<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Expanding Security - CISSP &#38; CEH training</title>
	<atom:link href="http://www.expandingsecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.expandingsecurity.com</link>
	<description>The best live on line security training for CISSP or CEH</description>
	<lastBuildDate>Fri, 18 May 2012 00:12:11 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Painpi!! 1212 Secure communications for Pen Test</title>
		<link>http://www.expandingsecurity.com/2012/05/painpi-1212-secure-communications-for-pen-test/</link>
		<comments>http://www.expandingsecurity.com/2012/05/painpi-1212-secure-communications-for-pen-test/#comments</comments>
		<pubDate>Tue, 15 May 2012 19:51:16 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3895</guid>
		<description><![CDATA[This is the Security “The Pain Pill” because only a few of us take vitamins. Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If [...]]]></description>
			<content:encoded><![CDATA[<p><strong>This is the Security “The Pain Pill” because only a few of us take vitamins.</strong></p>
<p>Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts.</p>
<p>If you would like to learn about Social Engineering  in our live class <span style="color: #ff0000;">Thursday May 17, 2012 at 19:00</span> Central time, wait till class and type your name <a href="http://bit.ly/painpill1212" target="_blank">here</a></p>
<p>This post with the video is here</p>
<p>This is part of Expanding Security&#8217;s partnership with Hackin9 &#8211; the full article will appear in the May issue.</p>
<p><strong>Security communications and why you should trundle</strong></p>
<p>Trundle – to move slowly and heavily, typically in a noisy or uneven way.</p>
<p>When I do a security assessment I trundle. Why? Mostly to protect the people for whom I work. They expect me to be the Security Nazi. If I am not doing security, they certainly will not. If I am stupid enough to send my passwords in email, they will think it is appropriate behavior.</p>
<p>I am the guy who has the Elite Attache by Zero Halliburton with a combination that is <em>not</em> 007. I bring my original contract documents locked in this case. I bring a random list of words from which to choose a password. I hash the secret values and write the password once. I am the nut who encrypts the password keys for the project. I am the one who thinks this is just not enough. I am not paranoid! Everyone <em>is</em> after me. Most importantly, my customers know I am deadly serious about security and when I tell them there is no way around this security measure, THEY LISTEN!</p>
<p><strong>What will you get from this article?</strong></p>
<ul>
<li>If you are a decision maker for penetration testing, you should expect this level of paranoia.</li>
<li>If you are a tester you should be able to improve your process.</li>
<li>If you are a student all of these security terms should make sense.</li>
</ul>
<p>We will talk about the tools you use for protecting data, the data you should protect, and the business processes that you must put in place.</p>
<p><strong>TOOLS OF THE TRADE</strong></p>
<p>The requirements for tools are: cross platform capability, easy to use, and able to increase security as needed. The basic tool set for secure communications is: a hashing tool, file encryption, whole disk encryption, and VPN software.</p>
<p><strong>Hashing tool for files and passwords</strong></p>
<p>We need good passwords. Good passwords are random. I suck at randomness. I use the next best thing. On site with the customer, I pick the names of people from the meeting and what they were drinking. If they had a beer, coffee, or nothing I use those values as an input to the hash. I use a hashing tool and my random word list to pick something easy to remember, but something long enough to make brute force computationally painful.</p>
<p>In the rules of engagement we agree not to transmit the password digitally, ever. We agree to use out-of-band communication. If my team is distributed, we do a quick phone call. No VOIP. No Skype. Well, a cell phone is not very secure, so we make it a short call.</p>
<p><strong>Password container</strong></p>
<p>In a word: Mandylion. (http://www.mandylionlabs.com) If you are like me, you need to track many passwords for many customer engagements. You also need a place to put your own passwords. For $250 for 5 password containers and a cradle, it is not a bad solution. Yes, above I did say I wrote my password for the project down. So a fire-rated safe is a requirement.</p>
<p>I do not like password software as a rule. Compromised machines under the attacker’s control are not a very good place to hide a password. Screen captures by adversaries are a possibility, so again I say hard password containers are the best.</p>
<p><strong>File encryption</strong></p>
<p>You are going to send data. The customer is going to send credentials. You are going to send reports. I like anything that is easy to use for my customer that uses AES encryption. My top two tools are Truecrypt and Axcrypt. They both have their place. Your customer will only tolerate one.</p>
<p><strong>Whole disk encryption</strong></p>
<p>When you are transmitting big files, sometimes you cannot rely on the software and you need hardware. I like hard keys and hard disks with their own dedicated encryption chipsets. The advantage of hardware encryption from a processing standpoint makes sense. My computer is already doing a great deal of processing; why burden it with more tasks? I have not been able to find any other tools at the price of Buslink.  (http://www.buslink.com/) These multi-key encryption tools are expensive, but when you have multi-terabyte files to protect, I do not know of a reasonable substitute.</p>
<p>You and I both know there are software tools that do the same thing as hardware. When I last checked, there were 30 vendors. I like the cross platform capability of hardware, and there are no licensing requirements and no contracts.</p>
<p><strong>Disk Wiping</strong></p>
<p>When you are done with your project, you need to clean up. Rookies / Noobes will be tempted to use a degausser on external drives. Sure it will wipe the data.  You get a bonus with degaussing. The hard-drive arm will crash into the platter, and there is no reuse. So I take the opposite position for disk wiping as I do for whole disk encryption; software is better than hardware for the conservation of hard-drives.</p>
