Penetration Testing mailing list archives

RE: felons as pen testers


From: "Charlton, Ceri (CSS)" <Ceri.Charlton () capita co uk>
Date: Fri, 10 Dec 2010 10:31:34 -0000

Another angle to consider:

Scenario 1)
You run thorough checks on a promising candidate, they come back clean.
You hire them and shortly afterwards, they commit a crime using the
information they've been given access to. There's an investigation, it's
found you did everything right other than trust this individual. 

Scenario 2)
An otherwise promising candidate is upfront about a past criminal
conviction for computer crime. You run thorough checks on them and this
is confirmed, but no other offences are listed. After careful
consideration, you give them the benefit of the doubt and hire them.
They then commit a crime using the information they've been given access
to. There's an investigation, it's found you did everything right other
than trust this individual.

The grilling you would get from the auditors, senior management and your
customers would be *far* worse in scenario 2. Any individuals within
those groups who were of the opinion that "a wolf is always a wolf"
would likely feel their stance is completely vindicated by this breach
and you would be in a very weak position to argue this with them.

Personally, I would not be totally against hiring an ex-convict on
principle, but the above point is one of the main things that would
dissuade me. If I was convinced that they were reformed and the right
person for the job, I would consider them. They would have to be
markedly better than the other candidates for me to be prepared to take
this risk and also serve a longer time in a less privileged post to
build that level of trust before being given access to the crown jewels.
The nature of the offence would be a huge factor too: Someone convicted
of shoplifting a CD as a teenager is a thief too, but it's less relevant
than someone who had a prior conviction for, say, stealing large volumes
of customer data from a previous employer.

Psychologists have been saying, "The best indicator of future behaviour
is past behaviour" for decades. There are notable exceptions and it is
only an indicator after all, but it is a strong one.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of CTLucca () wlrk com
Sent: 08 December 2010 13:22
To: kbcboy () gmail com; shadrazar () gmail com
Cc: pen-test () securityfocus com
Subject: RE: felons as pen testers

It's a tough decision to make.  On the one hand you want a pen tester
who is capable of providing the best assessment possible of your
environment.  On the other, you need to be certain your staff doesn't go
rogue and essentially abuse the relationship.  Look at the Albert
Gonzalez case, the government thought they had a wolf in sheep's
clothing, turned out he was still a wolf.  I would also like to bring up a
story relayed to me by a colleague who said a company hired a person
previously convicted of identity theft only to have that person do it
again.  I'm not saying every convicted felon is certainly going to
return to a life of crime, but in this industry our ethical standards
and our integrity must, above all else, be beyond reproach.  Having a
convicted felon on your staff, while it may help prove you have one of
the best pen testers on your team, will always carry a higher degree of
risk that they may be doing more than you want.

Another thing to consider, who audits the auditors?  A good risk program
will have proper checks and balances to make sure access isn't abused
and that everyone is more or less monitored.  If your best pen tester is
a felon, how can you be sure that you are able to watch them?  That's my
two cents.
