Teaching Old Dogs New Tricks: Why Both Pentesters and Business Management Must Adapt
During the podcasters' meetup at Shmoocon 2010 a very important subject came up: many pentesters do not know how business people think or how to talk with them, and I have to say I fully agree with that notion. A great number of discussions in forums, IRC channels, blogs and podcasts have laid the blame for many of the insecurities in most companies today entirely on the business management side, and I personally do not agree with that. The fault is a shared one. Both sides are at fault, and both sides need to change their training and the way they approach their jobs.
Time and again we see pentesters complain that they presented to their client's management the vulnerabilities, shells and information they were able to obtain on the target network, and that management did not understand or dismissed what they said, so nothing changed in the client's environment. For me this raises several questions. Do we as a community encourage pentesters to acquire, in addition to the technical body of knowledge they must master, soft skills in report writing, public speaking, project management, risk analysis and basic business logic? Do we require that managers and business people understand how information systems operate, the risks those systems are exposed to and how those risks may affect their business operations? They learn about accounting, markets, trends and many other areas, but the attention given to information systems is minimal.
The skills mentioned above are ones pentesters need to acquire, but for most of us this type of training is like pulling teeth: we hate it, but if the tooth is rotten it must be removed. Mastery of a field does not come from practicing what we already know again and again, but from deliberately training and practicing what we are not good at and must master. We also talk a lot about the process we follow while attacking a client's systems during a pentest, and about what we must do during a code review, vulnerability assessment or incident response, but in the end we are consultants providing a service that the client needs. We must therefore understand our client: how he does business, what he considers a risk to that business and what he has in place to achieve his business goals. Once we know all of this we will have a pretty good picture of which systems and processes should be targeted during our work. It is also important to know and be very clear about what we can and cannot do, so having clear Rules of Engagement (ROE) is of great importance, since they define our boundaries. We have to remember that our actions, if not controlled, can cost our clients large amounts of money and probably damage their image. While defining the ROE with the client we get a clear look at his worries, his mindset and his general demeanor; this is much like applying social engineering skills, since the concepts are similar and only the goal differs.
We also have to be honest: not all consultants have the necessary skills to go in front of a business person and deliver the desired message in a way the business side can understand, giving them a clear track of what they can do to improve the risk posture of their business and the significance of what was found. This is one of the main reasons I like consultants to work in groups, each with their own specialty, so as to achieve the best results. The job of managing the technical group and acting as mediator should fall to a project manager or senior consultant who has both the business and the technical knowledge to communicate findings and keep the team focused on what matters most to the client, which is nothing more than reducing the risks to his business and the effect of those risks on his bottom line. Still, each person who wants to be a good security consultant, whether as a pentester, incident response specialist or any other security position, must have this knowledge and know how to apply it in the work they do.
On the management side, they need to know how information systems work, the regulations that govern their use, the best practices for their use and how they relate to the way businesses are now dependent on these systems. In the information age being connected is of great importance, but it also means they are just a couple of milliseconds away from every script kiddie who wants to make a name for himself, every corporate spy, criminal organization and curious soul out there; so while speed is important, being careful and managing the risks of this new way of doing business must also be taken into account. Proper training and education must be given to the new generation of business majors, and the current crop of executives must be influenced to adapt to these changes. They must see that security services provided by external and internal entities help minimize risk so that they remain profitable and nimble enough to adapt to change. Training in laws, regulations and industry standards is a must: the relevant CISSP domains, PCI DSS, the Gramm-Leach-Bliley Act and many others out there, not only those in the US but also those in Europe and other continents, so as to understand how to comply with these regulations, improve on top of them and adapt to them in ways that help the business. Management frameworks and procedures for information systems such as ITIL and the NIST publications must be studied so as to have a base of knowledge of what it takes to administer these systems, to understand what an IT department must provide as a base for their operation, and to understand some of the reasons why proper budgeting is important for security and for the other risk mitigation factors that must be considered.
In the end I believe the way new business people and security consultants are trained and operate must evolve, to handle not only how business, the economy and systems have changed but also the fact that security is no longer some black art but a field with structure and a body of knowledge, which makes it critical for any operation in today's market. Both sides must know how to manage risk by knowing how to transfer, eliminate, mitigate or accept it, and where it makes sense to do each.
Note: Special Thanks to Chris Nickerson for the proof reading and helping me re-express some of the ideas.
Reader Comments (2)
Is it possible that management just doesn't care? Look at it this way: the average senior executive lasts on the job about 3-5 years. During that time, he or she is going to do whatever they can to make themselves look good and the company look good so that their executive compensation can remain excessive. The person is not necessarily looking after the interests of the company, but looking after his or her own interests. So long as a possible security breach doesn't bring the company down completely, what incentive do they have to care? They'll be gone in 3-5 years and that's all the time they have to make their fuck-you money and effectively retire. If the company itself fails in year 6 or later, who cares? I got mine. So, what do I care if our web site gets hacked or our database gets stolen? I can cover that mess up for up to six months or more before I have to disclose it, depending upon state law, and the penalties aren't that excessive. So long as I meet the minimum requirements for compliance (PCI or HIPAA), the company will not be harmed too badly, especially if it has a monopoly position. Not as badly as the harm I am causing it by my looting and short-term mindset. This is a long-winded way of saying that there's a Gresham's dynamic in effect: bad behavior is driving good behavior out of the company because if my competitors cheat, then I have to cheat to stay in business with them. The risk of the company failing from that external risk is much greater than any failure by my security groups, because my security groups will generally minimize or contain any damage once it is discovered. But once that dynamic is in play, it's a race to the bottom as far as standards and ethics. What's the point of protecting the servers and infrastructure if the management is gutting the company anyway?
I'm sure Lehman's IT people did their jobs, and they kept their networks as secure as possible, but at the end of the day they got pink slips as well, even if they performed diligently and superbly. You can argue that Lehman is an outlier, but I'm not so sure. We've seen a whole industry being bailed out, two if you count AIG. If that behavior is common to other industries such as IT (Microsoft antitrust violations, anyone?), where bad behavior and bad software are condoned, and, if Microsoft does it, then I have to do it to stay in business, where is IT security going to fall in the scheme of things? It's going to be mostly an afterthought at best and window dressing at most. We are talking about controlling markets. After I have market share, I'll worry about securing that market share, maybe by beefing up my product's security. In the meantime, I'll put any crap code out there I need to get that market dominance, security be damned. This is likely the mindset of the businessmen.
Or maybe your gripe is a variation of Planck's complaint that new scientific theories aren't accepted until all of the old critics are dead and a new generation learns of the new theory and accepts it. Either way, greed or obstinate denial of the facts by management can only be solved if management is made to care about the problem (they lose their paycheck for their error in judgment). Until that happens, you can say all you want, but the problem lies more with management than with IT security, because it is ultimately management's responsibility to run the business and understand any problems the business encounters.