
List:       isn
Subject:    [ISN] Re: They Break Into Computers To Keep The Bad Guys Out
From:       jericho () dimensional ! com
Date:       1998-03-31 22:17:02


[Moderator: Interesting post.. gives you a little more realism behind
 controlled penetration testing.]

---------- Forwarded message ----------
From: Priest <priest@exo.com>

> These tech wizards are called "ethical hackers," and their job is to keep
> cyberspace safe.
>
> Following Charles Palmer into his workspace is like finding yourself in
> the middle of Mission Impossible. He slips his electronic badge into a
> computerized card-reader that verifies his identity and allows him to open
> the door. He has 20 seconds to close it behind him before an alarm goes
> off. He punches a code into a security device inside the room and takes a
> seat, careful to move just enough so that the motion detectors don't sound
> a warning. "If you sit at the computer screen without moving for 12
> minutes, they'll go off," Palmer explained. The security is necessary, he
> added, "because the technology in this room could wreak havoc in the wrong
> hands."

Look Noid! They bought the marketing hype!

But seriously, I am the service line leader and a senior IT Architect for
IBM's Area 11 (Western 11 state) Information Security services. Previous to
this position I was the Manager for Info Sec and Network Consulting for
Coopers & Lybrand's equivalent to IBM's Area 11 and previous to that I have
over 8 years of professional experience in IT Sec. The facility quoted in this
article does exist (there is another one in Florida) and there are some cool
tools in there. However, the "technology that could wreak havoc in the wrong
hands" is available today to you, John Q. Public, if you wanted to spend the
time and money to set up a similar lab. So while I salute the marketing and PR
folks for this article, I wanted to add a little dose of reality and truth be
told, do a little venting on the concept of Penetration Testing.

The truth about penetration testing is that, while very sexy and real cool, it
does not serve the client very well.  Their money is much better spent on a
security audit with a penetration test as a component.  When we do a
penetration test, our lawyers require that we inform clients that we (1) may
not break in (depending on the criteria of the test) and (2) WILL NOT uncover
ALL of the potential weaknesses.  Thus my above statement about the value of
the test.  With an audit, we look at ALL aspects of a given area from the
inside and the outside of the area as opposed to just the outside.

My two cents.

...Priest



-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated
