Thursday, March 4, 2010

Professional Script Kiddies vs Real Talent

The Good Guys in the security world are no different from the Bad Guys; most of them are nothing more than glorified Script Kiddies. The fact of the matter is that if you took all of the self-proclaimed hackers in the world and subjected them to a litmus test, very few would pass as actual hackers.

This is true for both sides of the so-called Black and White Hat coin. In the Black Hat world, you have script kiddies who download programs written by other people and then use those programs to “hack” into networks. The White Hats do the exact same thing; only they buy the expensive tools instead of downloading them for free. Or maybe they’re actually paying for the pretty GUI, who knows?

What is pitiable is that in just about all cases these script kiddies have no idea what the programs actually do. Sometimes that’s because they don’t bother to look at the code, but most of the time it’s because they just can’t understand it. If you think about it, that is scary. Do you really want to work with a security company that launches attacks against your network with tools that they do not fully understand? I sure wouldn’t.

This is part of the reason why I feel that it is so important for any professional security services provider to maintain an active research team. I’m not talking about doing market research and pretending that it’s security research, like so many security companies do. I’m talking about doing actual vulnerability research and exploit development to help educate people about risks for the purposes of defense. After all, if a security company can’t write an exploit, then what business do they have launching exploits against your company?

I am very proud to say that Everything Channel recently released the 2010 CRN Security Researchers list and that Netragard’s Kevin Finisterre was on it. The other people included in the list are people that I have the utmost respect for. As far as I am concerned, these are some of the best guys in the industry (clearly this list is not all-inclusive and in no way includes all of the people who deserve credit for their contributions and/or talent):

  • Dino Dai Zovi
  • Kevin Finisterre
  • Landon Fuller
  • Robert Graham
  • Jeremiah Grossman
  • Larry Highsmith
  • Billy Hoffman
  • Mikko Hypponen
  • Dan Kaminsky
  • Paul Kocher
  • Nate Lawson
  • David Litchfield
  • Charles Miller
  • Jeff Moss
  • Jose Nazario
  • Joanna Rutkowska

In the end I suppose it all boils down to what the customer wants. Some customers want to know their risks; others just want to put a check in the box. For those who want to know what their real risks are, you’ve come to the right place.


  1. Really? I wouldn't suggest buying a pentest from Jeff Moss. Or a wireless pen from Grossman. Or a SocEng from Billy Hoffman. Or having Charlie look at your Windows server farm. Not saying anything negative about any of those folks, but is that really anything like a comprehensive list of everyone worth a damn for every single project that any customer would want? I'm glad to see some of those people get recognition, but it's not anything even remotely complete.

    To the larger point, yes, the idea of buying a pen test from anyone who doesn't have the ability to find vulns and write exploits, sure, agreed 100%. Just don't think another silly top ten list is the right place to start shopping from.

  2. FlamingBagofPoo... I can't disagree with you, I'll change my comment to "some" of the top security experts. I can't possibly say that "is" the list and be accurate... who knows who's actually out there right?

  3. I realize upon re-reading that you weren't necessarily implying the list was comprehensive, hence "some of the best guys".

    Still, I've seen some absolutely terrible work from the "name" shops with the big hitters on the payroll (maybe having the big names means they can't afford to hire any other good people?), and I've seen amazing work from people that nobody's ever heard of, not because they aren't amazing, but because they choose not to chase headlines at security conferences.

    And that's to say nothing of the hundreds of blackhats who are, by definition, not on this list, or any other one. :>

  4. FlamingBagofPoo... You're assuming that none of the people on the list are BlackHats. I happen to remember a specific company founded by a so-called WhiteHat that knowingly hired a BlackHat to do systems administration. It gets a lot more messy than that though...

    The real key is to know the people, know their ethical boundaries. Because it's those boundaries that really define what you are.

  5. I believe I know of that specific company and that specific sysadmin, or a very similar one. ;> But he's not on that list, because he'd rather not be, which was the point I intended to make. Serves me right for bringing silly hat colors into the thread.

    Larger point, which you obviously are making as well, is that nothing is ever quite as simple as it seems.

    Good conversation.

