alucian wrote:What stroked me is that the auditory ones will not start a project unless they have at least 80 - 90 % of the information and skills.
I will share with you guys a gig I did about 3 weeks ago. Went to another state to perform an assessment slash test against a videoconferencing system. Client is a financial trading information powerhouse who's revenue is in the billions. Premise for the test: "We get on conf calls with the SEC, we want to make sure our conference is secure, untappable, etc. we are using X system" Nothing else was given to me.
I was NOT able to arbitrarily plug in anything without their IT staff getting a whiff of things and literally running to the location were a device was plugged in. I had zero knowledge of the infrastructure outside of: "this is the vendor we use, this is how we make these teleconference calls...."
Under 5 minutes... Trusted laptop on the network, bootable operating system, no DHCP, sniffing the network. Seriously? ... Nice MAC addresses flying by in tcpdump, think I will take one. No MIS guys running to find a rogue device. Teleconferencing? Game over. Credentials were horrible. Gone in under 3-5 minutes. Could I have escalated - sure, but I was only there focusing on the video/voip side of the equation but I mentioned it to them.
Moral of the story: Know your systems and protocols. Had I not understood how voice and video worked, I would likely be intimidated and not known where to begin. Had I not understood how switching, routing, VLANs work - I would not have been able to sniff, hijack a MAC and get on the network. Had I not understood matters of timing, any password cracking would have been detected from excess packets flooding the network. Had I not the ingenuity to created a quick targeted wordlist, I would not have gotten the password and credentials. I sat down and in less than a maximum of about 15 minutes, I had access to do whatever an admin did to their teleconferencing system. As an attacker I could have re-routed the registrar to a rogue server, recorded the calls, took pictures of anyone in a call and so on. What's the big deal you ask? Imagine a conference call before earnings are reported where I was recording. One could make millions, take a company out of business, and so on and so forth.
End of the day, I made my report based on 2 days at the client. I was not allowed to perform a full blown penetration test as many departments had to be involved and the original individual tasked with the test was out of office so the coordination to do the test never came to fruition. They however were spooked enough to understand I needed to really go no further from there. On a conf call with an entire security team, many of whom are visible in the industry (I know of them, the books they've written, what colleges they TEACH at, etc.), not one challenged me on anything I said. I was able to explain the technical risk and swap into the management scope of risk management.
Experience is everything. Not a cert, not a college. When you're comfortable standing your ground with any security engineer, then you're ready to do consulting on your own. When you don't necessarily need to do any research in a quick scenario like this, then you're at your at the top of the game. I am fortunate enough to be such a pain in the ... that I have been able to collaborate with, talk with, learn from some of the top in the industry (and I mean top). This comes from years upon years upon years of studying and dabbling in the industry.
As for money, comes with the territory. Its not everything, there are times I am more curious and in a tinkering kind of mode for the sake of STILL learning something. Those times I can lower a price if I see a benefit (learning something new, testing a unique environment, etc.) Last thing I do though, is ever bite off more than I can chew. If I have trouble understanding a concept, technology, I take a step back rather than make an idiot out of myself pretending to be able to do something I can't. I had to avoid a test that was out of my league that involved satellites, yachts (really big mega millionaire type yachts) and a whole bunch of marine communications. I had to avoid an ATM (airline traffic management) test because its a whole different ballgame. Know your limits, be truthful with yourself. If you have to ask one too many questions and are shaky going into an environment, you might not be ready for this type of work yet.