I've seen a couple of our downstream networks do this, and the reasons I've heard are as follows:

A. We have no internal capability to do so ourselves (or if we do, we've spoken up about it so often we're seen as having an agenda), and
B. We've had enough "learning experiences" with malware, default configs, intrusions and other excitement that we've managed to convince someone with a little money to fund a one-shot audit, and
C. If we do this and raise awareness internally, maybe we can get a budget to do it, because management is more focused on deliverables than risks.

There may be flaws in this logic, but it seems to work. I'm not claiming the outsider is always right or accurate - I've got an audit report on my desk at the moment forwarded by a customer who wanted a second opinion. There are good consultants and bad.

In terms of bringing in outsiders to do an audit, we brought in a couple of CERT/CC members as outside consultants five years ago. Best investment we ever made...

Your local mileage may vary!

Jim Martin
MOREnet
University of Missouri System

-----Original Message-----
From: Dave Wray [mailto:davew@sec-tec.com]
Sent: Wednesday, September 05, 2001 4:27 PM
To: pen-testat_private
Subject: Re: Security Audit

<snip>

I think a more suitable question is why would you pay a 'Consultant' good money to hit a big green go button and print the results?

Regards to all

Dave Wray
Sec-Tec Ltd
www.sec-tec.co.uk

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Fri Sep 07 2001 - 10:50:48 PDT