An Overlooked Skill?

This topic contains 3 replies, has 3 voices, and was last updated by  slinky 6 years, 5 months ago.

  • #8485
     slinky 
    Participant

    Hi Everyone,
    As ethical hackers we must present our findings to other I.T. professionals; by exposing security flaws we are essentially critiquing their work and that can sometimes elicit a defensive reaction. The response can be anywhere from downplaying the threat or likelihood of exploitation to going on the offensive and questioning the value in our work, and it can be very tempting sometimes to respond in kind. Certainly our delivery can help push others towards or away from the defensive, and at times it’s almost an art.

    So what kinds of reactions have you gotten from presenting your findings? How did you react…what worked and what didn’t?

    Is this skill important, and would teaching effective delivery and defusing a situation be a valuable subtopic in ethical hacker training?

  • #53120
     cd1zz 
    Participant

    No matter how bad you root a company up, you have to find some good and tell them about it. You can also spin the bad findings and say things like “it’s a good thing we caught this before someone else did” or “the good news is that these issues are easy to fix.” Reporting style is important too. You cannot get emotional; your report should be based on data and be very matter of fact. Keeping the tone of the report this way makes it easier for people to digest.

  • #53121
     mustu 
    Participant

    But “sometimes” it’s in your own benefit to stay silent and not try to be the hero 🙂 Military and other national organizations are more sensitive in this regard, and you can drag yourself into unnecessary investigations.

  • #53122
     slinky 
    Participant

    @cd1zz wrote:

    No matter how bad you root a company up, you have to find some good and tell them about it.

    I agree, this is definitely a good way to approach it…tell them what they did right too and reinforce that. When I have just one or two findings, even if they’re medium – high risk, I like to point out that the reason we didn’t find more is due to their being security aware. That has really helped gain allies.
