Slashdot Mirror


DHS Offering Free Vulnerability Scans, Penetration Tests (krebsonsecurity.com)

tsu doh nimh writes: The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies -- mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help 'critical infrastructure' companies shore up their computer and network defenses against real-world adversaries. And it's all free of charge (well, on the U.S. taxpayer's dime). Brian Krebs examines some of the pros and cons, and the story has some interesting feedback from some banks and others who have apparently taken DHS up on its offer.

3 of 79 comments

  1. Get out of jail free. by xxxJonBoyxxx · Score: 3, Insightful

    >> The problem is that it measures only a very limited subset of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’

    This.

    >> They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.

    Simple solution: put in a regulation that says if you get breached, you agree to take down your online services for two weeks to get your house in order. Something like that would free up money for preventative solutions in a hurry. Furthermore, we KNOW the inspected organizations have some security personnel (which aren't cheap) because the permission form asks for specific contacts who might be smart enough to interpret any results.

  2. Why is this free of charge? by rsborg · Score: 5, Insightful

    Another example of corporate welfare... pen-testing costs time and money; why should I, as a taxpayer, be out this money?

    --
    Make sure everyone's vote counts: Verified Voting

  3. Weird use of Government resources by avandesande · Score: 4, Insightful

    How about publishing a set of standards and tests that critical infrastructure companies must utilize?

    --
    love is just extroverted narcissism