<p>If you are running an Apple with O.S. 10 or better you get some really great built-in disk erasure tools. The last disk I wiped was a 250GB external. It took 9 hours for one overwrite with zeros. The U.S. DOD 5220-22 option is 7 overwrites and yes, it takes 7 times longer. If you are a total security nut and want to resell the drive on an auction site, the Gutmann method is 35 passes. It will take 14 days for 80GB. (http://en.wikipedia.org/wiki/Gutmann_method)</p>
<p><strong>VPN software</strong></p>
<p>This is very customer dependent and very platform dependent.  Some customers want you attacking as if you are the real black-hat. Others want to bring you closer so they can inspect your traffic. Still others will leave it up to you.</p>
<p>If you get the choice, SSH is a reasonable tool for VPN. PuTTY is a free, easy client. On our team we try to use an industrial-strength SSH client/server. SecureCRT is one of the few vendors who make a cross-platform client and server that customers are willing to trust.</p>
<p>You can never be completely ready for the customer, but be ready on your side. Two big gotchas in VPN are protocol ID 47 (for GRE and PPTP) and protocol ID 50 / 51 plus port UDP 500 (for IPSEC). These are the protocols and ports being blocked on your end by firewalls.</p>
<p><strong>DATA TO PROTECT</strong></p>
<p>What are you encrypting? Packet captures, virtual attack images, databases, and all output of tools and business process documents. Any data that could be used to do an attack or the reports that discuss the weaknesses of your customer must be encrypted. It must be encrypted at rest and in transit. It must be encrypted and protected for longer than it is useful to anyone.</p>
<p><strong>Packet capturing</strong></p>
<p>You need to prove that what you did is only what you did and not what a true attacker did while you were doing your test. Screen shots get the customer’s attention. These screenshots will only be to convince the executive to spend money on fixing the problem. The technical person that the executive relies on to do the action needs more than screenshots. Packet captures are that something more.  They provide the raw data.  But this raw data is perfect data for the evil outsider to use to know what worked.</p>
<p>When you start your activities, start your capture. When you stop your capture, log the capture name. Now you need to protect this data with file encryption.</p>
<p><strong>Databases and Tool output</strong></p>
<p>Many tools will offer you flat files to transmit or use as input to another tool. Metasploit can be configured for a number of database back-ends. Commingling of customer data is a no-no. A simple rule is one database per customer. I know this really puts a cramp in your style, but suck it up. Protect the data.</p>
<p><strong>Virtual images</strong></p>
<p>I do not think you should use a physical host with software installed. It is too messy to clean up afterwards when you have finished your test. Start with a clean image. Do your testing. You will end up with a dirty image that has customer data in it. You may refer back to this image when you are writing your report. Keep it encrypted and on a separate drive.  (I know before I said hard disk encryption is best, but it may be cost prohibitive.) Truecrypt has a hidden partition feature so that if someone steals the drive they think “format free disk space” not “let us see what is on the disk.”</p>
<p><strong>All this sounds like a lot of work?</strong></p>
<p>So far this is all punishment and no reward; or as my dad would say, “all stick and no carrot.” (<a href="http://en.wikipedia.org/wiki/Carrot_and_stick">http://en.wikipedia.org/wiki/Carrot_and_stick</a>)</p>
<p>Let us go back to the previous data point of packet captures. If you captured packets in the virtual machine, they are encrypted. When you encrypt them in the virtual machine and pull them out for your summary or report, they remain encrypted for the entire time. This is critical to all your business processes.</p>
<p>Here is the good part: If you use whole disk encrypted virtual machines and you keep all your tools’ outputs inside the virtual machine until you need the report output, you are protected. This means everything: packet captures, virtual images, databases, all output of tools and business process documents.</p>
<p><strong>Client scope request and data</strong></p>
<p>Here is the problem: clients are not going to do what you want. They are going to do what they want. The client looks at your contract and wants to make adjustments. Scope data is valuable to the attackers. You have two choices. Teach them your encryption process or communicate in abstract terms. The first idea is fraught with pain unless you are a patient teacher and willing to spend the time. The second idea may be easy for your clients, but it opens you up to passing data in the clear.</p>
<p>A third option is to state your policy in an email signature block and remind the client at the beginning of the contract and at reasonable intervals.</p>
<p>You get to customize your process to fit the job and your customer.</p>
<p><strong>Report output</strong></p>
<p>Now we have a chance to protect the client’s data. Sending the report from your mail server to theirs means there are at least four possible copies. If you and they have a data retention policy and a backup mailbox policy, you will have two copies you know about and two copies you don’t know about. You have a copy in your sent mail. Your server might back up the outbound email. Their server might back up a copy and they might never delete it. If you use a self-executable like Axcrypt, you can protect it in all four places.</p>
<p>From cradle to grave or start to finish ALWAYS keep it secure. Whatever process you decide to implement, this is your trust that the customer has placed in you. Don’t abuse that trust.</p>
<p><strong>Business process documents</strong></p>
