Company Pen Testing and Pen Testing arrogance


Stevie

These are just random thoughts; I'm just making a discussion from what I've watched and seen. I know this is in all walks of life and not everyone is like this. But I've watched a few "cons" and am beginning to feel more and more that there either appears to be, or I'm just not understanding their personality, a lot of arrogance in the pen testing community. I admire their work, the holes they find I find interesting, the way they get around security, but some just seem to come across as arrogant. As an IT Engineer and not in the same league, maybe I feel inferior, so maybe, wrongly, I see it as arrogance, that they are looking down on me. I've always been interested in security, but this is what puts me off attempting to get into the field.

Where did this come from? The recent Pen Test done on our company. I'm not involved, but some of the finds in the reports just seem a little off to me. But that's another story. I was watching one of the old "cons" recently, Defcon 19, with the panel, and Jericho was on it. He seemed to come across really hostile and arrogant. I could be totally wrong, he's probably a decent guy, but I totally don't agree with his comment 14 minutes into the talk: that when you work 40-80 hours a week banging your head against a wall but being paid for it, pen testing for 15 years, going back every 6 months to re-test and nothing's changed, companies still not patching holes they've been warned about, maybe it's time they were bent over and fisted. You'll need to watch the video for the full quote. But I just feel: you're a pen tester, you're hired to come into a company like ours and test and give us a report. Nothing more. Pen testers aren't the law or police. It's then up to that company to decide if it wants to act on those holes. Yes, they'd be stupid not to, but it's the company's decision at the end of the day. It's not the right of the pen tester to feel he/she then has the right to "fist" the company after, because they gave them plenty of warning.

The whole talk just felt uncomfortable to me.

The other speakers I've enjoyed, though, are Dan Kaminsky and Zoz's talk at DefCon 18 when he had his Apple stolen :) (the Apple being stolen wasn't funny, how he got it back was), and also Jason Scott's talk "You're stealing it wrong".

This is why I'm crap at explaining what I'm thinking, because these talks show the industry isn't full of arrogance, and so does Hak5; hence, all those years ago when I found Hak5, I've ended up still here.

I'll get my coat.

Attrition has a history of being somewhat of, shall we say, a straight shooter. He takes his job seriously, and makes an effort to go after charlatans, and people who pass off pentests by doing a Nessus scan, per se. He can be abrasive, but I think his purpose is just, in that he wants to help the people he is doing pentests for and such. He can come across like you mentioned, because he isn't so much police as he is trying to drive home the point of security, and if a pentester comes back to the same company year after year, and you don't close the holes from the previous year, well, why bother? Companies do it for compliance in most instances, but unless they are a bank or such, many companies don't want to spend the money to fix holes if they think the risk is minimal enough that if an attack did happen, it costs less to clean it up than it does to protect and set up defenses in the first place, which brings us to the real issue. Money. Companies don't do anything unless it impacts their bottom line, which is also why I like watching Chris Nickerson's talks. He will straight up call you out and tell you to your face that you're a stupid, dicknose a-hole for not fixing the problem, but he will also show you why you should fix it and how it impacts a company's bottom line, and that's part of their job. They get hired to show where the flaws are, and why it's important to fix them, and also how it affects them monetarily. The bigger problem is, most managers, company presidents, etc. don't care about how many shells you spawned or domain controllers you compromised, because they have no clue what the fuck they are in the first place. So take with a grain of salt what some speakers say. They are angry and arrogant at times because they DO care, and sometimes they care too much about trying to make a difference and help others, like the companies that hire them.
Not everyone in the infosec community has the same type of personality either, and you illustrated that in your post above, so it's a wide range of people from all walks of life with knowledge in specialized areas that they are very passionate about, and also take offense when questioned on their work and efforts to come up with the exploits and techniques they've developed that others use without credit to the people who came up with them.

I guess the main thing to take away from all of this is, not everyone in the community is the same, and some are dead-on nice, approachable people, more than willing to let you ask questions and even mentor you. There are also others, with ten thousand things going on all at once, who don't even have time to take a lunch or pee break between things they do; some uptight, some laid back, some just still trying to get a foot in the door and have a chance to learn, so don't be deterred by one talk. You can't use that as a way to group and categorize an entire industry of people from just a few that might make a lot of noise. There are more than plenty of people from the other side willing to help teach and welcome you in, but you are always going to meet those who are of the old school who are like "get off my front lawn" and don't have the patience to deal with things, when they've spent decades or so working at the same thing and not seeing much progress from their side of the fence.

