Security Basics mailing list archives
RE: Would you bet your life on your security?
From: "MacDougall, Shane" <smacdougall () idanalytics com>
Date: Thu, 2 Oct 2003 16:45:17 -0700
As a former pen-tester with over 13 years experience, I can say that many companies (large and small) offer this as an
incentive (I've worked with all types). In fact, in the past when some potential clients bragged that their networks
didn't need pentests because they were secure, we'd offer a "double or nothing" option - if we gained root access
they'd pay double our initial quoted price. If we didn't get in, they'd pay only our travel costs and we'd eat the
rest. Most would balk, and instead opt to go with the initial fee.
Just because ISECOM forbids it means nothing in the real world. I've met **many** "pen-testers" who couldn't hack their
way out of a wet paper computer. They'd do a basic scan of a network, not notice obvious vulns staring them in the
face, then write a report saying the network was secure. The only people that gained anything from the exercise were
the "consultants". The clients still had vulnerable networks, yet were blissfully unaware of the fact, and were out the
money for the "review".
I've seen "Big 5" (or Big 4 I guess now) firms throwing IIS scripts at verified Apache servers, and "boutique" pen test
firms reporting routers as secure when their config files (passwords and all) were open to the world.
Offering a money back guarantee protects companies from hiring firms that know how to run ISS, nmap and nessus, but can
do f**k all with the results. If you can't back your work, get out of the arena.
The only real concern here is defining what discovered vulnerabilities are "critical". This can easily become a
quagmire for the consultant unless the ground rules are clearly established before the engagement begins. Does a host
running ECHO/CHARGEN qualify as a critically vulnerable system? That depends on whether or not the system's data is
critical, or its availability is critical. I've had many clients who couldn't give a rat's ass if their network could
be DoS'd - as long as the data on the hosts was intact they could sleep soundly.
My $.02 ($.028 Canadian)
SET FLAMES=ON
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Shane MacDougall
Chief Security Officer
ID Analytics
San Diego, California USA
Direct: (858) 427-2860
Toll Free: 866-240-4484 x 2860
Fax: 858-427-2899
-----Original Message-----
From: Eric Brown [mailto:ericbrow () ziplip com]
Sent: Wednesday, October 01, 2003 7:04 PM
To: simon; security-basics () securityfocus com
Subject: Re: Would you bet your life on your security?
Hello Simon,
I'm pretty new to security, but this is discouraged by the ISECOM in their most current Open Source Security Testing
Methodology Manual, p. 18, "2. The offering of free services for failure to penetrate or provide trophies from the
target is forbidden."
I wouldn't know this if I hadn't just read it though.
Eric