Mark makes a good point.

You need to look for people w/ talent, not companies w/ big billing rates.  
I will say that E&Y & PwC had a lot of good people, yet most of the good 
ones, the ones that know their stuff, eventually leave to go to more 
specialized firms.

As to E&Y, they have imploded in the last year.  We used them but they lost 
ALL of their good people.  Many went to Foundstone or Global Integrity or other 
boutique firms.

We had a meeting w/ E&Y recently and they are running real low (on fumes) on 
talent.  We had them in last year and they did do excellent, albeit 
expensive work.  But all of the senior technical guys as I said are gone.  
So we are going to pass on them.  As to PwC, we are getting together w/ them 
on the 29th, so I can’t comment.

Allan



----Original Message Follows----
From: [EMAIL PROTECTED]
To: Clarence <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED], 
Robert McMahon <[EMAIL PROTECTED]>
Subject: Re: [FW1] Issues in hiring a company that employs ex-hackers or 
current hackers
Date: Mon, 19 Jun 2000 08:14:44 -0700

Actually

I disagree with your statement.  I think there are many ex-hackers or
elite hackers that have gained recognition, and they would be a
considerable asset during a penetration study.  Price Waterhouse, Coopers
(now PWC), and Ernst & Young created their whole business model and selling
methodology preying on the fact that Fortune 500 companies cringe at the
thought of hiring ex-hackers to conduct an intrusion test.  The fact of the
matter is that "ethical" hackers are no better than ex-hackers.  The
definition of an "ethical" hacker has been written about over and over
again.  For a really great definition of what a hacker is, check out the
www.atstake.com FAQ.  They have put together a very simple explanation of
what a hacker is and why they deem it such.

Hiring a Big Six firm to conduct an intrusion study or an Internet
footprint analysis in my mind is much more dangerous than hiring
ex-hackers, probably because I worked for one a while back and thought
their methodology/approach and deliverable was pretty much vapor (lots of
smoke and mirrors) and no real value.
The secret to a successful security assessment is not to point out the
various different ways one can gain access to a particular organization
but how to state recommendations that are specific to the organization on
improving their security posture.

Since my departure from the Big Six world, I have yet to see any
improvements in their methodology, and I have seen severe plagiarism from
PWC to E&Y and other non-ethical behavior that tends to make hiring an
ex-hacker a much more pleasurable endeavor, since it is a one-time thing.
Hiring a Big Six firm to conduct a penetration analysis is like swimming
with piranha.

/mark




Clarence <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/19/00 12:26 AM

To:      [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers




I consider this to be a bad practice when there are enough ethical hackers
out there who can do the job with much less worry.

   [EMAIL PROTECTED] wrote:


Hello,

We are looking to have a penetration test done on our infrastructure, this
includes the firewall, servers, etc.

Are there any issues I should be concerned with in hiring a company that
employs ex-hackers or current hackers?

Thanks!

allan



________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com



================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================



Clarence Irons, Jr.
Information Security Engineer









