Christopher Healey, thesidechannel
When you show up in red at your local emergency room clamoring for the half-baked attention of someone in scrubs, they ask you a few pointed questions, assuming you're exhibiting something remotely resembling consciousness. What they put on the back burner amounts to the bulk of your medical history, and all manner of details you'd normally find fascinatingly important. They more or less don't know who you are, and there will be plenty of time to find out.
Once they stop the bleeding.
Things are much the same with your average penetration test. Penetration testing is not a panacea. If you succumb to the allure of simply chasing the perfect pen-test profile, you will eventually die a death of a thousand cuts (and probably sooner rather than later). But if you're bleeding out today, you don't have time to phase in a layered and comprehensive security program. You need to stop the bleeding!
There are a select few organizations that have a well-structured, sensible IT security management program in place. Most fall short; far, far short (although many are now improving). The individuals that are up to their elbows every day in keeping the juggernaut rolling often have an intuitive sense that they're ignoring something important, but aren't sure how to communicate that to management in an effective way. If they do get their point across, that security needs a deeper look, it's almost always considered an imposition, a pure expense that will never be recouped.
And then they realize that they're covered by the latest flavor of regulation. Suddenly, the downside risk of not properly addressing the myriad of issues faced is given a clear and present value; one for which they'd rather not find themselves on the receiving end.
Panic ensues. We must become compliant. We'll do anything. And they go off like a cluster bomb, hitting everything in sight, diluting their efforts as measured against the rational focal points that would actually contribute something more toward their goals.
...
As risk management and security consultants, we ultimately want to help steer our customers toward the best realization of their goals. Our own goal in helping them down this road is not to drum up the value of security. Security, in and of itself, has *no* intrinsic value. Our goal is to help them understand the *instrumental* value that managing their IT risks has in actually achieving their core objectives. Once we can help them see the relations of value that we've come to understand for ourselves, an exciting partnership will reveal itself. Every engagement we join that falls short of this is in some sense our own communication failure.
But you can't usually walk into situation X and talk your way into a strategic consulting engagement. And if you could, you're either very, very good, or it's not likely your customer will be in business for long (given that level of skepticism). Being allowed "into the fold" as a trusted risk/security advisor is a much deeper proposition than most of us realize.
The fact is that when you're initially interacting with a client on a technical level, there are many mutual unknowns. Before jumping in headlong, it makes sense to build a valid trust between yourselves. If they are relatively competent, your client will probably maintain a significant number of barriers until you can directly exhibit your work ethic, competence, priority structure, etc.
A penetration test is an exceedingly well balanced format in which to do this, and offers great leverage in building a relationship that will result in an improved ability to contribute toward the betterment of their security program.
The engagement is normally very specific as to the scope and parameters of the testing. Your handling of communications and scheduling of project components speaks directly to your level of organization. Your adaptation to the anomalies that arise will speak to your desire to be thorough and generate maximum value. Your interpretation of discovered issues and resolution paths will establish your competence and worth as a trusted advisor.
In most cases, the perceived value of penetration testing can often be quite bounded. However, if we profess that our goal is to do the most good for our clients, it is our responsibility to use the small contact surface we do have accessible to us in demonstration of our deeper value. The result of a penetration test can be much wider than the technical conclusions reached. It can grow the roots of a relationship that allows our clients to realize the instrumental value of security that they *must* achieve through a comprehensive security management program; ultimately, in order to focus on safely dominating their market.
P.S. The question regarding the merits of penetration testing is a perennial one, with advocates and detractors on both sides. One of the most succinct and constructive discourses I've seen on the topic was a point-counterpoint in early 2007, with views by Bruce Schneier (here) and Marcus Ranum (here). Bruce and Marcus make a slew of great points that really help to highlight the multitude of views you'll encounter.
Hi Chris, Thank you for taking the time to share your information. I'm not too sure what you are talking about here: A certain type of test you receive if you end up bleeding? What kind of injury? But then it appears you are talking about good policies and procedures? I don't understand "Penetration testing". I am sure it's just me.
Maybe those in your field will understand and benefit from this information. Lord bless you!
You make a good point. I wrote this article for the information security community, but have posted it in a number of additional places to spread my net a little wider. What I should have done is include an introduction setting the context for the article.
To simplify, penetration testing is attacking your own computer networks from the perspective of an outsider, to determine if you're really secure. It's meant to be a single tool in a larger toolkit. Ultimately, to achieve consistent, effective, and measurable information systems security, you need a comprehensive program, including both internal and external audit at various intervals. Penetration testing can help reach this ultimate goal, but without the context of a larger security program to frame its results, it is of very limited value.
But you often can't help an organization improve their overall security program unless you've already established the credibility that comes with having worked together closely. The penetration test is a great way to do this, namely because it's rarely a complicated project from an administrative perspective, even if actually performing the testing can be very technical. So if you're ultimately a bad prospect, their downside risk is much more limited than with other security projects.
After doing the penetration test as an initial engagement, you've likely won the credibility to help them truly enhance their core security management program, dealing with issues through structural solutions, rather than point fixes.
And if your client does have any *extremely* serious issues, you've identified them for remediation prior to worrying about the overall program; you can help them stop the bleeding.
Hi Chris, this is a great description of what you do--I think if you put your answer to me in an article, you will expand your reader base to people like me who are outside of your industry. It becomes an interesting article because I feel I am learning something new instead of already having to be in the "know" to enjoy the article.
Thank you for teaching me something new today. :-)