Sunday, June 8, 2008

Updated DoD 8570.1M (draft) -- CISA/GSNA required for pentesters

If you do any IA work for the US government, it's probably worth taking a look at this draft to see what's coming down the pipe.

Of interest to me is the new requirement to hold the CISA or GSNA if you do any sort of "Auditing", which the draft defines to include pentesting:

"C11.6.1. CND-AU personnel perform assessments of systems and networks within the NE or enclave and identify where those systems/networks deviate from acceptable configurations, enclave policy, or local policy. CND-AUs achieve this through passive evaluations (compliance audits) and active evaluations (penetration tests and/or vulnerability assessments)."

Not to get back into the whole "Not a CISSP" thread or the CEH != pentester debate, but I'd like to hear other people's opinions on the validity of basically requiring the CISSP, and now the CISA, if you do pentesting for DoD. I have no experience with the SANS GSNA material, so I have no comment on it.

I'm studying for the CISA now and there is very little, if anything, in it that applies to pentesting. "Painful" is the only word I can think of right now to describe it. But I'm taking my own advice: sucking it up, learning the material, taking the test, and going back to doing what I was doing.

In case anyone is still in the dark, auditing != pentesting.



dentonj said...

I started looking at this as a potential misunderstanding of the difference between an audit and an assessment. But I can see how someone could group the two together.

I'm more inclined to think that someone who does C&A or auditing has delusions of grandeur of being a pentester. I can back this up with personal experience from interacting with various IA personnel from different locations when DIACAP first came out. A number of them looked at the new security controls requiring penetration testing, printed off the appropriate pages, and went to leadership asking for funding for CEH classes and "tools". "See, DoD regulations require this and I need training...." (ignoring all of the other regulations and requirements to actually conduct pentesting).

Maybe the designation of an "auditor" was intended to keep the riff-raff out.

The following proposed change is interesting.

"C11.4.1. CND-IS personnel test, implement, maintain, and administer the infrastructure systems which are required to effectively manage the CND-SP network and resources. This may include, but is not limited to routers, firewalls, intrusion detection/prevention systems, and other CND tools as deployed within the NE or enclave."

This is going to effectively roll all of the network administrators/engineers under IA and place the same training requirements on them.

There always seems to be some turf battle/land grab going on in the US government. What better way to enforce change than to use written policy?

CG said...

I'm sure it's all well intentioned, and I think the majority of IA people in the gov probably fall more into the auditing category than the assessment category anyway. So like I said, I'm just sucking it up.

Travis said...

Yeah, I had to comment on this as well. I am in total agreement that an audit != pentest / vulnerability assessment. In my mind they are two totally different areas of scope: auditing simply proves whether you're doing what you say you're doing, while a pen test simply tries to find holes in your system.

Now back to the CISSP / CISA shit. I can't stand either one, or any cert for that matter. But sometimes we have to put on the skirt and dance. Unfortunate, but true.

pdanhieux said...

The CISA won't provide you with technical knowledge on penetration testing or any other specific audit/assessment project. It will provide you with a generic approach to auditing, and also with the "bigger picture" of penetration testing. It is not enough to be technically superior; you also need to know why you are testing something and be able to link your vulnerabilities to a business impact for your client/system.

The GSNA is technically oriented, but not specifically for penetration testers. It will give you knowledge of which tools are generally used to audit the configuration of certain devices or system components.

Do I support the CISA/GSNA requirement? Of course. Although these certificates do not prove you are an expert auditor, pentester or whatever, they do prove that you are not an idiot :-). Usually, people who do auditing every day own these certificates. People who wash cars every day... they don't. And I wouldn't want my organization to be audited by people who wash cars every day.

So, that leaves us with the people who don't have the certificate and who do it every day. Well, time to wake up. Clients do put belief in certificates, although the value of each cert depends on which organization issued it. If you want to work for that client, take the effort to show that you are not an idiot.

My 2 cents,


CG said...

"Although these certificates do not prove you are an expert auditor, pentester or whatever, they do prove that you are not an idiot :-)"

Then I would ask: what do they prove?

Not disagreeing with you that requiring certifications to prove competency is a step in the right direction, but I'd be careful about saying those WITHOUT a certification are idiots and those WITH a particular cert are not ;-)

Anonymous said...

Well, one way to look at it is that one who has a certification can be expected to produce a certain minimum quality of work. Though I know people will contest this: anybody can make a car, but when you buy from a manufacturer you can be assured of a minimum level of quality, as the manufacturer's label ensures it. This is a rule for which you will find lots of exceptions or deviations. Then again, looking at it from the client's side, unless I get the pen test/audit done by a certain "certified" guy, I won't be able to claim certain benefits made mandatory.