Penetration Testing mailing list archives

Re: Government Compliance


From: frank_kenisky () psc uscourts gov
Date: 16 Jun 2005 19:09:05 -0000

Thank goodness they changed the forum's format. Someone is using their head for something other than a place to hang a 
sweater cap.

That said, I have replied to Dave and sympathize with his plight.  I too am with a "Gov Agency".  Probably not the one 
Dave's associated with.  Through my years I have learned one thing within the Gov, power and knowledge are not one and 
the same.

Information Security within the gov is an oxymoron.  Most agency CIOs and CISOs have about as much knowledge of 
Information Security as the half-asleep rent-a-cop downstairs checking badges.

Now I don't want to get off on a rant here, but one agency I worked with as an Information Security Auditor (for the 
Inspector General) investigated me after I supervised a contracted pen test team for breaking into the email of the 
agency IG.  Short story: apparently at one of the sites we tested there had been a problem with an employee embezzling 
funds in excess of $500,000.00.  The IG was investigating the problem on site and also had a presence there.  When one 
of the pen testers asked me, "What does OIG stand for?" it quickly raised a red flag with me.

I asked who the emails were from and to.  The pen tester stated the names of the IG himself and other investigators.  I 
made the decision to take the information as evidence to show the IG that we needed to have our own domain and separate 
subnets and use encryption for communications.  Instead of realizing the benefit of this, they put me through two years 
of an indictment by a Federal Grand Jury.

Today they have retired and are living quietly with their grandchildren, all the while the legacy they left behind has 
only gotten worse.

I now work as the Security Specialist with a different agency.  My job is simple.  I pen test our web sites.  Policy, 
requirements and legal stuff are not my concern.  The sooner he realizes that the power within the Government can only 
make your life miserable and cost you and your family a lot of heartache and unrecoverable money, the sooner he will 
begin to live a long life.

The Government was here before us and it will be here a long time afterwards without us.

It's frustrating to read the next day's headlines about the latest hacked Gov agency.  We just had one.  Why?  Because 
the powers that be have no knowledge why.
