[GLLUG] Penetration Test

Suzanne Reiner sreiner@fnba.com
Tue, 28 Jan 2003 09:07:44 -0500


I've been fighting the flu for the past few days.  My apologies for my late
response to everyone's suggestions.

I will certainly employ these tools to check our services before we have a
scan completed.  The regulatory agency requires that we have a scan done through
a third party.  I suppose it is supposed to offer an 'unbiased' opinion of
our internal/external security, in case we are 'cooking the books' ourselves.

We do get a 'rudimentary' scan every year to meet regulations.  This year,
however, we are looking at having an intensive review completed.

EDS... great employees (for the larger part), but refuse management.  It has
been my experience that EDS management impedes the work force.  EDS, in
particular, is a fine example of managerial cowardice, i.e., management
won't hire management staff capable of out-shining a superior manager.  This
way, management remains flatulence through and through.  Stinks up the whole
organization.  We'll see if Engler can help them get more State jobs.

Suzanne



-----Original Message-----
From: Brad Fears [mailto:brad@mtsdev.com]
Sent: Friday, January 24, 2003 11:29 PM
To: Hampton, Rodney
Cc: 'sreiner@fnba.com'; GLLUG
Subject: RE: [GLLUG] Penetration Test


I'll second that.  The department I work for (state gov't, go figure)
almost contracted EDS to conduct similar penetration tests for some of
our servers.  EDS wanted $50K for two weeks of testing and reporting.  I
was able to conduct the same level of testing with mostly open source
software and a little creativity.  Granted, not every company is as
ridiculously priced as EDS, but in most cases, you can avoid
professional testing altogether with a little investigation of your
own.  Besides that, most companies that provide these types of services
never offer much of an explanation about the nature of vulnerabilities,
so you won't learn how to maintain a proper level of security as your
infrastructure grows.

--Brad Fears


On Fri, 2003-01-24 at 11:54, Hampton, Rodney wrote:
> In short, don't hire a company until you've done your homework and gotten
> the basics out of the way.  Make sure the penetration test you contract is
> exposing things that you couldn't have discovered on your own.
>
> My 0.02
>
>
>
>
> Rodney Hampton
> (sorry about the HTML mail)
>
> -----Original Message-----
> From: Suzanne Reiner [mailto:sreiner@fnba.com]
> Sent: Friday, January 24, 2003 10:39 AM
> To: linux-user@egr.msu.edu
> Subject: [GLLUG] Penetration Test
>
>
> We're in the market for penetration testing.  If anyone knows of a reliable
> company, I'm all ears.  FYI:  we will need detailed reporting (high-level
> for the suits and tech detail for IT) with recommendations.  Familiarity
> with banking/OCC procedures a plus, but not necessary.
>
> Cheers,
>
> Suzanne
>
> _______________________________________________
> linux-user mailing list
> linux-user@egr.msu.edu
> http://www.egr.msu.edu/mailman/listinfo/linux-user