<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Digital Sniper</title>
	<atom:link href="http://www.digitalsniper.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.digitalsniper.com/blog</link>
	<description>Critical Security Analysis</description>
	<lastBuildDate>Tue, 04 May 2010 01:53:41 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.1</generator>
		<item>
		<title>Penetration Test Costs</title>
		<link>http://www.digitalsniper.com/blog/?p=82</link>
		<comments>http://www.digitalsniper.com/blog/?p=82#comments</comments>
		<pubDate>Tue, 04 May 2010 01:53:41 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Techniques]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=82</guid>
		<description><![CDATA[Research suggests the average cost of penetration testing is $200 per hour, as of April 2010.  Most forum posts, which are really RFIs and RFPs, ask the wrong question.  People ask in general how much a pen test costs, and the answer is always: it depends.  Finally, several individuals broke the costs down to show [...]]]></description>
			<content:encoded><![CDATA[<p>Research suggests the average cost of penetration testing is $200 per hour, as of April 2010.  Most forum posts, which are really RFIs and RFPs, ask the wrong question.  People ask in general how much a pen test costs, and the answer is always: it depends.  Finally, several individuals broke the costs down to show the price comes out to around $200 per hour in the United States.  Sometimes this does not include a reporting fee, but like anything in the business, it depends on how the contract is written and what the deliverables are.</p>
<p>If someone were to take this $200 per hour fee and apply it to a military or civilian agency pen test, the price would be astronomical.  The actual attack time alone would be $28,800 for 12-hour days, six days a week, for two weeks (144 hours).  This doesn’t include travel costs, per diem and logistics, and this is for one pen tester!</p>
<p>James DeLuccia IV wrote a good blog <a href="http://pcidss.wordpress.com/2006/11/27/are-you-paying-too-much-for-your-penetration-test-by-james-deluccia-iv/" target="_blank">post</a> on pen tester evaluation back in 2006.  He states in the conclusion that good pen testers use automated pen testing products, like Core Impact, about 10% of the time.  The rest of the time they improvise based on findings to create a true pen test environment.  This requires an extreme devotion to the profession and, in our opinion, a job which also has to be the professional’s hobby.</p>
<p>The costs associated with this profession are relatively high.  Tools like Core Impact are pricey, yet there are alternatives such as Metasploit.  A search of any technical penetration testing literature from online retailers, like Amazon, reveals the high cost of knowledge.  Most of the information found in pen testing books can be found online for free; it just takes time and a willingness to find it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=82</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Overcoming IT Politics</title>
		<link>http://www.digitalsniper.com/blog/?p=79</link>
		<comments>http://www.digitalsniper.com/blog/?p=79#comments</comments>
		<pubDate>Fri, 26 Feb 2010 04:10:09 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Techniques]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=79</guid>
		<description><![CDATA[Office politics are always a joy to deal with.  So what happens when it affects or compromises security?  Good things don&#8217;t happen, that&#8217;s what.  Let&#8217;s face it, office politics occur in every office regardless of the industry.  It could be corporate, non-profit, government, military or whatever else you can imagine.  Just like traffic on the [...]]]></description>
			<content:encoded><![CDATA[<p>Office politics are always a joy to deal with.  So what happens when it affects or compromises security?  Good things don&#8217;t happen, that&#8217;s what.  Let&#8217;s face it, office politics occur in every office regardless of the industry.  It could be corporate, non-profit, government, military or whatever else you can imagine.  Just like traffic on the highway, it&#8217;s a factor that must be dealt with and its effects minimized to limit interference.  Easier said than done, trust me, I know.</p>
<p>In most cases, office politics is a result of poor promotion and employee rating systems which are biased and lack depth.  Control is focused on one individual, the manager, who encourages adulation.  Meanwhile, the manager engages in the same behavior with their boss, who is also an enabler.  It turns into a vicious cycle comprising “good ole boy” networks and favoritism.</p>
<p>However, there is another enabler of office politics: management indecisiveness and lack of focus.  If your management and executive team can’t make decisions, or enforce the decisions they do make, office politics and internal strife will escalate.  One of the key contributing factors is executives and managers who stagnate in one position for too long.  In most cases there must be turnover and change for an organization to rebuild, take a new direction and/or improve.</p>
<p>What does this have to do with security?  If your security operations are suffering because other IT groups fail to cooperate due to power struggles or office politics, you will be on the hook for failed security audits or compromises.  “They wouldn’t give me access or equipment” is not the answer you want to give auditors or lawyers.  However, giving this answer with evidence of your attempts to gain access or procure the equipment required to secure company or government assets is a different story.  One of the best catalysts for change is a negative impact.  Hope for a compromise or a massive audit failure due to inadequate security controls.  It’s like a dangerous intersection with stop signs.  Citizens ask for a stop light, but local officials won’t commit the funds to install one.  However, when someone gets killed at the intersection, action is taken to install the traffic light and quell the public outrage.  Promote your dangerous intersection as a point of concern and wait for the accident that gets you what you need.  In the meantime, don’t get your nose too dirty.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=79</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bigger Brother</title>
		<link>http://www.digitalsniper.com/blog/?p=75</link>
		<comments>http://www.digitalsniper.com/blog/?p=75#comments</comments>
		<pubDate>Tue, 10 Nov 2009 17:11:58 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Political]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=75</guid>
		<description><![CDATA[Most people dismiss this notion, but the terrorists won The War on Terrorism on 9/11/2001.  The non-extremist governments engaged in The War on Terrorism are just winning battles at this point, and a new article by Jeremy Kirk from IDG News Service is the latest evidence of this.  The UK is pushing to pass [...]]]></description>
			<content:encoded><![CDATA[<p>Most people dismiss this notion, but the terrorists won The War on Terrorism on 9/11/2001.  The non-extremist governments engaged in The War on Terrorism are just winning battles at this point, and a <a href="http://www.networkworld.com/news/2009/110909-uk-to-push-for-law.html" target="_blank">new article by Jeremy Kirk from IDG News Service</a> is the latest evidence of this.  The UK is pushing to pass a law requiring telecommunication companies to log and retain all forms of communication.  Does this remind anyone of the movie “V for Vendetta” or perhaps “Minority Report”?</p>
<p>It is disturbing when US citizens accept this type of governmental control.  There is obviously not enough emphasis placed on US Government and History in high school and college.  The US is unique and still a super power because it doesn’t follow what every other government does.  This topic of government control and surveillance has been hotly discussed within our circle of colleagues.  One side of the argument is that if you don’t have anything to hide you shouldn’t care if the government is collecting everything you do.  The other side of course is vehemently opposed to this type of government abuse and would rather keep it overseas or across the borders if it is going to exist.</p>
<p>The financial strain this will put on the telecommunications industry in the UK will be immense.  The cost will be passed on to the consumer, driving the cost of living higher and the market to a weaker stature.  The sad thing is a couple of red herrings will put this whole idea into a state of chaos because there just isn&#8217;t enough analysis capacity available to cover everything.  The time-sensitive nature of digital communications, coupled with the overwhelming amount of data processed daily, works against the UK.</p>
<p>The UK is getting itself into a dangerous area, not with its enemies but with its citizens.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=75</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reasonable Expectation of Privacy</title>
		<link>http://www.digitalsniper.com/blog/?p=73</link>
		<comments>http://www.digitalsniper.com/blog/?p=73#comments</comments>
		<pubDate>Sat, 17 Oct 2009 00:26:27 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Political]]></category>
		<category><![CDATA[litigation]]></category>
		<category><![CDATA[privacy]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=73</guid>
		<description><![CDATA[Anyone who’s worked for a large corporation has probably heard “there is no reasonable expectation of privacy”.  This applies to computer data, conversations, telephone calls, etc.  The Federal Government is most known for this practice and with good reason.  They have secrets and data which can be gravely damaging to life and/or industries. The Chicago [...]]]></description>
			<content:encoded><![CDATA[<p>Anyone who’s worked for a large corporation has probably heard “there is no reasonable expectation of privacy”.  This applies to computer data, conversations, telephone calls, etc.  The Federal Government is most known for this practice and with good reason.  They have secrets and data which can be gravely damaging to life and/or industries.</p>
<p><a href="http://www.chicagotribune.com/news/chi-buffalo-grove-web-fightoct14,0,4615421.story" target="_blank">The Chicago Tribune</a> posted an article discussing a case in Illinois where the identity of a forum poster was released by their ISP over disparaging remarks they made.  There have been similar cases in the past, and it always starts a debate over anonymity online.  Is it justified, is it a free speech right, is it a hall pass to skewer others?  Can it be unfairly damaging?  The short answer to all is yes.</p>
<p>Honestly, anyone who has any digital smarts about them knows better than to use their assigned IP address.  Is it right?  No.  Is it ethical?  No.  Does it provide a guarantee of not getting caught?  No, but it sure will hinder any traces and probably will result in wasted time by the justice system once the IP address goes overseas.  We aren’t condoning this activity but rather making a point.  How much money does it take to file a defamation suit?  How much do court costs, including investigation, come to?  If it involves international traces the cost increases exponentially.  The best point of attack is to have the administrators of the forum take down the post, or have the courts order them to take it down.  Most of these cases are the result of the popularity of litigation in the US.  Everybody wants to get rich off a lawsuit, and we are opportunists in America.</p>
<p>If someone speaks badly of us on a forum or attempts to spread a horrible rumor, the first course of action is to ask the administrators to take the posts down.  It takes 10 seconds to do.  If it is a threat, same resolution.  The internet makes everyone a tough guy, because of the anonymity of course.  People put too much value into what is said online by mere mortals when they should be concerned with more important and tangible issues.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=73</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Micro Essentials</title>
		<link>http://www.digitalsniper.com/blog/?p=68</link>
		<comments>http://www.digitalsniper.com/blog/?p=68#comments</comments>
		<pubDate>Thu, 01 Oct 2009 13:02:59 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=68</guid>
		<description><![CDATA[The leading headline on major security news sites is about Microsoft&#8217;s new anti-virus and malware protection application called Microsoft Security Essentials (MSE). Symantec has launched a marketing attack on MSE suggesting it is a mulligan for the failed OneCare program. Symantec states in their test of MSE they contracted with Dennis Technology Lab (DTL) in [...]]]></description>
			<content:encoded><![CDATA[<p>The leading headline on major security news sites is about Microsoft&#8217;s new anti-virus and malware protection application called <a href="http://www.microsoft.com/security_essentials/">Microsoft Security Essentials (MSE)</a>.  <a href="http://community.norton.com/t5/Norton-Protection-Blog/Microsoft-Security-Essentials-Reruns-Aren-t-Just-for-TV-Anymore/ba-p/155531;jsessionid=96C5B93749B8388205BC6CB724F67B7F#A374">Symantec</a> has launched a marketing attack on MSE suggesting it is a mulligan for the failed OneCare program.  Symantec states that for their test of MSE they contracted with <a href="http://www.dennis.co.uk/dennis_site/">Dennis Technology Lab</a> (DTL) in the UK to perform the actual testing.  This is quite amusing because of the key word in this test: contract.  What business would contract someone to provide test results which make them look bad?  It’s not as if Symantec would have written this article if they had lost.  A contract relationship nullifies any credibility.  If Symantec really wanted to tout their product over MSE, they should make the contract with DTL public.  No compensation amounts need be posted, just the details of deliverables and agreements.  It is interesting to note that DTL is a part of Dennis Publishing, which owns various high-profile technology-focused publications.  Wouldn&#8217;t it be a coincidence to see these publications hammering MSE?</p>
<p><a href="http://www.networkworld.com/news/2009/100109-independent-tester-security-essentials-very.html?page=1">Network World Security</a> and <a href="http://www.computerworld.com/s/article/9138730/Independent_tester_Security_Essentials_very_good_?taxonomyId=17">Computerworld Security</a> are reporting that <a href="http://www.av-test.org/">AV.test.org</a>, a genuinely independent tester, has given MSE high marks.  It should also be noted that Symantec, DTL and AV.test.org are all members of the <a href="http://www.amtso.org/home.html">Anti-Malware Testing Standards Organization (AMTSO)</a>.</p>
<p>The real issue here is MSE is free and Symantec will see a considerable reduction in market share and profits.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=68</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Unresolved SPAM Technique</title>
		<link>http://www.digitalsniper.com/blog/?p=65</link>
		<comments>http://www.digitalsniper.com/blog/?p=65#comments</comments>
		<pubDate>Wed, 30 Sep 2009 01:40:55 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=65</guid>
		<description><![CDATA[A strange SPAM procedure started occurring a couple of months ago.  An email was sent to a government employee, whose address had worked at one time, but a mail delivery failure message was returned.  We contacted this individual by phone and they stated a problem was ongoing with their email account.  A couple of days after [...]]]></description>
			<content:encoded><![CDATA[<p>A strange SPAM procedure started occurring a couple of months ago.  An email was sent to a government employee, whose address had worked at one time, but a mail delivery failure message was returned.  We contacted this individual by phone and they stated a problem was ongoing with their email account.  A couple of days after this, we started receiving SPAM messages with the government employee’s first name used as the salutation.  It seems as if the SPAM bot picked up the failed delivery message and the first name from the email address and used our address as the destination.  No SPAM expert we have talked with has been able to explain how this happened.</p>
<p>After some research we found an interesting site explaining backscatter SPAM. <a href="http://www.dontbouncespam.org/" target="_blank"> http://www.dontbouncespam.org/ </a></p>
<p>Based on the author’s definition, our SPAM problem appears to be some type of backscatter variant.  Yay.</p>
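<p>Backscatter is a bounce generated for mail whose envelope sender was forged, so the bounce lands on whoever was impersonated rather than on the spammer.  The remedy dontbouncespam.org argues for is to reject unwanted mail during the SMTP session instead of accepting it and bouncing it afterwards.  For the bounces that still arrive, the impersonated domain can separate bounces for mail it really sent from backscatter by signing its own outgoing envelope sender, the idea behind Bounce Address Tag Validation (BATV).  The following is an added example of that check and is not code from the original post: the secret key, the key id, the seven-day validity window and the sample addresses are assumptions made for the example, and the tag layout is BATV-style rather than a claim about the exact prvs specification.</p>

```python
"""
Added example (not from the blog post): BATV-style envelope-sender tagging
used to tell genuine bounces from backscatter.

Outgoing mail is sent with a signed, time-limited envelope sender of the form
    prvs=<key-id><expiry-day><6-hex-sig>=user@example.org
A bounce (NDR) for mail we sent must come back to that tagged address.  A
bounce to the untagged address, or one whose tag fails to verify or has
expired, is backscatter from forged mail and can be rejected at SMTP time.
Key, key id, validity window and addresses are constructed for the example.
"""
import hashlib
import hmac

SECRET_KEY = b"constructed-example-key-rotate-in-production"  # assumption: per-domain secret
KEY_ID = 0        # single digit identifying which secret signed the tag
VALID_DAYS = 7    # assumption: how long a tagged sender stays valid


def _sig(key_id: int, expiry_day: int, local: str, domain: str) -> str:
    """6 hex chars of an HMAC over key id, expiry day and the real address."""
    msg = f"{key_id}{expiry_day:03d}{local}@{domain}".lower().encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address: str, today: int) -> str:
    """Return the tagged envelope sender for mail sent on day `today`
    (days since the epoch).  The expiry day is stored modulo 1000, as prvs does."""
    local, domain = address.rsplit("@", 1)
    expiry = (today + VALID_DAYS) % 1000
    return f"prvs={KEY_ID}{expiry:03d}{_sig(KEY_ID, expiry, local, domain)}={local}@{domain}"


def bounce_is_genuine(rcpt: str, today: int) -> bool:
    """True only if the bounce recipient carries a valid, unexpired tag we issued."""
    if not rcpt.startswith("prvs="):
        return False            # untagged: we never send mail with a bare sender
    try:
        tag, original = rcpt[5:].split("=", 1)
        key_id, expiry, sig = int(tag[0]), int(tag[1:4]), tag[4:10]
        local, domain = original.rsplit("@", 1)
    except (ValueError, IndexError):
        return False            # malformed tag
    if key_id != KEY_ID or len(sig) != 6:
        return False
    if not hmac.compare_digest(sig, _sig(key_id, expiry, local, domain)):
        return False            # forged or tampered tag (wrong key or wrong address)
    # expiry is modulo 1000, so compute the remaining days allowing for wraparound
    remaining = (expiry - today % 1000) % 1000
    return 0 <= remaining <= VALID_DAYS


def classify_bounce(rcpt: str, today: int) -> str:
    """Decision an inbound MTA would apply to a message with an empty MAIL FROM."""
    return "genuine bounce" if bounce_is_genuine(rcpt, today) else "backscatter: reject"


if __name__ == "__main__":
    today = 14720                      # constructed day number for the example
    tagged = tag_sender("alice@example.org", today)
    print(tagged)                      # tagged MAIL FROM used on outgoing mail
    print(classify_bounce(tagged, today))                 # genuine bounce
    print(classify_bounce("alice@example.org", today))    # backscatter: reject
```

The check is applied only to inbound messages with an empty MAIL FROM (the null sender bounces use), and every MTA that sends for the domain has to tag its sender, otherwise genuine bounces for mail from an untagging path are rejected along with the backscatter.  The key id exists so the secret can be rotated without invalidating tags still in flight, and the short validity window bounds how long a captured tagged address is useful to a spammer.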
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=65</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Business Focused Security</title>
		<link>http://www.digitalsniper.com/blog/?p=62</link>
		<comments>http://www.digitalsniper.com/blog/?p=62#comments</comments>
		<pubDate>Mon, 28 Sep 2009 17:51:29 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Techniques]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=62</guid>
		<description><![CDATA[While reading the details of the amusing cat fight between Google and Microsoft over the Chrome Frame plug-in, we noticed an interesting white paper available on Network World&#8217;s page.  Seven Practice Steps for Federal Cyber Security FISMA Compliance has some interesting guidance and talks about an important point in security. IT and digital security are [...]]]></description>
			<content:encoded><![CDATA[<p>While reading the details of the amusing cat fight between Google and Microsoft over the <a href="http://www.networkworld.com/news/2009/092409-microsoft-blasts-google-over-chrome.html?hpg1=bn" target="_blank">Chrome Frame plug-in</a>, we noticed an interesting white paper available on Network World&#8217;s page.  <a href="http://www.networkworld.com/rxc/187052/nwwlib_wp">Seven Practice Steps for Federal Cyber Security FISMA Compliance</a> has some interesting guidance and talks about an important point in security.</p>
<p>IT and digital security are NOT the focus of a business, unless the sole purpose of your business is to provide those two elements.  The Federal Government’s purpose is not IT services or cyber security, and this misconception is the root problem in many organizations today.  IT and security personnel lose sight of the fact that they are employed to support the business and help it reach its goals.  Every consulting engagement we have been involved with has faced the terrible situation of overcoming IT organizational control, or perceived control.</p>
<p>Interviews conducted during process improvement initiatives support the IT control statement.  Probably 9 out of 10 IT personnel interviewed would say they didn’t know what their employer’s focus or goals were.  Pre-school kids have a better understanding of strategic goals than most IT and security professionals, and I use the term professionals loosely.  If you have a big drawing for a group of kids to color and assign each one a part to complete, they understand the bigger picture is to have a completed drawing.  Companies do a poor job of communicating their goals and initiatives to employees and ensuring they know the focus is reaching those goals.  IT is a mechanism to reach those goals, not the goal or centerpiece itself.</p>
<p>The first step in this <a href="http://www.networkworld.com/rxc/187052/nwwlib_wp">Seven Practice Steps for Federal Cyber Security FISMA Compliance</a> white paper is phenomenal writing.  The last contract we worked on involved application development, security risk analysis and process re-engineering for a Fortune 500 client.  No one knew anything about the systems they ran, and that is an understatement.  Responsibilities were passed from one group or individual to another the more involved we became.  Ownership of data was a mystery and spread over multiple databases with no control.  The best part came when no one wanted to give the green light to dissolve the mess and implement streamlined systems with assigned data controls and responsibilities.</p>
<p>In the end, we provided our services and solution to the problem this organization faced.  Politics and spineless management intervened to help this problem persist and it still does today.  The shareholders of this organization would be outraged if they learned of underlying problems, which are no doubt helping the stock price drop.  Dog and pony shows eventually turn into slaughter houses.</p>
<p>Step 4: Integrate and Help Enforce Change Management Processes is a stretch in our opinion.  Is it required?  Yes.  Will it be enforced long-term?  Probably not.  The same problem plagues change management programs no matter the organization or the situation: red tape.  Most incidents involving a change management breach occur because someone or some group needs to test something quickly to meet a deadline, or they are directed by executive leadership to get something done and to hell with policy.  Unauthorized access points are the main violation that comes to mind here.  Change management is required by virtually every compliance program, but it fails due to long-winded and poorly written procedures.  For it to be successful, it must allow for quick decision making and a short approval or disapproval chain with alternates, and it must be time-sensitive.  When we say time-sensitive, the change will be for a specified time and cut off immediately, without question, when that time passes.</p>
<p>We have no affiliation with Tripwire and have never used their products.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=62</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NSA IEM and IAM Changes</title>
		<link>http://www.digitalsniper.com/blog/?p=58</link>
		<comments>http://www.digitalsniper.com/blog/?p=58#comments</comments>
		<pubDate>Fri, 25 Sep 2009 13:33:03 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=58</guid>
		<description><![CDATA[The NSA INFOSEC Assessment Methodology (IAM) and INFOSEC Evaluation Methodology (IEM) have been changed as of August 26, 2009.  The course has been revised and combined to create the Information Security Assessment Methodology (ISAM). Security Horizons has agreed to redesign the course and will be offering training.  Please note, if you received an IAM and [...]]]></description>
			<content:encoded><![CDATA[<p>The <em>NSA INFOSEC Assessment Methodology (IAM)</em> and <em>INFOSEC Evaluation Methodology (IEM)</em> have been changed as of August 26, 2009.  The courses have been revised and combined to create the <em>Information Security Assessment Methodology (ISAM)</em>. Security Horizons has agreed to redesign the course and will be offering training.  Please note, if you received an IAM or IEM certification prior to August 26, 2009 you will NOT be granted an ISAM certificate.  The IAM and IEM certifications do not expire according to IATRP.  You can learn more by visiting the <a href="http://www.isatrp.org/">IATRP site</a>.</p>
<p><a href="http://www.securityhorizon.com/" target="_blank">Security Horizons</a> is also offering a red teaming course called <em>Information Security Red Team Methodology (ISRM).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=58</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Executive Distress</title>
		<link>http://www.digitalsniper.com/blog/?p=52</link>
		<comments>http://www.digitalsniper.com/blog/?p=52#comments</comments>
		<pubDate>Thu, 24 Sep 2009 01:46:59 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Techniques]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=52</guid>
		<description><![CDATA[The most important aspect of handling threat or risk is time.  It will take time and considerable resources to track the threat down.  One of the problems with this time factor is executives who operate in their own dimension.  If they are getting beat up by the stakeholders they are going to want answers and [...]]]></description>
			<content:encoded><![CDATA[<p>The most important aspect of handling a threat or risk is time.  It will take time and considerable resources to track the threat down.  One of the problems with this time factor is executives who operate in their own dimension.  If they are getting beat up by the stakeholders they are going to want answers and results NOW.  If your explanation is “it&#8217;s going to take time”, you might be looking for a new job.  The best approach when dealing with executives and their dementia is to feed them real and usable information to keep the heat off.</p>
<p>For example, if you put a status presentation together outlining the process used to capture all traffic off the core switch SPAN port and explaining that you installed a removable media monitoring solution on all clients, you will either get a deer-in-the-headlights look or have teeth marks in your rear end.  This is the problem with tech folks and executives: failure to communicate.  Since the executives run the business and sign the checks, guess who needs to learn the other’s language?</p>
<p>One of the most difficult tasks for tech-savvy employees to overcome is writing or creating outside technical boundaries.  Think about it this way.  How is capturing traffic off a SPAN port going to help someone explain progress or satisfy stakeholders?  “We are focusing the effort through administrative clandestine operations to identify malicious or criminal activity.”  See, an executive can run with that statement far better than &#8220;We plugged a Niksun into our SPAN port, captured all traffic, rebuilt TCP/IP sessions, and are using filters to identify activity outside our baseline.&#8221;  You also accomplish another mission by keeping it high level and &#8220;gray&#8221;.  Executives are notorious for inadvertently leaking information.  You need to keep your security analysis methods classified and on a need-to-know basis.  Unless an executive wants to know exactly what you are doing, just give them enough high-level information to keep them happy.</p>
<p>IT types get too wrapped up in details.  Executives don’t care about details, especially technical details.  They speak in generalities and commit to nothing, just like politicians, and this is no coincidence.  The more details provided, the more pigeonholed they feel, and that is never good.  Remember the teeth marks.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=52</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Back end vs Front end</title>
		<link>http://www.digitalsniper.com/blog/?p=50</link>
		<comments>http://www.digitalsniper.com/blog/?p=50#comments</comments>
		<pubDate>Thu, 24 Sep 2009 01:38:39 +0000</pubDate>
		<dc:creator>Ballistic</dc:creator>
				<category><![CDATA[Threats]]></category>

		<guid isPermaLink="false">http://www.digitalsniper.com/blog/?p=50</guid>
		<description><![CDATA[Talking with the Deputy CISO of a government organization brought up the topic of front end and back end security.  What exactly is this?  If you search for these terms you will find this is another gray area in security and IT in general.   In application development, specifically web applications, the front end is [...]]]></description>
			<content:encoded><![CDATA[<p>Talking with the Deputy CISO of a government organization brought up the topic of front end and back end security.  What exactly is this?  If you search for these terms you will find this is another gray area in security and IT in general.  In application development, specifically web applications, the front end is the interface and what the end user will interact with.  Conversely, the back end is what the user never sees and usually doesn&#8217;t care about.  In terms of security, and the context in which this Deputy CISO used the terms, you wonder if they knew what they were talking about, or if there was a serious internal threat to be tracked down.</p>
<p>Tracking down internal threats on an enterprise network can be daunting.  It goes without saying that you can&#8217;t shut the network down piece by piece to isolate the threat unless there is a compromise which could result in grave danger or loss of life, and sometimes even that isn&#8217;t enough.  The explanation we received made it seem as if one entity handled the front end security: the web servers, perimeter security devices, etc.  This individual&#8217;s organization handled what he called the back end.  The use of enterprise security management applications like ArcSight was mentioned, so apparently the core back end systems are being fed into ESM for analysis.  Hopefully, the analysis and effort doesn&#8217;t end with ESM.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.digitalsniper.com/blog/?feed=rss2&amp;p=50</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
