pentest, level of assurance

Breaking bad news

![Oh noes](/img/breaking_bad_news.jpg)
I had the pleasure of being in Bloomington, MN, last week and met with a fellow CISO who wanted to know more about how I approached vulnerability assessments. We got to talking about some of the boutique assessment firms out there and what made the good ones so good. For me, the difference came down to their ability to answer a very important question: if someone of a certain skillset had the inclination to make my company a target, how long would it take them to succeed, and how much noise would they have to generate? Society has learned to demand this sort of information for its physical assets; this is why Underwriters Laboratories [rates their safes](http://www.ul.com/global/eng/pages/corporate/newsroom/storyideas/urbansafetymyths/safes/): >Safes are rated for their resistance to attack against specific tools for a set period of time. There are a dozen different ratings, everything from ATM machines, to gun safes to bank vaults. For example, a safe that bears a Class TRTL-15x6 rating, which might be found in a jewelry store, should resist a hand tool and torch attack for a minimum of 15 minutes. A TRTL-30x6-rated safe, which would protect important documents or store money, should withstand an attack for 30 minutes. The ultimate safe rating -- a TXTL60 -- should withstand an hour's worth of attack that includes the use of 8 ounces of nitroglycerin.

What makes a good pentester is their ability to provide a similar level of assurance for a digital asset; anything less is (there... I said it...) mere compliance. When I hire someone to do this task, I am paying for the confidence of knowing, for that magical point in time when the test occurred, that a skilled attacker spent X hours trying to break in and the exact result of that exercise.

At this point, my fellow CISO asked a rather salient question:

People that good are bound to break in more often than not... how do you break the bad news???

Pausing for a brief flashback to my last gig, where we kept a copy of Grandma's Dead: Breaking Bad News with Baby Animals around for just these sorts of occasions, I responded: "knowing is never bad news." Reality is, of course, rarely that cut-and-dried. Some vulnerabilities are easier to fix than others, and some can be downright embarrassing. However, if you believe (as I do) that the CISO's role is not to prevent all bad outcomes, but to drive for informed risk management and, year over year, to raise the bar on the safety rating of his company's digital assets, then you rarely feel the need to pull out that aaaaawfully cute puppy.