Well, since I've been gone for the last few months and haven't posted in a while, I thought I'd update anyone that cares (do they really love me??). I've been doing some consulting recently to keep my skills up to snuff and put some food on the table...or is that beer in my tummy?

I have just come upon what is being called a "vulnerability assessment" by my friend the VAR, and I am quite sure that none of my activities will be in line with what could be called by that name. It's not a true penetration test, since the work will be performed internally, and it's not really a vulnerability assessment, since I'm not to have free rein to look for vulnerabilities. What I am being asked to do is to review their current security stance and make recommendations, based on best practices and my personal experience, as to what they should be doing. In addition I will look for viruses, rootkits, malware and the like and remove them as needed (yay Windows!). They would like me to perform a "scan" of all their hosts; I'm not really sure what they would like to accomplish by having me do this "scan" against their hosts. I know they are fairly up to date from a patching standpoint, since I was out there just a few weeks ago helping them get some troublesome patches installed on their server systems. I'm guessing they have a fairly good idea of what types of services their servers are running, or else how could they support them at all?

Don't get me wrong, I'm more than happy to lighten the wallets of the misguided; I'm not complaining about getting some "cheddar," as the kids these days call it. I do plan on providing the services they are requesting. I'm kind of left wondering, though, what is my responsibility to the customer here? I didn't sell them these services, or push them in any particular direction. I was just called up and asked if I would like to help out my friend the VAR. I'm certainly not going to go to one of his customers and tell them that he should have sold them something other than what I'm doing. Is this customer under the impression that this is going to make them into an ironclad fortress, impenetrable to hackers and viruses forever and ever, amen?

I certainly don't want to get a reputation for pulling some sort of scam, or for not performing my duties correctly. I also do not want to sour any relationship that the VAR has built with his customer. Perhaps there is a happy medium: I can let the customer know that infosec is a journey, not a destination, and that they must remain ever vigilant in the fight against the evil, mean and nasty internet. Perhaps I can congratulate the customer on taking the first important steps down the road of security, just do my best, and not make any mention of my opinion on the matter.

Maybe I'll just keep my fat mouth shut, take the money, do what they have asked me, and get the heck out of Dodge....