“Wireless Pen Testing: How To Overcome Objections With A New Value Proposition”
Written by: James D. Perry II and Jeremy Parrott
As published in PenTest Magazine - Issue 13/2016
Have you ever wished someone would stop beating around the bush and give it to you straight? Well, here it goes. We hope you're ready for this.
We will explain why organizations aren't knocking down your door to get a wireless pen test. It will be rough, but bear with us. We'll show you what you can do to fix that, and give you 5 approaches you can use to push through objections.
Will You Get Approval?
If you’re reading this article, chances are you’re a pen test pro. You have the skills and knowledge to succeed—and hopefully a Raspberry Pi-based quadcopter.
The only thing stopping you is approval from the iron gate—the C-suite. This is where ideas get funded, and where they die. You need their agreement, but getting that is not easy. You will have to show real benefit, but herein lies the problem.
You expect the Chief Information Security Officer (CISO) to be on board with a wireless pen test, and why wouldn't you? It makes perfect sense. You’ll definitely get his attention, but will you get his approval? The chances are…probably not.
Well, get ready to take a peek inside the mind of a CISO.
The CISO’s Perspective
You meet with the CISO, and you’ve got point after point on why you should do a wireless pen test. You delivered a great pitch, but you didn't get the support you imagined. He said, "Great idea, but no."
Bewildered, you scratch your head and struggle to understand how he could make such a short-sighted decision. It all comes down to return-on-investment (ROI). We know: you just rolled your eyes at the mention of ROI.
So why should you (the pen tester) care about ROI? Because we (the CISOs) have to. We have to show the Board ROI, and you need to show us there is a real return.
The Battle Lines Are Drawn
When it comes to pen tests, there are two schools of thought. On one side, you have the pen test advocates. They preach the gospel of real world attacks and proving vulnerabilities exist.
On the other side, there are the opponents. Over here, they already know vulnerabilities exist, and see pen tests as a complete waste of time and money.
What? Vulnerabilities In My Wireless Infrastructure? This Is My Surprised Face
CISOs know there are holes.
As Bruce Schneier points out in “Is Penetration Testing Worth It,"
“Given enough time and money, a pen test will find vulnerabilities; there's no point in proving it. And if you're not going to fix all the uncovered vulnerabilities, there's no point uncovering them.”
Here is the hard truth: CISOs will not pay someone to find the holes they already know (or expect) to exist. We are vulnerable, we get it, and it didn't cost $30,000+ to find that out.
Now, back to return-on-investment. Paying to rediscover holes we already know about doesn't make financial sense, especially when that money can go to better defenses.
CISOs wish they had unlimited budgets and resources, but to be realistic, that will never happen. We must prioritize. We have to put our finger on the top threats and fix those first.
But to do that, we need evidence—which brings us to the next point.
The Prosecution Calls...Anyone With Evidence?
Before we make a decision, we look at our internal incident response data. Then, we fill the gaps with industry research. After looking at both, there’s little evidence to support a wireless pen test.
Our incident response team works 100+ compromised account cases a year. The most common cause? Unsophisticated attacks, like phishing, keyloggers, and malware.
When we have to choose, that is where our money goes. We fix the top threats first!
More on evidence. If you follow Verizon’s Data Breach Investigations Report (DBIR), you will notice wireless threats are not making headlines. In fact, the DBIR has not mentioned wireless threats since 2010. And when it was mentioned, this is what they had to say,
“This marks the third year in a row that only a single incident occurred in which wireless networks were used to infiltrate organizational systems."
Despite being aware that wireless vulnerabilities exist, the data tells us they should not be our highest priority. As a result, CISOs feel their resources are better invested elsewhere, say, in patching, next-gen firewalls, and more security staff.
How To Appeal To A CISO
Enough about why wireless pen tests are losing favor. Let’s talk about how to change that.
To start, here’s the question you need to answer, “What would change a CISO's mind about wireless pen tests?”
Heck, we asked ourselves that same question, and came up with 5 approaches you can use to change a CISO's mind.
Drive these points home, and you will likely have more work than you can handle.
1. Help me meet a requirement.
There's no getting around it: if cardholder data crosses your wireless network, that network is in scope for PCI DSS, and PCI DSS requires penetration testing of the cardholder data environment (Requirement 11.3) as well as quarterly checks for unauthorized wireless access points (Requirement 11.1). You don’t need to convince us on this point. It is getting done. No CISO wants to be out of compliance, or have to answer questions about why a test didn’t happen.
And after a breach, most businesses cannot absorb the fines, let alone the sheer cost of hiring a fleet of incident responders.
Find a compliance requirement, and you will get a YES. Whether it’s PCI or even HIPAA, we will support you. Better yet, use the success you gain here to build support for more pen tests.
2. Turn it into a training opportunity.
Although a company might not have the cash to throw at pen tests, it sees clear value in training and education. And if you deliver two benefits at the same time, it's a no-brainer.
Here is one idea to test and train at the same time. Start with something small, like placing a rogue access point on the network, and see how long it takes us to find it. If it takes too long, show us how to do it faster. Once we get that on rails, we can move on to something more advanced.
Test the wireless network, train the staff on how to detect and respond, rinse and repeat.
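The rogue access point exercise above is easy to score if the blue team has a scripted check to run against each scan. The script below is an added example, not code from the article or its authors: it compares one wireless scan against the authorized AP inventory, classifies every BSSID (authorized, evil twin using a corporate SSID, lookalike SSID, an authorized BSSID that has been downgraded to open, uninventoried hardware from our own AP vendor, or a neighbor), and reports how long the planted rogue went unnoticed. The inventory, vendor OUI prefix, timestamps and scan records are all constructed for illustration; in practice you would build the `Observation` objects from airodump-ng or `iw` scan output.

```python
"""
Rogue AP triage for a test-and-train exercise.

Added example (not from the article). The inventory, vendor OUI prefix and
scan records are constructed for illustration; they are not real networks.
"""
from dataclasses import dataclass
from datetime import datetime
from difflib import SequenceMatcher

# Hypothetical authorized inventory: BSSID -> (SSID, channel, security).
AUTHORIZED = {
    "00:11:22:aa:bb:01": ("CorpWiFi", 6, "WPA2"),
    "00:11:22:aa:bb:02": ("CorpWiFi", 11, "WPA2"),
    "00:11:22:aa:bb:03": ("CorpGuest", 1, "OPEN"),
}
CORPORATE_SSIDS = {ssid for ssid, _, _ in AUTHORIZED.values()}
CORP_AP_OUI = "00:11:22"  # hypothetical vendor prefix of the enterprise AP fleet


@dataclass
class Observation:
    bssid: str
    ssid: str
    channel: int
    security: str        # "OPEN", "WPA2", ...
    first_seen: datetime


def looks_like_corporate(ssid: str) -> bool:
    """Case-insensitive near-match (e.g. CorpWlFi) against any corporate SSID."""
    return any(
        SequenceMatcher(None, ssid.lower(), real.lower()).ratio() >= 0.85
        for real in CORPORATE_SSIDS
    )


def classify(obs: Observation) -> str:
    bssid = obs.bssid.lower()  # scanners differ in case; inventory keys are lowercase
    auth = AUTHORIZED.get(bssid)
    if auth is not None:
        ssid, _channel, security = auth
        if obs.ssid != ssid:
            return "SSID_MISMATCH"       # our BSSID, wrong name: misconfig or BSSID spoof
        if obs.security != security:
            return "SECURITY_DOWNGRADE"  # our BSSID, e.g. a WPA2 SSID now open
        return "AUTHORIZED"
    if obs.ssid in CORPORATE_SSIDS:
        return "EVIL_TWIN"               # corporate SSID from hardware we do not own
    if looks_like_corporate(obs.ssid):
        return "LOOKALIKE_SSID"
    if bssid.startswith(CORP_AP_OUI):
        return "UNINVENTORIED_CORP_HW"   # our vendor's hardware, missing from inventory
    return "NEIGHBOR"


# Constructed scan for the exercise; the planted rogue is de:ad:be:ef:00:01.
PLANTED_AT = datetime(2016, 9, 10, 9, 0)
SAMPLE_SCAN = [
    Observation("00:11:22:AA:BB:01", "CorpWiFi", 6, "WPA2", datetime(2016, 9, 10, 9, 5)),
    Observation("00:11:22:aa:bb:03", "CorpGuest", 1, "OPEN", datetime(2016, 9, 10, 9, 5)),
    Observation("00:11:22:aa:bb:02", "CorpWiFi", 11, "OPEN", datetime(2016, 9, 10, 9, 6)),
    Observation("de:ad:be:ef:00:01", "CorpWiFi", 6, "OPEN", datetime(2016, 9, 10, 9, 47)),
    Observation("de:ad:be:ef:00:01", "CorpWiFi", 6, "OPEN", datetime(2016, 9, 10, 9, 52)),  # repeat
    Observation("de:ad:be:ef:00:02", "CorpWlFi", 6, "WPA2", datetime(2016, 9, 10, 9, 30)),
    Observation("00:11:22:cc:dd:01", "Linksys", 3, "WPA2", datetime(2016, 9, 10, 9, 10)),
    Observation("66:77:88:99:00:01", "xfinitywifi", 1, "OPEN", datetime(2016, 9, 10, 9, 5)),
]


def run_exercise(scan=SAMPLE_SCAN, planted_at=PLANTED_AT, rogue_bssid="de:ad:be:ef:00:01"):
    """Classify every BSSID (earliest sighting wins) and score time-to-detect."""
    earliest = {}
    for obs in scan:
        key = obs.bssid.lower()
        if key not in earliest or obs.first_seen < earliest[key].first_seen:
            earliest[key] = obs
    categories = {key: classify(obs) for key, obs in earliest.items()}
    findings = sorted(k for k, c in categories.items() if c not in ("AUTHORIZED", "NEIGHBOR"))
    latency = (earliest[rogue_bssid].first_seen - planted_at).total_seconds()
    return {"categories": categories, "findings": findings, "rogue_latency_seconds": latency}


if __name__ == "__main__":
    result = run_exercise()
    for bssid, category in result["categories"].items():
        print(f"{bssid}  {category}")
    print(f"planted rogue first seen after {result['rogue_latency_seconds'] / 60:.0f} minutes")
```

Two design points matter for the training goal. Deduplicating on the earliest sighting is what makes the time-to-detect number honest; a scanner that reports the same BSSID every sweep would otherwise inflate it. And the categories are ordered from most to least certain: an authorized BSSID is judged on what it should be advertising, a corporate SSID from unknown hardware is an evil twin regardless of vendor, and the OUI check is only a hint for hardware nobody inventoried, since BSSIDs are trivially spoofed.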
Build momentum. Show small wins, then turn those into bigger wins. Eventually, wireless security will improve. It will mature to the point we need pro pen testers to find and exploit something new.
3. Focus on availability.
We are not that worried about wireless man-in-the-middle attacks. For us, the nightmare is a local DDoS attack. Or as we in HigherEd like to call it, *every Saturday during football season.* No one is happy when 150,000+ diehard fans can’t post their football pics to Instagram.
If you can help us find ways to improve our wireless availability, you may just find the checkbook wide open.
4. Invert the cost.
I am sure you know the amount big names charge for a pen test. A single engagement can cost as much as a Tesla Model S, and often more. But if a pen tester offered smaller, lower-cost engagements, you could get a lot more interest.
We imagine having a pro pen tester on retainer. We could use a few hours here and a few hours there—instead of a single six-figure project.
To sum it up, you know how much the big names charge? Don't be them.
5. Get our attention by showing us real value.
Do you know how many pen testers have given us real value at no cost? ZERO. Some have even given us no value at real cost.
Now pay attention to this. You can steal your competitor's business by offering CISOs free, valuable advice. We are not just talking about marketing material here. We are talking about real help.
If you have never read the “Recession-Proof Graduate” or “The Santa Claus Formula,” add these to your list right now. Here’s the gist: don't show up empty-handed. Find—in a legal way, of course—flaws we need to fix. Then, share that info, with actionable steps on how to fix it. We will never know how great your work is until you show us.
If you want to grow your business and get the CISO’s attention, this could be the most helpful (and profitable) step you could ever take.