RE: Remote Desktop Security - Compliance VS Pen-Test

["Rivest, Philippe" <PRivest () transforce ca>]

(I don't want to branch out this conversation)
Don't you belive that compliance and Pen-Test is 2 different domains?

Let me explain what I think, compliance is for marketability but it also
ensure that a client is doing at least the MINIMUM. The goal is always to aim
to at least the minimum. But it is minimum at everything, and this is
important (everything important..)

Pen-Test will do a maximum damage with minimal effort I know. It will
probably succeed, but Pen-Test is covered in a compliance check as of SOX and
COBIT. A Pen-Test is aiming at proving security can still improve and should
be used as such because we all know that most if not every network can be
penetrated. It should be a mean with which you can prove to management that
you still need some funding.

I'd like to point out to the quote I use in my emails:
"Everything that can fail, will fail. If something can't fail, it will fail
anyway" - Murphy

Merci / Thanks
Philippe Rivest, CEH, Network+, Server+, A+
Vérificateur interne en sécurité de l'information
Courriel: Privest () transforce ca
Téléphone: (514) 331-4417
www.transforce.ca

Vous pourriez imprimer ce courriel, mais faire pousser un arbre c'est long.
You could print this email, but it does takes a long time to grow trees.
"Everything that can fail, will fail. If something can't fail, it will fail
anyway" - Murphy
-----Message d'origine-----
De : listbounce () securityfocus com [mailto:listbounce () securityfocus com] De la
part de Kish Pent
Envoyé : 2 septembre 2008 03:14
À : Nate McFeters
Cc : webappsec () securityfocus com; jaredmalthus
Objet : Re: Remote Desktop Security


Hi Nate,

The point of having compliance as I understand is to "be marketable" to your
customers (from their perspective) ... most people than not who've passed
compliance will fail a thorough pen-test, hands down ;)

We all know that compliance is crap to begin with, but that's the sad
reality.

Cheers :)
Kish

--
Kishore Parthasarathy, 
Penetration Tester, Smart Security,
17/1,Upstairs, Sarojini St,T.Nagar, 
Chennai - 600 017

Phone: 91 98841 80767


--- On Sun, 8/31/08, Nate McFeters <nate.mcfeters () gmail com> wrote:

> From: Nate McFeters <nate.mcfeters () gmail com>
> Subject: Re: Remote Desktop Security
> To: kish_pent () yahoo com
> Cc: webappsec () securityfocus com, "jaredmalthus" <jared.malthus () gmail com>
> Date: Sunday, August 31, 2008, 5:50 PM
> Hard to believe someone would PCI certify LogMeIn.  Makes me
> lose my faith
> in PCI... oh wait, I never had any faith in it to begin
> with.
>
> -Nate
>
> On Sun, Aug 31, 2008 at 5:45 AM, Kish Pent
> <kish_pent () yahoo com> wrote:
>
> > Try RSASecurID or Phonefactor's two factor
> authentication scheme.
> > Overview of what is available in LogMeIn Pro version
> can be found here,
> > https://secure.logmein.com/security.asp
> >
> > Documentation of security features for LogMeIn can be
> found here...
> >
> https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf
> > Cheers :)
> > Kish
> >
> >
> > --
> > Kishore Parthasarathy,
> > Penetration Tester, Smart Security,
> > 17/1,Upstairs, Sarojini St,T.Nagar,
> > Chennai - 600 017
> >
> > Phone: 91 98841 80767
> >
> > --- On Sat, 8/30/08, jaredmalthus
> <jared.malthus () gmail com> wrote:
> > > From: jaredmalthus
> <jared.malthus () gmail com>
> > > Subject: Remote Desktop Security
> > > To: webappsec () securityfocus com
> > > Date: Saturday, August 30, 2008, 6:47 PM
> >  > I need to be PCI compliant using a remote access
> program
> > > called LogMeIn.
> > > Does anyone have any suggestions on two-factor
> > > authentication solutions that
> > > work with LogMeIn?
> > > --
> > > View this message in context:
> http://www.nabble.com/Remote-Desktop-Security-tp19238126p19238126.html
> > > Sent from the Web App Security mailing list
> archive at
> > > Nabble.com.
> -------------------------------------------------------------------------
> > > Sponsored by: Watchfire
> > > Methodologies & Tools for Web Application
> Security
> > > Assessment
> > > With the rapid rise in the number and types of
> security
> > > threats, web application security assessments
> should be
> > > considered a crucial phase in the development of
> any web
> > > application. What methodology should be followed?
> What tools
> > > can accelerate the assessment process? Download
> this
> > > Whitepaper today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> > >
> -------------------------------------------------------------------------
> >
> -------------------------------------------------------------------------
> > Sponsored by: Watchfire
> > Methodologies & Tools for Web Application Security
> Assessment
> > With the rapid rise in the number and types of
> security threats, web
> > application security assessments should be considered
> a crucial phase in the
> > development of any web application. What methodology
> should be followed?
> > What tools can accelerate the assessment process?
> Download this Whitepaper
> > today!
> https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
> >
> -------------------------------------------------------------------------
> >


      

-------------------------------------------------------------------------
Sponsored by: Watchfire 
Methodologies & Tools for Web Application Security Assessment 
With the rapid rise in the number and types of security threats, web
application security assessments should be considered a crucial phase in the
development of any web application. What methodology should be followed? What
tools can accelerate the assessment process? Download this Whitepaper today! 

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------


-------------------------------------------------------------------------
Sponsored by: Watchfire
Methodologies & Tools for Web Application Security Assessment
With the rapid rise in the number and types of security threats, web application security assessments should be 
considered a crucial phase in the development of any web application. What methodology should be followed? What tools 
can accelerate the assessment process? Download this Whitepaper today!

https://www.watchfire.com/securearea/whitepapers.aspx?id=70170000000940F
-------------------------------------------------------------------------