure you're clear with yourself and your company 
> what exactly you want to be remembered for. If you want to be 
> different from the clowns then you can't let economic gain 
> differentiate for you. The sad truth is that there's a lot of 
> rich clowns with wonderful lives.
>
> Sincerely,
> -pete.
>
> --
> Pete Herzog - Managing Director - pete () isecom org ISECOM - 
> Institute for Security and Open Methodologies www.isecom.org 
> - www.osstmm.org www.hackerhighschool.org - www.isestorm.org
> -------------------------------------------------------------------
> ISECOM is the OSSTMM Professional Security Tester (OPST), 
> OSSTMM Professional Security Analyst (OPSA), and Hacker 
> Highschool Teacher certification authority.