Woo! Let's open the floodgates for the ethics arguments. But my argument against hiring a "hacker" is this: a penetration test at any level is not going to find you a cure for your security problems. It's not even going to find them all, since most of your real security problems will be related to your staff and their attitudes, not to your technical security. In short, "security is a people problem", so by hiring a hacker all you do is:

1. expose your organisation to possibly unethical people
2. gain an assessment that does not give any positive assurance (i.e. it can only show what the hacker found; if the hacker is not good then he won't find the holes that a better hacker will find)
3. waste your org's money (penetration testing is _always_ expensive, and if it's cheap then why not go and buy ISS yourself, since that's all they are doing; sometimes the expensive ones are too)

You would be better to start with a controls-based audit of your security to see if the mechanisms are in place to ensure the security, like:

- change control on the firewall rulesets
- ensuring that users' accesses get changed as their employment changes
- ensuring that there are well-known "usage guidelines"
- ensuring that there are good procedures for handling calls from users asking for passwords to be renewed (aka "social engineering")

Once the org passes a controls audit, then you can start doing hard testing against the controls to see if they are effective. And it's then that you need someone with good technical knowledge. I avoid "hacker" nowadays as it implies some idiot who's seen "Sneakers" or is a member of 2600 rather than a competent tester/auditor.

>> To carry the idea further, the only REAL security assessment you are
>> going to get is going to be from a "hacker" (and this may require a
>> definition of a hacker), not someone who has read a lot of books.
:}

Cheers,
Bret

Technical Incursion Countermeasures
[EMAIL PROTECTED]
http://www.ticm.com/
ph: (+61)(041) 4411 149 (UTC+8 hrs)
fax: (+61)(08) 9454 6042

The Insider - an e'zine on computer security, Vol 3 Issue 1 out now
http://www.ticm.com/info/insider/index.html

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
Re: AW: AW: AW: Hacking Contest ?
Technical Incursion Countermeasures Sat, 10 Apr 1999 05:14:04 -0400
