Penetration Testing mailing list archives

Re: Re: Importance of being a QSA


From: "Kurt Grutzmacher" <grutz () jingojango net>
Date: Fri, 1 Dec 2006 16:38:54 -0800

On 28 Nov 2006 21:51:56 -0000, mr.nasty () ix netcom com
<mr.nasty () ix netcom com> wrote:
I used to be an IT auditor. That's how I became the IT security officer for two agencies. I do what you guys can't
because I learned the right way to do it from those checklists.

"You can't hack us, we have been audited and have a waiver!"

Audit always has a place in Business process evaluation, I'll always
argue for that. But Audit != PenTest, the end results are completely
different and, in my opinion, should be viewed differently by
companies.

An audit is a verification that a set of guidelines is being followed.
You have logging enabled, it's being monitored, and you have a process for
handling when things go blip blooop, etc. It says it right here in this
document and you showed me the console, the scripts, etc.
Vulnerability Assessments should be a part of an audit and the end
result is a verification that controls are in place so that a
certification can be made.

IT Governance at work.

A penetration test should take that information (or start with no
information) and attack the company's implementation of their people,
computing environment, physical environment, etc. At the end of the
test the company should have a feeling that their environment needs
improvement in certain areas, is strong in other areas, and is sorta
ok in these remaining areas.

No certification is possible because a PT doesn't ask the questions
like "do you have password lockout enabled?" or "what sort of
intrusion detection system have you deployed?" Those kinds of things
may come up in the process of performing the PT but there's no
certainty they will.

Maybe I'm missing some things but where or how can you effectively
"certify" a business with Penetration Testing?