I've been working in IT for about 15 years. A lot of IT people are arrogant and egotistical, I've found. Not saying that this is directed at anybody. I've not seen the presentations you have. I've also had hard times where the economy is bad where I live and had to do other jobs outside of IT. During these times I've had the pleasure of working outside of IT and liked almost all, if not all, the people I worked with. Every IT job I've had, there have been people I could not stand to work with. Mostly because they are arrogant and abrasive. Again, I'm not trying to rip on IT people, but a lot of us need to pull our heads out of our asses.

I think a lot of the problem is you get the stereotypical "nerd" and all they've got going on in life is their IT career, so they need to flaunt it and belittle others to feel special or needed.

These people tend to also hoard information, and it's especially hard if you're new and being trained by such a person. It's called "Information technology" for a reason. The last thing people should be is unsharing of information in this field. But because lots of people feel powerful with knowledge, they tend to hoard it. Or... they don't know an answer to a question and are perceived to hoard information because they can't just say they don't know.

Just my 2 cents... sorry if it's a rant :) I know lots of nice IT people too!

The arrogance and idiocy goes both ways. I was pentesting within a large company the other week, and the IT manager was simply just rude. Always cracking jokes that we build pig-pens, dog-houses, baby-pens. That we can't do our job when our pens run out of ink. That same sadist even farted on purpose in the direction of our faces as he got up to go to the water cooler. I think the worst thing was he was encouraging the other system admins and technical support teams to join in on the fun/abuse. It became a very hostile environment quite quickly. Help and support disappeared virtually straight away, and it became very hard to do a thorough test in the limited time available. When it came to requiring credentials for patch checking, none were handed over... the response: "go find a post-it with someone's password on - hahaha". Our test scope only had permission for VA and build-reviews; we were specifically told NO EXPLOITATION, which is usually a big part of pen testing to demonstrate risk. In the end we found some admin accounts with weak passwords (antivirus:antivirus), but as soon as they discovered we had found a high-permission account they would disable the account and change the password. The assessment was getting very frustrating. But we did manage to severely own them in the end ;) - using the IT manager's admin-all-keys-to-the-kingdom account and weak password (6 character password, no special or numerics) (obtained from shoulder surfing!). Turns out the password was his wife's name.

The problem with pen testing and corporate IT is that corporate IT departments no longer want penetration tests, in fear of highlighting issues they need to fix. IT departments have gotten lazy; pen testing has now become VA (Vulnerability Assessments) with limited scope and support, limited time due to limited budgets (or just penny pinching from financial managers). I do not know if this is down to dumb IT managers that have been promoted or sidestepped into that role to prevent them doing further damage to the company, or simply because the upper management can't fire them. I find a lot of bad IT managers are only there because of the "Peter Principle".

As to getting frustrated about companies not fixing issues, I can see where pen testers feel the pain. I was at an organisation 3 years ago that got badly owned through their website. The pentest highlighted the way the attackers got in, and the report laid out all recommendations to fix the holes. The company also paid for security consultancy and training to help the development and technical teams think more about security. A new system was developed, and it looked like the company was moving forward in the right direction. Lo and behold, the following year they got owned again. Investigation took place and no changes had been made from the previous year. By this point I was friendly with the developers and asked them what happened. Their response: "the board would not sign off on our changes". I was furious; all that hard work for nothing. But what I was feeling was nothing compared to the development and technical team; they realised that no matter what they did, their actions would always be blocked/prevented by someone else; they lost all love and pride for their work. They slowly became lazy and uninterested in their jobs. The best ones eventually moved into other companies, for better challenges and working environment; the ones that had simply given up are still there to this day. And YES, 3 years on and they are still vulnerable to the same vulnerabilities, and they still get owned once/twice a year (you would think it would be more!); every 6 months I'm called in to attempt to perform a clean up - very frustrating!

Overall, we're a Team! IT geeks need pentesters to highlight problems in their environments so that they can fight for extra resources to fix the problems; no one wants to be pwned! IT geeks can learn tricks/new skills from pentesters, and more importantly vice-versa! IT geeks can supply pentesters with interesting bugs and crash dumps that can become the next 0-days, or even the name and version of products they're using so pentesters can undertake research.

