Of hackers and ego, 2007-10-10
The world of computer security can often be a strange and compelling one. Many outsiders, or those with little knowledge of computers, just don't understand the whole uproar over various issues, such as whether Microsoft Vista is more secure than Linux or Mac. It's all moot as far as the general population is concerned. But, for those of us who work in the industry, it is just more grist for the mill.
Another facet of this industry, for those of us who are contractors in this environment, is the level of access we have to a client's upper management. Typically, as a contractor retained perhaps for a pen-test or vulnerability assessment, you will likely be dealing with the CSO, CIO, or other such high-ranking individual. The same does not really apply to temporary system administrators or temp agency secretarial staff; they don't interact by default with the upper echelons of the corporation the way the computer security contractor does.
Which brings us to my point: It is no longer enough to have excellent computer security skills in your given domain; you must also possess excellent business savvy and people skills.
Here's a good example: Recently, a friend of mine had a contractor performing a remote pen-test at company X. I was around at one point and the guy came up to me and started yammering about how he had totally pwned the client's network, and then started going on in leet speak. It was a painful experience, and most irritating to listen to, but it nicely makes my point.
There was no way that this contractor should ever interact with the actual client, which meant that my friend had to handle the client himself when delivering the report and going over it. Not an ideal situation to have, really. Each person should be able to conduct the client engagement from start to finish.
I was reminded of this by a more recent incident that you're all likely aware of if you read SecurityFocus or the Matasano blog, specifically the latter, where they challenged Joanna Rutkowska on the ability to detect her BluePill rootkit. Her response was that she would happily accept the challenge if they would pay her the cost of having developed BluePill, which if memory serves was $400K by her account. Now, I'm not a peer of either Joanna Rutkowska or any of the Matasano crew. I'm not even a programmer, let alone an exploit seeker. With that said, Joanna's response to the challenge strikes me as that of someone who was pissed off. And I can't say I blame her, really.
Likely a far better way for Matasano to have handled the claim of BluePill detection would have been to contact Joanna offline rather than challenge her as publicly as they did. That would likely have led to a far better resolution, and from a business perspective, made a lot more sense. Who knows, there could have been a third-party evaluation of the rootkit as a result. Business pays the office rent, and more importantly the mortgage. Backing someone into a corner, in a public venue no less, just isn't a good idea.
Another good example of hacker ego, or just plain bad business sense, is the way some exploit researchers have chosen to engage with commercial companies.
One such case is the much ballyhooed Michael Lynn versus Cisco debacle. Michael Lynn made claims about being able to hack Cisco routers, which would basically result in the widespread exploitation of the Internet backbone - and imagine what the result of that would be. This claim led to Lynn being forced out of his job with ISS and saddled with large legal fees. And for what? Has the Internet ground to a halt? Is there widespread Cisco router exploitation? Nope.
Don't get me wrong here, I very much respect the ethics of people like Michael Lynn and the price he was willing to pay, and to an extent did pay. Personally, I just don't think it was worth it. He would have been far better off working with Cisco behind the scenes until whatever exploit he professed to have found was fixed. Nothing good came out of this, except for the titillation of Black Hat attendees.
It is no longer good enough to be a talented security researcher; you also have to have good people skills, as well as excellent business acumen. With no shortage today of skilled security people, you need to distinguish yourself from the pack by your actions outside the binary realm. Being smart is a good way to start.
