cyberwart

Today I was sort of surprised that basic CYA steps I use for pen testing weren’t immediately obvious to others. Maybe I’m exceptionally paranoid and worry to much but I thought I’d share some thoughts on the CYA business end of things.

1. Always start with a signed contract and rules of engagement. Do nothing without having this document.
2. Always read the Statement of Work (SoW) and the Rules of Engagement (RoE). These define both what you have to do and what you can’t do.
3. Always keep your PoC happy. Everything is much easier if your contact is happy. Make sure you ask them up front what they hope to get out of the engagement and check in to see that you’re meeting the objectives.
4. For any variation in the RoE/Contract feel it out verbally with the PoC first. If all is well, follow up with an email confirming what you heard and CC the project management. (good pen testers sometimes cheat, but this is how things should be done…)
5. Check with your management that your variations are cool. Sometimes actions are too risky for them and sometimes they don’t want to do free labor. This item really depends on your management.
6. If you put any tools or accounts on boxes notate it all in a spreadsheet as you do it. Track state, install, md5, uninstall — always uninstall/remove anything you create.

For the most part, I’ve avoided general ranting on my blog. However tonight I feel compelled. First, hearing Amherst people rant about politics is hilarious. Foremost, being from DC I hear strong arguments about the difficulties of executing effective public policy. There are idealist, but their grounded in realities. For example, I’m hugely liberal and I think issues such as homlessness should be fought. The difficulty is that as aid goes up, people are more inclined to rely on the safety net and the problem compounds. Here they seem to ignore such realities.

The thing that really suprises me is that they only theorize the systems. I’m probably overly inclined to build models and I’m fully aware of their flaws, but I can’t imagine a simulation would be worse of than pure brain power. Maybe I should go build one for the fun of it. I actually think it would be kind of interesting. I could roughly model a town or something with people, topology, income, political drive, etc. Add some randomness and see how things (d)evolve. Economic and political theory are amusing enough. I bet it could keep my attention long enough to build…now if only I didn’t have 10 other projects.