Survey - Selling Security

Following is a survey conducted by me on 3 simple questions which a lot of security professionals may have seen, heard and answered in the course of their career. These three questions are simple, but cover the basic questions any client may ask frequently,

Question1: How much would you charge for a pen-test for a 500 user base? (involving Desktops & Servers). Scope of work is to conduct VA, PT and a Social Engineering exercise. Is Rs.20,000 a realistic number for the said scope?

A) Auditor X - Done generally to reduce price or show their objection (price/budget). There's all kinds of people who do these tests, For example, I've heard about people pricing a 50 server assessment for Rs.10,000 (with PoC Exploits). I have seen reports being copy / pasted from the scanner without any change for a lot of engagements.

B) Sec Consultant - The price has to be more, but preferably in double digits, not in lakhs!

C) Big4 Consultant - Practically not possible to price a pen-test of this magnitude at the client's budget

(Minimum 10 lakhs for the engagement would be my quote)

D) Customer X - 1.5 to 2 lakhs will be a realistic budget, Unrealistic to ask for 20K

E) Trainer X - Approximate number would be upwards of 1 lakh, I don't know what would be a realistic number.

F) Former Dev X - Definitely wouldn't do it for 20,000. Regardless of the tools used the skill set I've learnt over years, that's what demands pay.

Question2: Is it fair to compare a consultant's time, skill and experience with tool(s) license cost?

A) Auditor X - Obviously the tool's cost is cheaper, why do they need the consultant in this case?

B) Sec Consultant - Need for a mix of both things (tools and consultant's skillset)

C) Big4 Consultant - 10 lakhs minimum - 20,000 is not possible, manual effort, interpretation of vulns and skill involved is the differentiator.

D) Customer X - Based on the frequency, I will choose whether or not to hire... IF Quarterly or frequent tests (say 12) are warranted then I'll train in house personnel for the requirement.

E) Trainer X - Anybody can run a tool, but without properly understanding the vulns and what happens behind the scenes, the test results can't be interpreted properly.

F) Former Dev X - No it doesn't justify the argument, I wouldn't just rely on a guy who doesn't know security. 

Question3: Do Certification(s) like CEH, CPTS and a couple more enable you to carry out a penetration test?

A) Auditor X - People can't run tools properly, let alone conduct a proper test. You'll be shocked by the things I've heard about CEH and how it (CEH Training/Cert) can be procured for 15K inclusive of exam voucher.

B) Sec Consultant - Yes... but depends more on the foundation and creative ability...

C) Big4 Consultant - Certifications are theoretical, cover only basics of tools, do not impart practical knowledge.

D) Customer X - Real time experience and fundamentals are necessary... just certifications won't help in conducting a penetration test.

E) Trainer X - Absolutely not possible to perform a test in live environment.

Content provided in certification is theoretical and not a real indicator of skill.

MNCs may buy the argument, but even they conduct interviews to assess the credibility and skill set of a candidate.

F) Former Dev X - Honestly certifications are to "basically convince prospective employers and yourself" that you know something that you don't. Haha! The certification's content just scratches the surface of what's possible.

Participants of the Survey:

Auditor X - Infosec Auditor with over 5 years of experience, which includes areas such as VA, PT, Auditing, Operational Risk, Business Continuity

Sec consultant - Over 10 years of experience in GRC, Vulnerability Assessment, Pen-Testing

Big4 Consultant - Security analyst with 3 years experience in Web - Vulnerability Assessment, Pen-Testing

Customer X - Works as a manager for a manufacturing giant, over 8 years of experience.

Trainer X - Works as a trainer on mostly Windows, Networking and Security based topics.

Former Dev X - A former developer working for an MNC, With exposure towards Programming.

Former Dev X is also an experienced hacker, who currently performs all kinds of pen-tests and source code reviews (which he finds boring) ;)

The opinions are interesting when you read each person's - background, point of view, experience and current work profile. Based on general consensus, we have opted to make your identities anonymous; we respect your privacy... Thanks for taking the time to answer the questions politely...

Personal thanks to all the participants, interacting with y’all was fun!

Cheers,

Kish

Update: Found an > old bookmark < certainly worth a laugh... ;)

GoogleTalk Disconnect Issue (Notes)

GoogleTalk Disconnect - Workaround
URL: hxxp://talk.google.com

if your gtalk disconnects OFTEN

that's because your client / browser establishes a tunnel to localhost
127.x.x.x

if you can change that goddamn proxy to a proper setting or a port fwd

it doesn't disconnect at all
i got so pissed today to check out off all the days... i've been using talk...
netstat -t
netstat -n
netstat -ban
all those commands showed this idea of google-talk tunneling to my localhost

two things to note, this doesn't apply for mobile and browser based chat (chatenabled.google.com)
just for gtalk client, browser based chat connects through 5222 / 52xx mostly...

too bad google talk doesn't provide a "No proxy" option... It makes sense to add the feature ASAP...

Homeshop18 - Top 10 Indian Website?

Shouts to the websites that provide ranking for e-Commerce websites in India ;))

Additional shouts to people who tell me, how their "website security" budget is cramped, but they can do endless meetings, interviews and documentation work for compliance, year on year! :)

#############################################
# Website: www.homeshop18.com
# Date: 05.12.2012
# Bug: Cookie Manipulation / Bad authentication
############################################

Trust me when I say your website is the most visible and targetted asset in your whole infrastructure. It represents your brand image and everything your company stands for on the Internet. One mistake like this can cost a business - customers and sales...

Homeshop18 website suffers a few vulnerabilities namely path disclosure & user authentication cookies being insecure... If the cookies can be manipulated on the client side a user's data can be compromised which will lead to a security incident...

Kindly make amends and work on fixing the vulnerability within 48 hours, this information has been released with public awareness & safety in mind.

