Chris Nickerson's recent talk at BruCON was probably the one that changed my way of thinking the most.
He pointed out that the way things are currently being done just DOES NOT WORK.
If you do a pentest, get root and go "look, I got root, I just p0wn3d you b14tch!!!111", that doesn't actually mean anything to the client's management. To a lot of security professionals it means a hell of a lot and it is a major problem, but to the head of a company we might as well be speaking an alien language.
Unless we show them what somebody could actually do with these exploits, we are doing a bad job: they won't think it is important, and they won't fix the problems.
I don't think we necessarily need to go as far as some of the suggestions made in the talk (taking pictures of the CEO's children and saying you could kidnap them may not be the best idea), but we can show some of what would be possible. If you have root on the payroll system, for example, you could show that you can print everybody's payment details, bank details included, tell each person how much they earn compared to the person sitting next to them, and spell out what that would do to the company.
In the end, that is all these people care about. We aren't the ones who make the decisions on what is best for the company, and however much it may annoy us, it can be economically better for the business not to fix certain faults; they will only spend money where it really needs investing. So you have to show that they really need to fix this vulnerability in their network, or there will be real consequences for their business.
I want to thank Chris for such a great presentation and for pointing out how much we suck, so that hopefully we can all eventually be better at our jobs.