
How to convince your boss to allow linux in the workplace

<<

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Fri Dec 16, 2011 10:09 pm

How to convince your boss to allow linux in the workplace

So, I just started my first job where my main responsibility is pen testing. In my previous experience, I have mostly used linux when doing any sort of testing/hacking. My new job, they only use Windows. I asked about using linux for pen testing and was told it's not allowed, but exceptions could be made (we deal with very sensitive information, so everything is very restricted). I was told this is because they don't have anything in place to tie it into the network, as far as authentication, management, etc. We have a few linux servers, so I'm not sure what they do with those.

Many of the tools I know are either linux only, or natively linux, so I feel like I'm without my arms if I don't have it.
What advice could some of you give on how to convince my boss and the IT department that linux has its place in our testing toolkit? Even just being able to load up a live CD like Backtrack would be enough.

On the flipside, I could get used to these jobs where they give you a Nessus Pro feed on your first day...
<<

l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Fri Dec 16, 2011 11:19 pm

Re: How to convince your boss to allow linux in the workplace

I would do a formal write up on the advantages of incorporating linux in the environment, including a cost savings angle. IT Suits (as I am one - unfortunately :D ) will always be pressured from the biz folks for $$$ savings so perhaps you could break down how certain tools can help automate certain tasks and thus save time, etc. Hard to believe they are doing pen testing on just windows though, I would assume this is for a particular reason but opening their eyes to backtrack would undoubtedly be worth everyone's while.
<<

rattis

Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Sat Dec 17, 2011 4:42 pm

Re: How to convince your boss to allow linux in the workplace

Sounds like they don't have anyone on staff that really understands linux. Authenticating to windows domain controllers, while a pain, isn't that hard. They probably also have issues with not being able to push patches, and I suspect have a way to get into your system via domain admin to check to see what they're doing.

In your write up, include the fact that it can be added to the network no problem via the domain controllers, and that most backup solutions provide a linux client. Also include that the attackers aren't going to limit themselves to just windows and your testing shows more real world equivalent instead of just check box security. Just don't word it that way.

:)
OSWP, Sec+
<<

WCNA

Full Member

Posts: 187

Joined: Wed Mar 02, 2011 8:05 am

Location: Florida

Post Sun Dec 18, 2011 5:16 pm

Re: How to convince your boss to allow linux in the workplace

I think I'd point out that if they don't allow you to use linux then they need to come up with some big bucks for the windows pentesting apps. Otherwise you can't do your job properly.
ISC2 Associate, WCNA, CWNA, OSCP, Network+
<<

l33t5h@rk

Jr. Member

Posts: 79

Joined: Tue Nov 22, 2011 12:06 am

Post Sun Dec 18, 2011 9:21 pm

Re: How to convince your boss to allow linux in the workplace

WCNA wrote: I think I'd point out that if they don't allow you to use linux then they need to come up with some big bucks for the windows pentesting apps. Otherwise you can't do your job properly.


I thought about that too. I know it's not kosher to divulge a lot of info but has your company spent a decent amount on commercial products? I suppose there is a bit of rationale if they have a standardized suite but it is more unexpected than anything that linux just for certain tools wouldn't be part of the environment.
<<

millwalll

Post Mon Dec 19, 2011 4:58 am

Re: How to convince your boss to allow linux in the workplace

I agree with the comments so far: write up a review of the OS and detail your reasons why you want to use Linux.

Maybe say that with linux there are more tools and you can get better coverage of whatever you're testing. Also, any attackers are going to be using linux, so by not having access to the same tools you can't be 100% sure the system would be safe.
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Mon Dec 19, 2011 9:24 am

Re: How to convince your boss to allow linux in the workplace

You can also add that it doesn't need to be a physical system; you can utilize virtualization to leverage linux clients for pen testing, so in a sense you would still be using your windows system, but the particular tool would be a linux VM :D Also, what is the scope they want you to cover as an internal pen tester? Is this a consulting company? Or just one that wants to have an internal guy testing things?
Certs: GCWN
(@)Dewser
<<

sgt_mjc

Sr. Member

Posts: 294

Joined: Tue Feb 05, 2008 8:34 am

Location: AL

Post Mon Dec 19, 2011 10:10 am

Re: How to convince your boss to allow linux in the workplace

As 3xban pointed out, a VM might be your best bet of getting a Linux box. If you do go that route though, pick the hypervisor that will work best with both the host and the guest. And don't forget that backtrack was not built to be a secure OS but a pentest OS.
Mike Conway
CISSP
CompTia Security +
C|EH
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Mon Dec 19, 2011 11:28 am

Re: How to convince your boss to allow linux in the workplace

At my previous job, I had a group of "Attack VMs" that I used with VMware Workstation. I didn't want one of those as my main OS anyway. I used that primarily for writing reports, email, etc. I could be on the domain, receive patches and AV updates, etc., but I still had the flexibility and tools that I preferred during testing.

Although, it totally depends on the organization (or rather, the customers). Sometimes you're required to use commercial tools, and that's just the way it is.
The day you stop learning is the day you start becoming obsolete.
<<

eyenit0

Jr. Member

Posts: 52

Joined: Wed Sep 01, 2010 2:17 pm

Post Mon Dec 19, 2011 7:06 pm

Re: How to convince your boss to allow linux in the workplace

Thanks for the replies, there's some good stuff in here. Sorry I didn't respond earlier...I forgot to subscribe to my own post again.

I had thought about the VM solution and am going to talk with my boss about it. Without going into too much detail, I will be doing more internal pentesting than anything and we don't have an official, established toolkit as of yet.
Part of my job is to research and build our toolkit before the testing begins. There is some money in the budget for commercial apps, which we will be getting, but I'm not sure of the amount.

I think all the advice on setting up a VM and only using it when testing is the way I'm going to present it to them. I don't really need to use it on a daily basis, but I do feel pretty lost testing without it, even if we do get some pretty nice commercial tools. The advantage of using what an attacker is most likely using is a big thing too.

As of right now, only a few of the IT people are familiar with linux and my boss hasn't even heard of backtrack. I think if I can explain some of the points that you guys have made, along with demonstrating Backtrack and the usefulness of some of the tools, I'll be able to get somewhere.

Let me know if you've got anything else to add. I'm probably not going to get to the actual testing for another few weeks, but I'll try to update on the outcome.
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Tue Dec 20, 2011 10:30 am

Re: How to convince your boss to allow linux in the workplace

If you're going the BackTrack route and not just discussing Linux in general, I'd really emphasize that Offensive Security is an established organization that provides professional penetration testing services and training. I think a lot of open source projects are viewed negatively from a corporate perspective because of the lack of structure, support, etc. I think you will be able to quell a lot of the concerns if you can successfully make the case for BackTrack being a professional platform that's commonly used by experienced penetration testers.
The day you stop learning is the day you start becoming obsolete.
