The One Word A Pentester Needs to Stop Using Immediately!

Henry Dalziel | Information Security Careers | February 23, 2014

One word a penetration tester, security professional or anyone else in the industry should never utter is the word ‘hope’.

On February 10, 2007, President Obama announced his candidacy for President of the United States in a campaign built around the themes of “hope” and “change”. President Obama can, and did, use the H word, but in our industry we cannot afford to say it.

As an information security expert or professional, if you regularly find yourself beginning sentences with “I hope that”, then you are on a losing streak. Examples include:

  • I hope that the hackers don’t exploit our new platform
  • I hope that our data is never compromised
  • I hope that the new Intrusion Detection expert we hired works out.

From a security perspective, hope is an expectation based on a desire to protect our networks and computer systems. Every organization has expectations, not least those in the security space that are more heavily targeted than others, but expectations will never be met without proper planning and execution.

‘Hope’ is indicative of a lack of control, and in information security a lack of control means the end.

Think about it: if forensic investigators, incident handlers, ethical hackers, penetration testers, secure programmers, CISOs, CTOs, CIOs and the rest all said, “oh well, I hope that all I have done is going to protect our organization’s network and reputation”, that would show they had given up control.

(As a side note, take a look at a recent Hacker Hotshot presentation we had with Dr Larry Ponemon in which he outlined: CISOs, The Good, The Bad & The Ugly. If you are interested in this subject and are a CTO or CIO, you will likely learn a lot from this presentation.)

‘Hope’ also implies a lack of planning and management. Placing “faith and hope” in security systems suggests things are no longer going as planned. Of course, there are risks and situations that may be outside our control, perhaps a zero-day vulnerability that nobody anticipated, but we should all be constantly planning and thinking the worst. Thinking the worst could mean, for example, planning remediation and back-up policies for the case where systems are compromised.

So what’s the alternative?
Use the word ‘plan’ instead of ‘hope’, and to that effect, keep planning! Plan for every eventuality! Imagine a Navy SEAL team: before they go on a covert mission they consider every single possible scenario and practice each one repeatedly until they have done their best. Only when we feel we have covered every eventuality can we afford a degree of comfort, and even that must be monitored, since, as we all know, advanced persistent threats, zero-days and vulnerabilities are always on the horizon.

In Summary
Carrying on from the Navy SEAL analogy, we once heard an awesome acronym: “Piss Poor Planning Prevents Piss Poor Performance!” We couldn’t have put it any better.

What are your thoughts? Do you work as a C-level executive, do you have to make decisions that are vital to your organization, and how much planning do you realistically allocate in your daily routine?

Leave a comment or reply below... thanks!