Security Basics mailing list archives

RE: How does a customer get PCI audited?
From: Craig Wright <Craig.Wright () bdo com au>
Date: Fri, 6 Jun 2008 01:36:42 +1000

"Just out of curiosity how are you defining a "Pen Test"?"
Pick any of the definitions, right up to full red teaming.

"but you give no examples of other more effective forms of testing."
I have stated audit (done correctly, with knowledgeable people, which I know is rare) to you many times. A good audit of a system will validate a system. If actually done, this is more in-depth than a pen test.

"Common sense doesn't fail more than it succeeds, if it did
then we would not survive as a species."
That is not correct and demonstrates a misunderstanding of evolutionary theory. Evolution does not favour being smarter. In fact the base IQ of most native groups that live a hunter-gatherer existence is higher than that for modern western society. I can send some research papers if you like.

"Testing at a higher threat level means performing research against the
target to be assessed. Often times that involves performing a review of
historical IDS events, a review of the targets policies and procedures,
and gaining an understanding of what they have that is of value that
others want. Another helpful aspect is to be able to keep tabs on what
sorts of 0-day threats exist, which we can do."

The comment again is a red herring. It applies to all aspects of security if done effectively and is designed to throw one off without adding anything. This needs to be done as a pen tester, auditor or whatever else.

"Are you suggesting that a talented, financially oriented malicious hacker with intent to extort his or her victims is 
not a real world threat?"

NO, I am suggesting the opposite: that no pen test does a high-level analysis to the level of a high-level attacker.

"Or are they not real because they do not come wielding hand grenades and guns? Are they not real because they never 
get physical?"

Again you are being ridiculous to try to win a point through other means. Nothing of the type.

"We're not in the 90's anymore, that's 18 years old."
Actually it is 9 years old. It did not state 1990; do the maths and please stick to the topic.

"I see many more people suffering because of "hacks"."
I see most due to actual things that matter: fraud, theft of intellectual property, corporate espionage, breaches of health information.

"So now you are talking about policies and procedures that are far out of
the scope of where this discussion started."

Again you "choose" to miss the point. Pen testing is better to you as this is what you sell and thus there can be no 

">Even from a physical limitation removed perspective with access
granted, how common is it to map internal business processes in a pen
For my team, very common.
"A good team capable of real testing will test those processes and

Show me an example. I do pen testing; I just am honest enough to tell my clients that there are better options for testing and managing controls. Even when this is stated, firms want the "sexy option", as I stated.

Next, to add to "For my team, very common". We have US clients. As an auditor (real audit firm, not security tester but auditor as per the Corporations Act etc.) I have the legal right to ask for testing documents. This is all pen test reports etc. This included ones from groups in the US.

I look through pen test reports weekly. I have seen ones from your firm in the past. I will give you that they are better than most. I shall also state, before you try arguing that they are confidential, remember: audit firm, and the right to have any and all documents we wish to see under law. These are a security control and thus I have a legal right and responsibility to view them.

With this I would state, either you misunderstood the comment or I happen to be unlucky enough in the (approximately) 2500 pen test reports I have reviewed, and the 40+ this year alone, to have missed every example of what I suggested, as I have never received a report from a pen test that actually tested business processes.

"Penetration Tests identify those risks if done properly by a capable team."
Pen testing identifies a limited subset of risks.

It (a pen test) does not test security. It is a form of failure model testing. A system that a pen tester could not compromise is not in a secure state for this reason; it just means that no critical state was discovered.

Craig Wright GSE LLM GREM CISA... and ...

Craig Wright
Manager, Risk Advisory Services

Direct : +61 2 9286 5497
Craig.Wright () bdo com au
+61 417 683 914

BDO Kendalls (NSW-VIC) Pty. Ltd.
Level 19, 2 Market Street Sydney NSW 2000
GPO BOX 2551 Sydney NSW 2001
Fax +61 2 9993 9497