
An Overlooked Skill?


slinky

Newbie

Posts: 3

Joined: Tue Jul 17, 2007 10:28 am

Post Thu Jun 13, 2013 1:21 pm

An Overlooked Skill?

Hi Everyone,
As ethical hackers we must present our findings to other I.T. professionals; by exposing security flaws we are essentially critiquing their work and that can sometimes elicit a defensive reaction. The response can be anywhere from downplaying the threat or likelihood of exploitation to going on the offensive and questioning the value in our work, and it can be very tempting sometimes to respond in kind. Certainly our delivery can help push others towards or away from the defensive, and at times it's almost an art.

So what kinds of reactions have you gotten from presenting your findings? How did you react...what worked and what didn't?

Is this skill important, and would teaching effective delivery and defusing a situation be a valuable subtopic in ethical hacker training?

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Jun 13, 2013 4:44 pm

Re: An Overlooked Skill?

No matter how bad you root a company up, you have to find some good and tell them about it. You can also spin the bad findings and say things like "it's a good thing we caught this before someone else did" or "the good news is that these issues are easy to fix." Reporting style is important too. You cannot get emotional; your report should be based on data and be very matter-of-fact. Keeping the tone of the report this way is easier for people to digest.

mustu

Newbie

Posts: 9

Joined: Wed Aug 15, 2012 4:08 am

Post Fri Jun 14, 2013 12:28 am

Re: An Overlooked Skill?

But "sometimes" it's to your own benefit to stay silent and not try to be the hero :) Military and other national organizations are more sensitive in this regard and you can drag yourself into unnecessary investigations.

slinky

Newbie

Posts: 3

Joined: Tue Jul 17, 2007 10:28 am

Post Fri Jun 14, 2013 9:46 am

Re: An Overlooked Skill?

cd1zz wrote: No matter how bad you root a company up, you have to find some good and tell them about it.


I agree, this is definitely a good way to approach it...tell them what they did right too and reinforce that. When I have just one or two findings, even if they're medium - high risk, I like to point out that the reason we didn't find more is due to their being security aware. That has really helped gain allies.
