Actually, I disagree with your statement.  I think there are many ex-hackers or 
hackers elite that have gained recognition that they would be a 
considerable asset during a penetration study. Price Waterhouse, Coopers 
now PWC, Ernst & Young created their whole business model and selling 
methodology preying on the fact that Fortune 500 companies cringe at the 
thought of hiring ex-hackers to conduct an intrusion test.  The fact of the 
matter is that "ethical" hackers are no better than ex-hackers.  The 
definition of an "ethical" hacker has been written about over and over 
again.  For a really great definition of what a hacker is: check out the 
www.atstake.com FAQ.  They have put together a very simple explanation of 
what a hacker is and why they deem it such.

Hiring a Big Six firm to conduct an intrusion study or an Internet 
footprint analysis in my mind is much more dangerous than hiring 
ex-hackers, probably because I worked for one a while back and thought 
their methodology/approach and deliverable was pretty much vapor (lots of 
smoke and mirrors) and no real value.
The secret to a successful security assessment is not to point out the 
various different ways one can gain access to a particular organization 
but how to state recommendations that are specific to the organization on 
improving their security posture.

Since my departure from the Big Six world, I have yet to see any 
improvements in their methodology, and I have seen severe plagiarism from 
PWC to E&Y and other non-ethical behavior that tends to make hiring an 
ex-hacker a much more pleasurable endeavor, since it is a one time thing. 
Hiring a Big Six firm to conduct a penetration analysis is like swimming 
with piranha.

/mark




Clarence <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/19/00 12:26 AM

 
        To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        cc: 
        Subject:        Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers




I consider this to be a bad practice when there are enough ethical hackers 
out there who can do the job with much less worry.  

  [EMAIL PROTECTED] wrote: 


Hello,

We are looking to have a penetration test done on our infrastructure, this
includes the firewall, servers, etc.

Are there any issues I should be concerned with in hiring a company that
employs ex-hackers or current hackers?

Thanks!

allan






================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================



Clarence Irons, Jr.
Information Security Engineer






