[Techtalk] Re: Gender as a weapon? Pen-testing and female auditors

Raven Alder raven at oneeyedcrow.net
Thu Mar 25 00:29:03 EST 2004


Heya --

	Concatenated replies!  (I'm so timely.)

Quoth Mary (Tue, Mar 16, 2004 at 06:52:56AM +1100):
> Do pen testers balk at threatening violence? At threatening people's
> jobs? At actual violence? At actual fake firings? At extended faux
> devastating office politics? At harassment?

	Depends on the threat model.  I have talked with (and worked
with) some pen-testers who have indeed done some things like that... on
one occasion, we sent a "temp worker" to an office, claimed that they
were being payrolled through some other department, they accepted her,
and we had a person on the inside.  (And she was indeed being payrolled
through "some other department"... Internal Affairs...)  That made for
all sorts of easy access... she could plant mini-cameras to capture
passwords and keypad codes, etc.

	At my current job, threatened violence is a routine way of
testing.  Since we do physical security as well as network security,
they have to test our responsiveness.  So, every so often, one of those
"bomb threats" won't be real, and the department is measured by the
success of our response.

	Social engineers have been known to pretend to be a CEO locked
out of their account, and to threaten to fire the help desk person if
they don't get their password NOW.

	All of this is obviously excessive for your average small
business, but appropriate for a TLA or megacorp.
 
> What I am trying to point out is that there are definitely grey areas
> to "any means possible". Even if you're stopping short of leaving
> scars, I can imagine exploits that come at considerable cost to
> people's emotional wellbeing in the short and long term.

	Yes.  That's definitely a consideration -- that's why a good
security officer or CTO will match the desired level of pen-testing to
the real possible threats the employees might be facing.  It's more okay
to be mean to military folks, for example -- they expect some emotional
duress in the course of their duties.  They signed on for a stressful
job.
 
> The fact that the enemy/opposition may be willing to try those tactics
> doesn't neatly solve the moral dilemma either, because you still have to
> weigh up the value of keeping the secret safe versus hurting someone
> else and hurting yourself. (Plus time expenditure involved in screwing
> someone's life up, for the pragmatic.) That's not a dilemma that the
> opposition's tactics can solve for you.

	Well said, and I agree entirely.

Quoth Tracey (Thu, Mar 18, 2004 at 12:57:22PM +0000):
> On the other side of that coin, think of the vulnerabilities which you 
> could test but do not which does get exploited later - how much 
> responsibility would you feel for the real life penetration which 
> could have been prevented by your pen-testing?
 
        Yes, that is a real concern.  I want to be thorough in my job, 
and not leave out any real threat that the company I'm testing is likely 
to face.  I'd feel awful, professionally, if they got hacked because of 
something I should have tried but didn't.

> >     Similarly, I feel bad taking more extreme measures against
> > anyone that's not a TLA or megacorp.  I don't want to get Grandpa
> > Joe fired because he let the nice young lady in to PopAndMom.com. 
> 
> Would it come down to firing the lady necessarily? Is there a 
> possibility for her to be re-trained? I suspect the answer depends on 
> the company.

        A good company would re-train their erring employees.  A bad 
company will just can them, and hire new ones that will make the exact 
same mistake.

> do my job to the limits of my ability and morals with the idea that 
> covering for an incompetent sys admin could cost that company and its 
> customers mucho money, downtime, etc etc later if that sys admin 
> fails to do the right job later.
 
        Yes.  The idea is that correcting these sorts of problems now is 
good.  I don't want to hide that problems are there -- I want to provide 
helpful guidance on fixing the real problems to management.

> > That feels like I'm contributing to making the world a nastier
> > harsher place. 
> 
> Understandable. But your job isn't about contributing compassion to 
> the world either. It is about making a network as secure as possible. 

        Yes.  The problem is clueless bosses who want the appearance of 
security more than real security.  But that's a whole other issue.  
[grins and readies her "whacking copy" of "Beyond Fear"]

Quoth Walt (Wed, Mar 24, 2004 at 10:23:06PM -0500):
> Isn't it a bit of a hole in this kind of security auditing that you
> can be trusted? In other words, since you can be trusted to not do any
> genuine harm to the company, if someone trusts you and lets you know a
> bit of information that you rightfully shouldn't be entitled to,
> they're not actually causing any harm.

        Yes, sort of.  That's one reason I prefer just to do the tech 
side and to leave the social engineering to other team members.  I do 
point out that "had I been a bad guy, this would have been 
catastrophic", but they don't have the horrible firsthand experience of 
watching everything melt.

> The only way to do true social "pen-testing" of this sort, it would
> seem, would be to find a nasty black-hat infiltrator and set 'em
> loose in your company with the knowledge that they can and probably
> will use any information that they reap. :-)
 
        I think that's like crashing your car to see how well it 
performs in a crash, though.  Certainly more effective than any 
preliminary or mocked-up testing, but the cost may just be too high.  
Most companies would take really serious damage from that.

> It is not logical that pen-testing in any non-government, minor
> company should result in the firing of an employee. Rather, I'd think
> it would result in a, "let that be a lesson to you!" type of
> reprimand.
 
        It should result, if the first offense, in "hey, this is what 
nasty social engineers do, this is how you can avoid giving away 
anything and report it to security" training.  Only repeat offenders or 
hugely egregious violators should be canned.

Cheers,
Raven
 
"See what happens when you treat women like pieces of meat?
 Kapow, your network's broken, and you're fired!"
  -- RavenBlack, on using gender as a weapon during pen-testing

