
Obama Snubs Medal of Honor Ball

780
Kragar 1/21/2009 3:45:34 pm PST

re: #742 CIA Reject

If your client is a government agency you should know that computer security in most government agencies has almost nothing to do with how secure the networks are.

It’s all about audits.

And audits are all about paperwork. If the paperwork is in order then the agency passes the audit and the security manager gets a good performance review. And all is happiness.

Penetration tests and network scans are done so that the appropriate boxes can be checked off on the all important paperwork.

And if the boxes are checked then the paperwork is in order, and if the paperwork is in order then the agency passes the audit.

It’s the “Radar O’Reilly” method of network security…

Yup. That's exactly what we have here. Audit audit audit with no real security analysis. This was supposed to be an actual audit testing processes and baselines, and it's just been tossed aside to go ahead with business as usual.

Been doing this for the last 5 years and it's frustrating as hell. My new project consists of copying cells out of a spreadsheet and pasting them into a PowerPoint slide show, adjusting the font and colors so they have a pretty report to show. What the fuck has that got to do with security?

If I didn’t have a family to think of, I’d walk out.