Tag Archives: comptia

Defcon: The security penetration testing quagmire

How corporate security flaws are handled raises lots of questions

LAS VEGAS — The relationship between CISOs and security penetration testers is anything but clear-cut and raises ethical issues for both parties, a Defcon crowd heard from a former CISO.

Whether penetration testers should come in looking for the one place where they can spectacularly break into the network, or instead assess it clinically and point out potential vulnerabilities, is the big decision CISOs have to make, says a CISO turned penetration tester identified only as Shrdlu.


And the choice is the CISO’s, she says, because the CISO is paying the bills. “It’s not about your satisfaction,” she told a crowd that included many penetration testers.

She says that often penetration tests are mandated by regulations, and the network must pass in order to comply. In that case, she prefers a light touch by the tester, telling her informally about technical security shortcomings but not including them in the formal report that goes to the compliance auditor. “Tell me verbally what’s wrong and don’t write it down,” she says.

For example, if the login prompt tells users they can’t log in because they’ve gotten their username wrong (a distinct message that confirms which usernames exist), that’s a violation. But, she says, doing so saves a lot of help desk and employee time and is a good risk/business trade-off. She doesn’t consider the practice a major breach of good practice.

“There are things I do on purpose and are not high-impact,” she says.
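The login-prompt finding above, as an added example that is not part of the article or of the speaker’s material: a minimal login check in two forms. The “chatty” form reports whether the username or the password was wrong, which is exactly the behaviour that lets an outsider confirm which accounts exist; the hardened form returns one generic message and does the same hashing work on both paths so the response neither says nor times differently. The user store, the fixed salt, the function names and the probe routine are all constructed for this illustration.

```python
"""Username enumeration through login error messages: vulnerable vs hardened.

Constructed example. Users, passwords and the fixed salt are sample data;
a real store derives a random salt per user.
"""
import hashlib
import hmac
import secrets

# Iteration count kept low so the example runs quickly; production PBKDF2
# settings are far higher.
_ITERATIONS = 20_000
_SALT = b"constructed-sample-salt"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed sample user store: username -> (salt, password hash).
USERS = {
    "alice": (_SALT, _hash("correct horse", _SALT)),
    "bob": (_SALT, _hash("battery staple", _SALT)),
}

# Dummy credential used when the username is unknown, so that the
# unknown-user path still performs one PBKDF2 computation (no timing tell).
_DUMMY = (_SALT, _hash(secrets.token_hex(16), _SALT))

GENERIC_ERROR = "Invalid username or password."


def chatty_login(username: str, password: str):
    """The finding from the talk: the two failure messages differ, so any
    caller can tell a valid username from an invalid one."""
    if username not in USERS:
        return (False, "Unknown username.")
    salt, expected = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), expected):
        return (False, "Wrong password.")
    return (True, "Welcome.")


def hardened_login(username: str, password: str):
    """Same message and same amount of work whether or not the user exists."""
    salt, expected = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), expected) and username in USERS
    return (ok, "Welcome." if ok else GENERIC_ERROR)


def enumerate_users(login, candidates):
    """Attacker's view: probe each candidate with a junk password and treat
    any response that differs from a surely-nonexistent user's response as
    confirmation that the account exists."""
    baseline = login("no-such-user-" + secrets.token_hex(4), "x")[1]
    return [name for name in candidates if login(name, "x")[1] != baseline]


if __name__ == "__main__":
    wordlist = ["alice", "bob", "carol"]
    print("chatty   :", enumerate_users(chatty_login, wordlist))    # ['alice', 'bob']
    print("hardened :", enumerate_users(hardened_login, wordlist))  # []
```

The probe routine is what a tester would run against a login endpoint with a small wordlist; the business cost the speaker weighs is that the hardened form sends genuinely mistyped usernames to the help desk instead of the prompt telling the user what to fix.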

That drew protests from audience members, one of whom said it was unethical not to report the security problems he finds, and possibly illegal, because it amounts to lying to compliance auditors. “It sounds like avoiding regulatory scrutiny,” he said.

“That’s very fair,” Shrdlu responded. But she says most compliance regulations are vague enough that reports can be vague as well, indicating an unspecified problem without detailing it. She says penetration testers can prepare two reports, one for her use and a second for the auditor.

She says these dual reports are useful for public organizations where the reports may become public record. The vague one that doesn’t detail specific problems can be the public version and the detailed one can be called a working document and so avoid public scrutiny.

Another audience member said her approach could cause problems for penetration testers if a problem found but not mentioned is exploited. The tester would have no documentation that he’d done his job properly. Again, she fell back on the dual report, where the vague reference to the problem would provide cover for the penetration tester.

She says she is frustrated by penetration testers who have never worked in corporate security and never had to fix the problems testers find. Often the risk a finding poses to the organization is smaller than the cost of the time it would take to fix it, she says. “I’m impatient with penetration testers that have never been on the fixing side,” she says. They need to be more aware of the operational and business impact of the remedies they recommend. “There are things that just plain aren’t going to be fixed.”

How to Become CompTIA A+ Certified

The Computing Technology Industry Association (CompTIA) created the A+ certification to provide technicians with an industry-recognized and valued credential. Because it is accepted industry-wide, it offers technicians an edge in a highly competitive computer job market. It also lets others know your level of achievement and that you have the ability to do the job right. Prospective employers may use the CompTIA A+ certification as a condition of employment or as grounds for a bonus or promotion.

Earning the CompTIA A+ certification means that you have the knowledge and technical skills necessary to be a successful entry-level IT professional in today’s environment. The recently revised exam objectives test your knowledge and skills in all the areas that today’s computing environment requires. More than 5,000 CompTIA A+ certified professionals and employers participated in validating the revised exam objectives. Although the tests cover a broad range of computer software and hardware, they are not vendor-specific.


With the 2006 exams, CompTIA introduced an entirely new structure. You still need to pass two exams to earn the CompTIA A+ certification. However, where previously the two exams were neatly divided into a hardware exam and a software exam, the new exams are organized very differently, and each tests knowledge in a variety of areas. The first exam is CompTIA A+ Essentials (220-601), which every candidate must pass. It measures the competencies required of an entry-level IT professional across a wide range of responsibilities.

Beyond the Essentials exam, you select your second exam from three choices, each of which targets specific job titles. The CompTIA 220-602 exam tests competencies required for job titles such as IT technician, enterprise technician, IT administrator, field service technician, and PC technician. The CompTIA 220-603 exam targets remote support technician, help desk technician, call center technician, specialist, and representative. Finally, the CompTIA 220-604 exam tests the skills expected of depot technicians and bench technicians.

CompTIA recognizes that soft skills are an important part of most jobs, so the exams for job titles that involve customer interaction include a domain called communication and professionalism, which covers human interaction. This is the first time these skills have been measured in CompTIA exams. The exams can be taken at any Thomson Prometric or Pearson VUE testing center. If you pass both exams, you will receive a certificate in the mail confirming that you have passed, along with a lapel pin and a business card.