Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
denbesten
Community Champion
‎08-23-2018 03:07 PM
‎08-23-2018 03:07 PM

Watch out for your White Hats

Within my own company, we have had discussions about how often/wide pen testing should be announced.  One extreme believes that there needs to be widespread knowledge so that the hounds can be called off if production were to be impacted.  The other extreme believes that op-sec is required to maintain the integrity of the test. The best answer is probably somewhere in the middle. 

 

The DRC recently became a great example of not getting this balance correct.  Yesterday, they publicly announced an attack, which got wide-spread media attention. Today, they ended up walking it back.  Apparently, their white hats and their IR team were not on the same page.  It also appears that the white hats may not have been engaged by the organization that owns the servers, which does create a legal risk (CFAA) for the white hats.

Reply
0 Kudos
1 Reply
CraginS
Defender I
‎08-24-2018 09:45 AM
‎08-24-2018 09:45 AM

Would you hire an electrician who was unaware of local building codes and electrical safety standards?

That looks like what happened in this situation.

 

It appears that the Michigan Democrats engaged with a group of politically organized amateur hackers who think they are security testing professionals. Passion and good intentions are not enough.

 

For my extended thoughts, with added linked reporting beyond the NPR article see

Good Intentions & Passion /=/ Professional Expertise

 

 

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkeDin Profile
My Community Posts
Reply
0 Kudos