Wireless Pen Testing: How To Overcome Objections With A New Value Proposition


Written by: James D. Perry II and Jeremy Parrott

As published in PenTest Magazine - Issue 13/2016

Have you ever wished someone would stop beating around the bush and give it to you straight? Well, here it goes. We hope you're ready for this.

We will explain why organizations aren't knocking down your door to get a wireless pen test. It will be rough, but bear with us. We'll show you what you can do to fix that, and give you 5 approaches you can use to push through objections.

Will You Get Approval?

If you’re reading this article, chances are you’re a pen test pro. You have the skills and knowledge to succeed—and hopefully a Raspberry Pi-based quadcopter.

The only thing stopping you is approval from the iron gate—the C-suite. This is where ideas get funded, and where they die. You need their agreement, but getting that is not easy. You will have to show real benefit, but herein lies the problem.

You expect the Chief Information Security Officer (CISO) to be on board with a wireless pen test, and why wouldn't you? It makes perfect sense. You’ll definitely get his attention, but will you get his approval? The chances are…probably not.

But why?

Well, get ready to take a peek inside the mind of a CISO.

The CISO’s Perspective

You meet with the CISO, and you’ve got point after point on why you should do a wireless pen test. You delivered a great pitch, but you didn't get the support you imagined. He said, "Great idea, but no."

Bewildered, you scratch your head and struggle to understand how he could make such a short-sighted decision. It all comes down to return-on-investment (ROI). We know, we’re sure you just rolled your eyes at the mention of ROI.

So why should you (the pen tester) care about ROI? Because we (the CISOs) have to. We have to show the Board ROI, and you need to show us there is a real return.

The Battle Lines Are Drawn

When it comes to pen tests, there are two schools of thought. On one side, you have the pen test advocates. They preach the gospel of real world attacks and proving vulnerabilities exist.

On the other side, there are the opponents. Over here, they already know vulnerabilities exist, and see pen tests as a complete waste of time and money.

What? Vulnerabilities In My Wireless Infrastructure? This Is My Surprised Face

CISOs know there are holes.

As Bruce Schneier points out in “Is Penetration Testing Worth It,”

“Given enough time and money, a pen test will find vulnerabilities; there's no point in proving it. And if you're not going to fix all the uncovered vulnerabilities, there's no point uncovering them.”

Here is the hard truth: CISOs will not pay someone to find the holes they already know (or expect) to exist. We are vulnerable, we get it, and it didn't cost $30,000+ to find that out.

Now, back to return-on-investment. It just doesn’t make financial sense. Especially when that money can go to better defenses.

CISOs wish they had unlimited budgets and resources, but to be realistic, that will never happen. We must prioritize. We have to put our finger on the top threats and fix those first.

But to do that, we need evidence—which brings us to the next point.

The Prosecution Calls...Anyone With Evidence?

Before we make a decision, we look at our internal incident response data. Then, we fill the gaps with industry research. After looking at both, there’s little evidence to support a wireless pen test.

Our incident response team works 100+ compromised account cases a year. The most common cause? Unsophisticated attacks, like phishing, keyloggers, and malware.

When we have to choose, that is where our money goes. We fix the top threats first!

More on evidence. If you follow Verizon’s Data Breach Investigations Report (DBIR), you will notice wireless threats are not making headlines. In fact, the DBIR has not mentioned wireless threats since 2010. And when they were mentioned, this is what the report had to say:

“This marks the third year in a row that only a single incident occurred in which wireless networks were used to infiltrate organizational systems.”

Despite being aware that wireless vulnerabilities exist, the data tells us it should not be our highest priority. As a result, CISOs feel their resources are better invested elsewhere, say patching, next-gen firewalls, and more security staff.

How To Appeal To A CISO

Enough about why wireless pen tests are losing favor. Let’s talk about how to change that.

To start, here’s the question you need to answer, “What would change a CISO's mind about wireless pen tests?”

Heck, we asked ourselves that same question, and came up with 5 approaches you can use to change a CISO's mind.

Drive these points home, and you will likely have more work than you can handle.

1. Help me meet a requirement.

There's no getting around it: if you process cardholder data over wireless networks, you have to pen test it. It is a PCI DSS requirement, so you don’t need to convince us on this point. It is getting done. No CISO wants to be out of compliance, or have to answer questions about why a test didn’t happen.

Even worse, most businesses cannot handle the fines or the sheer cost of hiring a fleet of incident responders.

Find a compliance requirement, and you will get a YES. Whether it’s PCI or even HIPAA, we will support you. Better yet, use the success you gain here to build support for more pen tests.

2. Turn it into a training opportunity.

Although a company might not have the cash to throw at pen tests, they see clear value in training and education. And if you get two benefits at the same time, it's a no-brainer.

Here is one idea to test and train at the same time. Start with something small, like placing a rogue access point on the network, and see how long it takes us to find it. If it takes too long, show us how to do it faster. Once we get that on rails, we can move on to something more advanced.

Test the wireless network, train the staff on how to detect and respond, rinse and repeat.

Build momentum. Show small wins, then turn those into bigger wins. Eventually, wireless security will improve. It will mature to the point we need pro pen testers to find and exploit something new.

3. Focus on availability.

We are not that worried about wireless man-in-the-middle attacks. For us, the nightmare is a local DDoS attack. Or as we in HigherEd like to call it, *every Saturday during football season.* No one is happy when 150,000+ diehard fans can’t post their football pics to Instagram.

If you can help us find ways to improve our wireless availability, you may just find the checkbook wide open.

4. Invert the cost.

I am sure you know the amount big names charge for a pen test. One can run the cost of a Tesla Model S, and they can often run more than that. But if a pen tester offered smaller, lower-cost engagements, you could get a lot more interest.

We imagine having a pro pen tester on retainer. We could use a few hours here and a few hours there—instead of a single six-figure project.

To sum it up, you know how much the big names charge? Don't be them.

5. Get our attention by showing us real value.

Do you know how many pen testers have given us real value at no cost? ZERO. Some have even given us no value at real cost.

Now pay attention to this. You can steal your competitor's business by offering CISOs free, valuable advice. We are not just talking about marketing material here. We are talking about real help.

If you have never read the “Recession-Proof Graduate” or “The Santa Claus Formula,” add these to your list right now. Here’s the gist: don't show up empty-handed. Find—in a legal way, of course—flaws we need to fix. Then, share that info, with actionable steps on how to fix it. We will never know how great your work is until you show us.

If you want to grow your business and get the CISO’s attention, this could be the most helpful (and profitable) step you could ever take.


Perspective: How To Get Better Results With Threat Data

Welcome to InfoSec 101!  Open your textbooks and turn to chapter one.

Not far into your first lecture, just past the introduction to confidentiality, integrity, and availability, you are likely to encounter the topic of risk management. To fully understand risk management, the author points out, you must first understand risk itself.

Introducing the Risk Formula:


While the definition looks simple, the hidden truths within are the keys to a successful information security program.  


By adding narrative to the risk formula, you learn that risk is the possibility of a threat acting upon a vulnerability that results in the unauthorized disclosure, alteration, or destruction of information or an information technology asset.

Principle #1:  An individual risk is calculated for a particular threat/vulnerability pair.

Recall from algebra that anything multiplied by zero equals zero (a x 0 = 0). Therefore, for there to be an actual risk (that requires managing), there must be both a vulnerability AND a threat. Stated differently, a risk is the probability of loss. If there is no threat or vulnerability, there is no risk.

Principle #2:  Rewrite the formula - let threats drive the risk calculation.

Rewriting the formula as THREAT x VULNERABILITY = RISK (using the symmetric property this time - yay algebra) allows threat analysis to be prioritized as the first step in the risk management methodology.

Why is this necessary?  Glad you asked!  Given the lack of unlimited resources and budgets, an effective and efficient information security program must be able to prioritize which threats or vulnerabilities to mitigate.  More on this later...trust me it will be worth the wait.

Principle #3: Determine a specific threat, then let vulnerabilities drive risk reduction.

As previously noted, the absence of a vulnerability means there is no risk.  As a result, the best practice is to identify a given threat and then focus your effort on eliminating weaknesses in order of the greatest potential impact.


The great thing about principles is that they can be very useful in developing successful strategies and tactics.  The only problem is that they have to actually be applied for their true genius to be realized.  

Perhaps the following "best practice approach" sounds familiar?

Step 1 - Pick a risk management framework (e.g. NIST 800-53, ISO 27001, etc.).

Step 2 - Perform a gap analysis of your current program vs. the selected framework.

Step 3 - Develop a plan of action and milestones to resolve all of the identified gaps.

Or, perhaps the following statements can be found on your security strategic plan?

Goal 1 - Implement an enterprise vulnerability management program.

Goal 2 - Engage a third-party provider to perform a comprehensive penetration test.

Goal 3 - Engage with vendors to identify and invest in the latest NexGen widget.

If any of these resonate, chances are you have observed firsthand the reality that many organizations fail to apply the principles previously established.


----- 1,682 -----

1,682 is the number of unique security control elements outlined in NIST SP800-53r4.  Those unique elements are grouped into a "more manageable" 240 controls.  Still seem overwhelming?  You are not alone!

"Good news!"  To help you overcome that sinking feeling, NIST graciously provides a recommended prioritization of controls.  So, instead of worrying about the 240...just focus on those listed as a "P1" (priority one).  That leaves you with ONLY 122 #1 priorities.  Sounds reasonable, right?

Risk management frameworks, when used in the proper context, are tremendously beneficial. They help to provide a thorough and thoughtful approach to achieving information security program maturity.  However, as illustrated above, they require significant tailoring to an individual organization's unique situation; otherwise, you are likely attempting to boil the ocean. 

I suggest ending with the risk management framework versus starting there.  Further details below.


While some organizations get trapped in the "boil the ocean" approach, others are snared by vulnerability management.  Principle #3 (above) outlines that the "absence of a vulnerability means there is no risk."  So, to not have any risk all we have to do is have zero vulnerabilities. Easy enough!  We'll buy an enterprise vulnerability management tool, perform some penetration testing, get everything patched, and call it a day.  No easy button required.

Not so fast! The Verizon 2016 Data Breach Investigations Report (see pages 13-16) points out that, despite years of banging the drum for vulnerability management, unpatched systems are among the leading sources of incidents and data breaches. This is likely due to the following realities:

  1. The time between a vulnerability being announced and exploit code being available is ever shrinking - the 2016 median time was ~30 days.
  2. The pace at which new vulnerabilities are being discovered is growing exponentially.
  3. Not everything in your organization can be patched (remember that old mainframe).
  4. The business can't afford the number of maintenance windows needed.
  5. <Insert your reason here> (see BYOD, distributed responsibility, lack of tools, etc. for additional hints).


Start with principle #2 - "Rewrite the formula - let threats drive the risk calculation."

Your methodology should start with threat data (incidents handled by your Incident Response team). Then merge your information with threat data collected from other organizations in your specific industry (the threats in one industry are likely very different from those in another). Combined, you have an accurate picture of the top threats you are currently facing or that you are most likely to face.

Next, principle #3 - Determine a specific threat, then let vulnerabilities drive risk reduction.

Evaluate vulnerabilities that a particular threat may exploit.  Remediate where possible.

Finally, end with an eye towards a risk management framework.

Consult your designated risk management framework to select additional safeguards based on effectiveness, cost, and productivity impact.  Leverage the framework to perform routine (annually?) maturity assessments to understand your gaps and plan for round two.
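
The threat-first ordering described above, sketched as an added example (not part of the original article): it blends internal incident counts with industry shares to rank threats, then scores each threat/vulnerability pair as threat x vulnerability. All data, the 0.7 weighting toward internal data, and the 0-10 impact scores are constructed assumptions for illustration.

```python
from collections import Counter

# Constructed sample data (assumption, not from the article): one label per closed IR case.
INTERNAL_INCIDENTS = (["phishing"] * 60 + ["malware"] * 25 +
                      ["keylogger"] * 14 + ["rogue_ap"] * 1)
# Constructed industry data: share of reported incidents per threat in your sector.
INDUSTRY_SHARE = {"phishing": 0.40, "malware": 0.30, "web_app": 0.20,
                  "keylogger": 0.08, "rogue_ap": 0.02}
# Constructed inventory: threat -> {weakness it can act on: impact score 0-10}.
VULNERABILITIES = {
    "phishing": {"no_mfa_on_webmail": 9, "no_url_filtering": 5},
    "malware": {"unpatched_workstations": 8, "local_admin_rights": 6},
    "keylogger": {"shared_kiosk_pcs": 7},
    "rogue_ap": {"unmonitored_switch_ports": 6},
    "web_app": {},  # threat exists, no known weakness: no risk to manage
}

def threat_likelihood(incidents, industry, internal_weight=0.7):
    """Principle #2: blend internal IR frequency with industry share.
    The 0.7 weight toward your own data is an assumption of this example."""
    counts = Counter(incidents)
    total = sum(counts.values()) or 1
    return {t: internal_weight * counts[t] / total
               + (1 - internal_weight) * industry.get(t, 0.0)
            for t in set(counts) | set(industry)}

def risk_register(likelihood, vulnerabilities):
    """Principles #1 and #3: one risk per threat/vulnerability pair
    (threat x vulnerability), top threat first, then greatest impact."""
    rows = []
    for threat, p in likelihood.items():
        for weakness, impact in vulnerabilities.get(threat, {}).items():
            risk = p * impact
            if risk > 0:  # a zero on either side means nothing to manage
                rows.append((threat, weakness, round(risk, 2)))
    return sorted(rows, key=lambda r: (-likelihood[r[0]], -r[2]))

def build_register():
    likelihood = threat_likelihood(INTERNAL_INCIDENTS, INDUSTRY_SHARE)
    return risk_register(likelihood, VULNERABILITIES)

if __name__ == "__main__":
    for threat, weakness, risk in build_register():
        print(f"{threat:10} {weakness:26} {risk:5.2f}")
```

With this sample data the wireless pair lands at the bottom of the register, and the web application threat produces no row at all because no matching weakness is recorded.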


The Truth About Your Disastrous Security Awareness Obsession

YES!  Of course you should include security awareness as part of your overall information security strategy!  Failure to do so will likely invite "friendly advice" from your favorite auditors and call into question your credibility as an InfoSec warrior.

Conventional wisdom aside, the question remains as to the efficacy of "securing the human" through traditional security awareness methods (e.g. death by PowerPoint, internal phishing exercises, and clever marketing campaigns).