  6. I tell clients that if there is a skilled and patient attacker with some money and no deadlines, and he wants on your network really really bad, he's gonna get on your network at some point. No pen-test will prevent that, and anyone who tells you otherwise is bullshitting you. (Whether he can persist and expand on the network or extract what he's looking for is another issue entirely.) Good pen-tests can just make it really, really hard for that guy and hopefully make him slip up and expose himself or give up and move on to something with a better effort/reward payoff.

    Even an average pen-test with canned tools is useful because, guess what, there's a limited number of patient and skilled attackers with some money and no deadlines. Most of the people trying to get on networks are using the same tools as the people doing the pen-tests and don't understand them any better. There really is a value to that pair of running shoes.

  7. I have to say that I mostly disagree with your thoughts. I do agree that it really is buyers beware when it comes to choosing a good security company but this applies to any service you purchase and not just security.

    Really, what you are saying here could be compared to being a doctor (somewhat anyway). We all go to General Practitioners when we are sick. Most of them have not done any research or created any of their own cures, but because of the hard work and talent of others they are able to prescribe the right treatment (in most cases). Does this make them a bad doctor? Should we stay away from GPs and only deal with disease researchers or specialists?

    Not everyone needs to know all the details to provide value. A highly trained individual with skills gained from others can provide value to the security of an organization. Just like our GPs provide value.

    Malicious activity can spread like a disease, and the more security GPs we have on the ground the better.

  8. Anonymous, your analogy isn't entirely accurate. When you go to your General Practitioner you know that he's not going to perform surgery. You know that if you need surgery that he will send you to a specialist.

    In this industry, if you go to a General Practitioner and you need surgery, most of them will attempt surgery because they want to make a buck.

    Customers should know how to tell the difference between the capabilities of various providers, but they can't because not all providers are honest about what they can do. Instead they just say "Yes we can do that".

  9. RE: “your analogy isn't entirely accurate”

    As I said already, buyers beware.

    It also speaks to the maturity of this industry. We don’t have a governing body controlling who can use the “Real Talent” credential, or Security MD to follow my analogy. We need this to promote and control. Accountants have the CPA or CA. Lawyers have the LLB. Engineers have the P.Eng. What do we have? Certifications just don’t fill this void.

    Really all I am saying is that you can’t tar everyone with the same brush. I work very hard trying to determine if my clients are secure. In the market that I’m in, no one will pay the cost of what you call “Real Talent” at this point. The scope of work is usually much less. Does that mean we should not do the work? Am I being dishonest with my client? I don’t think so.

  10. Anonymous, I agree with what you are saying here, especially with regards to the maturity of this industry. A few of my colleagues and I have discussed the idea of creating a board to certify certain levels of "talent" within the industry. In the end, it's not so easy to do as with other industries.

    With regards to your second paragraph, I take no issue with it so long as you are not selling people a false sense of security. Real Talent doesn't need to cost an arm and a leg, and it will almost always cost less than the damages that result from even a single successful compromise.

  11. I'm very interested in the whole Black hat and White hat divide (leaving out the grey!). In terms of making a good deal of money (say millions), would a person with skills be better off setting up a consultancy as a White hat, or taking chances as a Black hat? I really would like to know your thoughts, as I am doing a CCNA right now and am trying to absorb what I can about the field. This question that I have asked is of particular interest to me. Thanks.

  12. Anonymous, why would it be any different? In both cases if you are good at what you do then you stand the chance of making a lot of money. Your ethical designation has little to do with business acumen and/or the ability to make money.

  13. Hi Adriel. Thanks for replying.

    The reason that I figured ethical designation matters is that often (at least it seems so in this case, but then again I'm not in the field (yet :)) ) certain skills are more useful and more lucrative when used illegally. To illustrate my point: the hacker Albert Gonzalez, who has been in the news. I very much doubt he would have made anywhere near the amount he made (2 mill+) as a security consultant trying to stop people like him than he did by actually committing the crimes himself. I can't say I have ever read about any millionaire security consultants either. Then again, as I said, I don't move in those circles.

  14. You are dealing with a management culture issue. Management understands ‘ROI’, ‘culpability’ and ‘due care’. To address the issue, one would almost have to create oversight/accreditation of the practitioners and only allow companies to use those. That’s a Pandora’s box similar to the one opened against computer forensics experts where several states (specifically GA, TX, MI) have begun requiring a PI license. What does a PI license have to do with digital forensics? Not much.