Allan,

Why, thank you for your compliment.

As I just discussed with the senior security management where I work, one should really examine what an organization is after. If the need to hire "ethical" hackers or x-hackers is to prove to an organization's management, to validate issues that the security group or IT group has raised concerns about, that is OK. It is more of an issue to free up "budgetary" dollars to start addressing the security concerns of an organization.

I am not sure who is left at the Big Six firms; some of the people have left for obvious reasons and some others for less obvious reasons. There are still a few good people out there, but finding them, and finding them available, is another matter. If they are good, they are most likely unavailable for the next x months.

"Boutique firms" is a very interesting term. One of the Partners (or almost Partner at the time) informed me that people like myself would do quite well at a boutique shop versus working for a large Big Six firm. A Big Six firm's InfoSec staff is most likely made up of people from boutique firms, so his statement never really made any sense.

/m




"Allan Pratt" <[EMAIL PROTECTED]>
06/19/00 09:09 AM

        To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        cc:     [EMAIL PROTECTED], [EMAIL PROTECTED]
        Subject:        Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers


Mark makes a good point.

You need to look for people w/ talent, not companies w/ big billing rates. I will say that E&Y & PwC had a lot of good people, yet most of the good ones, the ones that know their stuff, eventually leave to go to more specialized firms.

As to E&Y, they have imploded in the last year. We used them but they lost ALL of their good people. Many went to Foundstone or Global Integrity or other boutique firms.

We had a meeting w/ E&Y recently and they are running real low (on fumes) on talent. We had them in last year and they did do excellent, albeit expensive, work. But all of the senior technical guys, as I said, are gone. So we are going to pass on them. As to PwC, we are getting together w/ them on the 29th, so I can't comment.

Allan



----Original Message Follows----
From: [EMAIL PROTECTED]
To: Clarence <[EMAIL PROTECTED]>
CC: [EMAIL PROTECTED], [EMAIL PROTECTED],
Robert McMahon <[EMAIL PROTECTED]>
Subject: Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers
Date: Mon, 19 Jun 2000 08:14:44 -0700

Actually,

I disagree with your statement. I think there are many ex-hackers or hacker elite that have gained recognition that they would be a considerable asset during a penetration study. Price Waterhouse Coopers (now PwC) and Ernst & Young created their whole business model and selling methodology preying on the fact that Fortune 500 companies cringe at the thought of hiring ex-hackers to conduct an intrusion test. The fact of the matter is that "ethical" hackers are no better than ex-hackers. The definition of an "ethical" hacker has been written about over and over again. For a really great definition of what a hacker is, check out the www.atstake.com FAQ. They have put together a very simple explanation of what a hacker is and why they deem it such.

Hiring a Big Six firm to conduct an intrusion study or an Internet footprint analysis is, in my mind, much more dangerous than hiring ex-hackers, probably because I worked for one a while back and thought their methodology/approach and deliverable was pretty much vapor (lots of smoke and mirrors) and no real value. The secret to a successful security assessment is not to point out the various different ways one can gain access to a particular organization, but how to state recommendations that are specific to the organization on improving their security posture.

Since my departure from the Big Six world, I have yet to see any improvements in their methodology, and I have seen severe plagiarism from PwC to E&Y and other non-ethical behavior that tends to make hiring an ex-hacker a much more pleasurable endeavor, since it is a one-time thing. Hiring a Big Six firm to conduct a penetration analysis is like swimming with piranha.

/mark




Clarence <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
06/19/00 12:26 AM

         To:     [EMAIL PROTECTED], [EMAIL PROTECTED]
         cc:
         Subject:        Re: [FW1] Issues in hiring a company that employs ex-hackers or current hackers




I consider this to be a bad practice when there are enough ethical hackers out there who can do the job with much less worry.

   [EMAIL PROTECTED] wrote:


Hello,

We are looking to have a penetration test done on our infrastructure; this includes the firewall, servers, etc.

Are there any issues I should be concerned with in hiring a company that
employs ex-hackers or current hackers?

Thanks!

allan



________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com



================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================



Clarence Irons, Jr.
Information Security Engineer



Do You Yahoo!?
Send instant messages with Yahoo! Messenger.