<p>These documents tell the customer what to expect as encryption behavior from your team. Keep instructions as clear as possible. For example, give simple statements such as, “We will not send the password via email or text message.” I do an hour long discussion with my customers followed up with a detailed email and website to ensure clear communication. Be ready to explain your process. Instructions are never as clear as we think they are.</p>
<p><strong>Closing out the report and putting away the data</strong></p>
<p>Hand all the data over in encrypted form. Burn a DVD of the project report data and your captures for backup with all data encrypted under a superkey. Move the superkey to a physical vault. Delete the keys from your digital vault. Wipe the disk where the working image was copied.</p>
<p><strong>Your customer will fight you</strong></p>
<p>The goal is to convince your customer that they need even more security for communications about the test. All along the way, from the first discussion about penetration testing to the final report, all this data needs to be handled delicately. We need to deal with the expectation of privacy, how we are perceived by the customer to treat their data, and the level of trust they are placing in our ability to deliver. For the majority of my customers it is unlikely that I will convince them to take security as seriously as I do. No, they are not going to set up PGP, digital signatures or a secure drop box. Yes, they want to use email. Ask yourself realistically, what are your customers willing to do?</p>
<p><strong>Don&#8217;t know how to do these activities? Come to our free class! </strong><strong>2012-05-17 CENTRAL time </strong><strong>19:00:00</strong></p>
<p><strong>http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=4231&amp;company=ES&amp;namex=pp1212&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Fceh09%2F</strong></p>
<p>Or <a href="http://bit.ly/painpill1212">bit.ly/painpill1212</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/05/painpi-1212-secure-communications-for-pen-test/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Test-buy</title>
		<link>http://www.expandingsecurity.com/2012/05/test-buy/</link>
		<comments>http://www.expandingsecurity.com/2012/05/test-buy/#comments</comments>
		<pubDate>Tue, 08 May 2012 15:28:22 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3873</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><code></code></p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/05/test-buy/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>PainPi!! 1211 &#8211; Pen Testers what the world thinks we do</title>
		<link>http://www.expandingsecurity.com/2012/04/painpi-1211-pen-testers-what-the-world-thinks-we-do/</link>
		<comments>http://www.expandingsecurity.com/2012/04/painpi-1211-pen-testers-what-the-world-thinks-we-do/#comments</comments>
		<pubDate>Tue, 01 May 2012 01:49:01 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3841</guid>
		<description><![CDATA[This is the Security “The Pain Pill” because only a few of us take vitamins. Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If [...]]]></description>
			<content:encoded><![CDATA[<p><strong>This is the Security “The Pain Pill” because only a few of us take vitamins.</strong></p>
<p>Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts.</p>
<p>If you would like to learn about  Digital Signatures in our live class <span style="color: #ff0000;"> Wednesday, May 2, 2012 at 12:30</span> Central time, wait till class and type your name <a href="http://bit.ly/painpill1210">here</a>. The long link is below if you don&#8217;t like bit.ly.</p>
<p>This post is <a href="http://www.expandingsecurity.com/?p=3841">here</a></p>
<p><strong>Setting expectations in a fantasy movie world</strong></p>
<p>When people ask my mom what I do, she says things like, “Well you know the television show where the police get the bad guy’s computer and pull all the evidence off? My son is that computer guy” or “You know the movie the Matrix? He is Neo.” I cringe. I smile. Oh mom!</p>
<p>I am happy that she is proud of what I do, but she and the rest of the world have this movie or T.V. expectation of what we do as penetration testers. This expectation causes problems in many ways. We need to let the myth propagate so that our customers have some general idea of what we do, because they really do not know. We also need to manage and set expectations on what we can do with the time allotted by our customers.</p>
<p>What the public thinks of penetration testing and what we can deliver can be the same thing, but the problem is typically time and results. I am not saying that we cannot do the great job where we find every flaw in the system. I am saying there is always a tradeoff between what we can accomplish and how much time we are given to do the task.</p>
<p>There are 4 main group perceptions: Public non-technical, Technical, Peers and the Press. In each of these groups we encounter bias based upon movies and television. Your job is to give these people some idea of what we do. The best way to manage these expectations is to provide a parallel story or reality. I apologize at the beginning for not knowing your favorite show. To make this easy to understand for your group’s perception, replace my example with the localized myth, language, and movie. Ask your customers what they have seen, what they think. Change their perspective by explaining a few parts of what we do by relating it to what they do or think.</p>
<p><strong><em>Public non-technical</em></strong></p>
<p><strong>What has shaped perspective?</strong></p>
<p>The movies based upon world-wide gross receipts are: <span style="text-decoration: underline;">Matrix Reloaded</span>, <span style="text-decoration: underline;">Transformers</span>, <span style="text-decoration: underline;">Mission Impossible</span>, <span style="text-decoration: underline;">Ocean’s Eleven</span>, and every <span style="text-decoration: underline;">James Bond </span>movie. Television shows that have done the same are <span style="text-decoration: underline;">CSI</span>, <span style="text-decoration: underline;">Dr. Who</span>, and <span style="text-decoration: underline;">The X-files</span>.</p>
<p><strong>What do they expect?</strong></p>
<p>They expect you to hit a few keys on the keyboard, screens of data will flow by; you will be able to sort and read this data as it scrolls up the screen, and with one stroke you have the answer.</p>
