On Outside Security Audits

From: Martin, James E. (martinat_private)
Date: Thu Sep 06 2001 - 11:16:31 PDT

    I've seen a couple of our downstream networks do this, and the reasons I've
    heard are as follows:
    
    A. We have no internal capability to do so ourselves (or if we do, we've
    spoken up about it so often we're seen as having an agenda), and
    B. We've had enough "learning experiences" with malware, default configs,
    intrusions and other excitement that we've managed to convince someone with
    a little money to fund a one-shot audit, and
    C. If we do this and raise awareness internally, maybe we can get a budget
    to do it, because management is more focused on deliverables than risks.
    
    There may be flaws in this logic, but it seems to work. I'm not claiming the
    outsider is always right or accurate - I've got an audit report on my desk
    at the moment forwarded by a customer who wanted a second opinion. There are
    good consultants and bad.
    
    In terms of bringing in outsiders to do an audit, we brought in a couple of
    CERT/CC members as outside consultants five years ago. Best investment we
    ever made...
    
    Your local mileage may vary!
    
    Jim Martin
    MOREnet
    University of Missouri System
    
    -----Original Message-----
    From: Dave Wray [mailto:davew@sec-tec.com]
    Sent: Wednesday, September 05, 2001 4:27 PM
    To: pen-testat_private
    Subject: Re: Security Audit
    
    <snip>
    
    I think a more suitable question is why would you pay a 'Consultant' good
    money to hit a big green go button and print the results?
    
    Regards to all
    
    Dave Wray
    Sec-Tec Ltd
    www.sec-tec.co.uk
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:50:48 PDT