
VIDEO

Retain Your Cybersecurity Talent: Empower People with Tools

Category: Talent Shortage, Thought Leadership


Transcript

Welcome to another episode of A Cup of Joe. Today I want to talk to you about that talent crunch and retaining your staff.

Employees like to feel appreciated. For years, the business world has acknowledged that employee satisfaction is a key component of employee retention. Lower turnover means less money spent on recruitment, less time lost on training and development, and a higher retention of job knowledge and expertise. It’s estimated that the cost of replacing an employee is roughly 20% of the employee’s annual salary. And with really good employees, sometimes it can cost you up to two times the annual salary. Employees who feel appreciated and valued at work perform better, and they’re more productive. Ensuring your employees have the right tools to do their job can benefit their productivity, but perhaps even more importantly, it will affect their job satisfaction.

Now imagine walking into a dentist’s office and seeing a hodgepodge of DIY power tools. You turn around and leave. Now imagine you’re a pen tester and you walk into a job with limited tools and an attitude of, well, just make do. You’re going to be out looking for a new gig pretty quick, too. Giving your employees outdated tools or asking them to make do with a mishmash of freeware sends a message that screams, we don’t value your time and expertise. You can get away with free alternatives, but having licensed copies of tools such as Burp Suite Pro, Nessus Professional, and Core Impact reduces the friction of testing, allowing your testers to be more efficient and enjoy the experience of testing without the drudgery of making do with DIY hacking tools. And the same is true for reporting.

Hackers love being Tom Cruise, dropping from the ceiling into a heavily secured room to tippy tap our exploits onto the keyboard. Nobody wants to go home and write about it. I know testers who would rather confront dogs and armed guards in an attempt to bypass security controls rather than deal with a pile of Microsoft Word docs back at the office. But you know what? That’s what PlexTrac was built for. Take, for example, the individual findings. They are arguably some of the most important elements of the report, but they’re given very little attention. They’re often a mishmash and mashup of descriptions from vulnerability assessment reporting products, and they might vary wildly from tester to tester.

Without a centralized management system, findings can become poorly categorized in this name, making any future analytics difficult, if not impossible, without having to clean up the data every time. This places a huge burden on the Pen tester, the project manager, anyone else involved in the QA process. Over time, this drudgery can be a drag on morale, causing your operators to ask, there’s got to be a better way. Or worse, there’s got to be a better company. The good news is that there is a better way. Check this out.

I wanted to show you some new functionality. We have the ability now to create separate Write ups DB repositories. This is perfect for the customers that have different regulatory regimes or risk profiles, or who have decided that certain findings should be rated with a different severity. Let’s imagine that we have a global company, Super Fizzy Soda out of Atlanta, Georgia, with HQ, manufacturing, distribution, and retail networks that combine zero trust architectures and the cloud. Now, they’ve determined that the flat CVSS 3 scores don’t always apply, and they have asked your team to mirror their internal risk assessment. You could use the same findings as your other customers and hope that you remember to make the necessary changes. Or you could just create a repository just for them.

So log into PlexTrac, click on Write ups DB and select New Repository. Now, here we’re going to create our new repository, and we’ll make a description of internal risk findings. Now, I have the option of setting repository access to private, just for specific users, or managed so that everybody can see it but they can’t make any changes. But for now, because I’m still building this repository, I’m going to leave it open to all of the members of my team. Now I hit create, and that’s it. The Super Fizzy Write ups DB is ready to go. Now, how do I get findings into this database? Well, we have several different ways.

If this was my initial import of findings, I could import findings from bulk CSV. Now, the instructions and the schema for doing that can be found here at doc.plextrac.com. Now, if I already have a populated repository, I can do a bulk copy from one repository to another. For example, I can go into write ups, select the write ups that I want to have transferred, for example, MS17-010, select it, the drop fare, maybe the cross site scripting, and then choose Actions, select these three items and import them into my new database. Now, I can also create findings from scratch. I can go into New Write up and select Start from scratch.

Click Start.

And here I can create a finding like I would in Microsoft Word, only here I’ll have it entered into the database. So I could, for example, make this one LLMNR Man-in-the-Middle Attack. So I’ll give it the title, and then I’m going to select which repository I want. I can leave it in my default repository, or in this case I’m going to go ahead and put it in Super Fizzy. The severity here is a high; for the score, I’m going to use CVSS 3 for this. I’m going to give it a high, I’m going to give it a 9.6, and I will copy in the CVSS calculation, and then my description, my recommendations, and my references, just like I was creating it in a Word doc or in a Word doc template.

But the nice thing is I’ll be able to reuse this over and over again, and it will always be the same. So when I go back later to do analytics or try to make some changes, I won’t have three or four different versions of this. Now, the other thing I will want to do is put in additional tags that I can use for search or for analytics. So I might want to put in LLMNR. I might want to put in Metasploit, because there’s a Metasploit plugin. I could put in Wireshark, I could put in network, whatever I want to create in terms of smart tags to help me find this or to be able to do future analytics. One of the things I like to add to my findings is steps to validate remediation.

We tell them how they should fix it, but we don’t tell them how they should confirm that it’s been fixed. I like to do that instead. So I’m going to create the label of Steps to Validate Remediation. I’m going to create a key called validate_remediation. And then I’m going to put my value in here. And this is my new finding. And I’ll go up and save, and my finding has been created.

Wonderful. Now, I can also add additional findings into my database by importing them from tools while I’m creating the report. So let’s go into one of my reports, up into findings. Now, if I have a finding that I want to import, I can create the finding from scratch like we just did, I can copy a finding from the Write ups DB into my report, and I can also import findings from tools. The tools we have are numerous and varied. So we’ve got Acunetix, Burp, Checkmarx, Nessus, Netsparker, Nipper, all of what you would expect to see in your typical engagement; we’re able to import them into the reports.

And once imported, what you can do is copy the findings into your Write ups DB. So it’s there. You can just grab it in the future, and it will be able to be reused by all of the individual pen testers that have access to this repository. Now, what could be easier than selecting from a drop-down and tweaking for your particular engagement? By reducing the hassle of reporting and providing a platform purpose-built for the job, you’re letting your operators know that you value their unique skills as testers. All right, well, that’s all the time we have today. I’m Joe Perini, PlexTrac’s product evangelist, wishing you happy reporting.

Until next time.