Penetration Testing mailing list archives
RE: Papers on Sex as an audit tool?
From: "Green, Neale S" <neale.green () eds com>
Date: Wed, 10 Mar 2004 10:24:26 +1100
There are some information feeds that are required for the audits, the point was that more information is requested, and provided, than SHOULD be provided.

As a general rule, auditors, like developers and many other people, will often ask for "the lot", so that they can pick what they need out of one big bucket of information, rather than have to make multiple, specific, requests for the information that they should be reviewing. That "big bucket" will often include many pieces of information which should not be general knowledge.

The issue isn't so much of why the audit firm would attack the customer's environment, but that an excessive amount of information which should be kept controlled (as it provides details that COULD be used for an attack) is circulated where other parties could get access to it, because the requests are not controlled as they should be.

As for the checklist point, it has been pointed out by a senior audit person who had a long-standing relationship with a number of the "Big 4 Audit" audit firms, that the customer will often request specific items which are not covered by the generic checklists, which then require additional requests to be made. If the audit team in question do not have the technical basis for the specific environment, the request will often be, once again, much "broader" than necessary to extract the specific information to answer the specific request of the customer.

Regards,

Neale Green CISSP
Information Security
Phone: +61 2 937 80225
Mobile: 0414 979 627
Fax: +61 2 9312 6116
Email: neale.green () eds com

-----Original Message-----
From: Vel [mailto:vel () sympatico ca]
Sent: Wednesday, 10 March 2004 12:49 PM
To: Green, Neale S; pen-test () securityfocus com
Subject: Re: Papers on Sex as an audit tool?

Sorry, might be a silly question. But what is the gain to Big Audit firms from the gathering of such sensitive info from their clients?
Another naive question; but why would the "Audit firm" want to attack their client's network??? If it is an audit why aren't they using their checklist?

Thx.