Penetration Testing
mailing list archives
Re: My Frustrations Step Two
From: "Adriel T. Desautels" <ad_lists () netragard com>
Date: Fri, 19 Dec 2008 07:44:39 -0500
Comments embedded below:
On Dec 19, 2008, at 7:04 AM, Paul Melson wrote:
On Thu, Dec 18, 2008 at 7:27 AM, Adriel T. Desautels <ad_lists () netragard com> wrote:
So it appears to me that the solution to this problem is to provide the customer with ammunition so that they can quickly shoot down the fraudulent security experts and properly identify the real ones. There are different services, different classifications of service, different threat levels, etc. If our customers knew how to identify what they needed, they could use that to choose a good provider with much more success. But that's the real problem, isn't it? Our customers aren't security experts and as a result they don't know what they need...
I think that you're on the right track here, insofar as customer awareness is the key to differentiating expert pen-testers from people who charge money for Nessus scans. (To that point, using a scanner isn't a differentiator between a poseur and a real pen-tester, but *only* using a scanner is probably the big one.) But this is far from a silver bullet. As I pointed out the last time we discussed this topic, there are customers out there that want - or are required to have - a report from a third party that shows that they're secure. And they're not willing to pay much, so they're not going to get much.
Paul, do you think that customers go cheap because they don't know why they should pay for the more expensive service, or do you think that they go cheap because they don't care? If they don't care, isn't that usually an indication of a lack of understanding/education about the threat? The fact of the matter is that most businesses have intellectual property that is worth a lot of money and that in almost all cases hackers can get at that information. Hell, if you paid a blackhat $25,000 to get the information you'd probably get it within 8 hours.
My opinion thus far is that some people just don't understand why good security is a requirement. I think that most people really misunderstand and underestimate the threat.
For a Netragard, or an InGuardians, or an IOActive, or an Immunity, it is simply not worth their time to work with clients who want to do security on the cheap. They staff experts, and they pay for it. As a result, so must their clients, and it's clear that they don't have problems getting clients who are willing to pay for access to their experts. But if somebody's willing to spend money, somebody's also likely willing to take it, and that's not going to change no matter how much you educate the customer. Unqualified people will continue to do IT security work for the duration. And for those that propose licensing as a solution, ask an attorney how effective that's been in their field.
So, what questions can we arm our customers with so that they can weed out the frauds?
I think that this is less about general education and more about brand awareness. It is a business, after all. In our industry, you build brand awareness by publishing new research and by sending your experts to present at conferences where they can be seen. Oh, and you put your logo on all of it. :-)

The end result will be customers who want, and can easily find, upper-echelon talent and service on one end, and customers who care only about cost on the other, with a pretty big middle defined by various organizational constraints. Frankly, I'm not sure we aren't already there.
PaulM
Adriel T. Desautels
ad_lists () netragard com