<p><strong>How can we bring them back to our reality?</strong></p>
<p>They do not care or know about the particulars of our business, but they do understand a little bit about the movie industry. Ask them how long they think it takes to make the movie or show. Here is one basic piece of knowledge that they can understand: for every minute of broadcast quality television, it takes roughly 60 minutes of filming. This doesn’t include all the hours of pre-production or post-production work for all the people that work. So if one person were to string together all the work that goes into 1 minute of the final product, it would be a minimum of 10 hours. That is a ratio of 600 to 1.</p>
<p><strong>The public doesn’t calculate the original effort that supports those few keystrokes.</strong></p>
<p><strong><em>Technical</em></strong></p>
<p><strong>What has shaped perspective?</strong></p>
<p><span style="text-decoration: underline;">The Italian Job</span>, <span style="text-decoration: underline;">Hackers</span>, <span style="text-decoration: underline;">The Net</span>, <span style="text-decoration: underline;">23</span>, <span style="text-decoration: underline;">Pirates of Silicon Valley</span> and <span style="text-decoration: underline;">Office Space</span>. The technical group has a bit more of an understanding of the penetration test. They still think all the tools work all the time.</p>
<p><strong>What do they expect?</strong></p>
<p>Their tools are supported by billion dollar companies. They expect that the tools we use work like the tools that they use. The setup and install routines for their tools have been regression-tested against all variations of the expected operating system and other tools possibly present on the target machine.</p>
<p><strong>How can we bring them back to our reality?</strong></p>
<p>We need to ask them questions that evoke that pain they have experienced. How long does it take to download Office? How easy is it to find the download location? How long does it take to install and configure a desktop by hand when converting a live user from one Office Suite to another? Many information technology shops know and depend on the resource being available and the only limitations are based upon bandwidth and processing power. Most know the pain of converting from one version to another. That installation is not work. It is preparing for work.</p>
<p>In a great number of cases, tools that we use might disappear. Finding a current mirror might take a few hours. Configuration has many undocumented software dependencies. Some configuration files require you to remove commenting for a feature to work. A major part of our job is getting the tools installed and configured. Far fewer penetration testing tools are regression-tested.</p>
<p>The tools and signatures for penetration testing have development cycles that are measured in months, weeks, and hours. The support, help files, and configurations are not as robust.</p>
<p><strong>Technicians do not calculate the time it takes to prepare the environment before work gets done.</strong></p>
<p><strong><em>The Press</em></strong></p>
<p><strong>What has shaped perspective?</strong></p>
<p>In these days of total information from the Internet and conspiracy theories, some movies help shape the press’s perspective such as: <span style="text-decoration: underline;">Hackers</span>, <span style="text-decoration: underline;">Anti-Trust</span>, <span style="text-decoration: underline;">Swordfish</span>, <span style="text-decoration: underline;">Enemy of the State</span>, and <span style="text-decoration: underline;">Live Free or Die Hard. </span> These movies change what the press thinks about our motivation for penetration testing and how much time and resources we actually have.</p>
<p><strong>What do they expect?</strong></p>
<p>They expect one computer in our house has the power to take down the world. Password cracking is a simple thing that can be done on one computer bought with a few hundred dollars. Once we capture the machine, we are done.</p>
<p><strong>How can we bring them back to our reality?</strong></p>
<p>The press is not going to engage you in conversation for you to change their perspective. The reporters have pressure to perform. They have deadlines. They have editors. You need to be ready. When that microphone is pushed into the penetration tester’s face, pause. Think about what is good for our business and our profession.  Give a measured business answer. Deliver the plain truth that the real value in our work is creating a report to protect our clients’ assets.</p>
<p><strong>What is true is typically boring. The Press writes about what sells. </strong></p>
<p><strong><em>Peers</em></strong></p>
<p><strong>What has shaped perspective?</strong></p>
<p>They have seen all the movies. They laugh at how silly the movies are.  They know Trinity from the Matrix. They know that Trinity’s hack using sshnuke will never work against modern systems. They know… it all.</p>
<p><strong>What do they expect?</strong></p>
<p>They expect you to know it all. They expect anyone who calls themselves a hacker or a penetration tester knows what they know. They may have ten years working with a tool that you have never seen. That tool is just a small part of the knowledge they have. That tool becomes second nature to them.</p>
<p><strong>How can we bring them back to our reality?</strong></p>
<p>Ask your peers to do something outside their comfort zone. Challenge your peers to do something they don’t know. Give them a set of steps that may seem simple to understand, but require a great deal of background knowledge. Each month when I read the <span style="text-decoration: underline;">Pen Test Magazine</span>, I take some time to do what other writers have set out in their articles. I typically pick something new that is not part of my skill set. This new challenge brings me back to reality.</p>
<p><strong>Pen Testers do not know what I don’t know.</strong></p>
<p><strong>SUMMARY</strong></p>
<p>Take some time to help people adjust their perspective and move away from the myth or movie. It is up to you to make others understand what is possible and impossible. If I have offended you as one of the groups, help change my perspective. I am willing to learn.</p>
