Requirements for conducting VA and PT tests

On one of the lists I subscribe to I saw someone make this alarming comment:

There may be better and cheaper ways, but I suspect that an outsider
walking in and gaining root on your core database is much more
convincing than an auditor pointing out the same vulns.

That is a very sad situation to be in, since it

  1. shows how little faith your management have in the professional capabilities of their own staff, who are the people who should know the system best, and of the auditors who are trained not only in assessing the system but assessing the business impact of the risks associated with a vulnerability
  2. has no guarantees about what collateral damage the outsider had to do to gain root.
  3. says nothing about things that are of more importance than any vulnerability, such as your Incident Response procedures
  4. indicates that your management doesn’t understand or make use of a proper development-test-deployment life-cycle

Yes, it is more dramatic, in the same way that Hollywood movies are more dramatic.

One of my favourite “hacker” movies is “Swordfish“.

It begins with John Travolta saying how badly Hollywood portrays hi-tech and then goes on to demonstrate that, with lots of typical Hollywood drama, explosions, conspiracy theory, car chases, violence, guns, flashy graphics, sprinklings of sex and corny sentimentalism.

There is a later scene where the protagonist has to hack into a Department of Defence computer by speed-typing passwords. HAHAHA we all know reality is nothing like this and we see it as the joke that it is. But non-technical people don’t know any better; they don’t see the research, the probing, the social engineering.

So yes, management is more impressed by by flash and glamour


Now it you tried tied to convince those grey-haired suits with MBAs and 40 years of business experience about something in their own knowledge domain, something abut the kind of business risks they are used to dealing with, stock options, whatever, by using the flash and glamour of Hollywood, they would laugh at it just as much as we laugh at the outrageous silliness of John Travolta, Hugh Jackman and Hally Berry.

Having a hacker take over root will get their attention, yes, but it does not educate them about the proper approach to technology risk assessment and management in general and IT risk assessment and management in particular. Their response to such, based on their lack of understanding, might not be what you expect or want or think sensible.

In my database of DotSigQuotes is

The best way to get management excited about a disaster
plan is to burn down the building across the street.
— Dan Erwin, Security Officer, Dow Chemical Co.

Excited“, yes, but the result may be something like increasing the insurance – a business/financial response – rather than a technical response like better fireproofing.

The responses I’ve seen to pen-testing have usually been patch-overs.

The reason the pen-tester could get in was rarely a specific overlooked vulnerability and more often systematic failure of risk management, such as poor staffing, funding, lack of baseline controls and processes.

The responses I’ve seen to pen-testing have usually been patch-overs because that’s how management sees the problem. They don’t see that these security holes arise through other, deeper, more fundamental shortcomings that grow out of problems with policy, staffing, funding
and operations because of their ignorance of the technology. They are specialists in their own field, not in yours.

In the long run this “drama-response” is unproductive. It ‘teaches’ management the wrong thing – to respond to drama rather than to set up a good system of governance based on policy, professional staffing, adequate funding and operations based on accepted good principles such as change management.

About the author

Security Evangelist

Leave a Reply