[unisog] RE: Outside Penetration Testing and FERPA

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Dec 2 21:10:31 GMT 2004


On Thu, 02 Dec 2004 09:14:27 EST, GREGORY SEIBERT said:

> For our situation, we would have no problem with third party security
> testing by reputable firm as long as the appropriate agreements were in
> place.

OK. That just begs the question - how do you:

a) define
b) verify

what constitutes a "reputable firm"?  If you get a call from Clue-by-Four
Consulting, are they reputable?  If I'm(*) listed as the principal consultant,
does that change matters?  If they list your competitors as clients, does that
mean they're clued, or that they've already social engineered your competition
and you're next? ;) (Remember - if it's a new firm, or even a not-old firm,
if you require a long list of clients, you're almost by definition looking at
a list of companies that have lower due diligence standards than you do. Think
about that for a moment...)

(*) No, I don't do consulting at the current time - but for better or worse,
I probably have name recognition..  No need to voice which you think it is.. ;)
