P.L. Steinbruch wrote:
> Now, about to contract a "security professional":
> " (hmm.... I have to admit that nowadays a lot of such services are
> being offered by "professionals" while in reality they are not much more
> than script kiddies themselves....But that's the universal problem of
> "separating the wheat from the chaff" and is another discussion....)"
That might be difficult..... Many so-called security professionals use a
tactic by impressing you with difficult technical terms, acronyms, etc...
Don't be impressed. Let the pro explain to you what he will do during the
penetration test/audit in a language *you*, or even better: your boss, can
understand. If he is not able to do that, don't hire him. I believe that a
real master is able to explain the intricacies of his craft in a simple
man's language.
Also ask for references, ask for example reports (perhaps you should first
try to find an example report as generated by ISS, Cybercop, etc. --- and
then find the differences :-)). Ask for his working practices, etc....
(As an aid: ask him to explain to you in a simple man's language what the
following mean:
OS fingerprinting
buffer overflows
perl
666
FIN scan
Xmas tree
bpf
overlapping fragments
STATE transitions
libc
cg6 drivers
1777)
Gr. Arjan
p.s. before I get flames..... The "checklist" items are a bit of a joke, but I
am also a bit serious though...