So, another epic Brucon has ended, and while everyone is getting their thoughts together again (the amount of super smart people I have had the pleasure to have conversations with is unimaginable), I wanted to post a quick recap.
First things first – numbers. I’ve been working with the FAIR methodology for quite a while now, and have actually (with the kind permission of Jack Jones) integrated some of its elements into the Penetration Testing Execution Standard (PTES). Watching the discussions that started after Jack’s talk at Brucon was heartwarming; seeing pentesters and security practitioners finally “get it” was divine. Working in a field of engineering that has the least engineering in the sense of how it’s applied to businesses has been frustrating, to say the least. The ability to effortlessly connect the technical elements of vulnerabilities and exploits to business-speak has been one of my personal challenges (and hopefully strengths), and being able to tilt the industry even a little in that direction is something we have all needed for a long time.
A quick “teaser” to add on top of it (which was previewed in my talk) is the ability to also marry social media risk into the risk management practice (look out for some more cool research and insights coming from that direction very soon!).
Which leads me to the last point – the ever evolving presentation I use to deliver the message about data exfiltration is provided for your viewing pleasure. Don’t fear the >100 slide count – it’s mostly the “build” effects that I left in for clarity.
Looking forward to some more discussions and developments in the way that we as an industry justify what we practice (if it wasn’t obvious by now – go check out what FAIR is, and then start thinking about how to integrate it into what you do…).
Following my last post on the realistic cost of a pen-test (which as I mentioned was derived from long conversations on the topic with a couple of friends from the industry), I’d like to review one of the best presentations I have seen lately – Chris Nickerson’s Brucon talk.
I’ve had the opportunity to see this talk shape up into what it ended up being over the week or so that we have been hanging out together. And let me tell you – it was one hell of a week. There were some reactions to the talk (no wonder – Chris was on stage) and I’d like to put things in perspective (at least mine; if you want more, go talk to Chris…).
The first point, which is directly derived from the talk, is that we, as an industry, have been doing the wrong thing for a long time. Pentesting has become glorified minion work, and we have kept it that way for far too long. What the talk tries to say is: open your mind, and DO YOUR HOMEWORK. Chris calls it “do work”, but I’m saying that before we do work we need to do homework. Learn. Inspect. Absorb. See beyond the technical aspects of a pentest. Understand the environment in which the business operates, and who the key players, partners and customers are. How does the business make money? What would hurt the business the most? Only then can we approach the pentest with a clear goal in mind (and no – it’s not getting root/shell on a box).
The second point that I’d like this talk to provoke is that we are not the only ones at fault. It’s also the customers (yeah – I said that the customer is wrong. Sue me). They have been trained to ask for technicalities, be it a pentest, a product or even a service. Most of the time they can’t really explain the methodology behind what they are asking for, or its business relevance. Instead of asking for a pentest of a new web application, they should be asking for a security assessment of what makes their business “tick”, which may be related to the web application. Small difference in wording, HUGE difference in scope and ROI from such an engagement. And yes, this all comes back to us, as we have been offering “off the shelf” pentests that have no actual relevance to the business side, and have “technofied” our services and products to fit the checkboxes of some obscure regulatory compliance. We need to retrain our customers (i.e. the industry) and get ourselves trained on the business aspects as well.
This topic is just one of many more that were conceived during the security-on-steroids week that was Source Barcelona and Brucon. I’d rather post these side-effect ideas that were generated from discussions around the talks than the actual talk contents (you should be able to download those from the conference websites in the near future anyway).
As noted before, for some reason beyond my understanding I am going to be speaking at both SOURCE Barcelona and Brucon in September, as well as in Excaliburcon in China (you guys must really like this whole crime meets state thing huh?).
So, down to business. SOURCE Barcelona is going to be awesome – it’s going to be my first SOURCE, and I’m really looking forward to getting back together with some of my friends (Chris, Wim, Jayson… the old Wuxi pwnage team en-scale), and to meeting people whose brains I’ve wanted to pick in person (Brian Honan – especially because I’ll miss his talk…).
Next up is Brucon. I’ve said enough about Brucon in the last conference schedule update; nevertheless, it’s shaping up to beat last year’s reputation. Expecting great talks, a great crowd, and awesome beer! As far as talks I’m looking forward to – I will definitely catch Joe, whom I missed at DefCon, Craig, whose Skylab is of personal/professional interest to me, Dale with the HeadHacking talk, and Fabian’s GSM one. Obviously there are many more, but as I’ve learned over the years – don’t be greedy (especially not at conferences)…
Last but definitely not least, Excaliburcon is going to happen after all! This year the location is going to be just outside of Beijing. We will all miss Wuxi a lot, but I’m really looking forward to checking out more of China. It was a great experience last year and I’m setting up my hopes pretty high for December as the speaker list is getting pretty hot!
The common thread across these three conferences is that, unlike the “big ones”, they all allow attendees very close interaction with the talks. This really enables more information sharing and knowledge transfer, and I’ve really learned a lot more from smaller conferences such as these than from the big ones that sport a dozen tracks at the same time (think RSA… you are not going there for the content anymore…).
If you happen to be at one of those, feel free to ping me (or even better – buy me a beer 🙂 )!