Penetration Testing mailing list archives
Re: rules of engagement scope
From: mr.nasty () ix netcom com
Date: 19 May 2006 19:35:58 -0000
Ivan Arce is correct.

"The original author (Mr. Nasty) equated defining the scope of a penetration test to committing (or attempting to commit) fraud on the basis that if you define a precise scope then you are purposely leaving out things that may be important to the general public (I am assuming that he intended to apply that rationale to government, public service organizations and public companies). So you are talking about a different thing: fraud (or is it phraud?) committed by the penetration tester because she exceeded the scope of what she was allowed to do, whereas Mr. Nasty proposed that having a scope defined by the organization subject to the test is somehow equivalent to fraud (if the results of the test are not made public)."

The only rationale that I can see from what Ivan's written is that he has been there. Most others have not. That's why there is a complete disconnect between logic and reason.

Omar Herrera wrote: "I've been an auditor myself for one of the remaining big 4 (doing security assessments in support of financial audits, started as consultant, then Sr. consultant and finally as manager) and I'm not convinced that your perception is at all correct. If you are referring to information security people that do assessments during a financial audit (brought in by the auditors) then their job is definitely not what you say. They are there to support the financial auditors, not to find the low hanging fruit. If you want this then simply hire a pentest team for this specific purpose."

Hence my point that the pen test is in support of the financial statements. In a perfect world you might be able to establish ROE on a pen-test and feel confident to rely on the results. As the commercial states, we don't live in Perfect. I don't want to deliberate on this too much more.
Since I receive information on specific audit requirements, here is the most recent from ISACA:

The Standards Board has issued the following IS Auditing Standards, which become effective for IS audits commencing after 1 July 2006:
· S12 Audit Materiality
· S13 Using the Work of Other Experts *****
· S14 Audit Evidence

My concerns with ROEs are defined within S13. Any big 4, or maybe big 3 now, manager should know this. Audit managers are brought to the back room by the CFO or CEO and presented with a pentest from within the past 12 months that covered dialup issues. Everyone smiles and the audit manager is led out of the room with the cover letter stating that the pen-test performed was in conformance with all ROE. The audit manager, knowing he has to cut costs or it's coming out of his budget, will accept the pen-test as support and reduce the confidence sample. REALITY? Yes. FRAUD? With a good attorney like Ken Lay's, or if you're a cute Florida school teacher, you just clean up your resume and work for the big 2.