Share this page!

Mick Douglas Profile picture
Twitter logo
23 Dec, 10 tweets, 2 min read
Pen testers, we need to talk. Please listen up, take notes... and above all, ask questions.

A non-trivial part of my service portfolio is now reviewing the reports of other firms and either adjusting or providing missing context.

Read on for the common issues...
1
Most important: you need to give clients multiple options on how to fix something. MULTIPLE. At least 3. Telling them "fix the code" when it's from a vendor that's closed, doesn't help at all.
2
Show your work. There's a few firms that hide what they're doing. Some to the point where they just show a "ta da!" screenshot and don't explain how they did it... and frankly, that's weaksauce.
3
single screenshot as proof is bad. You do know that clients will need to reproduce your work to verify they fixed the issue, right? If you don't give them a step-by-step, how are they going to verify any corrections they take?
4
I could go on an entire day long rant about the lack of business impact in most reports. I hate to say it, but frequently I get something to the effect of "and this is bad"... and that's about it.

Redact it, but show you got to the data!
5
Try not to editorialize. (everyone does this... including me from time to time) it's hard not to opine on things, but you're there to give a very "this is what we did, this is how things responded".
6
On the flip, if you observe issues that indicate something is not meeting standards, just come out and say it. "this shows that XYZ is not following the ABC regulatory framework requirements in section 123.4"

Be crisp. Be clinical. Be precise.
7
However, if some finding is NOT in a framework, your job is to help your client understand that compliance isn't security. There's an amazing lack of nuance in the reports I read. It makes me sad. :-(
8
TONE. OMG... this is another day long rant. When was the last time you gave a client credit for the work they've done? Shown that they're doing some things well? Don't kick them and leave. Show what's working... SO THEY KEEP DOING THE GOOD STUFF!!
9
IDK.... I don't want to go too far down this rabbit hole. If you just follow the elements in this thread, I could get away from doing review of *your* work. It's easy money for us, but I HATE that we're doing this.

Pen testing is HARD. Report writing is HARDER.

Do better.
fin.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Mick Douglas

Mick Douglas Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @bettersafetynet

Mick Douglas Profile picture
11 Dec
Just got off phone with a client. Log4j is in their network. Vendor claims patch will be available next release... which is multiple months from now.

Here's what you do if you're in this situation.

1. Keep calm. There's no need to panic.
2. Carefully read this thread.

1/?
First, it's bad. It's a remote code execution meaning any attacker will almost certainly be able to run code of their choice on your systems.

If you can, please patch it's the easiest path. But you're reading this because you can't patch (for whatever reason) OK, let's go!
2
When dealing with attacks like this you should remember the acronym IMMA.

I = Isolate
M = Minimize
M = Monitor
A = Active Defense

I'll walk you through the IMMA model for the Log4j attacks we've seen so far.

3
Read 20 tweets
Mick Douglas Profile picture
10 Dec
Boating update:
Mrs signed us up for a week long bootcamp style live aboard sailing adventure... however unlike earlier trainings we've done... this school sent us books 4 months out. With a warning... most take 6 months to do the homework. We have 4.
1
We were granted an exception since we've got prior experience. After looking at these books... I'm regretting asking for it.

There's just **so** much to learn.

I'm most worried about the night non-radio signaling & signal flags. Stuff I've never done before. :-/
2
If our paths cross over the next few months, and you hear me making odd dinging or horn sounds... I've not gone mad... I'm practicing overtaking in fog procedures. (which it's cool how nuanced the conversation can be... but like... wow it's also complex)
3
Read 4 tweets
Mick Douglas Profile picture
8 Dec
HR & middle management folks... we need to talk.

Some management of people is done in the most non-nonsensical ways.

You may know that I mentor folks... like a lot of them.

Today one called me almost in tears. With permission here's a redacted version.
1
End of year evals are due soon. This person was told to rank each employee. Top 25% will get bonuses and put on advancement path. Bottom 25% will be put on PIP!

For those not aware PIP is Performance Improvement Program, it's basically the first step to being fired.
2
For a very large team you may have a bell curve distribution where this may be a viable approach. (I'd like to quibble at the numbers, but it's not THAT bad)

The issue is this approach is **horrible** for the small teams we tend to have in infosec.
Read 8 tweets
Mick Douglas Profile picture
21 Apr
blue teamers:
We have to talk. Not everyone, but lots of us are writing really bad detects. Stop trying to detect the tool you will never win doing that. Detect the impacts.

A great example of this:
Responder.
1/?
Responder is a great pen test tool (we use it on our offensive engagements and you should to)

You damn well better be looking for responder... but HOW you do that look is just as important as the fact that you do.

2/?
Perhaps the most frequently used mode of responder is the LLMNR function. This allows responder to trick Windows systems into giving up the currently logged in user's creds to the attacker who is on your local network, but not yet on the victim's system.
3/?
Read 6 tweets
Mick Douglas Profile picture
8 Apr
I *rarely* call out journalists. But this is an exception.

Hey @dannyjpalmer, this article you wrote is everything that is wrong in infosec.

zdnet.com/article/why-do…

ding ding schools in session!

1/?
First of all your headline is deliberately inflammatory.

but more critically, you miss the really interesting angle... how is it that these users are setup to fail?

2/?
The fourth estate is supposed to be elevating the discussion. You sir have let us down here. I don't know you... but I feel like you phone it in on this one.

The article should enlighten. At a few points you come close but don't drive home.

3/?
Read 14 tweets
Mick Douglas Profile picture
30 Mar
I don't normally repost stuff from reddit or other sites, but this is *important*

arstechnica.com/tech-policy/20…

A thread of things to know why US citizens should care deeply about this.

1/?
Many (most?) folks in the US know that the internet was developed by the US by DARPA.

What few do know is that year over year, the US has been slipping in terms of broadband... by every measurable metric.

I'll cover them one at time so you can understand how bad it is
2/?
The US does *not* have the fastest internet speed. We're ranked 11th in the world!

decisiondata.org/news/analysis-…

3/?
Read 12 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Like this author's thread?

Get emails when @bettersafetynet has new unrolls!

Check out other threads from @bettersafetynet!

Read all threads by @bettersafetynet

:(