Home page logo

pen-test logo Penetration Testing mailing list archives

Re: My Frustrations Step Two
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Fri, 19 Dec 2008 07:44:39 -0500

Comments embedded below:

On Dec 19, 2008, at 7:04 AM, Paul Melson wrote:

On Thu, Dec 18, 2008 at 7:27 AM, Adriel T. Desautels
<ad_lists () netragard com> wrote:

So it appears to me that the solution to this problem is to provide the customer with ammunition so that they can quickly shoot down the fraudulent security experts and properly identify the real ones. There are different services, different classifications of service, different threat levels, etc. If our customers knew how to identify what they needed, they could use that to choose a good provider with much more success. But thats the real problem isn't it? Our customers aren't security experts and as a result they
don't know what they need...

I think that you're on the right track here, insofaras customer
awareness is the key to differentiating expert pen-testers from people
who charge money for Nessus scans.  (To that point, using a scanner
isn't a differentiator between a poseur and a real pen-tester, but
*only* using a scanner is probably the big one.)  But this is far from
a silver bullet.  As I pointed out the last time we discussed this
topic, there are customers out there that want - or are required to
have - a report from a third party that shows hat they're secure.  And
they're not willing to pay much, so they're not going to get much.

Paul, do you think that customers go cheap because they don't know why they should pay for the more expensive service, or do you think that they go cheap because they don't care? If they don't care isn't that usually an indication of a lack of understanding/education about the threat? The fact of the matter is that most businesses have intellectual property that is worth a lot of money and that in almost all cases hackers can get at that information. Hell, if you paid a blackhat $25,000 to get the information you'd probably get it within 8 hours.

My opinion thus far is that some people just don't understand why good security is a requirement. I think that most people really misunderstand and underestimate the threat.

For a Netragard, or an InGuardians, or an IOActive, or an Immunity, it
is simply not worth their time to work with clients who want to do
security on the cheap.  They staff experts, and they pay for it.  As a
result, so must their clients, and it's clear that they don't have
problems getting clients who are willing to pay for access to their
experts.  But if somebody's willing to spend money, somebody's also
likely willing to take it, and that's not going to change no matter
how much you educate the customer.  Unqualified people will continue
to do IT security work for the duration.  And for those that propose
licensing as a solution, ask an attorney how effective that's been in
their field.

So, what questions can we arm our customers with so that they can weed out
the Frauds?

I think that this is less about general education and more about brand
awareness.  It is a business, after all.  In our industry, you build
brand awareness by publishing new research and by sending your experts
to present at conferences where they can be seen.  Oh, and you put
your logo on all of it. :-)

The end result will be customers who want, and can easily find,
upper-echelon talent and service on one end, and customers who care
only about cost on the other, with a pretty big middle defined by
various organizational constraints.  Frankly, I'm not sure we aren't
already there.


Adriel T. Desautels
ad_lists () netragard com

This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]