Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Tag Archives: response

Pulling the hat out of the rabbit!

* This is a blog post response to the Getting Information Security Back to Basics – Change Management & Process Improvement blogpost by @wh1t3rabbit

Background

A week or so back Raf asked for some softball questions on Twitter for him to answer at the HPdiscover conference taking place in Vienna.

Just to keep him on his toes I threw him a curveball and asked .:

Why should companies spend money on vendor products when what they need is better processes and basic hardening?

Sure, I could have phrased it better, and I could have spiced it up a little, but for an off the cuff answer I think it made the point… Why do companies put so much stock in the next big thing, the big device with the flashy lights and the readout that tells you if your companies security is green, orange or red!

Raf took the time to form a full answer over on his Following the White Rabbit blog

Response

First let me say that I respect Raf for answering the question. There are too many people in this industry that would have just ignored the question and stuck to the easy home runs. Below I’ll try to answer a few of the key points he made as best I can. As usual, take everything I say with a pinch of salt (and a shot of vodka if you’ve got it!)

…your question seems to imply that you feel there is a mutual exclusivity between the very fundamental problems you see organizations facing and purchasing products/services from vendors

Yes and no. I try not to think in black and white, and there will always be companies that are in a situation where they need $vendor to help them. However, with that said, the penchant for buying a blackbox with the goal of becoming secure is worrisome and something that I feel is holding companies back from achieving the goals that they have both in business and security. I’ve seen instances where products and services from vendors have improved a company’s security posture, but those are dwarfed by the number that have simply wasted time and money on things that were unneeded, dysfunctional and downright pointless.

IMPO (In My Personal Opinion) a CISO/CSO that budgets more for shiny black boxes than for manpower, training and back to basics style projects, is misinformed and destined to fail. remember the age-old saying…

Nobody ever got fired for buying XYZ

The XYZ has changed over the years from IBM, through to Microsoft and who knows where it is now! Still, the comment irks me regardless. Too many CISO/CSOs believe that the best way to keep the status quo is to buy the latest and greatest thing. Whether that’s DLP, deep packet inspection devices, or a box that blinks red when it detects Anonymous activity. Nobody ever got fired for buying the latest and greatest! … but maybe they should have! Companies don’t need a CISO/CSO to tell them “buy this device”… the need somebody to help make the company more secure. To guide the hand of the company’s security posture.  Somebody to set a goal, whether that’s “reduce our patch time from 30 days to 14” or “react to virus infections within 2 hours”. Leave the how to the people who are on the ground doing this every day. If they can achieve this through training, better processes for response teams, or additional head count, then great. These things are going to improve the security of the company more than a device that goes *bing* when your web server sees a malformed packet from China!

With that said… there are places where $vendor can assist companies. Taking the examples I gave a moment ago. It’s hard for a medium to large company to improve patch times if they don’t have a central way to test, roll out and monitor systems. Even harder when they (like far too many companies) don’t even know where or what their systems are! It’s also hard to respond quickly when you don’t have a central AV solution and the tools needed to respond correctly. These are all things that are required to some degree or another. However, there’s a downside, as with everything. The more budget that gets pumped into these devices, the less people and training for those people you seem to encounter. These devices don’t work themselves, and a machine sitting in a corner saying “RED ALERT” is only as good as the people watching it, and the process behind what to do next!

Like @wh1t3rabbit said conveniently in an out of context tweet

It’s all about balance

$vendor != security… but then again, without them it’s hard for us to have the information we as security professionals need to get our jobs done.

I don’t hate vendors… but I don’t want them controlling my security.

In response to: Fradulent Security Experts

This post is in response to “Fradulent Security Experts” as posted on the SNOsoft Research Team Blog

As a lot of other security professionals (and I use the term loosely), I subscribe to a range of mailing lists to keep my finger on the pulse so to speak. Amongst the usual posts to the Nessus mailing list (followed normally by a rude or at the very least, rudely worded response from Tenable & Co.), and the informative posts on PaulDotCom and the SANS mailing lists, there lies the PenTest mailing list. I tend to prefer lurking on this list, as a lot of what I see makes me cringe. However I’ve never taken the time to comment on the mailing list before. That is until I saw the blog post from Adriel T. Desautels on the SNOsoft Research Team blog.

If you’ve not had a chance to read the blog, then I’ll summaries. His gripe (and rightfully so) is about so-called security professionals selling a service (and we’ll use a penetration test here as an example) and then not being qualified to finish the job. I’ve seen it on the mailing list before, but the latest post regarding SQL injection.

Now I want to quantify something before we move forward. I have no problem with people asking questions. I like to help people out where I can, and if people want to learn then asking questions is a must. However when people start their question with something like “I’m doing a pentest for a customer and…” I start to get worried. After all if you have a customer then you should know enough to cover the basics. Sure some of the questions are real brain teasers, but a lot fall into the “security 101” arena. So many people seem to think that penetration testing is about running nmap and nessus and walking away. There will always be people looking to make a quick buck, and penetration testing will be no exception.

The problem is, that there is no easy solution. Certification (as was discussed in the PenTest mailing list recently) is no indication of a persons true knowledge. Also at fault here is the Human Resources people who think a CISSP means everything security. Anyway, that’s an argument for another day. There is a lack of regulation and accreditation in the security industry as a whole. What accreditation does exist (i.e. Crest, the Council of Registered Ethical Security Testers in the UK) lacks pull, and is restricted to government contracts. However the problem really lies with the customers. I know it’s hard to say, but the average customer will take the lowest and quickest quote. If I say I can do it $100 cheaper and in 2 days less, then I win, no questions asked. Instead the customers need to be asking, why you’re better suited to do this test. How many have you done before, can you give sample reports, can you give references for previous work, and can we see the CV of the staff doing the test. Maybe it’s time for a list of questions the customer needs to ask, after all right now it’s the penetration testers doing the asking.