Penetration Testing mailing list archives
RE: felons as pen testers
From: "Charlton, Ceri (CSS)" <Ceri.Charlton () capita co uk>
Date: Fri, 10 Dec 2010 10:31:34 -0000
Another angle to consider:

Scenario 1) You run thorough checks on a promising candidate, and they come back clean. You hire them and shortly afterwards they commit a crime using the information they've been given access to. There's an investigation, and it's found you did everything right other than trust this individual.

Scenario 2) An otherwise promising candidate is upfront about a past criminal conviction for computer crime. You run thorough checks on them and this is confirmed, but no other offences are listed. After careful consideration, you give them the benefit of the doubt and hire them. They then commit a crime using the information they've been given access to. There's an investigation, and it's found you did everything right other than trust this individual.

The grilling you would get from the auditors, senior management and your customers would be *far* worse in scenario 2. Any individuals within those groups who were of the opinion that "a wolf is always a wolf" would likely feel their stance is completely vindicated by this breach, and you would be in a very weak position to argue this with them.

Personally, I would not be totally against hiring an ex-convict on principle, but the above point is one of the main things that would dissuade me. If I was convinced that they were reformed and the right person for the job, I would consider them. They would have to be markedly better than the other candidates for me to be prepared to take this risk, and also serve a longer time in a less privileged post to build that level of trust before being given access to the crown jewels.

The nature of the offence would be a huge factor too: someone convicted of shoplifting a CD as a teenager is a thief too, but it's less relevant than someone who had a prior conviction for, say, stealing large volumes of customer data from a previous employer.

Psychologists have been saying "The best indicator of future behaviour is past behaviour" for decades. There are notable exceptions, and it is only an indicator after all, but it is a strong one.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of CTLucca () wlrk com
Sent: 08 December 2010 13:22
To: kbcboy () gmail com; shadrazar () gmail com
Cc: pen-test () securityfocus com
Subject: RE: felons as pen testers

It's a tough decision to make. On the one hand you want a pen tester who is capable of providing the best assessment possible of your environment. On the other, you need to be certain your staff doesn't go rogue and essentially abuse the relationship. Look at the Albert Gonzalez case: the government thought they had a wolf in sheep's clothing; it turned out he was still a wolf. I would also like to bring up a story relayed to me by a colleague, who said a company hired a person previously convicted of identity theft only to have that person do it again.

I'm not saying every convicted felon is certainly going to return to a life of crime, but in this industry our ethical standards and our integrity must, above all else, be beyond reproach. Having a convicted felon on your staff, while it may help prove you have one of the best pen testers on your team, will always carry a higher degree of risk that they may be doing more than you want.

Another thing to consider: who audits the auditors? A good risk program will have proper checks and balances to make sure access isn't abused and that everyone is more or less monitored. If your best pen tester is a felon, how can you be sure that you are able to watch them?

That's my two cents.