linking INTEGRITY
Integrity - use of values or principles to guide action in the situation at hand.
Below are links and discussion related to the values of freedom, hope, trust, privacy, responsibility, safety, and well-being, within business and government situations arising in the areas of security, privacy, technology, corporate governance, sustainability, and CSR.

Using Penetration Testing to Identify Management Issues, 15.5.04
ONLamp.com
After managing the performance of over 20,000 infrastructure and application penetration tests and vulnerability assessment exercises, I have come to realize the importance of technical testing and provision of information security assurance. The purpose for conducting the tens of thousands of penetration tests during my 20-plus years working in information systems security was 'to identify technical vulnerabilities in the tested system in order to correct the vulnerability or mitigate any risk posed by it.' In my opinion, this is a clear, concise, and perfectly wrong reason to conduct penetration testing.
Vulnerabilities and exposures in most environments come about by poor system management -- patches not installed in a timely fashion, weak password policy, poor access control, et al. Therefore, the principal reason and objective behind penetration testing should be to identify and correct the underlying systems management process failures that produced the vulnerability detected by the test. The most common of these systems management process failures exist in the following areas:
Unfortunately, many IT security consultants provide detailed lists of specific test findings, and never attempt the higher order analysis needed to answer the question of "why." This failure to identify and correct the underlying management cause of the test findings assures that, when the consultant returns to test the client again in 6 months, a whole new set of findings will appear.
...