
Penetration Testing mailing list archives

Re: Re: rules of engagement scope
From: mr.nasty () ix netcom com
Date: 16 May 2006 14:29:37 -0000

Some of the pro ROE responses appear to have a serious disconnect between ‘reality’ and the seriousness of the subject.

As far as a pen-test contract is concerned, I’d want to make sure that I get my money’s worth, speaking from the standpoint of a taxpayer, shareholder or CEO.  Hence from this perspective I wouldn’t want to see what I would consider

What is “Fraud, Waste & Abuse”?  Three terms used by organizations to keep an eye on the bottom line.  If organizations had to disclose the ROE (and I don’t mean the entire contract) in their prospectus to support the financial statements, wouldn’t that help to assure investors (taxpayers and shareholders) of the financial environment?

Let’s take a look at two organizations whose auditors were tried and convicted of fixing the books: Enron and WorldCom.  This was, as the news can only surmise and comprehend, a financial disaster.  Correct.  But the main reason was the disclosure of the sheltered companies that were being used to launder money through, which were not disclosed publicly.

What on earth does this have to do with PEN-TESTING?  I’m an AUDITOR; just like a MARINE, you are never an ex-MARINE, you are never an ex-AUDITOR!  I currently work as an ISO for a large organization who oversees PEN-TESTS in my organization.  When these folks visit a site and perform their tests, I want them to find the low-hanging fruit.  Then I don’t just want them to take screenshots; I want them to leave behind a gift, a worm in the apple.  (Not a Morris worm – it’s a euphemism.)

Now how is all this related, you ask?  Just like any organization, there is a method and certain requirements that logically fall into place.  Before a financial auditor can perform any type of confidence testing on your internal controls or transactions, they must be assured that the mechanism (the network – IT) in place is secure within a specific confidence level.

If, however, the organization dictates the methods of pen-tests to provide a favorable result without disclosure, the financial auditors’ sample calculation will be wrong.  (We’re not addressing the ROE of the financial auditors at this

What do we mean by ROE of the pen-test?  That’s probably the first step in addressing this question before it wanders off into 360 different directions.  In my experience I’ve seen organizations dictate how they want the pen-test done, to the point of restricting the testers to a specific IP and alerting IDS prior to any testing.

As a pen-tester myself I was given an edict restricting me from connecting to the network and from touching a keyboard at the facility I was testing.  Yet I was to perform a pen-test.  So how did I break in?  I thought like a hacker and social-engineered my way right in front of the director, chief of security and my escort, and took their SAM file through locked doors and a “secure” network, all within the confines of the letter.  But then that’s because I’m good; another story for a later date.

The point I’m trying to make here is that these tests (risk analysis, vulnerability tests, pen-test) are for a purpose and not in themselves a goal.  They are there to support the reliability of the information security of the organization through its financial statements.

Believe me, no one (taxpayer or shareholder) is going to review the pen-test.  They rely on the financial statements.  Without full disclosure of this ROE within their financial statements, this, in my opinion, is considered FRAUD, WASTE & ABUSE.  It is misleading to the financial audit and to the taxpayer and shareholders alike.

Sorry to take so much bandwidth but I’m very sensitive to this.

