WebApp Sec: RE: Remote Desktop Security - Compliance VS Pen-Test

From: Rivest, Philippe <PRivest_at_transforce.ca>
Date: Tue, 2 Sep 2008 10:04:50 -0400

(I don't want to branch out this conversation)
Don't you believe that compliance and Pen-Test are 2 different domains?

Let me explain what I think: compliance is for marketability, but it also
ensures that a client is doing at least the MINIMUM. The goal is always to aim
for at least the minimum. But it is the minimum at everything, and this is
important (everything is important..)

Pen-Test will do maximum damage with minimal effort, I know. It will
probably succeed, but Pen-Test is covered in a compliance check as of SOX and
COBIT. A Pen-Test is aiming at proving security can still improve and should
be used as such, because we all know that most if not every network can be
penetrated. It should be a means with which you can prove to management that
you still need some funding.

I'd like to point to the quote I use in my emails:
"Everything that can fail, will fail. If something can't fail, it will fail
anyway" - Murphy

Merci / Thanks
Philippe Rivest, CEH, Network+, Server+, A+
Internal information security auditor
Email: Privest_at_transforce.ca
Phone: (514) 331-4417
www.transforce.ca

You could print this email, but it does take a long time to grow trees.
"Everything that can fail, will fail. If something can't fail, it will fail
anyway" - Murphy
-----Original Message-----
From: listbounce_at_securityfocus.com [mailto:listbounce_at_securityfocus.com] On
Behalf Of Kish Pent
Sent: 2 September 2008 03:14
To: Nate McFeters
Cc: webappsec_at_securityfocus.com; jaredmalthus
Subject: Re: Remote Desktop Security

Hi Nate,

The point of having compliance, as I understand it, is to "be marketable" to
your customers (from their perspective) ... more often than not, people who've
passed compliance will fail a thorough pen-test, hands down ;)

We all know that compliance is crap to begin with, but that's the sad
reality.

Cheers :)
Kish

--
Kishore Parthasarathy, 
Penetration Tester, Smart Security,
17/1,Upstairs, Sarojini St,T.Nagar, 
Chennai - 600 017
Phone: 91 98841 80767
--- On Sun, 8/31/08, Nate McFeters <nate.mcfeters_at_gmail.com> wrote:
> From: Nate McFeters <nate.mcfeters_at_gmail.com>
> Subject: Re: Remote Desktop Security
> To: kish_pent_at_yahoo.com
> Cc: webappsec_at_securityfocus.com, "jaredmalthus" <jared.malthus_at_gmail.com>
> Date: Sunday, August 31, 2008, 5:50 PM
> Hard to believe someone would PCI certify LogMeIn.  Makes me
> lose my faith
> in PCI... oh wait, I never had any faith in it to begin
> with.
> 
> -Nate
> 
> On Sun, Aug 31, 2008 at 5:45 AM, Kish Pent
> <kish_pent_at_yahoo.com> wrote:
> 
> > Try RSASecurID or Phonefactor's two factor
> authentication scheme.
> >
> > Overview of what is available in LogMeIn Pro version
> can be found here,
> >
> > https://secure.logmein.com/security.asp
> >
> > Documentation of security features for LogMeIn can be
> found here...
> >
> >
> https://secure.logmein.com/documentation/Security/wp_lmi_security.pdf
> >
> > Cheers :)
> > Kish
> >
> >
> > --
> > Kishore Parthasarathy,
> > Penetration Tester, Smart Security,
> > 17/1,Upstairs, Sarojini St,T.Nagar,
> > Chennai - 600 017
> >
> > Phone: 91 98841 80767
> >
> > --- On Sat, 8/30/08, jaredmalthus
> <jared.malthus_at_gmail.com> wrote:
> >
> > > From: jaredmalthus
> <jared.malthus_at_gmail.com>
> > > Subject: Remote Desktop Security
> > > To: webappsec_at_securityfocus.com
> > > Date: Saturday, August 30, 2008, 6:47 PM
> > > I need to be PCI compliant using a remote access
> program
> > > called LogMeIn.
> > > Does anyone have any suggestions on two-factor
> > > authentication solutions that
> > > work with LogMeIn?
> > > --
> > > View this message in context:
> > >
> http://www.nabble.com/Remote-Desktop-Security-tp19238126p19238126.html
> > > Sent from the Web App Security mailing list
> archive at
> > > Nabble.com.
> > >
Received on Sep 02 2008