Ed, when you say "well known vendors," do you mean large organizations like KPMG, IBM, etc. that are well-known generally to the public, or do you mean boutique shops that are well-known only within the security community for pen testing? If the former, it isn't surprising at all... if the latter, I'm intrigued. There is usually a huge gap in expertise for this kind of work (favoring the boutique), but strangely, a large gap in the other direction when it comes down to actually landing big security projects.
--Steve

On Tue, Apr 3, 2012 at 11:23 AM, Ziots, Edward <[email protected]> wrote:
> Cheer, I ain't the only one that is peeved at the current lack of standards
> in what is called a Pen test, because a lot of the current vendors that
> claim they are giving you a pen-test are just giving you a VA Scan, which
> is nowhere near the same thing. I have seen this 2-3x already from
> different well known vendors which shall remain nameless.
>
> Here are the standards I would expect to be utilized in a Penetration test
> and how it should go.
>
> Penetration Test Execution Standard:
> http://www.pentest-standard.org/index.php/Main_Page
>
> Open Source Security Testing Methodology OSSTMM
> http://www.isecom.org/research/osstmm.html
>
> And yes I have been reading up a lot of what your son has been saying Jim,
> bright kid you got there, and I agree with about 98% of what he is saying
> because I am seeing the same freaking thing all over the place.
>
> It's also why I am starting to do my own Pen-testing with the tools,
> because of the risks and the needs to validate security configurations on
> systems before they go to production and throughout the SDLC until they are
> decommissioned.
>
> Now to Andrew's comments, I agree most organizations don't understand how
> to prioritize their information systems or know what data or its
> criticality to the business/organizations it serves even is. Couple that
> with a lack of BCP/DR planning to guide the RTO/RPO/MTTR discussion and why
> IT needs to procure to meet these requirements is another stumbling block.
> Again it falls into the "compliance" bucket and most
> business/organizations will only do the minimum they need to do to appease
> the auditors and pass compliance, and folks are starting to find out just
> because you're compliant doesn't mean you can't be "P0wned" in a heartbeat.
>
> Why I have always told folks that security for the sake of compliance is a
> really bad framework to work from. Because you are missing the Governance
> and the Risk Management pieces of the GRC which is really where it all
> comes together from.
>
> Z
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> From: Andrew S. Baker [mailto:[email protected]]
> Sent: Tuesday, April 03, 2012 10:46 AM
> To: NT System Admin Issues
> Subject: Re: OT: Favour to ask
>
> While I agree with the thrust of this article, the fact is that much of
> the complexity is there because without it, many would not accept that the
> risks exist.
>
> Yes, it is critical that an organization also receive some guidance about
> how to prioritize the risks and remediate them, but if organizations insist
> on not maintaining FTEs or consultants who can provide that
> information/guidance, and they don't seek a qualified security vendor to
> partner with to obtain said information/guidance, is the problem really the
> size or complexity of the penetration testing report?
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market...
>
> On Tue, Apr 3, 2012 at 9:31 AM, Kennedy, Jim <[email protected]> wrote:
>
> I've seen it, my kid wrote it.
>
> J
>
> He is currently ripping on the industry pen test standards, much as you
> were last week.
>
> http://searchsecurity.techtarget.com/news/2240147882/Expert-advocates-for-more-effective-pen-tests-less-complex-security
>
> From: Ziots, Edward [mailto:[email protected]]
> Sent: Tuesday, April 03, 2012 9:28 AM
> To: NT System Admin Issues
> Subject: RE: OT: Favour to ask
>
> Take a look at the social engineer's toolset, it's pretty amazing what you
> can do with those tools to test how well your users are equipped against
> social engineering threats.
>
> EZ
>
> Edward Ziots
> CISSP, Security +, Network +
> Security Engineer
> Lifespan Organization
> [email protected]
>
> From: Kennedy, Jim [mailto:[email protected]]
> Sent: Monday, April 02, 2012 4:08 PM
> To: NT System Admin Issues
> Subject: RE: OT: Favour to ask
>
> Yes, we all should have sandboxes for this kind of thing.
>
> From: Cameron [mailto:[email protected]]
> Sent: Monday, April 02, 2012 4:05 PM
> To: NT System Admin Issues
> Subject: Re: OT: Favour to ask
>
> Andrew...you are of course correct! Thankfully we are not our end-users!
> LOL!
>
> On Mon, Apr 2, 2012 at 3:08 PM, Andrew S. Baker <[email protected]> wrote:
>
> Isn't this the sort of thing we teach our end-users not to fall for in an
> effort to avoid social engineering issues?
>
> Why would we undermine our own education in this arena?
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market...
>
> On Mon, Apr 2, 2012 at 2:53 PM, Cameron <[email protected]> wrote:
>
> Good afternoon all!
>
> I have a favour to ask for my 2nd cousin Heather. She and some classmates
> have done an assignment for her Cardiology Final (she is pre-med) as a
> YouTube presentation. The information is real, and they came up with a
> fictional newscast channeling Charlie's Angels. The information is a real
> study and the athlete in it is her boyfriend. The number of hits is going
> to determine their grade.
>
> I would really appreciate it if you could just *hit* the video (you don't
> need to watch it!).
>
> http://www.youtube.com/watch?v=H3TD98qRPAM&feature=youtu.be
>
> Thanks as always!
>
> Cameron
