denbesten
Community Champion

Watch out for your White Hats

Within my own company, we have had discussions about how often and how widely pen testing should be announced. One extreme believes that there needs to be widespread knowledge so that the hounds can be called off if production were to be impacted. The other extreme believes that op-sec is required to maintain the integrity of the test. The best answer is probably somewhere in the middle.

The DRC recently became a great example of not getting this balance correct. Yesterday, they publicly announced an attack, which got widespread media attention. Today, they ended up walking it back. Apparently, their white hats and their IR team were not on the same page. It also appears that the white hats may not have been engaged by the organization that owns the servers, which does create a legal risk (CFAA) for the white hats.

CraginS
Defender I

Would you hire an electrician who was unaware of local building codes and electrical safety standards?

That looks like what happened in this situation.

It appears that the Michigan Democrats engaged with a group of politically organized amateur hackers who think they are security testing professionals. Passion and good intentions are not enough.
For my extended thoughts, with added linked reporting beyond the NPR article, see:

Good Intentions & Passion /=/ Professional Expertise
D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
My Blog
My LinkedIn Profile
My Community Posts