[Chugalug] penetrate me!

Stephen Kraus ub3ratl4sf00 at gmail.com
Thu Mar 27 14:15:49 UTC 2014


Man, sounds like the company I'm working for: All the IT got left by the
wayside and was in a mess when I came in.


On Thu, Mar 27, 2014 at 9:34 AM, Christopher Rimondi <chris.rimondi at gmail.com> wrote:

> Unfortunately it is probably just due diligence, and who you have perform
> it will not be as important as that you had it done. If your client has
> someone who mildly knows what they are doing, they may look at the scope of
> the test. Without knowing more information about your situation, the things
> I would look at when hiring someone like this are their experience,
> references, insurance, etc.
>
> I will give Stephen Haywood a good recommendation FWIW.
>
>
> On Thu, Mar 27, 2014 at 8:58 AM, Joseph Simoneau <joseph.simoneau at gmail.com> wrote:
>
>> If it'll satisfy your requirements for professionalism, I can get in
>> contact with the greyhat club at Georgia tech.
>>
>> We're all students, mostly undergrads, but I'm sure we'd love to put a
>> team together for travel (if necessary, not sure what scenarios you're
>> looking at), possibly a pittance, and resume fodder.
>>
>> Some of us definitely know what we're doing; some have interned or
>> co-op'd; and graduates tend to get hired by firms like PWC and BishopFox.
>>
>> If you're interested, send me some information, and I'll ask for interest
>> at the meeting tonight.
>>
>> -js
>> Our "network administrator" at the main office quit over a year ago and a
>> replacement was never hired.
>> http://www.linkedin.com/pub/christopher-silver/7/6a8/341
>>
>> Our "network administrator" at our "NOC" quit over a year ago and never
>> got replaced.
>> www.linkedin.com/in/mlaman
>>
>> Our "phone system guy" quit a year ago, a replacement was hired, but I've
>> seen him, like, once. When the phone/fax systems go down, they call ME.
>> http://www.linkedin.com/profile/view?id=49461976
>>
>> So guess what?  I and one of the other programmers on my team inherited
>> all these extra support duties (without a single f'ing penny of a pay
>> raise, mind you).
>>
>> We inherited hardware and software that hasn't been updated in years
>> (insert career-damaging-but-painfully-true
>> my-boss-is-a-cheap-bastard-and-doesn't-spend-money-on-upgrades comment here)
>>
>> We know basic firewalling, iptables, are mindful of SQL injection, can
>> install/run/monitor virus scanners etc., but we are not security experts nor
>> do we play one on TV.
>>
>> If this situation wasn't stressful enough, it has now come to a boil as a
>> potential (big!) client "demands" proof of pen testing before they will let
>> us host their data. At this point I'm spread way too thin and told my
>> boss today that he needs to crack open that wallet and hire an outside pen
>> tester. Anyone on the list "qualified" to do it? Willing to work for
>> peanuts?
>>
>> What defines a qualified pen tester? I see what appears to be "free"
>> software I could download and run myself, if I were inclined to take on more
>> responsibility w/o pay. I suppose this free software would be a "good
>> start", but is a pen test done by an "internal" employee good enough for the
>> client? I doubt it.
>>
>>
>>
>>
>> _______________________________________________
>> Chugalug mailing list
>> Chugalug at chugalug.org
>> http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
>>
>
>
> --
> Chris Rimondi | http://twitter.com/crimondi | securitygrit.com
>