<p>Thanks to linuxhaxor.net for their top 20 movies and screen shots, cyberpunkreview.com for their vast collection of cyberpunk data, and imdb.com for their all-time gross world-wide data.</p>
<p><strong>Come to our free class!</strong> Cryptology Digital Signatures, 2012-05-02 12:30:00 CENTRAL TIME ZONE!</p>
<p>http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3168&amp;company=ExpSec&amp;namex=pp1211&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Ff_22%2F</p>
<p><strong>Details</strong>- At the end of each month we work with the Pen Test magazine to produce something special. Check them out <a href="http://pentestmag.com/">here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/painpi-1211-pen-testers-what-the-world-thinks-we-do/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>This could be an evil weblink</title>
		<link>http://www.expandingsecurity.com/2012/04/this-could-be/</link>
		<comments>http://www.expandingsecurity.com/2012/04/this-could-be/#comments</comments>
		<pubDate>Sat, 28 Apr 2012 00:16:29 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3831</guid>
		<description><![CDATA[Hi this is a test of a QR code. It could have been evil, but it was just a test. The above is a graphic. ▄▄▄▄▄▄▄    ▄ ▄▄   ▄  ▄    ▄▄▄▄▄▄▄ █ ▄▄▄ █  █ ▀ ▀▀▄█▀█ █▄▄▄▄ █ ▄▄▄ █ █ ███ █ ▀▀█▀ ▄▀██▄█▄█▄ ██ █ ███ █ █▄▄▄▄▄█ █ ▄ ▄ ▄▀█ █ █ ▄ █ █▄▄▄▄▄█ ▄▄   ▄ ▀█▀ ▄ ▄▀▀ ▀▄    ▀ ▄▄ ▄ █ ▄▀▄  ▀█▄▄█▄ ▄▄▄█▀▄▄█▀▀▀▀ █▄ █ ▄ █▀▀ ▄ ▀▀▄▄▀▄█▄█▄███ ▀▄▀▀██▀▀ ▄█ █▄█▄  ▄▄██▀▀▄ ▀▄█▄▀ █▄██▄ █▀  █▀█ ▀▀▀▀▄▀▄██ ▀ ▀ ▄▄▄▄▄▀█ ▀▄▄▀█▄ ▀ ▄ ▀▄ ▄█▄▄▄▀█ ▄█▄█▀ ▄███▀ ██▀▀  █▄▀█ ▄▄▄▄ ▀▄█▄▀▀██▀▀██▄▄▀█▄█▀▀█▄█▀▀ ▀▄ ▄▄ █ ▄▄▀▄   █▀ ▄▀█ ▄▄▀▀█▀ ██ █▄ █ ▄▄ █ ▄▄ ▄██ ▄▄▀▀▀▀▄█▄  ▀█████▀  ▄ ▄▄▄▄▄▄▄ ▀▀ ██▄█▄▄  █▀▄  █ ▄ █▄▄▀█ █ ▄▄▄ █  █▄▀▄▀▄     ▄▄▄▄█▄▄▄█  ██ █ ███ █ ▄▀▄▄▀▄▀██  █ ▄ ▀█▀ ▄█ █▄█ █▄▄▄▄▄█ ▀▄▀▄ ▀▄▄  █▄▄  ██▀▀▄▀▄ This is the same QR code but only in ASCII. ( it needs [...]]]></description>
			<content:encoded><![CDATA[<p>Hi this is a test of a QR code.</p>
<p>It could have been evil, but it was just a <a href="http://qrcode.kaywa.com/img.php?s=6&amp;d=http%3A%2F%2Fwww.expandingsecurity.com%2F%3Fp%3D3831">test</a>.</p>
<p><img src="webkit-fake-url://A33EB3FA-ED59-401D-8B56-797BD0AC8F09/img.php.png" alt="img.php.png" /></p>
<p>The above is a graphic.</p>
<p>▄▄▄▄▄▄▄    ▄ ▄▄   ▄  ▄    ▄▄▄▄▄▄▄<br />
█ ▄▄▄ █  █ ▀ ▀▀▄█▀█ █▄▄▄▄ █ ▄▄▄ █<br />
█ ███ █ ▀▀█▀ ▄▀██▄█▄█▄ ██ █ ███ █<br />
█▄▄▄▄▄█ █ ▄ ▄ ▄▀█ █ █ ▄ █ █▄▄▄▄▄█<br />
▄▄   ▄ ▀█▀ ▄ ▄▀▀ ▀▄    ▀ ▄▄ ▄<br />
█ ▄▀▄  ▀█▄▄█▄ ▄▄▄█▀▄▄█▀▀▀▀ █▄ █<br />
▄ █▀▀ ▄ ▀▀▄▄▀▄█▄█▄███ ▀▄▀▀██▀▀ ▄█<br />
█▄█▄  ▄▄██▀▀▄ ▀▄█▄▀ █▄██▄ █▀  █▀█<br />
▀▀▀▀▄▀▄██ ▀ ▀ ▄▄▄▄▄▀█ ▀▄▄▀█▄ ▀ ▄<br />
▀▄ ▄█▄▄▄▀█ ▄█▄█▀ ▄███▀ ██▀▀  █▄▀█<br />
▄▄▄▄ ▀▄█▄▀▀██▀▀██▄▄▀█▄█▀▀█▄█▀▀ ▀▄<br />
▄▄ █ ▄▄▀▄   █▀ ▄▀█ ▄▄▀▀█▀ ██ █▄ █<br />
▄▄ █ ▄▄ ▄██ ▄▄▀▀▀▀▄█▄  ▀█████▀  ▄<br />
▄▄▄▄▄▄▄ ▀▀ ██▄█▄▄  █▀▄  █ ▄ █▄▄▀█<br />
█ ▄▄▄ █  █▄▀▄▀▄     ▄▄▄▄█▄▄▄█  ██<br />
█ ███ █ ▄▀▄▄▀▄▀██  █ ▄ ▀█▀ ▄█ █▄█<br />
█▄▄▄▄▄█ ▀▄▀▄ ▀▄▄  █▄▄  ██▀▀▄▀▄</p>
<p>This is the same QR code but only in ASCII (it needs some adjusting), but it should pass your image filters.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/this-could-be/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>ISSMP quiz support Page</title>
		<link>http://www.expandingsecurity.com/2012/04/issmp-quiz-support-page/</link>
		<comments>http://www.expandingsecurity.com/2012/04/issmp-quiz-support-page/#comments</comments>
		<pubDate>Fri, 27 Apr 2012 19:56:58 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3829</guid>
		<description><![CDATA[Placeholder-]]></description>
			<content:encoded><![CDATA[<p>Placeholder-</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/issmp-quiz-support-page/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Painpi!! 1210 Biometrics for everyone &#8211; it is possible</title>
		<link>http://www.expandingsecurity.com/2012/04/painpi-1210-biometrics-for-everyone-it-is-possible/</link>
		<comments>http://www.expandingsecurity.com/2012/04/painpi-1210-biometrics-for-everyone-it-is-possible/#comments</comments>
		<pubDate>Wed, 18 Apr 2012 16:58:10 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3814</guid>
		<description><![CDATA[This is the Security “The Pain Pill” because only a few of us take vitamins. Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If [...]]]></description>
			<content:encoded><![CDATA[<p><strong>This is the Security “The Pain Pill” because only a few of us take vitamins.</strong></p>
<p>Every week I talk about a security topic in simple terms to reduce our security load, increase our efficiency, and make our security work better. There is a free class on the topic so you can have a deep dive. If you need continuing education credits, this counts.</p>
<p>If you would like to learn about Access Control and Biometrics in our live class <span style="color: #ff0000;">Wednesday, April 18, 2012 at 12:30 </span> Central time, wait till class and type your name <a href="http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3161&amp;company=ExpSec&amp;namex=pp1210&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Ff_02%2F" target="_blank">here</a>.</p>
<p>This post is <a href="http://www.expandingsecurity.com/?p=3814" target="_blank">here</a></p>
<p><strong>Biometrics is not just for the super secret anymore.</strong></p>
<p>I was blown away when I heard that India has a major initiative in biometrics for the masses. Over 200,000,000 people have been enrolled for both iris and fingerprint biometrics. The rate of 4,000,000 new enrollments per month is blazingly fast. The Economist from January 14, 2012 says there is a great deal of push-back by the Indian government. They had their own initiative that could barely register 8,000,000 at a huge cost. Then private industry came along and made it a merit-based system for each enrollment contractor. Bidding at 50 cents per enrollment pushes each worker to be fast and efficient. Good news: it works!</p>
<p>Business use of biometrics is nothing new. Disney did it at their theme parks years ago. Every guest on a multi-day pass is registered to get into the park. This cut resale of spare day passes to nothing, increasing Disney&#8217;s profits.</p>
<p><strong>So what does this have to do with us in the security world?</strong></p>
