Category Archives: Uncategorized

One of the biggest challenges of running a security organization is balancing ongoing efforts with strategic direction, all while keeping the “pressure” on to increase maturity across the prioritized elements that give you the most risk reduction over time.

Seems like a bunch of management words, I admit, but it’s truly one of the more exciting areas to run. It combines technical depth with a business understanding of not only what matters now, but also how to “open up” business opportunities by enabling the business to take risks.

Dumpster fires and security incidents

Full disclosure: this post isn’t about security per se. It’s here because of recent conversations I’ve had with people from outside the immediate security “industry” who wondered about Equifax from a technical perspective, but mostly from a “WTF are these guys smoking” one ;-). I’m also happily not selling any of this (although I did in the past, and ran crisis management for a few major incidents – ones that happily did not end up like Equifax – although they had every opportunity to…)

A lot was said and written on the Equifax hack (check out Brian’s coverage for most of it). Mostly about how badly Equifax handled their security by blaming Apache Struts, and having 3 executives dump stock before the public announcement. How they handled the incident response by working with a 3rd party that leaked the event by registering without proper OPSEC. And the obvious security issues in communicating with their customers, such as pointing people to a newly registered domain name, hosting a fairly static site on WordPress, leaving trails of user config from said WordPress, etc…

But I’m not here to talk about this (again – enough has been said). I’m here to talk about how all of this came to be in the first place. Well, not the original breach (that took years of neglect IMHO), but how a major company like this gets to commit to a string of poor decisions in a time of crisis.

And the simple answer is crisis management. They don’t have any. I’m not talking about a “cyber incident plan” that includes communication strategies (which I’m sure all the vendors are hawking these days in light of the major fail that Equifax is exhibiting). I’m talking about properly handling a crisis from a company management perspective.

Companies this size that go through a major breach and do not have very strong leadership internally tend to fall into a mode of operation where all the executives are taking care of themselves, with zero to negative cooperation. Everyone is trying to CYA, and rushes to the closest “action” they can hide behind while saying “I did my job”. That’s how you end up registering a new domain to handle the incident and running it on WordPress (instead of using your established “credible” domain).

Crisis management is often done best by bringing in an outsider. It can be someone from the advisory board who doesn’t have a direct stake in the company, or just someone whose JOB is to manage crisis scenarios. Much like the security consultants (that Equifax probably didn’t use as much as they should have), crisis management people come in and represent the company’s best interest.

Unlike security consultants, the crisis manager is responsible for making decisions and vetting any action the company takes. Everything goes through them. From communications, through legal, to technical remediation. This ensures that there is a clear line in how the company operates, there’s an owner for these actions, and the owner can report back to the board with accountability and represent the company’s best interests. Clearly, Equifax did not have any of this. I’m sure they were advised by the incident responders they hired, and potentially by other security consultants. But these don’t have crisis management experience. They lack the perspective and the breadth of thinking about all the implications, and the solutions they propose are usually scoped to a technical element.

That’s how security incidents turn into dumpster fires. Even when you have the best security professionals working for you on the incident. Companies need to learn that, regardless of their size, for situations that exceed the typical “shit’s broken”, they need professional crisis management help. Just like they get it for performing incident response (because they don’t have the skill-set) or forensics (because they don’t have the skill-set). See the trend?

PTES, remaining impartial, and insisting on high standards

The PTES (Penetration Testing Execution Standard) is a standard that a small group of highly motivated and passionate practitioners (yours truly included) have created. As such, it is designed to define how a penetration test should be executed – from start to finish. We tried not to skip a single element. We worked tirelessly to make sure that the standard does not reference any particular vendor or product, as we all believe that a proper penetration test is not about the tools, but about the content and delivery.
The standard has survived several years of scrutiny and a few rounds of editing and improvements, and has never ever leaned toward a specific industry player.
It has by now been adopted by the PCI council as a reference for what a penetration test is, and it has been acknowledged by the British Standards Institute and placed in the same class as other standards, often receiving higher praise for its impartiality, practicality and coverage.
For some reason, in the past week or so I was approached by two different vendors, who wanted me to either use their platform or write up how their suite of products provides “the best coverage for the PTES”. I’m sure that I’m not alone in this.
Just to be clear, I’m including my (slightly modified) answer below, which by now is also the “official” line of the core PTES founding group.

