Penetration Testing mailing list archives

[PEN-TEST] 'selling security' & risk
From: "Missy, E" <freehold () EROLS COM>
Date: Sun, 17 Sep 2000 00:29:48 -0400

Carv wrote:

This is something that every security professional
runs across, whether as a consultant or as an
employee to a company...how best to 'sell'

If this is way off topic, please kill mercifully.  It's Saturday night &
I'm feeling cranky, so here's where I take the opportunity (I'm blaming
it on you, Carv! and Azimuth wrote in about 'educating' a fellow admin a
couple days earlier) to complain about what I've personally noticed
recently - too small a sampling for me to call it a trend, but FWIW how
about those who want to acquire the latest fashion accessory: a security

'Selling' security hasn't been the problem so much, especially with all
the publicity - it's becoming chic to distribute a policy and include a
security briefing for new employee orientation.  You know:  it's a way
of saying, 'we're up on this, we've moved into the new millennium, *we
know* about this stuff.'

Actually *implementing* and *enforcing* is still another matter,
though.  That's where the kicking and screaming occurs.  How about
companies who (it is eventually revealed) never really intend to
enforce, because they just want a policy in place to show their
customers?  (Note:  Not dotcoms/e-commerce -- but nevertheless
accessible, with stored, sometimes very sensitive data.)

No formal announcement is ever made saying this, of course, but if you
keep an eye on them, you realize the policy is getting most of its
exercise from being shuffled through ring binders, attached to business
proposals along with HR info, and referred to periodically in corporate
emails that say things like, 'We trust that whoever was responsible for
last week's bandwidth gorge and binge will stop doing whatever they were
doing that caused us to have to go offline for a full day because that
was a really bad thing to do and we have a policy against it.'

Ouch.  IMO this goes back to that same old problem:  no one *truly*
believes they're vulnerable or a potential target until it's 'too late'
- it's sometimes like selling a potential need, a possibility, a
probability factor that no one really has a handle on because things are
happening so fast, new vulnerabilities and bugs and exploits hit the
ground running every day and even the definition of 'hacked' is still
being worked out.

D'you ever feel like the equivalent of a lightning rod salesman? ('Sir,
you WILL thank me for this someday when 10 million volts hits these rods
on your roof and slithers away harmless as water while your house stays
safe - why, these babies work so well you won't even know it

Except for another problem:  the #$#@! lightning keeps mutating and
developing new paths and tricks and methods, so I can't even tell a
client that his house is 'guaranteed to be safe'.  We can climb all over
the roof and nail rods on every point and pound wires into the ground
and the stuff'll figure out how to blap in through a window. :)

That's when a client wants to know what might be called the bottom-line
number:  'the odds of being hit' (I can cite projected stats and sampled
guesstimates and data that I intuitively feel doesn't reflect the actual
state of the net).  Then the client may seek safety in the harbor of
'we're too small for anyone to really go after us' or 'we don't store
anything of interest to a hacker!' and feel comfortable that not having
to go through 'the inconvenience and hassle' of implementing the policy
is actually a good trade-off in terms of the daily business process, at
least not for right now.

Which it frequently is -- unless lightning strikes catastrophically.

Does anyone add any kind of risk-benefit analysis (even rudimentary) to
your selling bag of tricks, i.e. a profile of vulnerabilities/network
architecture matched to loss potential, to help them through the
implementation process, at least initially?  Or do you reckon that to be
the client's responsibility?  What about for smaller companies whose 'IT
division' frequently consists of overworked sysadmins/network guys
desperately trying to keep up with patches, downtime, management
expectations, and rambunctious, free spirited users?

I feel less cranky already, just complaining out loud is a good
