Great Circle Associates Firewalls
(February 1998)

Subject: RE: Security Auditor versus Security Auditor was Re: Certifying Security Auditors
From: Mark Teicher <mht @ clark . net>
Date: Mon, 16 Feb 1998 15:51:39 -0500 (EST)
To: "Moser, Stefan" <stefan . moser @ csfb . com>, ipdaily @ earthlink . net
Cc: firewalls @ GreatCircle . COM
In-reply-to: <21D8314B439ED111A4690000F8AE45E5036AAD @ slon00302 . gb . csfp . csh . com>


Stefan,

Sounds like a great idea, sort of a DEFCON, capture-the-flag type of thing
for security auditors.

Sort of a contest to test the security auditor type of folks out there who
do this for a living.

Set up a dozen systems or so, with various security problems, and go from
there.

Have a couple of guest speakers on the topic.

Have it run over a week's time, corporation against corporation, auditor versus
auditor.

The team that wins then gets to teach the rest of the group how to
conduct a proper security audit.

Anybody from sponsor land willing to back this???




> [Stefan Moser]
> Elaborating on this, maybe the only test of any value is to consciously
> induce some 'security problems' before the audit actually takes place. Then let the
> auditors do their work and see how many of the phony security risks the auditor finds besides any
> real ones (which might or might not exist). This would give you a pretty good idea of the
> quality of the audit.
> 
> The problem with the approach is that the client needs to be very
> security savvy in order to induce the phony problems, i.e. present any challenge and also make
> sure that they're not actually putting their network into real jeopardy.
> 
> In a case where a client hires independent consultants for security
> implementation and audit, he could play the two parties off against each other and get a quality
> evaluation for both.
> 
> Also, maybe the NCSA or somebody like that could host an annual
> competition, setting up a network that auditors can bang their heads against :)
> 
> 
> > > Hopefully, two things can happen over time: 1. security auditors are
> > > properly trained by some experienced folks before they are sent to
> > > customer sites, and 2. customers are more aware of what a security audit
> > > is.
> > 
> > I agree completely. Without both ends it will remain a black-arts
> > field of study that will be plagued with shoddy workmanship. Not to say we are all
> > clueless on this, but then again I just saw a few more "unsubscribe" messages hit
> > the list. ;)
> > 
> > Cheers,
> > Chris
> > --
> > **************************************
> > cbrenton @ sover . net
> > 
> > Multiprotocol Network Design & Troubleshooting
> > http://www.amazon.com/exec/obidos/ISBN=0782120822/0740-8883012-887529
> > 
> > Support the anti-spam movement: http://www.cauce.org/
> > 
> 

##########################################################
'Turn on, Boot Up, Jack in'
##########################################################
