https://community.isc2.org/t5/Industry-News/Watch-out-for-your-White-Hats/m-p/13951#M1497 <P>Would you hire an electrician who was unaware of local building codes and electrical safety standards?</P><P>That&nbsp;looks like&nbsp;what happened in this situation.</P><P>&nbsp;</P><P>It appears that the Michigan Democrats engaged with a group of politically organized amateur hackers who think they are security testing professionals. Passion and good intentions are not enough.</P><P>&nbsp;</P><P>For my extended thoughts, with added linked reporting beyond the NPR article see</P><P><STRONG><A href="https://cragins.blogspot.com/2018/08/good-intentions-passion-professional.html" target="_blank">Good Intentions &amp; Passion /=/ Professional Expertise</A></STRONG></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Aug 2018 13:45:38 GMT CraginS 2018-08-24T13:45:38Z https://community.isc2.org/t5/Industry-News/Watch-out-for-your-White-Hats/m-p/13925#M1490 <P>Within my own company, we have had discussions about how often/wide pen testing should be announced.&nbsp; One extreme believes that there needs to be widespread knowledge so that the hounds can be called off if production were to be impacted.&nbsp; The other extreme believes that op-sec is required to maintain the integrity of the test. The best answer is probably somewhere in the middle.&nbsp;</P><P>&nbsp;</P><P>The DRC recently became a great example of not getting this balance correct.&nbsp; Yesterday, they <A href="https://www.nytimes.com/2018/08/22/technology/democratic-party-says-it-has-thwarted-attempted-hack-of-voter-database.html" target="_self">publicly announced an attack</A>, which got wide-spread media attention. Today, they&nbsp;<A href="https://www.npr.org/2018/08/23/641189337/dnc-says-attempted-cyberattack-wasnt-russia-it-was-a-test-from-michigan" target="_self">ended up walking it back.</A>&nbsp; Apparently, their white hats and their IR team were not on the same page.&nbsp; It also appears that the white hats may not have been engaged&nbsp;by the organization that owns the servers, which does create a legal risk (<A href="https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act" target="_self">CFAA</A>) for&nbsp;the white hats.</P> Thu, 23 Aug 2018 19:07:43 GMT https://community.isc2.org/t5/Industry-News/Watch-out-for-your-White-Hats/m-p/13925#M1490 denbesten 2018-08-23T19:07:43Z https://community.isc2.org/t5/Industry-News/Watch-out-for-your-White-Hats/m-p/13951#M1497 <P>Would you hire an electrician who was unaware of local building codes and electrical safety standards?</P><P>That&nbsp;looks like&nbsp;what happened in this situation.</P><P>&nbsp;</P><P>It appears that the Michigan Democrats engaged with a group of politically organized amateur hackers who think they are security testing professionals. Passion and good intentions are not enough.</P><P>&nbsp;</P><P>For my extended thoughts, with added linked reporting beyond the NPR article see</P><P><STRONG><A href="https://cragins.blogspot.com/2018/08/good-intentions-passion-professional.html" target="_blank">Good Intentions &amp; Passion /=/ Professional Expertise</A></STRONG></P><P>&nbsp;</P><P>&nbsp;</P> Fri, 24 Aug 2018 13:45:38 GMT https://community.isc2.org/t5/Industry-News/Watch-out-for-your-White-Hats/m-p/13951#M1497 CraginS 2018-08-24T13:45:38Z