Pentesters should fight and support the IT geeks (like the way Tron fights for the Users!), in the same way IT geeks need to support and fight for the Pentesters!

Ben (and a lot of others) have been screaming for a long time that IT and regular work staff need to be on the same team, but also that IT needs to work with the staff to motivate them to 1, help, and 2, understand why security is important, and yes, IT people can be abrasive, but the last post perfectly shows my point. Do something long enough, and find upper management isn't going to do shit for your suggestions, and you eventually take it to heart when you do care about your industry, job trade, etc., and a lot of pentesters and just average IT people go through the same frustrations. At the end of the day, if the cost of clean up is less than fixing and plugging holes, money wins out and they'll never implement the changes you ask to be made, and that's been an ongoing struggle in all IT departments, not just security related, for as long as computers have existed on company networks.

Some good points and interesting to hear from the Pen Testing side. I may be vague here in case someone I know reads these. I have been lucky in my current role as the engineers I work with are all nice and helpful, which is rare. I can't stand IT Engineers who hold information and aren't helpful. Anyone new, I try to help as much as I can. My old manager also drummed into us in my old company about "single points of failure". So I try to document everything & the fixes I come across. So if I'm not in or have left, someone else can fix the issue. We did have an engineer who was an arsehole but knew quite a lot in my past company. Once you worked out how to play him, he was easier to deal with, but I was really surprised he wasn't given the boot because he'd even be rude to the customers. But then senior management there were arseholes (I can think of a stronger word but can't say that here).

I feel one of the issues we currently have is our IT management panics when the pen test reports come in. They actually respect them, and so they should. But I've explained that I've always been led to believe they are suggestions & it's up to the company to decide if the fixes should be applied or not. If the suggested restrictions are too much, are currently unworkable and will hamper support, then they can wait and be changed later. I would like to be more open here, but for fear of people reading this, I can't. It would explain why we have issues. But some of the suggestions we feel they bring up aren't as severe as they claim. We have some good people that know what they are doing & they've even said some of the issues don't make sense. One of the issues they claimed was severe was our WIFI SSID name. For staff and clearly named so. They've said this will make it a bigger target and needs to be changed. 3 of us gave the argument, in private, why this was a non-issue. We've changed it to conform, but I explained, what's the point? If I use Airmon-ng, you'd sit there and monitor the WIFI in the area and see what you can see. Anything with an obscure name will look interesting. You'll monitor this obscure name, see loads of devices connecting and disconnecting and know it's a business, so target it. Another point was that, if it was me, I'd just check every one I see in the area; again, the one with the most devices popping off and on, I'd assume was a business, so again, target it. So I don't see how the SSID name is such an issue, and changing it to something obscure won't stop an attack on it.

It's good to see the point from the pen testing side though. The IT team midnitesnake came across, though, seem like arseholes and I'd never like to work for a team like that.

Don't take too seriously any attitude you see in these talks. They are preaching to the security converted and trying to show off a little. If anyone really treated clients that way (or cared that much, for that matter), then they would be in the wrong profession.

In reality, pentesters are hired to report on the security status, recommend better practice where relevant, and then back off. As mentioned above, it all comes down to money. The client company gets to decide whether fixing or leaving problems is most cost effective. It's simple business. Sure you get clients making questionable decisions, but that is their business.

Certainly, don't let anyone's attitude dissuade you from getting more involved in security. You get all types in all professions, but I suspect anyone causing trouble for someone earnestly joining the industry would be quickly shot down by the majority.

Problem I'm having is, although IT is my life, I enjoy my work and it's also my hobby and I've never got bored of it, so where's the problem? Gaming. I'm also a bit of a gamer and my motivation or discipline is shit. I have Vivek's WIFI book that he released, in the hopes of learning at least the basics of one area, but I've never forced myself to sit and go through it all. I always end up on a game instead of studying more. I have another powerful PC which is my lab machine with ESXi etc. on it. I set it up, then end up on a game again, so neglect it for months. Need to sort that out if I want to learn more and progress.

Yeah, it's always hard to make time to learn something new. My advice is to allocate a solid hour to work on it a couple of times each week, and promise yourself you will play games after if you complete the hour. Once you get started, you tend to get more into it and it becomes less of a chore. That's what works for me, anyway.
