How to convince your boss to allow linux in the workplace

Viewing 10 reply threads
  • Author
    Posts
    • #7161
      eyenit0
      Participant

      So, I just started my first job where my main responsibility is pen testing. In my previous experience, I have mostly used linux when doing any sort of testing/hacking. My new job, they only use Windows. I asked about using linux for pen testing and was told it’s not allowed, but exceptions could be made (we deal with very sensitive information, so everything is very restricted). I was told this is because they don’t have anything in place to tie it into the network, as far as authentication, management, etc. We have a few linux servers, so I’m not sure what they do with those.

      Since many of the tools I know are either linux only, or natively linux, so I feel like I’m without my arms if I don’t have it.
      What advice could some of you give on how to convince my boss and the IT department that linux has it’s place in our testing toolkit? Even just being able to load up a live CD like Backtrack would be enough.

      On the flipside, I could get used to these jobs were they give you a Nessus Pro feed on your first day…

    • #44716
      l33t5h@rk
      Participant

      I would do a formal write up on the advantages of incorporating linux in the environment, including a cost savings angle. IT Suits (as I am one – unfortunately  😀 ) will always be pressured from the biz folks for $$$ savings so perhaps you could breakdown how certain tools can help automate certain tasks and thus save time, etc. Hard to believe they are doing pen testing on just windows though, I would assume this is for a particular reason but opening their eyes to backtrack would undoubtedly be worth everyone’s while.

    • #44717
      rattis
      Participant

      Sounds like they don’t have anyone on staff that really understands linux. Authenticating to windows domain controller’s while a pain isn’t that hard. they probably also have issues with not being able to push patches, and I suspect have a way to get into your system via domain admin to check to see what they’re doing.

      In your write up, include the fact that it can be added to the network no problem via the domain controllers, and that most backup solutions provide a linux client. Also include that the attackers aren’t going to limit themselves to just windows and you’re testing shows more real world equivalent instead of just check box security. Just don’t word it that way.

      🙂

    • #44718
      WCNA
      Participant

      I think I’d point out that if they don’t allow you to use linux then they need to come up with some big bucks for the windows pentesting apps. Otherwise you can’t do your job properly.

    • #44719
      l33t5h@rk
      Participant

      @WCNA wrote:

      I think I’d point out that if they don’t allow you to use linux then they need to come up with some big bucks for the windows pentesting apps. Otherwise you can’t do your job properly.

      I thought about that too. I know it’s not kosher to divulge a lot of info but has your company spent a decent amount on commercial products? I suppose there is a bit of rationale if they have a standardized suite but it is more unexpected than anything that linux just for certain tools wouldn’t be part of the environment.

    • #44720
      Anonymous
      Participant

      I agree with comments so far write up a review of the os and detail your reason why you want to use Linux.

      Maybe say that using linux there more tools and you can get better coverage of whatever you testing. also any attackers are going to be using linux so by not having access to the same tools you cant be 100% sure the system would be safe.

    • #44721
      Triban
      Participant

      you can also add that it doesn’t need to be a physical system, you can utilize virtualization to leverage linux clients for pen testing, so in a sense you would still be using your windows system, but the particular tool would be a linux vm 😀  Also what is the scope they want you to cover as an internal pen tester?  Is this a consulting company?  or just one that wants to have an internal guy testing things?

    • #44722
      Michael J. Conway
      Participant

      As 3xban pointed out, a VM might be your best bet of getting a Linux box.  If you do go that route though, pick the hyper-visor that will work best with both the host and the guest.  And don’t forget that backtrack was not built to be a secure OS but a pentest OS. 

    • #44723
      dynamik
      Participant

      At my previous job, I had a group of “Attack VMs” that I used with VMware Workstation. I didn’t want one of those as my main OS anyway. I used that primarily for writing reports, email, etc. I could be on the domain, receive patches and AV updates, etc., but I still had the flexibility and tools that I preferred during testing.

      Although, it totally depends on the organization (or rather, the customers). Sometimes you’re required to use commercial tools, and that’s just the way it is.

    • #44724
      eyenit0
      Participant

      Thanks for the replies, there’s some good stuff in here. Sorry I didn’t respond earlier…I forgot to subscribe to my own post again.

      I had thought about the VM solution and am going to talk with my boss about it. Without going into too much detail, I will be doing more internal pentesting than anything and we don’t have an official, established toolkit as of yet.
      Part of my job is to research and build our toolkit before the testing begins. There is some money in the budget for commercial apps, which we will be getting, but I’m not sure of the amount.

      I think all the advice on setting up a VM and only using it when testing is the way I’m going to present it to them. I don’t really need to use it on a daily basis, but I do feel pretty lost testing without it, even if we do get some pretty nice commercial tools. The advantage of using what an attacker is most likely using is a big thing too.

      As of right now, only a few of the IT people are familiar with linux and by boss hasn’t even heard of backtrack. I think if I can explain some of the points that you guys have made, along with demonstrating Backtrack and the usefulness of some of the tools, I’ll be able to get somewhere.

      Let me know if you’ve got anything else to add. I’m probably not going to get to the actual testing for another few weeks, but I’ll try to update on the outcome.

    • #44725
      dynamik
      Participant

      If you’re going the BackTrack route and not just discussing Linux in general, I’d really emphasis that Offensive Security is an established organization that provides professional penetration testing services and training. I think a lot of open source projects are viewed negatively from a corporate perspective because of the lack of structure, support, etc. I think you will be able to quell a lot of the concerns if you can successfully make the case for BackTrack being a professional platform that’s commonly used by experienced penetration testers.

Viewing 10 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?