Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- To: Ferenc Kovacs <tyra3l@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Fwd: Rate Stratfor's Incident Response
- From: Shyaam Sundhar <shyaam@xxxxxxxxx>
- Date: Sat, 7 Jan 2012 19:53:35 -0500
Looks like the discussion is taking a different direction.
Thank you.
Shyaam
On Jan 7, 2012, at 7:37 PM, Ferenc Kovacs <tyra3l@xxxxxxxxx> wrote:
>
>
> On Sun, Jan 8, 2012 at 1:24 AM, Laurelai <laurelai@xxxxxxxxxxxx> wrote:
> On 1/7/12 6:20 PM, Valdis.Kletnieks@xxxxxx wrote:
> On Sat, 07 Jan 2012 17:37:44 CST, Laurelai said:
> Because they pay the kids to own them in a safe manner to show that
> It's not as simple as all that. A good pen-tester needs more skills than just
> how to pwn a server. You need some business smarts, and you need to be *very*
> careful about writing the rules of engagement (some pen tests that involve
> physical attacks can literally get you shot at if you screw this part up), and
> then *sticking with them* (you find a major social engineering problem while
> doing a black-box test of some front-end servers, you better re-negotiate
> those rules of engagement before you do anything else). Also, once a pen test
> starts, you can't take your time and poke it with the 3 or 4 types of attacks
> that you're good at - you have 3 weeks starting at 8AM Monday to hit it with
> 37 different classes of attacks they're likely to see and another 61 types
> of attacks they're not likely to see and aren't expecting. And be prepared to
> work any one of those 94 from "looks like might be an issue" to something you
> can put in a report and say "You Have A Problem".
>
> Almost no company is stupid enough to hire a pen testing team without that
> team posting a good-sized performance bond in case of a screw-up taking out a
> server, or a rogue pentester stealing the data. (ESPECIALLY in this case, you
> *already* caught them stealing the data once :)
>
> And the kids are going to land a $1M performance bond, how?
>
> (Hint - think this through. Really good pentesters make *really* good bucks.
> If those kiddies had what it took to be good pentesters, they'd already be
> making bucks as pentesters, not as kiddies)
>
> their so called experts are full of shit, then they fire said experts
> and hire competent people saving time money and resources, try and
> Doesn't scale, because there's not enough competent people out there. There's
> 140 million .coms, there aren't 140 million security experts out there.
>
> It's not a new idea - I've heard it every year or two since probably before
> most of the people on this list were born. The fact that almost no companies
> actually *do* it, and that those hackers who have successfully crossed over to
> consulting are rare enough that you can name most of them, should tell you
> something about how well it ends up working in practice.
>
> Well enjoy your doomed industry then. I'll continue to take great pleasure as
> the so called experts get owned by teenagers.
>
> imo public shaming(ie. owned by kiddies, usually they get bigger media
> attention) can force companies to take security more seriously, but imo
> hiring the kiddies isn't the solution.
> even if he/she happens to be the "superstar", who given the chance would be
> able to secure your infrastructure, but the industry is rotten mostly because
> it-sec isn't as high priority as it should be.
> it is an added-value, usually bolted-on top of the screwed up legacy
> processes/software, and the higher-ups expect it to be bought by money alone.
> they would pay for the cert, they would pay for the hacker-proof seal, they
> would pay for the insurance, and the decent looking it-security consultant
> company, but they won't change the flawed processes, and the bad priorities.
> of course many of them will get owned, lose a good chunk of money, some of
> them even will go out of business, but until most of them can get away with
> that broken model, they won't try to fix the underlying problem.
>
> --
> Ferenc Kovács
> @Tyr43l - http://tyrael.hu
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/