Cheers,
Kish

iPod not for common man !

Apparently the iPod manufactured by Apple is not for a common man... The more restrictions, the more twisted and the more ironic the sales reps and customer service behaves these days... Apple has become a bloody pain in the rear to deal with...

Take their iPad for instance, you do a 101 pointless things to get two files across... through their royal useless iTunes software - which must be updated all the time. Take Samsung Note or Galaxy for example, you have so many useful apps, a lot of flexibility with the Android OS and accessing files and transferring the same in High Def are a breeze...

Most irritating part of this whole shindig is when Apple decides, India is not there in their "universe" !

Fuck you, Apple for not including India / Asia in the list

Considering that Asia is the biggest continent in the world, with important electric / electronic players like Japan, China and India... Why do they need a separate website? What's more? Their product fails epically, cosmically, at all levels... from their promise to "hidden costs" to "service and support" BS... To top it off, they don't provide open service in India!

iTunes is king, really? A piece of shit called iTunes - which fails at what it is supposed to do - sync, delete, manage and restore - basically, enable smooth functioning of the device - I conclude Apple's useless products are not for every man, a common man, most certainly not for a hacker... You like flexibility? You want to hack a device? You want to play with all the features?

You better look away from Apple, unless you want to give your hard earned cash for a worthless list of shiny products. There's a whole list of products in terms of smart phones, tablets and mp3 players...

As the guy, who's spent money on 5 iPods (of all sizes and shapes) in 3 years and dumped all of them in 6 to 8 months each... I say, Fuck You Apple for making bad products and selling them!

How I got back a returning customer

Background

A little background information for you folks... who don't understand what I do... I expose the ways in which your network, server, host, web application, website or any other system maybe vulnerable to real attacks. We are not talking about some obscure bug that can't be exploited. We are talking about DNS here...

Now DNS is not exactly rocket science, right? You think so? The customer whom I spoke to doesn't really concur with me on that point. He thinks it is rocket science, since he does not have enough technical knowledge to figure it out. I give him a demonstration of how to tunnel SSH over DNS (Ozyman) and SSH over HTTP :))

Show time (DNS Tunneling)

Once I do that, his auditor freaks out and tells me how I am doing bad things. What is my job again? I expose vulnerabilities and real threats to the customer, I don't perform simple scans and tell the customer to patch some bug without taking business productivity and impact in to consideration. In layman terms, tunneling a protocol over another like discussed above can cause the network to think SSH is just DNS traffic. Truth is some rogue hacker may get a reverse shell running through that port and hide in plain sight.

The customer and his new found "auditor" (read: CISSP / CISA holder, with no grasp of protocols). I had to show documentation, research and a tool. To top it off, I showed a live demo and used Wireshark to show the DNS traffic. I did my job and I did it so well, that the customer becomes scared, confused and everything else, but convinced. The customer does not want to understand the impact, or go with a quality security tester like me.

My mistake

I told them, I will test the environment without any bias and will not support their certification (compliance) efforts, if they fail to co-operate and patch all the important vulnerabilities. This causes a real stir and the next time, the customer (who happened to be a return customer - more than 4 engagements)... fails to choose ME for the 5th time.

Business 101

Guess why they didn't want me? I argued and I failed to co-operate with them for their namesake compliance... OK, from a business point of view I totally understand their hatred towards me. There's an old saying in sales, If You Win the Argument, You Lose the Sale (The auditor played a good part in convincing them, that I am not the right person for the job). When it comes to security and technical aspects, I put my money where my mouth was... and showed them a real demonstration.

Better Late Than Never

What did I learn? Be co-operative... or lose the sale. I'd rather have it my way or the highway... and a customer who can not appreciate quality is always going to end up in my bad books. I am a person that believes in quality over everything else.

What did they learn? The customer's network got hacked exactly 90 days, after they achieved compliance. The customer didn't hesitate to call me. The manager at their firm said some thing I am very proud of... He said, "We are calling you because you scared us just like that hacker..."

For a few dollars more
After the post mortem and forensic analysis, I helped them to set up an incident response plan. The customer now engages me for security testing and over all maintenance of their network. I have gained a returning customer, after losing them once. Selling is all about second chances ;))

P.S: This is NOT the First Time, I am getting a call from a customer that disagreed with me and got hacked!

Cheers,
Kish

Wow, Goodbye Steve?

Is it that time of the century for an inventor to be gone? Gee, that sucks... Goodbye Steve :(

Steve is an inspiration at best and he braved - being born to unmarried parents, thrown to be adopted by his mother... Then he drops out of college, founder of apple, founder of pixar, rejoins apple - a revolution happens with iPhone, iPad, iPod and owning an Apple product doesn't make you exclusive anymore, they've turned from being a niche company to a mainstream company with nearly $350 Billion USD in stocks... The only company that makes more money than Apple is Exxon Mobil and they do it from oil, not from ideas !

R.I.P Steve, also R.I.P A.C Nielsen... Peace !

iQuit... Steve job quits apple, what again?

I have stopped counting the number of times, he's quit and come back to Apple...

Really would be a relief, if he let M$ stay on top and generate serious revenue compared to Apple. Personally, I'd like to see iPhone and a lot of i Apps / i Hardware(s) to stop... The world becomes restricted to bullshit software provided by apple... and their updates, well you've got to pay for it? WTF?

A lot of apple fans are pissed because the software, drm and whole pay for your updates BS - what if, they introduce bugs just to push more updates... That is not happening now, but some thing like that isn't impossible... ;)

It would be ironic to have such ridiculous stuff going on, amidst their already high number of vulnerabilities. iHate - Apple... All that aside, Steve Jobs is a great guy (business strategy, promotion, ideas and inspiring), Good luck to him !