EH-Net (The Ethical Hacker Network) forum: Show Posts
Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / Re: I gotta know...."Quis custodiet ipsos custodes?" Are there standards? on: June 28, 2010, 02:18:19 PM
I'm not exactly expecting people to have some kind of information on a step-by-step remediation... I just want someone to tell me the means of addressing a security vulnerability and some suggestions on how to address it...

Point form, like this:

  • Vulnerability identified
  • Exploit possible/not possible
  • Risk to company
  • Possible means of addressing risk
  • etc....

I'll take a look at those methodologies and see if there is something in there in the form of some kind of Visio or process diagram. Also, if you could point me to some form of "Checks and Balances" or other "caveats" towards a pen-test... I would be very grateful....

Cheers,
Animus

Ethical Hacking Discussions and Related Certifications / Compliance, Regulations & Standards / I gotta know...."Quis custodiet ipsos custodes?" Are there standards? on: June 28, 2010, 02:13:51 AM
I'm curious...
When a client hires my consulting firm to complete a project, there are a few pieces of collateral that I have grown to expect...

  • Project Plan (and associated collateral)
  • Process Guide
  • Process Documentation (usually in UML/XML/BPMN 1.2, etc... though it really depends...)
  • Project Notes (including interviews with SMEs, entrance/exit interviews, Post Implementation Reviews, etc...)

So when my buddy's company hires an "Ethical Hacker" to do a security assessment, I'm expecting:

  • a list of vulnerabilities (itemized and ranked by priority and criticality/impact)
  • the means to exploit them (exploit code location/repository)
  • those that were exploited (identified by a unique identifier, like a MAC, IP, name, anything really...)
  • those that were not exploited and the reasons why (like it'd bring down X service, etc...)

What I was not expecting was a Word document showing what they scanned and the "possible" risks. With nothing towards remediation... "It's not in the scope of the pen-test. [...] We make recommendations, and they make the changes..."

Wha?

  • Is there some "standard" penetration methodology or process out there?
  • I'm sure, if it's like any other industry, there are tons of "standards" out there... But which ones are the "biggies" and how would one know if someone did a good job?
  • Are there firms that "audit" the pen-testing companies?

I'm thinking there has to be some way to address the age-old question:
"Quis custodiet ipsos custodes?" - Who will watch the watchmen?
© 2013 The Ethical Hacker Network