The Age of Pentesting & The Death of the Network Admin
In our current society, image is everything, from the clothes we wear to the cars we drive. The business community is no different. So many corporations, firms, and businesses spend heavily on public image. They spend large amounts of money on marketing and customer relations, and completely overlook security. They employ competent network administrators, but pay them at the lowest going rate. Those administrators generally don't understand the adversary's position, tools, or techniques, and in the network community people can't defend against what they don't understand. On the other hand, penetration testing organizations are hard at work. However, the majority of pentesting companies spend a large amount of their time reporting and mitigating low-hanging fruit: default passwords, vulnerable ports open to the internet, unpatched systems, and so on. Meanwhile, the attackers are still getting in. The major vulnerabilities that exist on critical infrastructure systems are going unchecked, and breaches are at their highest. Isn't it time we start really focusing on security, raise our standards for the network administrator, and let the penetration testers get back to the critical infrastructure?
Statistical analysis shows that the average company spends 10-12% of its operating budget on marketing while spending only 3% on cyber security. It seems like those numbers could go a long way if used correctly. Not quite. Let's take a four-lawyer law firm that grosses $2 million a year. This is based on the national average of an individual lawyer attached to a law firm grossing $500,000 annually: four lawyers bringing in $500K a year each, for a total of $2M in revenue a year. The marketing budget for this firm, if we calculate on the high end at 12%, will be ~$240,000 annually. Proportionately, the cyber security budget would be ~$60,000 annually. It is reported that the average IT department budget is comparable to the marketing budget. This makes sense, as companies need a reliable network infrastructure as much as they need marketing. What they don't realize is that they need a reliable network admin who thinks and functions as a security specialist even more. It's time to start investing in cyber security in the right way.
When we break down the IT department and cyber security operational budgets, the picture can quite literally stop you in your tracks. The average annual salary for an IT admin is between $62K and $82K. If you assume a median of $70K and have two network admins, that consumes $140K, over half of your annual IT department operational budget, leaving only $100K for equipment, internet service fees, and any other related overhead. If an organization has an internal Information Security Analyst, it can expect an annual salary of between $106K and $149K. This position seems to come at a cost to the customer, in that it doesn't fit cleanly into either the IT or the cyber security budget. Furthermore, the majority of the work done by an Information Security Analyst is simply cleaning up after the IT department. It would be a seemingly moot position if IT admins were trained to function as network administrators but think like the adversary.
Turning to the cyber security budget, it becomes clear after a little research that this money is most commonly used to purchase cyber security equipment and to pay for annual or semi-annual professional penetration tests. From current market research and a general understanding of cyber security tools, $60K a year will not get much. In fact, the most a company can expect is threat intelligence feeds and the associated APIs that allow you to identify threats as they come across the wire. The difference between these purchased feeds and community indicators is the associated, relevant actor and threat vector context delivered within the API. However, without proper development and an understanding of what is purchased, these feeds become useless, unless of course you hire another analyst.
The case for streamlining pentests can easily be made when a little research is done on the percentage of breached organizations that had a professional penetration test conducted on their network within a year of the breach. The targeted applications are always platforms that had been identified as critical infrastructure, but that the penetration testers did not have time to thoroughly test. The vast majority of penetration tests conducted annually focus primarily on switch/router and firewall rules, default applications/ports allowed on the network, Active Directory trusts and permissions, and default/easy passwords (or password policies). The hours it takes to perform these tests eat up all the time allocated to the overall penetration test. That time should instead be used to test critical infrastructure applications and to help mitigate highly ranked vulnerabilities more thoroughly.
We know what you're thinking. Why not hire a cyber security analyst to function as a network administrator and pay them accordingly? The answer: boredom. Once an offensive-security analyst has developed a taste for blood (functioning as a pentester or in another related offensive-security position), it is nearly impossible to get them to move backwards and operate as a network administrator, even if the pay is right.
The community norm is to send cyber security analysts to cyber security training and network administrators to network IT training; sending network admins to cyber security training has not traditionally been possible due to cost. The current average cost of classroom-based cyber security training from a large cyber education organization is approximately $5K for a one-week course, and that has seemed far too expensive to justify for a network administrator. While this may be true, it is the future of the network administrator.
The solution is simple: the evolution of the network admin. You must train your network admins to think like cyber security professionals. There are so many training options, and some of them are quite cost effective, that there really seems to be no excuse anymore.
Below are a few options from Pentester Academy, one of many organizations offering pentesting training, that an organization can use to help its defensive team think more offensively. It is important to note that I am not affiliated with Pentester Academy in any way, but rather enjoy their product.
https://www.pentesteracademy.com/course?id=10
Pentester Academy also has a new pentesting lab that is completely free right now. Check it out while they're still in beta. It's a great source of info, and great prep work for training for the OSCP.
Offensive Security Certified Professional (OSCP) is an ethical hacking certification offered by the company Offensive Security that teaches penetration testing methodologies and the use of the tools included with the Kali Linux distribution.
The future of the network admin is here, and the time has come to decrease the workload of professional pentest organizations and raise the standards of the network admin. Pentest training courses have made it possible to increase efficiency, decrease overhead, and close the vulnerability gap that plagues so many businesses.