Hi [vendor],
Thanks for reaching out. Unfortunately, the PTES as a standard is not going to endorse any specific product or service. We have a guide section that offers approaches to the execution of the standard, and I’m sure that your products can fit into _SOME_ of these areas.
I’d suggest avoiding an attempt to portray any product suite as “filling the needs of penetration testing standard” as it would be bound to be criticized and proven otherwise. Additionally, as impartial members of the standard’s founding group, we are all committed to avoiding any endorsement of or participation in a product- or vendor-specific writeup.
Thanks, Ian

The standard is written for us. Practitioners, customers, organizations, anyone and everyone who’s dealing with penetration testing. It is not about a specific product, or even a specific approach or methodology for testing. It’s about defining expectations and delivery bars. It’s about setting up and insisting on a high standard. Not even a “minimal bar” for delivery. It is designed so that when it is adhered to, the delivery will be well above a “minimal standard”. We do not settle for minimums.
Please don’t settle on your end either.

Hacking, community, friends, and professionalism

Adult. What a weird concept.

I keep finding myself saying that word in different contexts, and it feels weird because deep inside I’m still pretty much a non-adult (can’t really say kid, so non-adult would work best here).

Lately, all the buzz was around (another) overblown drama in the infosec community, fueled by emotions, friendships, and followings, almost to the point of cult behavior, sprinkled with the necessary “wait a second, someone needs to be the adult here” moment.

So here goes – as Lesley eloquently put it, this is my community. She quotes the hacker manifesto, which I still hold close to my heart as well, and I couldn’t agree more with her. But there’s a bit more that I’d like to add.

We are hackers (at least a lot of my friends are, and that’s who I consider the more “fun” part of the infosec community). As such, yes, we tend to have personalities that can become borderline, but at the end of the day we learn how to deal with each other. We have been doing so for decades already. Nothing new.

However, in the past few years, a weird spin has been developing around this community. This spin (like many) brings good as well as bad to us. The good part is more visibility and attention from the “muggles”. The outside world. The business, media, and general population. What we do is starting to bubble up into people’s attention as they get closer to the matrix and realize that we have lived in it all our lives. Cars, factories, financials, entertainment, social, you name it, we’ve done it. And it’s great. The bad part is that we get more attention. And as such we get to see cases of “rockstar” issues.

Now, I usually don’t care much for this rockstar bullshit. Everyone gets their 15 minutes of fame, and everyone should be able to enjoy it while it lasts. But letting it get to your head is when things get ugly. And while I can look up to people in the community because I respect what they do, and the kind of people they are, the “rockstar” phenomenon is flawed when you look back at who we really are. Hackers. And this is what drove me to this rant.

How did we, hackers, get to have our “own” people behave like sheep? From where I’m sitting, this is inexcusable.

It’s totally OK to look up to someone. I do. But the second that blindly following someone clouds your judgment you lose your hacker-cred (again – in my personal view). And while we all cultivate our quirky personalities, we need to remember that we do represent something bigger – especially when viewed in our hacker persona. And mixing this with personal quarrels is a recipe for disaster.

Case in point – I consider Adrian a friend. Someone who I respect for what he does, for his personality, sense of humor (sarcasm ;-)) and contribution to the hacker community. I can also disagree with him, and tell him so without being afraid that he’s going to be insulted. And then have drinks and laugh about it.

I also hold BSidesLV close to my heart. I’ve been close to it and part of it pretty much from the first instance in Vegas. It represents a big part of what I consider the hacker community, and has grown (along with the usual growing pains) into something that I am proud of.

So yes, when the latest Twitter drama unfolded, I could easily convey my support to Adrian on a personal level, while also supporting the BSidesLV decision to part ways with him. As ambivalent as it may sound, it makes perfect sense to me. Pretty much like being able to separate friendship from business. Hard and painful decisions sometimes need to happen, but based on my experience, they tend to strengthen friendships rather than ruin them.

So yes, for some of you this may seem out of context. If it does – totally OK, I’m sure you’ll catch the next drama. For others – it’s also OK to get pissed at me for picking one side, or the other, or both. I still love you for what you are. Because at the end of the day, we are all hackers.

But let’s also stay professionals. Adults. It’s not a bad word. It just makes us stronger, and at the end of the day lets us have more fun and focus on what we do best.


Update: because I’m lazy I didn’t sum up the gist of said drama. Here’s a summary from someone less lazy: (thanks Rob!).