Re: Government Compliance

From: Tim Adams (Tim.Adams@midwestairlines.com)
Date: Thu Jun 16 2005 - 12:16:31 EDT


I feel for you,

Unfortunately a problem in almost all sectors public or private seems to be
what I originally thought to be a lack of understanding regarding
pen-testing, and activities utilized in a typical INFOSEC Technical
Assessment. But it seems now, that most are just looking to get by with
doing as little as possible, eliminating more "Red Team" type activities,
and settling for identification of as many potential vulnerabilities as
possible. Rather then actually putting their systems, controls, and
procedures to the test and evauluating how these items work together to
identify, respond, and deal with actual events. It is also pretty typical
that most no longer feel the need to investigate and validate potentials
identified from their automated tools.

Tim

|---------+---------------------------->
| | Dave |
| | <dave.anon@gmail.|
| | com> |
| | |
| | 06/15/2005 09:50 |
| | AM |
| | Please respond to|
| | Dave |
| | |
|---------+---------------------------->
>---------------------------------------------------------------------------------------------------------------------------|
  | |
  | To: pen-test@securityfocus.com |
  | cc: |
  | Subject: Government Compliance |
>---------------------------------------------------------------------------------------------------------------------------|

Hello everyone. I know some will view this as a rant and other as
informative, but I am making this post as a sanity check.

For the purposes here, I currently work as an IT Security professional
for the US government. I work at the Department of Government, within
a component named AgencyX. Yes, these names are fictional.

To give an outline or basic background, all government computer
systems are governed by strict requirements for designing,
implementing, maintaining, and securing them. Many of these are
mandatory and are not up for negotiation. Some examples include NIST
SP's, FISMA, DCID 6/3, etc.....

OK....so I received and email from a "IT Security professional"
(qualifications and knowledge very questionable) at the Department in
response to a question I had. I had asked for the definition the
Department was adopting for penetration testing. The response I
received was (scrubbed for anonymity):

"... The guidance for penetration testing was reviewed at [department
committee] meeting... penetration testing shall consist of [product
name deleted] vulnerability scans and running [product name deleted]
for cracking passwords... if this has been done AgencyX shall get
credit for penetration testing...."

Ok, I have big problems with this. There are seperate and distinct
requirements for maintaining password complexity, performing vuln
scans, AND performing penetration testing. Any industry guideline or
resource would never allow this "definition". Am I wrong? Am I over
reacting?

When I brought this up to my chain of command I was told "don't rock
the boat". They fully admitted that they knew the definition to be
incorrect in that it was not meeting the intent of the requirement,
but that I should not say anything to rock the boat and just accept
this.

Obviously, for ethical reasons, I am leaving the agency and the department.

Feedback? Thoughts?

-- Dave



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:25 EDT