Scott Larson was interviewed in the SC Magazine article "NIST: Fed agencies should mount penetration attacks." An excerpt from the article:
Scott Larson, a computer forensic consulting executive, who formerly headed the investigative unit of the FBI’s National Infrastructure and Computer Investigations division, told SCMagazineUS.com that many government agencies already are conducting regular penetration tests.
Larson supported the proposed NIST guidelines, but cautioned that “significant oversight and resources” should be applied to the testing process and that tests must be carefully planned to avoid potentially disruptive attacks that are not fully authorized.
“Anyone who [is designated by a government agency] to undertake this activity needs to have adequate technical and legal training,” Larson told SCMagazineUS.com, adding that each agency should also arrange to have an outside auditor conduct penetration tests to ensure that agency specialists do not downplay problems in the systems they administer.
The use of outside auditors to conduct penetration tests also would limit the number of federal employees trained to undertake sophisticated attacks, reducing the possibility that a disgruntled government staffer could use the knowledge gleaned from simulated tests to mount a real attack, Larson noted.
According to a draft of the NIST guidelines, special consideration should be given to penetration tests on newly developed information systems before they are authorized for operation, on any legacy system undergoing a major upgrade, or “when a new type of attack is discovered that may impact the system.”