Penetration Testing mailing list archives
RE: Government Compliance
From: "Smith, Michael J." <Michael.J.Smith () unisys com>
Date: Thu, 16 Jun 2005 11:06:08 -0400
-----Original Message-----
From: Dave [mailto:dave.anon () gmail com]
Sent: Wednesday, June 15, 2005 10:51 AM
To: pen-test () securityfocus com
Subject: Government Compliance

Hello everyone. I know some will view this as a rant and others as informative, but I am making this post as a sanity check.
As far as government compliance works, it's at the discretion of the DAA/AO. Part of your effort should be a Security Test and Evaluation plan, which will state your approach. If the DAA/AO buys off on such a weak ST&E plan as the one you mention, then it's their problem when the General Accounting Office or Office of Management and Budget comes around for an audit and finds that they did not exercise due diligence. It's also your responsibility to stand up and say that their ST&E plan is not sufficient.

Here's what I would recommend: Offer up your own ST&E plan with what you really want to do and what your goals are. If you have to, take it directly to the system owner and the DAA/AO.

The guidance you have is SP 800-42, which is available at:
http://csrc.nist.gov/publications/nistpubs/800-42/NIST-SP800-42.pdf

All the other stuff, like FISMA, just says that you will do testing. The NIST pubs actually detail the execution. SP 800-42 even lists typical tools to use, things like dsniff and L0phtcrack. Section 3.10 is the "official" description of what activities you should be doing during a pen test.

I know it's tough to stay when you are surrounded by people like this, but we need more security guys with a conscience working in the government.

Michael J Smith
michael.j.smith () unisys com
Information Security Specialist
703.419.3109 W
703.855.0890 C
Current thread:
- Government Compliance Dave (Jun 16)
- Re: Government Compliance Kevin Lee (Jun 16)
- Re: Government Compliance David J. Bianco (Jun 16)
- Re: Government Compliance Diego Kellner (Jun 16)
- RE: Government Compliance Robert Hines (Jun 16)
- Re: Government Compliance Jay D. Dyson (Jun 16)
- Re: Government Compliance R. DuFresne (Jun 16)
- AW: Government Compliance Jörg Maaß (Jun 16)
- <Possible follow-ups>
- Government Compliance Security Professional (Jun 16)
- RE: Government Compliance Kasyan, Walter A (Tony) (Jun 16)
- RE: Government Compliance Smith, Michael J. (Jun 16)
- Re: Government Compliance Tim Adams (Jun 16)
- RE: Government Compliance Keith T. Morgan (Jun 16)
- RE: Government Compliance Todd Towles (Jun 16)
- Re: Government Compliance frank_kenisky (Jun 16)
- Re: Government Compliance Jeffrey Denton (Jun 16)
- RE: Government Compliance L. Walker (Jun 20)
- Re: Government Compliance Jeffrey Denton (Jun 16)