Background
A little background information for you folks... who don't understand what I do... I expose the ways in which your network, server, host, web application, website or any other system may be vulnerable to real attacks. We are not talking about some obscure bug that can't be exploited. We are talking about DNS here...
Now DNS is not exactly rocket science, right? You think so? The customer whom I spoke to doesn't really concur with me on that point. He thinks it is rocket science, since he does not have enough technical knowledge to figure it out. I give him a demonstration of how to tunnel SSH over DNS (Ozyman) and SSH over HTTP :))
Show time (DNS Tunneling)
Once I do that, his auditor freaks out and tells me how I am doing bad things. What is my job again? I expose vulnerabilities and real threats to the customer, I don't perform simple scans and tell the customer to patch some bug without taking business productivity and impact into consideration. In layman's terms, tunneling a protocol over another as discussed above can cause the network to think SSH is just DNS traffic. Truth is some rogue hacker may get a reverse shell running through that port and hide in plain sight.
For the customer and his newfound "auditor" (read: CISSP / CISA holder, with no grasp of protocols), I had to show documentation, research and a tool. To top it off, I showed a live demo and used Wireshark to show the DNS traffic. I did my job and I did it so well, that the customer becomes scared, confused and everything else, but convinced. The customer does not want to understand the impact, or go with a quality security tester like me.
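The Wireshark capture in the demo shows what a defender can look for: tunnelled SSH rides inside DNS queries whose names carry encoded payload, so the query names become long, high-entropy and never repeat, and the zone receives far more distinct subdomains than a real website ever would. The script below is an added illustration, not code from the original post or from the Ozyman tool; it parses a constructed query log (the "timestamp client qtype qname" layout, the client addresses, and the zones example.com, example.net and tun.example are all invented for the example) and flags zones whose traffic has those properties. The thresholds are assumptions to tune against a baseline of your own resolver's logs.

```python
"""Heuristic detector for DNS-tunnelling indicators in a DNS query log.

Added illustration, not code from the original post. The input format is a
constructed one: "HH:MM:SS client qtype qname", one query per line. Real
resolver logs (BIND querylog, Windows DNS debug log, Zeek dns.log) lay the
fields out differently but carry the same information.
"""
import math
from collections import defaultdict

# Constructed sample log. The last five lines imitate a tunnel: every query
# carries a long, high-entropy label under one zone, and each label differs.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:04 10.0.0.6 A api.example.com
10:00:05 10.0.0.6 AAAA www.example.com
10:00:06 10.0.0.5 A static-assets-eu-west-1.cdn.example.net
10:00:07 10.0.0.7 TXT abcdefghijklmnopqrstuvwxyz012345.tun.example
10:00:07 10.0.0.7 TXT bcdefghijklmnopqrstuvwxyz012345a.tun.example
10:00:08 10.0.0.7 TXT cdefghijklmnopqrstuvwxyz012345ab.tun.example
10:00:08 10.0.0.7 TXT defghijklmnopqrstuvwxyz012345abc.tun.example
10:00:09 10.0.0.7 TXT efghijklmnopqrstuvwxyz012345abcd.tun.example
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for an empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (registered_domain, prefix).

    Naive split: the registered domain is the last two labels and the prefix
    is every label before them, joined. A real deployment would consult the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), "".join(labels[:-2])


def parse_log(text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing on them
        _ts, client, qtype, qname = parts
        yield client, qtype.upper(), qname


def domain_stats(text):
    """Aggregate per registered domain: query count, distinct prefixes, mean
    prefix length, mean prefix entropy and the share of TXT/NULL queries
    (record types that carry bulk data and are popular with tunnels)."""
    acc = defaultdict(lambda: {"queries": 0, "prefixes": set(),
                               "len_sum": 0, "ent_sum": 0.0, "bulk": 0})
    for _client, qtype, qname in parse_log(text):
        domain, prefix = split_qname(qname)
        s = acc[domain]
        s["queries"] += 1
        s["prefixes"].add(prefix)
        s["len_sum"] += len(prefix)
        s["ent_sum"] += shannon_entropy(prefix)
        if qtype in ("TXT", "NULL"):
            s["bulk"] += 1
    out = {}
    for domain, s in acc.items():
        n = s["queries"]
        out[domain] = {
            "queries": n,
            "unique_prefixes": len(s["prefixes"]),
            "avg_prefix_len": s["len_sum"] / n,
            "avg_entropy": s["ent_sum"] / n,
            "bulk_qtype_ratio": s["bulk"] / n,
        }
    return out


def flag_tunnel_candidates(text, min_unique=5, min_len=20.0, min_entropy=3.8):
    """Zones whose queries look like encoded payload: many distinct, long,
    high-entropy prefixes. Thresholds are assumptions; tune them against a
    baseline of the resolver's normal traffic before alerting on them."""
    return sorted(
        d for d, s in domain_stats(text).items()
        if s["unique_prefixes"] >= min_unique
        and s["avg_prefix_len"] >= min_len
        and s["avg_entropy"] >= min_entropy
    )


if __name__ == "__main__":
    for domain, s in domain_stats(SAMPLE_LOG).items():
        print(f"{domain:16} {s}")
    print("tunnel candidates:", flag_tunnel_candidates(SAMPLE_LOG))
```

Run on the constructed log, only tun.example is reported: its five queries all carry 32-character labels of maximal entropy and every label is new, while example.com shows three short, repeating hostnames. A single long CDN-style hostname under example.net is not enough on its own, which is the point of requiring volume as well as shape; an alert that fires on one odd name would drown a SOC in false positives.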
My mistake
I told them I will test the environment without any bias and will not support their certification (compliance) efforts if they fail to co-operate and patch all the important vulnerabilities. This causes a real stir and the next time, the customer (who happened to be a return customer - more than 4 engagements)... fails to choose ME for the 5th time.
Business 101
Guess why they didn't want me? I argued and I failed to co-operate with them for their namesake compliance... OK, from a business point of view I totally understand their hatred towards me. There's an old saying in sales: "If You Win the Argument, You Lose the Sale" (the auditor played a good part in convincing them that I am not the right person for the job). When it comes to security and technical aspects, I put my money where my mouth was... and showed them a real demonstration.
Better Late Than Never
What did I learn? Be co-operative... or lose the sale. I'd rather have it my way or the highway... and a customer who cannot appreciate quality is always going to end up in my bad books. I am a person that believes in quality over everything else.
What did they learn? The customer's network got hacked exactly 90 days after they achieved compliance. The customer didn't hesitate to call me. The manager at their firm said something I am very proud of... He said, "We are calling you because you scared us just like that hacker..."
For a few dollars more
After the post mortem and forensic analysis, I helped them to set up an incident response plan. The customer now engages me for security testing and overall maintenance of their network. I have gained a returning customer, after losing them once. Selling is all about second chances ;))
P.S.: This is NOT the first time I am getting a call from a customer that disagreed with me and got hacked!