<p>If they can do it, we can. We should start thinking state-wide or national, but not on a business by business basis. Cost of biometric systems and collection is down around the cost of passwords. No, it is not free, but think about the support cost for password resets. Think about the reduction in breach cost. If passwords went away, password breaches would also. How much does it cost us to clean up from a breach? How many breaches do we have per year? How much complaining do we hear at the government level about cyber crime? It seems like the datalossdb.org cannot keep up. We are losing the security race because we don&#8217;t want to start running.</p>
<p><strong>Can we? Should we?</strong></p>
<p>As a privacy advocate I hate this idea. As a confidentiality nut I love it because it protects me. You can achieve it at the individual level with a few dollars and an up-to-date operating system. You can do it at the company level with a bit more. But we should think like India and go large scale.</p>
<p><strong>What can we do to make it better for us, for you?</strong></p>
<p><strong>Policy:</strong></p>
<ul>
<li>Build a business case for biometrics</li>
<li>Identify government projects that include biometrics</li>
</ul>
<p><strong>Action items:</strong></p>
<ul>
<li>Investigate which of your company&#8217;s authentication systems are biometric compliant</li>
<li>Calculate the cost of biometrics, including enrollment</li>
</ul>
<p><strong>Don&#8217;t know how to do these activities? Come to our free class!</strong> CISSP: Access Control Authentication Services<br />
2012-04-18<br />
12:30:00</p>
<p>http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3161&amp;company=ExpSec&amp;namex=pp1210&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Ff_02%2F</p>
<p>Click <a href="http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3161&amp;company=ExpSec&amp;namex=pp1210&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Ff_02%2F" target="_blank">here</a></p>
<p>Or <a href="http://bit.ly/pain1210" target="_blank">bit.ly/pain1210</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/painpi-1210-biometrics-for-everyone-it-is-possible/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IPAD uuid steps</title>
		<link>http://www.expandingsecurity.com/2012/04/ipad-uuid-steps/</link>
		<comments>http://www.expandingsecurity.com/2012/04/ipad-uuid-steps/#comments</comments>
		<pubDate>Thu, 12 Apr 2012 14:17:28 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3782</guid>
		<description><![CDATA[The easy way to get your UUID is to plug your iPad into your computer and start iTunes. When you click on your device in the left window you will see your serial number. When you click your serial number it will change to (UDID). This is a very long string of numbers. I [...]]]></description>
			<content:encoded><![CDATA[<p>The easy way to get your UUID is to plug your iPad into your computer and start iTunes.</p>
<p>When you click on your device in the left window you will see your serial number.</p>
<p>When you click your serial number it will change to  (UDID).</p>
<p>This is a very long string of numbers. I am only showing you the first part for security reasons.</p>
<p>Please do not send me a screenshot; it will not work for our purposes.</p>
<p><a href="http://www.expandingsecurity.com/wp-content/uploads/2012/04/IPADUUID2.png"><img class="alignnone size-full wp-image-3780" title="IPADUUID2" src="http://www.expandingsecurity.com/wp-content/uploads/2012/04/IPADUUID2.png" alt="" width="483" height="206" /></a></p>
<p>Here is the tough part.</p>
<p>You can click and drag across the numbers, but it doesn&#8217;t look like it is highlighted.</p>
<p>Press Control-C to copy.</p>
<p>Open your mail client and send these three items:</p>
<p>1. UDID</p>
<p>2. Software version &amp; hardware (iPad 1, iPad 2, iPad 3)</p>
<p>3. CISSP ID</p>
<p>to dean.bushmiller , a+ ExpandingSecurity.com</p>
<p>To install the dev environment you must be on your iPad when you visit this link and call Dean.</p>
<p><span style="color: #ff0000;">20120517  The new link will be up soon.</span></p>
<p>You will receive further instructions once we load your profile.</p>
<p>Thanks!</p>
<p>Dean</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/ipad-uuid-steps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Painpi!! 1209 Subordinates and Superiors</title>
		<link>http://www.expandingsecurity.com/2012/04/painpill1208/</link>
		<comments>http://www.expandingsecurity.com/2012/04/painpill1208/#comments</comments>
		<pubDate>Fri, 06 Apr 2012 15:36:11 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3691</guid>
		<description><![CDATA[In conjunction with Pen Test Magazine we are running a series of Ethical Hacker Painpills. At the end of each month we will go a little deeper than those three minutes to deal with a topic. There is a human side to our technical lives. If you need Certification training on the CISSP, ISSAP, ISSMP, [...]]]></description>
			<content:encoded><![CDATA[<p>In conjunction with Pen Test Magazine we are running a series of Ethical Hacker Painpills. At the end of each month we will go a little deeper than those three minutes to deal with a topic. There is a human side to our technical lives.</p>
<p>If you need certification training on the CISSP, ISSAP, ISSMP, or CEH, come to class and see if what we do is what you want. Today, April 6, 2012, we are covering Change and Patch Management at 12:30 Central time.</p>
<p>Click <a href="http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3151&amp;company=ExpSec&amp;namex=pp1209&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Ff_18%2F" target="_blank">here</a>. Type your name and email.</p>
<p>Back to the topic at hand!</p>
<p><strong>The PainPill – Subordinates &amp; Superiors – Who is running the show?</strong></p>
<p>In business there is a struggle between those who perform the service and those who manage the service. This is never more apparent than in the penetration testing business. You care as a penetration tester because if you are any good at what you do, someone will offer you a job. That job offer comes with hidden strings attached. Your job now is to navigate the subordinates and superiors in that system with the same skill as the tools you use. Be too abrupt and you are seen as a prima donna. Be too nice and you are seen as a doormat. You should be looking for the balance. Let’s look at the common relationships that a pen tester must navigate in the business world and how we might cause ourselves problems.</p>
