mailing list archives
Re: How does a customer get PCI audited?
From: Adriel Desautels <adriel () netragard com>
Date: Sat, 07 Jun 2008 00:16:59 -0400
Comments embedded below.
Adriel T. Desautels
Chief Technology Officer
Office : 617-934-0269
Mobile : 617-633-3821
Join the Netragard, LLC. Linked In Group:
Netragard, LLC - http://www.netragard.com - "We make IT Safe"
Penetration Testing, Vulnerability Assessments, Website Security
Netragard Whitepaper Downloads:
Choosing the right provider : http://tinyurl.com/2ahk3j
Three Things you must know : http://tinyurl.com/26pjsn
Dan Anderson wrote:
On Wed, Jun 4, 2008 at 11:08 AM, Adriel Desautels <adriel () netragard com> wrote:
In order to properly defend a network you must first know what you
need to defend it against. You must have a strong understanding of the
threat and how the threat might align with your risk and exposure profile.
The only way to do that is to either have good threat intelligence, or work
with a qualified penetration testing team that has REAL threat intelligence.
Are you suggesting that you should hire a pen-tester to do your risk-analysis?
In my opinion, the job of a penetration testing company is to test the
security of an existing IT Infrastructure and the effectiveness of
policies and procedures to a degree. For example, some of our customers
have very specific incident response policies in place. Those customers
hire us to launch unannounced penetration tests against their
infrastructure as a means to test how well their personnel follow the
incident response policies.
Another example. Many of our customers have managed security providers
that monitor their networks for unauthorized access (IDS/IPS monitoring
etc.). Those customers bring us in to perform unannounced
stealth/evasive penetration testing to see how effective their managed
security providers are.
That said, penetration tests and vulnerability assessments do not
perform complete reviews of a businesses controls, but they can
challenge them to a degree.
It's a novel idea, but don't you normally do risk analysis with your
and a consultant or two?
Why are you assuming that I was talking about a risk-analysis?
Once you've identified such a firm your IT Infrastructure, personnel,
policies, etc. need to be tested at the same or higher threat level as you'd
face in the real world. That will identify your risks and help you to build
the proper CONTROLS to counter those risks. Suggesting that anyone build
controls without first having a GOOD and REAL assessment is horrible advice.
That would be akin to building defenses against Russia during the cold war
with no intelligence about their capabilities.
Never mind, I see why. What I wrote there came out like total horse
shit. Penetration Tests and vulnerability assessments help to test some
existing controls to make certain that they are working properly. New
controls can be created from the results of a penetration test, but
penetration testing is not the tool for creating all controls.
Isn't it more cost effective to use pen-testing to validate your
I mean - if you have no controls in place what value are you getting
from letting the "hackers" break in?
Isn't architecting your controls based on pen-test results kind of
like building your entire security program based on audit findings?
(and a bad idea for the same reasons?)
With respect to your paper, I still need to go read it. That said,
even if Penetration Testing is 30% of the total solution, it is clearly the
foundation to building the solution. Else you are building a blind defense
that most probably won't work.
I still don't get it...Is NetraGard a pen-test outfit?
The foundation to building a secure solution is more about risk
analysis, sound policies, procedures, methodologies, training and
frameworks - not hiring pen-testers.
Penetration testing is a part of *maintaining* a secure foundation.
Certainly there is a point to pen-testing to validate controls, but
it's not the "foundation" of any security effort.
Its common sense Craig, know your enemy, know yourself, and then you
can build a good defense.
Isn't this called a "risk analysis"? Nobody needs to penetrate
anything to do a risk analysis.
There is an old saying, "When all you have is a hammer, everything
looks like a nail."
On the other hand - I guess you would sell a lot more pen-tests if you
convince anyone that you are right.
Well, under any other circumstance I'd be insulted, but what I wrote
before was not at all what I intended to write, please accept my apologies.
Analogies usually suck, mine more then most, but here goes:
Imagine you need to protect a valuable object from theft or destruction.
So, you do no risk analysis, and just put it on a vacant lot...Then
you hire pen-testers to see if they can get it.
They walk onto the lot and take it.
So, you realize that maybe a fence would be a good idea...you install
it, Then you hire pen-testers to see if they can still get it.
They climb the fence and take it.
So, you realize a building might be a neat idea...
Is this really the "common sense" approach?
Wouldn't you be better off getting a few people who know about the
object, a few people who know about protecting objects, and even a few
people who know about stealing objects together in a room and
analyzing the risks and then designing controls to mitigate those
RE: How does a customer get PCI audited? Hill, Pete (Jun 03)
Re: How does a customer get PCI audited? amatachick (Jun 03)
Re: How does a customer get PCI audited? mkburns (Jun 04)
Re: How does a customer get PCI audited? shoten (Jun 06)