Need a bigger security budget? Star in your own hacking video!

Over the years I’ve assisted many security directors in their process of justifying new security projects and budgets. I’ve seen countless techniques used by security teams in an effort to free up hard to attain dollars for security projects. There are two techniques I’ve seen work with a very high degree of success that I wanted to pass along to you all.

Let’s start with the one that you have probably thought of, but most likely have never followed through with. Budget approval technique number one is whitehat hacking your environment. Said another way, this is a technique that makes your nebulous, sky is falling security vulnerabilities very personal and verifiable to your executives and board of directors. So the first thing you need to do is make sure that you have the legal contractual authority to perform penetration tests on your company’s systems. Make sure this agreement is ironclad and put together by a corporate lawyer; you need to protect yourself from personal liability. And no, this blog will not serve as protection. ☺ Now, you are ready to start your sanctioned penetration testing. Make sure that you have any administrator or equivalent account privileges removed from your user accounts. This is so that you don’t have any unfair advantages above and beyond the normal jdoe user. Next, come up with an attack/hack plan. Depending on your hacking skill level this plan will either be high level or super detailed. If you’re a hacker newbie then it should be super detailed. In fact, if you’re new at this you shouldn’t be hacking your company until you gain some experience in a lab or somewhere. Be sure to share and get approval for your plan by your manager first. The format you choose to deliver your results in will vary according to the message you are trying to send. One of the most effective formats is creating a movie, Video Podcast or VoD of your exploits. This format takes the most investment of time and skill but the pay off is usually more than worth it. There really is no substitute for playing a movie of you and your team actively Pwning critical systems and gathering sensitive corporate data on your network. The movie format delivers irrefutable proof to your executives that your systems are unsecure and need to be protected. Of course along with the movie must be your plan and budget requirements for fixing the vulnerabilities you are showcasing. For CISO’s this type of video evidence, if ignored by the company, can keep you safe from any liabilities you may incur (i.e. getting fired or sued) due to a substantial security breach on your watch. Bottom line is it’s very hard for executives to watch their systems being hacked and then not do anything about it. The goal is to make it REAL to them. Here are some ideas on creating your whitehat hacker video:

• The goal of the video is to make previously very hazy and nebulous corporate security threats extremely clear-cut and personal to the corporation and more importantly to the executives who have budget control over the funds you are seeking. Show them that the vulnerabilities and threats you have been warning them about for months is actually real and can happen on their systems.
• If your company needs to comply with PCI standards then be sure to target and attack PCI related systems and databases. I can almost guarantee you that if you are able to show management and your internal auditors a movie that proves you can easily gain access to PCI data you will get budget to fix it. It still might take a few months to get approval, but you’ll probably get some funding. The risk (both monetary and brand protection) attached with such an exposure to a company is just too great. Not to mention that if the card clearing bank(s) get wind of it they can shut down your ability to process credit cards!
• Same thing is true for HIPAA regulations. If your company needs to be HIPAA compliant then run a penetration test of the systems that house and protect Patient Health Information (PHI).
• Try to keep your exploits simple and always use public domain tools. This avoids the possibility of anyone saying that the risk of someone else performing these exploits is very low because you’re just a ninja hacker using specialized tools.
• Try using exploit tools like metasploit, ettercap, hacksaw, backtrac, and a text editor. A fun and effective day-zero exploit can be done easily using an old virus file that your AV client will detect. You move some stuff around in the virus file using a text editor, run the virus again and your AV client will miss it even though the virus is still valid! This attack demonstrates the need for more sophisticated client based security like HIPS, FW, behavioral threat prevention, etc.
• Physically (like the example above) or digitally (usb drive, powerpoint slides of screenshots, etc.) give examples of the compromised data you were able to obtain to your executives. It works best if you can deliver actual files or plant “you’ve been hacked” type txt files to prove that you were there.
• Remember that the data, movie, etc. that you have gained during pen testing is highly confidential and needs to be treated that way by you. The worst thing that could happen is the data you’ve gathered is rendered even less secure than it was before you got it. As a minimum, Encrypt and password protect everything.
• Attack those parts of the network that will best enforce your current budget request. Don’t try to boil the ocean with this. Keep your movies targeted, short (less than 5minutes), and concise. Even though you may have several vulnerabilities in your network just focus on one or two of them at a time. Don’t worry you’ll be able to follow-up with the others once you gain some attention.
• Include some social engineering attacks in your movie. These almost always work. Take off your badge, dress like a repairman (or some such), go to a place in the company where nobody knows you, and try to gain access to sensitive areas. These areas could be the datacenter, MDF closets, document storage rooms, or telephone systems. Try and see if one of the users will let you on their computer or even give you their password. You’d be surprised at what you’ll get if you act the part and are believable!
• Another important tip is to know your audience and not go to far with the whitehat hacker VoD thing. Under no circumstances do you want to gather/open data that is HR related or created by high-level executives. This stuff is taboo, stay away from it unless given specific permission to do so. It can make you more enemies than friends thus defeating your purpose. In some cases it can get you fired as well!
• You do not want to appear cocky, self-important, or superior in your exploit footage. Never forget that it could be your board of directors that is watching your video. If you wouldn’t say or show it to them in person then don’t do it in your video. Remember that the vulnerabilities you are exposing will make some high muckamucks look bad. If you can help them save face do it. Don’t try to paint them as incompetent or negligent. If they truly are incompetent others will expose it in due time.

Here is a recent example of social engineering: I have one customer that social engineered himself into a document warehouse where he proceeded to steal boxes of PHI and PCI data. Then he put the boxes under his executive’s desk for him to find the next morning. Best thing is that he was even able to social engineer his way back in days later to return them! Needless to say this prompted his company to spend the money to upgrade their physical security, access procedures, and run security awareness programs. If the exploits you use in your video are simple to execute then another budget approval technique is to teach executives how to hack. Might sound crazy at first but it can be incredibly effective and pay off huge dividends. Here are some tips for your executive hacking course: Pick your executives carefully. You should be able to tell which execs would be more open and interested in this. Don’t pick the stodgy ones. ☺ It works best if you sit down one-on-one with the executive, play them the movie explaining as you go, then show how you can execute the exploit live and finally, walk the executive through performing the exploit themselves. The easier and more personal you make it to the executive the more he/she will remember it and quickly become a champion for your cause. You’ll be surprised at how much the newbie hacker executive will talk about their new abilities and exploits to colleagues and friends. It’s cool to be a hacker, use that to your benefit! A future blog will continue this theme with “how to use compliance regulations and standards to help you fund security projects”. Enjoy your new found star status, hopefully it will assist you in obtaining security funding for critical security projects even in this economy. If you have any other tips to share please post them here. Have you ever used the hacker VoD technique? If so, what were the results? If not, why not? Huge thanks to my hacker buddy, Y3T1!

The opinions and information presented here are my PERSONAL views and not those of my employer. I am in no way an official spokesperson for my employer.

More from Jamey Heary: Credit Card Skimming: How thieves can steal your card info without you knowing it Cisco enters the crowded AV and DLP client marketCisco's new ASA code allows you to securely take your Cisco IP Phone with you anywhereCisco targets Symantec, McAfee with its new antivirus client Google's Chrome raises security concerns and tastes like chicken feet a>Go to Jamey’s Blog for more articles on security.

*

*

*

*

*