> I disagree (somewhat). While I think the boss is throwing
> money away if he paid before success, lots of highly successful
> companies pay "Tiger Teams" to break into their networks. It's
> a VERY lucrative talent if you can do it.

While it's true that there are network security consultants who will break
in to demonstrate security flaws, this isn't what's being done here. There
are several serious issues being ignored when you make this comparison.
If you hire a company to test your security, and they're qualified, you and
they will have lots of legal hurdles to cross. For example, you probably
wouldn't want to test your production system directly - there might be
accidental damage, or a service outage as a result. You'd need full logging
of everything they tried. You'd need them to sign non-disclosure agreements,
and they'd need you to sign theirs as well. You'd want background on their
employees. In short, there are lots of i's to dot and t's to cross. A
security audit is a non-trivial process, and an on-going one - it's not done
when the server is compromised and the problem is fixed.

In this case, some guy is going to find some other guy to hack the site. Who
knows what this other guy is going to do? Will he leave a message on it
saying it's "owned"? While it's running and presumably fulfilling some
important business function? Will this other guy leave a rootkit on it, so
that when this is all over, he can stash a couple hundred MB of porn and
warez there without your knowledge, or use it as a platform to attack other
machines? Will other parts of the network be compromised? Who will pay for
the outage when he causes a buffer overflow to crash a service and execute
his little code snippet, and the machine doesn't restart? There are many
more problems than these.

If I were put in the position that Nick's boss put him in, I'd give the boss
this full warning. If the boss wants a security audit, hire the pros, and
don't get the boss's girlfriend's boyfriend's college buddy to try first.

> What's worse is these teams usually get in. Many sites are built on
> servers that aren't properly secured. Whether it's because they were
> in a hurry or just learned HTML and now CFML and don't have time to
> learn system security, the doors are there. You'll also be amazed how
> many employees will actually give things out over the phone. It's scary.

These teams will always "usually get in". It is practically impossible to
completely secure a computer on a network. Given enough time, resources, and
patience, any server is vulnerable. The only secure computer is the one
that's turned off, put into a big iron box, and dropped to the bottom of the
ocean.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496
fax: (202) 797-5444
------------------------------------------------------------------------------
Archives: http://www.eGroups.com/list/cf-talk