<p>As my friend Pam says, &#8220;Dean, you are high maintenance in a good way.&#8221; That means she and others are willing to put up with my demands because they are matched by my talents and my effort. I don’t know if it was a compliment, but she says, “You expect a great deal of people, but you give just as much as you expect.” I have tried to live by that: only expect from others what we are willing to give.</p>
<p><strong>Valuing Yourself </strong></p>
<p>Self-worth is a difficult assessment in the technology and security game. I have seen many people sell themselves and their profession short to please someone. I have seen the opposite also. Some young adults out of college think that they can demand a huge salary without the experience.</p>
<p>Many of us have great technical skills (our Kung Fu is strong) and no social communication skills. It makes sense that we either have one or the other skill. We relate to the keyboard and the computer so well that we give up the ability to hold a conversation or negotiate. I am lucky. I have my partner Helaine for when people do not see things my way. You would think she would go beat them up for me (joking). Just the opposite; she reminds me that my head is up my… well, you know. When others do not understand, I need to be nice. I need to think about what the other person needs to know about the situation. And most importantly, that I have not communicated successfully.</p>
<p>In the technical business I typically see people who think that, just because they cannot relate well with humans, they have less value. I have seen managers manipulate someone based upon this very trait. Do not let Subordinates &amp; Superiors tell you what you are worth. Find a trusted mentor, not your mom; she thinks you are worth the world.</p>
<p>Know your strengths and weaknesses as a team player.  Make up for your weaknesses.</p>
<p><strong>Raw hex dumps on other humans</strong></p>
<p>For me there is the issue that happens every so often. I get in the go mode: the I-will-not-quit-until-I-beat-this-computer frame of mind. You have seen it in yourself before. You work so hard and so long you forget to do the human things like eat or drink. When you are in that zone, you do anything to keep on task. Then another human tries to interact with you. BIG Mistake! With me, my brain assesses the situation and looks for the fewest words possible that will get this person away from me and make sure they never come back just so I can continue working.  I call it the raw hex dump. It is typically brutal, not well thought out, and very effective at getting people to leave me alone. I am ashamed to admit I once crushed a great subordinate with one sentence. I have done the same to a few superiors, with much less regret but much more long-term damage.</p>
<p>I suggest a few simple things to protect yourself and others when you get into deep testing mode, where there may be a lot of pressure on you.</p>
<ol>
<li>Set a timer for eating, drinking and other biological functions. As dumb as this sounds, it took me my whole life to realize that if I eat regularly, I am nicer to others (i.e., able to communicate in a productive way).</li>
<li>Get a “Do Not Disturb” sign. Teach everyone that it means what it says. You get your work done and come out of your cave when you have slain your dragon. (By the way: if you want a door hanger, email me; I will mail you one and a pocket protector free while supplies last.)</li>
<li>Pause before opening your mouth. Think about the good things that person does for you. Even if they have never done anything for you, the pause will give you time to stop yourself from making a career-limiting move or harming a nice work environment. Just because others may not understand our pressures or challenges does not give us license to skip the effort of communicating to others what is happening or when we will next be available to get them what they need.</li>
</ol>
<p>Communicating well is a typical weakness for techies.</p>
<p><strong>Small, Medium, Large</strong></p>
<p>There are only three business setups, right? I know, but for our purposes it typically breaks down into these variations for the business of pen testing and these roles. I am sure you call it something else and you have all these other administrative staff who do accounting, human resources and other paperwork. Let us stick to the major players.</p>
<p>Ask yourself:</p>
<ul>
<li>Who is going to handle those contracts?</li>
<li>How do we get a proper non-disclosure agreement created?</li>
<li>When should we pull this out?</li>
</ul>
<p><strong>Small = Pen Tester &#8211; Customer</strong></p>
<p>The ultimate superior is the customer. Without them we get no check, no hacking time and no fun. Some of my customers have never met me. But I still need to interact with them in a way that is respectful, values ourselves, and gives a fair exchange. This requires we perform the scoping, while understanding the problems. The simple questions make for the best communication. The answers may be difficult to interpret.</p>
<ul>
<li>Why do they want a pen test?</li>
<li>What is their budget for remediation?</li>
<li>When is the deadline for completion?</li>
<li>How do they want the test performed?</li>
</ul>
<p>Really listen. The bad communicator thinks they know the answer before they ask the question. Give the customer time to talk. Then take all that data in and wait a few minutes, hours or days. Repeat it back to them. Make sure they know that you know.</p>
<p><strong>Medium = Pen Test Team – Project Manager – Salesperson – Customer</strong></p>
<p>If you do not have that listening skill, either the tester or the customer gets frustrated. In either case they would rather talk to the translator. This is where salespeople and project managers make themselves indispensable to our process.</p>
