Penetration Testing mailing list archives

RE: felons as pen testers


From: <CTLucca () wlrk com>
Date: Wed, 8 Dec 2010 13:22:27 +0000

It's a tough decision to make.  On the one hand you want a pen tester who is capable of providing the best assessment 
possible of your environment.  On the other, you need to be certain your staff doesn't go rogue and essentially abuse 
the relationship.  Look at the Albert Gonzalez case: the government thought they had a wolf in sheep's clothing; 
turned out he was still a wolf.  I would also like to bring up a story relayed to me by a colleague, who said a company 
hired a person previously convicted of identity theft only to have that person do it again.  I'm not saying every 
convicted felon is certainly going to return to a life of crime, but in this industry our ethical standards and our 
integrity must, above all else, be beyond reproach.  Having a convicted felon on your staff, while it may help prove 
you have one of the best pen testers on your team, will always carry a higher degree of risk that they may be doing 
more than you want.

Another thing to consider, who audits the auditors?  A good risk program will have proper checks and balances to make 
sure access isn't abused and that everyone is more or less monitored.  If your best pen tester is a felon, how can you 
be sure that you are able to watch them?  That's my two cents.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Fred
Sent: Friday, December 03, 2010 8:55 PM
To: amir shadrazar
Cc: pen-test () securityfocus com
Subject: Re: felons as pentesters

For whatever it's worth ...
My old boss was convicted of felony computer crimes after breaking into federally funded systems at a university, while 
a student in '91.  He pleaded and paid a fine plus probation but still had a felony on record.  Well, after working at 
an ISP that turned into a consulting company, he hired me.  He had a secret clearance and we worked many a pentest gig.  
Yes, I'd hire someone with a felony.  It only matters what they are doing now, not what they did ten or twenty years ago.
Well, he started his own company and it did well enough that he doesn't work anymore.  It's important to be up front 
with the gov't if that is the type of consulting that you are going for.  They will make their own determination based 
on many factors, those factors being references, financial status, drug use, and criminal record.  A board makes the 
final decision.


On Thu, Dec 2, 2010 at 11:57 AM, amir shadrazar <shadrazar () gmail com> wrote:
I have a personal friend who has recently asked for my advice. He was 
convicted of a felony for grand theft auto when he was 21 or so back 
in the early 1990's and a separate misdemeanor charge for fraud. He 
served his time, less than 1 year, paid restitution and completed 
probation successfully in the mid '90s. Since then he has not had any 
run-ins with the law with the exception of a misdemeanor drunk in 
public charge 4 years ago that was the result of unfortunate 
circumstances (he was a passenger in a car that was pulled over and 
the police officer asked him to step out of the car and then he was
arrested) and is definitely a reformed individual. He is always honest 
about his record and has worked in state government in sensitive 
positions in IT security requiring background checks with fingerprint, 
and holds industry certifications with Ethics requirements from ISC2 
and ISACA. Both organizations were made aware of his history and after 
legal review decided to grant the credentials. His record cannot be 
expunged because there is no realistic process to do so in the state 
where he was convicted.

The questions are these (answer depending on the sector you work in):

Would you hire this person to work for your company providing internal 
security and pentest services?

Would you (as a consulting firm) hire this person to perform 
consulting and pentest services on behalf of your firm?

Would he ever be able to receive a security clearance (even a low 
level secret clearance) and employment from the Federal government?

Why or why not?

Thanks, I know this isn't the typical question on this list but he's a 
smart guy that's learned from his mistakes and I'd like to help him 
out if I could.

-Shad

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------