<p>When we add layers of abstraction and people between us and the customer, we are adding noise to the communication channel. Hopefully we are also adding value. Good project managers (PMs) dispatch assignments to the best person and correlate all data into a report. They change those terse words and raw reports into business speak and actionable statements. Project managers are the great translators. Is the PM a superior or a subordinate? That could be very different depending on the organization. As someone who has been on both sides, I suggest a different approach. Whoever is the superior should act as if their job depends on the success of the other people on the team. The PM should make schedules easy to follow and give people the flexibility they need. For example, if you work best at night, plan night jobs and convince the customer to adjust the testing times.</p>
<p>Salespeople convince the customer to buy and <strong>they keep on</strong> those potential leads. The skill of selling is knowing when and how many times to contact the prospect. But salespeople do not do the testing and they tend to smooth out the rough edges of the transaction. They abstract. They make everything on the tester’s side seem like we are Internet Super Heroes. I don’t know about you, but that makes me angry. Who the heck are they? That set of skills keeps you busy. Respect it.</p>
<p><strong>Large = Pen Test Team – Project Manager – Director – Salesperson – Customer</strong></p>
<p>Directors, Vice-Presidents, whatever you call the people that do strategic planning are really critical for success in large firms. They might need to present to senior executives and fight for head count. That would be your head in some cases. In publicly traded organizations, sometimes the mandate is to cut salaries by 20% to make the quarterly earnings report look good. They fight to keep the business unit intact. They have no idea what you do or how good at your job you are other than results. Results may be billable hours. Billable hours may mean they squeeze the PM to get more out of you. It may mean they ask a salesperson to force that sale when it is not ready.</p>
<p>We need them to fight the political battles that we will not. When they ask you how it is going, they do not care about the latest release of this tool or that. Talk to them in terms they understand: business terms.</p>
<p><strong>Summary</strong></p>
<p>If we are good pen testers, we strive to find the balanced navigation through relating to subordinates and  superiors, in a way that communicates what each invested party needs to know about the project.  We know our strengths and weaknesses and make a plan to improve our weaknesses.  We must value ourselves and never lose sight of the other party’s value to the success of the project.  It takes everyone’s cooperation to reach our goal of keeping the pen testing business going, keeping their enterprise safe, and keeping you doing most of what you love to do.</p>
<p>Don&#8217;t know how to do these activities? Come to class. Yes, this is part of the class!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/painpill1208/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Tools 19 Evading IDS   Firewalls and Honeypots</title>
		<link>http://www.expandingsecurity.com/2012/04/tools-19-evading-ids-firewalls-and-honeypots/</link>
		<comments>http://www.expandingsecurity.com/2012/04/tools-19-evading-ids-firewalls-and-honeypots/#comments</comments>
		<pubDate>Mon, 02 Apr 2012 20:35:49 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3713</guid>
		<description><![CDATA[Tools for module 19: Evading IDS, Firewalls and Honeypots Tcpreplay Libnet Rootshell IPsend Sun Packet Shell (psh) Protocol Testing Tool Net::RawIP CyberCop Scanner&#8217;s CASL AckCmd 007 Shell ICMP Shell ACK Tunneling Fragrouter SideStep Anzen NIDSbench ADMutate]]></description>
			<content:encoded><![CDATA[<p>Tools for module 19: Evading IDS, Firewalls and Honeypots</p>
<div id="_mcePaste">
<ol>
<li>Tcpreplay</li>
<li>Libnet</li>
<li>Rootshell</li>
<li>IPsend</li>
<li>Sun Packet Shell (psh) Protocol Testing Tool</li>
<li>Net::RawIP</li>
<li>CyberCop Scanner&#8217;s CASL</li>
<li>AckCmd</li>
<li>007 Shell</li>
<li>ICMP Shell</li>
<li>ACK Tunneling</li>
<li>Fragrouter</li>
<li>SideStep</li>
<li>Anzen NIDSbench</li>
<li>ADMutate</li>
</ol>
</div>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/04/tools-19-evading-ids-firewalls-and-honeypots/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Not A painpill but still a class on IDS and IPS</title>
		<link>http://www.expandingsecurity.com/2012/03/not-a-painpill-but-still-a-class-on-ids-and-ips/</link>
		<comments>http://www.expandingsecurity.com/2012/03/not-a-painpill-but-still-a-class-on-ids-and-ips/#comments</comments>
		<pubDate>Fri, 30 Mar 2012 17:25:10 +0000</pubDate>
		<dc:creator>Dean Bushmiller</dc:creator>
				<category><![CDATA[CISSP]]></category>

		<guid isPermaLink="false">http://www.expandingsecurity.com/?p=3688</guid>
		<description><![CDATA[Hi All, The painpill for this week will be out later today, but it has nothing to do with the Friday Intrusion Detection or Prevention class. I am offering two options for attending class today. Both are about IPS &#38; IDS. CISSP class is at 12:30 PM Central time, March 30, 2012. Type your name and email [...]]]></description>
			<content:encoded><![CDATA[<p>Hi All,</p>
<p>The painpill for this week will be out later today, but it has nothing to do with the Friday Intrusion Detection or Prevention class.</p>
<p>I am offering two options for attending class today. Both are about IPS &amp; IDS.</p>
<p>CISSP class is at 12:30 PM Central time, March 30, 2012.</p>
<ul>
<li>Type your name and email</li>
<li>Click this <a href="http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3146&amp;company=ExpSec&amp;namex=PP00&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2Ff_33%2F" target="_blank">link</a></li>
</ul>
<p>ISSMP class is at 3 PM Central time, March 30, 2012.</p>
<ul>
<li>Type your name and email</li>
<li>Click this <a href="http://www.expandingsecurity.com/contact-us/adobe-connect-login?theclassid=3412&amp;company=ExpSec&amp;namex=PP00&amp;link=http%3A%2F%2Ftraining411.adobeconnect.com%2FISSMP_M_33%2F" target="_blank">link</a></li>
</ul>
<p>Hope to see you!</p>
<p>Dean</p>
]]></content:encoded>
			<wfw:commentRss>http://www.expandingsecurity.com/2012/03/not-a-painpill-but-still-a-class-on-ids-and-ips/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

