Preparing Your Infosec Program for Quantum Computing

Imagine a world where encryption, the bedrock of our current cybersecurity measures, can be unraveled in mere moments. This reality is not just conceivable; it’s on the horizon with the advent of quantum computing. A groundbreaking leap from traditional binary computing, quantum computing has the potential to redefine what we deem secure.

Delving into the peculiar realm of quantum mechanics unleashes power that eclipses the might of our current supercomputers. To truly grasp how this will reshape information security, one must understand qubits and the unfathomable processing capabilities they present. The security protocols we depend on today are poised for a seismic shift as quantum computers become more prevalent.

In this article, we embark on a journey through the landscape of quantum computing and its impending collision with the world of cybersecurity. From exploring quantum-resistant cryptography to pondering the role of agencies in securing data in a post-quantum era, we will prepare your infosec program to stand firm in the face of this computational tidal wave.

Understanding the Basics of Quantum Computing

Quantum computing signifies a revolutionary leap from classical computers, fundamentally altering the landscape of data processing. The core of this transformation lies in the utilization of quantum bits or qubits. Unlike standard bits, which are confined to a binary state of either 0 or 1, qubits harness the peculiar properties of quantum mechanics. These particles can exist in a state of superposition, being both 0 and 1 simultaneously, which greatly expands their computational capacity.

To maintain their complex states, qubits require an environment that isolates them from any external interference. Achieving this usually involves extreme measures such as cooling systems that approach absolute zero temperatures. This delicate balance is essential to prevent the decoherence and degradation of the qubit’s information.

Another hallmark of quantum computing is entanglement, a phenomenon where qubits become so deeply linked that the state of one will instantaneously influence its entangled partner, regardless of the distance separating them. This interconnection paves the way for unprecedented speed and efficiency in computing processes.

Given the immense computing power quantum machines are expected to yield, they pose a critical concern for information security. Current cryptographic protocols, which rely on the computational difficulty of certain mathematical problems, might become easily solvable in a fraction of the time currently required. Therefore, in anticipation of this quantum threat, governments and institutions like the National Institute of Standards and Technology (NIST) are proactively working on developing and standardizing quantum-resistant cryptographic mechanisms. These intensified efforts aim to buttress our cybersecurity infrastructure against the potential onslaught of quantum attacks that could exploit the vulnerabilities of classical cryptographic systems.

Explaining Quantum Computers

Quantum Computers

  • Qubits: Utilize qubits instead of bits, allowing for simultaneous representation of 0 and 1 through superposition.
  • Entanglement: A property where qubits are interconnected so that the state of one can instantaneously impact another.
  • Encryption Threat: Pose danger to current encryption methods due to their ability to solve complex cryptographic problems rapidly.

Quantum computers diverge entirely from the operational framework of classical computers. While traditional machines process data linearly, quantum computers leverage the dual state capability of qubits through superposition, allowing them to perform multiple calculations concurrently.

The intrinsic feature of entanglement in quantum computers enables a linked state among qubits, enabling immediate and correlated changes across them. This feature dramatically accelerates complex problem-solving and data analysis processes.

The exponential speed and power of quantum machines offer promising advancements but simultaneously challenge the integrity of cryptographic algorithms, including those protecting internet infrastructure. As quantum computers excel at calculating large numbers efficiently, they could potentially decipher encryption swiftly, rendering many of the security protocols we currently rely on ineffective. This quantum leap requires a reevaluation and reinforcement of encryption to secure data against the potential intrusion by these powerful computing entities.

Discussing Quantum Bits (Qubits)

Quantum bits – or qubits – are the quintessential building blocks of quantum computers. By being able to embody multiple states at once through superposition, they bypass the limitations of classical bits. This property permits an exponential increase in computing power, as each qubit added to the system essentially doubles its capacity.

Entanglement compounds this capability, fostering a network of qubits that synchronize changes over any distance. This drastically enhances efficiency, enabling rapid complex calculations and high-level problem-solving far beyond the scope of traditional computing.

The manipulation of qubits through quantum algorithms, exploiting both superposition and entanglement, allows quantum computers to perform functions in mere moments that would take classical computers years. However, it’s key to note that this power to swiftly navigate through vast computational possibilities not only offers solutions but also necessitates the evolution of cybersecurity measures.

Exploring Quantum Mechanics and Its Relation to Computing

Quantum Mechanics Principles in Computing

  • Superposition: Facilitates qubits to be both 0 and 1 concurrently, enabling parallel calculation capabilities.
  • Entanglement: Connects qubits, allowing information sharing instantaneously regardless of distance.
  • Acceleration: Propels computing processes at an unprecedented pace, opening new possibilities for industries.

Quantum mechanics and computing are intertwined, with the former offering an analytical lens for the latter. By viewing computing through the principles of quantum physics, a vast new computational paradigm emerges. The spoils of quantum mechanics, such as superposition and entanglement, permit the functionality of quantum bits, or qubits, fundamentally differentiating quantum computers from their classical counterparts.

These quantum properties allow for parallel calculations to be conducted simultaneously, something utterly impossible for classical computing architecture. With the formidable capability to expedite solutions and answer monumental questions across varied industries, quantum computing is expected to drive significant progress in the next decade.

However, the same properties that endow quantum computers with their power also render current encryption models, like RSA, profoundly vulnerable. Quantum computers can decipher complex numerical problems in a fraction of the time expected by traditional systems, therefore outpacing and potentially compromising existing cybersecurity measures. Consequently, acknowledging and preparing for quantum impacts on encryption is paramount, ensuring a secure transition into the impending post-quantum world.

The Implications of Quantum Computing on Cybersecurity

Quantum computing heralds a double-edged sword for the digital world; on one side, it promises unprecedented computational breakthroughs, and on the other, it poses a seismic threat to cybersecurity. The very nature of quantum computing, with its ability to solve complex problems that are intractable for classical computers, could undermine encryption methods that protect everything from daily financial transactions to state secrets. Data meant to be safeguarded for an extended period is at risk, as current encryption could eventually be rendered obsolete by quantum techniques.

Recognizing this, efforts to create quantum-resistant encryption are gaining momentum. NIST, among other institutions, is actively seeking post-quantum solutions, having sifted through 69 potential cryptographic methods. The road ahead is a paradigm shift in cybersecurity strategy: to adopt a multi-layered, quantum-safe defense and build an infrastructure resilient to the quantum age. Such a transition demands identifying and protecting critical data assets with diversified cryptographic solutions and contemplating novel, quantum-robust algorithms for enduring security.

As quantum technology advances, organizations must remain vigilant, continuously adapting to new cybersecurity regulations and principles like zero-trust architecture to fortify themselves against future quantum exploits.

Identifying the Quantum Threat to Cryptographic Algorithms

The Cloud Security Alliance forecasts a worrisome horizon for cryptographic algorithms such as RSA, Diffie-Hellman, and Elliptic-Curve Cryptography, indicating their susceptibility to quantum attacks possibly by April 2030. Such a development exposes organizations to ‘harvest now, decrypt later’ scenarios, where adversaries collect encrypted information, waiting to unlock it with mature quantum capabilities.

Notably, over half of the participants in a Deloitte Poll acknowledged this risk, attesting to the widespread concern regarding quantum computing’s impact on cryptography. The crux of this threat is the superior ability of qubits, the core units of quantum computing, to tackle multifaceted problems rapidly. Hence, the urgency to innovate quantum security measures is fundamental, demanding a robust cybersecurity edifice that can withstand advanced future threats.

Assessing the Impact of Powerful Quantum Computers on Current Security Measures

Contemporary cybersecurity rests on encryption algorithms like RSA, which powerful quantum computers could nullify. Post-quantum cryptography (PQC) seeks to mitigate this threat, ensuring our safety protocols are compatible with a quantum future.

The U.S. National Institute of Standards and Technology (NIST) is at the forefront, assessing 69 methods for such cryptography. Moreover, the ‘harvest now, decrypt later’ dynamic looms as a direct consequence of powerful quantum computing, prompting the necessity for quantum-safe countermeasures, without which industries face considerable security risks.

Recognizing the Challenges of Key Distribution in a Post-Quantum World

With the prospect of quantum computing, the secure distribution of cryptographic keys becomes ever more crucial, yet challenging. The landscape beyond the coming decade needs to account for quantum threats; organizations must ensure continued data safety while raising awareness among leaders and stakeholders.

Strategies like crypto agility are crucial, providing the flexibility necessary to transition between algorithms in response to emerging vulnerabilities or quantum threats. Additionally, the integration of traditional and quantum-driven security methods or technologies like Quantum Key Distribution could bolster our cryptographic defenses in this new computational era.

Analyzing the Implications for Crypto Agility in the Face of Quantum Attacks

The ascent of quantum computing casts a foreboding shadow over established encryption methods such as RSA and ECC. Algorithms conceived for quantum machines, like Shor’s and Grover’s, are primed to factorize large numbers expeditiously, undermining the foundations of conventional cryptographic security.

Post-quantum cryptography is the beacon of hope, looking at alternatives like lattice-based cryptography founded on the intricacies of lattice mathematics for quantum-resistant encryption methods. With 50.2% of respondents in a Deloitte Poll voicing concern over ‘harvest now, decrypt later’ threats, the imperative for crypto agility has never been clearer. Making a preemptive pivot towards quantum-resistant solutions is both a strategic and necessary stance to counter the coming quantum onslaught.

Quantum Technologies and their Potential Impact on Infosec Programs

Quantum computing represents a transformative force across sectors, boasting the ability to accelerate problem-solving capabilities to levels unattainable by classical systems. Within the sphere of cybersecurity, this computing paradigm foreshadows profound repercussions. Existing security protocols could falter as advanced computational techniques emerge, rendering them inadequate against quantum-powered attacks.

To hedge against this prospective quantum revolution, organizations are hastily directing focus toward post-quantum cryptography (PQC). This advanced subset of cryptographic algorithms is designed to be quantum-resistant, ensuring the protection of sensitive data even against adversaries wielding quantum tools. In a proactive move, NIST has earmarked four quantum-resistant encryption methods, setting the stage for a fortified cybersecurity infrastructure in the impending era of quantum computing.

Another trailblazing quantum technology is Quantum Key Distribution (QKD). QKD exemplifies a formidable approach to escalated security, exploiting the quirks of quantum physics to enable impenetrable key distribution, safeguarding against even the most sophisticated eavesdropping endeavors. As such, the confluence of PQC and QKD marks a pivotal junction in the roadmap for future infosec programs that need to anticipate the universal challenges posed by quantum technologies.

Examining the Role of Quantum Computing in Artificial Intelligence and Machine Learning

The symbiosis of quantum computing and artificial intelligence (AI) promises an era where data is dissected with unparalleled precision. Quantum machine-learning could significantly enhance AI algorithms, sharpening the detection of evolving cyber threats. Thanks to the deftness of quantum computers in sifting through extensive datasets, quantum advantage could lead to more astute and efficient pattern recognition, empowering real-time threat detection, and proactive response systems.

Furthermore, the nascent realm of quantum computing stands to revolutionize network security through its prowess in dissecting complex networks, uncovering latent vulnerabilities, and buttressing cybersecurity frameworks against imminent threats. The precipitous growth of quantum-informed algorithms suggests a future where AI and machine learning not only accelerate but also achieve greater energy efficiency in warding off novel cyber risks.

One cannot ignore, however, the demands such developments place on human capital. Quantum computing necessitates a cadre of skilled professionals, ushering in an educational imperative to train and cultivate expertise in this avant-garde technology.

Exploring the Integration of Quantum Technologies into Traditional Computers

In the advent of a hybridized technology ecosystem, quantum computers are poised to take on the mantle of specialized co-processors, alongside their classical counterparts. Such arrangements would enable classical systems to offload computationally intense tasks, particularly those well-suited to quantum’s nuanced problem-solving capabilities. Yet, this marriage of digital methodologies is not without its pitfalls.

Integrating quantum and classical systems may inadvertently create conduits for established cybersecurity threats to infiltrate quantum realms. The anticipated arrival of standardized quantum algorithms within the next several years provides some assurance, although the perpetual evolution of quantum computing techniques may challenge such uniformity.

Taking center stage in the convergence of quantum and traditional computing is Quantum Key Distribution (QKD), a method that leverages quantum physics to deliver keys with guaranteed secrecy. Despite these innovative strides, vulnerabilities highlighted by quantum factorization methods, like Peter Shor’s notorious algorithm, forecast potential threats, especially to cornerstone encryption protocols such as RSA.

Evaluating the Processing Power of Quantum Computers and its Effect on Cybersecurity

Quantum computing’s extraordinary processing power is derived from quantum bits, or qubits, which operate in a rich tapestry of states beyond the binary confines of classical bits. This quantum capability enables the performance of calculations at a pace and complexity that is exponential compared to traditional computing power. The crux of the matter for cybersecurity is the implications this has on encryption, as quantum computers can potentially break encryptions that classical computers would never feasibly solve.

The burgeoning presence of quantum computing introduces a myriad of challenges, not least the financial and accessibility barriers for smaller organizations. As advancements in quantum computing gain momentum, the cybersecurity landscape will need to adapt to an ever-evolving set of challenges, requiring vigilant monitoring and nimble responses.

To keep apace with the dynamic growth of quantum computing, a collaborative trinity of industry, academia, and government is imperative. Together, these stakeholders are the keystone in the archway leading to new cryptographic defenses, ensuring the enduring confidentiality and integrity of private information amidst the quantum computing revolution.

Strategies for Adapting Infosec Programs to the Quantum Computing Era

As quantum computing continues to develop, its potential impact on cybersecurity grows exponentially. Infosec programs, therefore, must evolve with the emerging quantum threat. Here are key strategies for ensuring that security frameworks remain robust and agile in the face of quantum advancements:

  • Evaluating Post-Quantum Cryptography (PQC): Proactively assess and integrate NIST-approved PQC algorithms into existing security protocols to ensure data remains secure against quantum computers.
  • Employing Quantum Key Distribution (QKD): Consider the practicality and benefits of QKD for safeguarding critical communications against quantum spying techniques.
  • Practicing Quantum-Secure Governance: Develop and instill governance principles that specifically address the unique considerations of quantum technologies to establish trust and mitigate risks.
  • Prioritizing Data Protection: Identify and categorize the sensitivity of organizational data to strategize encryption overlays and safeguard valuable assets.
  • Implementing Crypto Agility: Embrace a comprehensive risk assessment approach that prioritizes the swift adoption of quantum-resistant mechanisms and allows for quick adaptation to new cryptographic standards.
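The strategies above (identify and categorize sensitive data, assess exposure to ‘harvest now, decrypt later’ collection, and plan crypto agility) can be turned into a repeatable triage. The following Python script is an added example, not code from the article: it classifies each entry of a cryptographic inventory by Shor/Grover exposure and applies a data shelf-life test. The inventory rows, the 2030 horizon (the date the article cites) and the X + Y > Z planning rule (Mosca’s inequality) are assumptions for illustration.

```python
"""Quantum-risk triage of a cryptographic inventory (added example).

Two threat models from the article are applied to each inventory entry:
Shor's algorithm (breaks RSA, DH and elliptic-curve public-key schemes) and
Grover's algorithm (halves the effective key length of symmetric ciphers).
A 'harvest now, decrypt later' test then checks whether ciphertext captured
today outlives the assumed arrival of a cryptographically relevant quantum
computer. All inventory rows below are constructed sample data.
"""
import re
from dataclasses import dataclass

# Public-key families that Shor's algorithm breaks outright.
SHOR_BROKEN = {"RSA", "DSA", "DH", "DHE", "ECDH", "ECDHE", "ECDSA", "EDDSA",
               "ED25519", "X25519", "P256", "P384"}
# Post-quantum schemes from the NIST selection; their presence makes a hybrid
# suite acceptable even if a classical component remains alongside them.
PQC_SCHEMES = ("ML-KEM", "KYBER", "ML-DSA", "DILITHIUM", "FALCON", "SLH-DSA", "SPHINCS")
# Assumed conservative policy: 128 bits of security after Grover's quadratic
# speed-up, i.e. 256-bit symmetric keys, so AES-128 and 3DES are flagged.
MIN_POST_GROVER_BITS = 128


@dataclass
class Asset:
    name: str
    spec: str                   # cipher suite, key type or protocol description
    confidentiality_years: int  # X: how long the protected data must stay secret
    migration_years: int        # Y: time needed to move this asset to PQC


def assess_algorithms(spec: str) -> dict:
    """Classify one algorithm spec, e.g. 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'.

    Caveat: TLS 1.3 suite names omit the key-exchange group, so the inventory
    must record the negotiated group separately for such entries.
    """
    upper = spec.upper()
    pqc = any(p in upper for p in PQC_SCHEMES)
    toks = [t for t in re.split(r"[_\-\s/+(),]+", upper) if t]
    shor, grover = [], []
    for i, tok in enumerate(toks):
        if tok in SHOR_BROKEN and not pqc:
            shor.append(f"{tok} is broken by Shor's algorithm")
        bits = None
        m = re.fullmatch(r"AES(\d+)?", tok)
        if m:  # accept both 'AES256' and 'AES_256_GCM' spellings
            digits = m.group(1) or (toks[i + 1] if i + 1 < len(toks) else "")
            bits = int(digits) if digits.isdigit() else None
        elif tok == "3DES":
            bits = 112  # effective classical strength of three-key 3DES
        elif tok == "CHACHA20":
            bits = 256
        if bits is not None and bits // 2 < MIN_POST_GROVER_BITS:
            grover.append(f"{tok}: ~{bits // 2}-bit security after Grover, below policy")
    return {"shor": shor, "grover": grover, "pqc": pqc}


def hndl_exposed(asset: Asset, current_year: int, quantum_year: int) -> bool:
    """'Harvest now, decrypt later' test (assumed planning rule, X + Y > Z).

    Data captured today is at risk if it must stay secret (X) for longer than
    the years left before a quantum adversary can decrypt it (Z), after also
    accounting for the years the migration itself will take (Y).
    """
    z = quantum_year - current_year
    return asset.confidentiality_years + asset.migration_years > z


def priority(asset: Asset, current_year: int, quantum_year: int) -> str:
    """Map findings to a migration priority usable in a risk register."""
    result = assess_algorithms(asset.spec)
    if result["shor"] and hndl_exposed(asset, current_year, quantum_year):
        return "critical"  # exposed to collection today
    if result["shor"]:
        return "high"      # breaks once a quantum computer exists; short shelf-life
    if result["grover"]:
        return "medium"    # key-size upgrade only, no algorithm change
    return "low"


def triage(inventory, current_year=2025, quantum_year=2030):
    """Return (priority, asset name, findings) rows, most urgent first."""
    order = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    rows = []
    for a in inventory:
        r = assess_algorithms(a.spec)
        rows.append((priority(a, current_year, quantum_year), a.name, r["shor"] + r["grover"]))
    return sorted(rows, key=lambda row: (order[row[0]], row[1]))


# Constructed inventory rows for demonstration only.
SAMPLE_INVENTORY = [
    Asset("archive-backup", "RSA-2048 key wrapping, AES_256_GCM", 15, 3),
    Asset("public-web", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 1, 1),
    Asset("vpn-gateway", "X25519 + ML-KEM-768 (hybrid), AES256", 5, 1),
    Asset("legacy-hsm-link", "3DES CBC with pre-shared key", 2, 2),
]

if __name__ == "__main__":
    for prio, name, findings in triage(SAMPLE_INVENTORY):
        print(f"{prio:8} {name:16} {'; '.join(findings) or 'no quantum findings'}")
```

The long-retention backup ranks above the public web server even though both use RSA, because its data outlives the quantum horizon; that ordering is the point of the shelf-life test.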

Developing Quantum-Resistant Cryptographic Algorithms

In anticipation of quantum computing’s potential to disrupt current cryptographic models, the development of quantum-resistant algorithms is critical. Lattice-based, code-based, multivariate, hash-based, and isogeny-based cryptography exemplify such pioneering approaches. These algorithms aim to withstand the computational supremacy of quantum mechanics. However, this futuristic cryptography frontier presents unique challenges, including the steep curve in development, adoption, and the required coordination among global stakeholders to achieve homogeneity in protection measures.

Implementing Quantum-Safe Key Distribution Mechanisms

The secure exchange of encryption keys is fundamental to confidential communication. Quantum key distribution (QKD) emerges as a cutting-edge mechanism, utilizing quantum states so that eavesdropping attempts become detectable. Integrating QKD entails specialized infrastructure, such as high-quality fiber optics, and embodies the principle of forward secrecy. By leveraging the peculiar characteristics of photons during transmission, QKD introduces an inherently secure method of key exchange, bolstering defenses against both current and potential future quantum interceptions.

Enhancing Post-Quantum Crypto Agility

Crypto agility is paramount for organizations navigating the transition to post-quantum cryptography (PQC). Forward-thinking entities are recognizing the necessity of adopting NIST’s identified PQC algorithms as part of their cyber-defense arsenal. With an estimated 5- to 10-year window for full implementation, the race is on to redesign infrastructure with quantum-resistant measures. Achieving this elastic state of post-quantum crypto agility will ensure that organizations can seamlessly evolve alongside emerging cryptographic standards, mitigating quantum-related threats.

Leveraging Quantum Technologies for Enhanced Security Measures

The integration of quantum technologies offers a vanguard in security measures. Utilizing quantum random number generators lays the foundation for constructing encryption keys grounded in the incontrovertibility of physical laws, delivering unprecedented guarantees. Innovations such as the Quantum Origin platform are fostering stronger cryptographic resilience. Major tech players—eyeing the transformative trajectory of quantum computing—are already providing quantum capabilities through cloud services, underscoring the urgency for organizations to harness these emerging technologies to fortify their cybersecurity posture against quantum-scale threats.

Summary

  • Quantum Mechanics Leap: Quantum computers leverage quantum mechanics, outperforming traditional computers in certain tasks.
  • Superior Processing: They offer unprecedented computational power, solving complex problems efficiently.
  • Cryptographic Algorithms Crisis: Current cryptographic algorithms may become vulnerable to quantum attacks.
  • Quantify the Quantum Threat: Assessing the quantum threat is essential for future-proof cybersecurity strategies.
  • Post-Quantum Cryptography Need: Development of quantum-resistant encryption methods is crucial.
  • Quantum Bits Revolution: Utilizing quantum bits (qubits) fundamentally changes data processing and security.
  • Crypto Agility is Paramount: Organizations must adapt to crypto agility to respond to quantum threats swiftly.
  • Key Distribution Redefined: Quantum key distribution promises enhanced security in the quantum era.
  • National Security Implications: Government agencies are deeply invested due to implications for national security.
  • Global Race for Quantum Supremacy: Powers vie for control over quantum computing’s immense potential.

Implication Aspect: Traditional computing vs. Quantum Computing

  • Computational Speed: Traditional computing – limited processing power; Quantum Computing – exponential capabilities.
  • Encryption: Traditional computing – currently secure; Quantum Computing – potentially vulnerable.
  • Security Focus: Traditional computing – crypto stability; Quantum Computing – crypto agility.
  • National Security: Traditional computing – important concern; Quantum Computing – top priority.

In summary, the rise of quantum computing presents both an opportunity and a formidable challenge for cybersecurity, necessitating the development of robust post-quantum cryptography and strategic adaptation across global industries.

* AI tools were used as a research assistant for this content.

Value of an ISSA Membership

One of the most common questions that mentees ask me is about membership in different groups and organizations. One of the most valuable in the Central Ohio area is ISSA (Information Systems Security Association International). Here are a few reasons why we believe in ISSA, their mission and their work.

Specific Value of an ISSA Membership

The ISSA is the community of choice for international professionals who are interested in furthering individual growth, managing technology risk, and protecting critical information and infrastructure.

A few key reasons that a Cybersecurity professional would want to join ISSA are listed below.

  • Chapters Around the World – ISSA provides educational opportunities and local networking for information security professionals. ISSA’s members can become your strongest allies when needed, and there are 157 chapters around the world.
  • Build Your Knowledge and Reputation – There are opportunities for active participation at Board and Chapter levels. You can use the ISSA Journal and KSEs to share your insights with the industry if you are an ISSA author or speaker. If you have innovative ways to solve problems, have applied security technology to address risks, or have case studies of how you have done it, then your ideas on security challenges, management, and innovation will go a long way in establishing you as a thought leader.
  • Network Like a Pro – Make new contacts and deepen old ones on a regular basis. ISSA offers a lot of networking opportunities beyond exchanging business cards. Forging lasting ties with others who have the same professional interests and concerns is one of the things you can do as you attend local chapter meetings, become involved on a committee or take a prominent leadership role. The sources of inspiration and ideas will come from these relationships. Networking contacts are a great resource for benchmarking security practices and validation of security product features.
  • Grow Your Career – The training you receive through the ISSA will give you a means to find potential career opportunities and can help get you noticed by those looking for someone to join their team. The ISSA sponsors many meetings and conferences that you can attend in order to earn CPEs for various certifications.
  • Learn for a Lifetime – The annual conference and chapter meetings are vital educational and professional resources that provide in-depth and timely information about the information security industry. Meetings and events can help you develop skills and solve problems. In addition to comprehensive workshops, seminars and knowledgeable guest speakers, there are presentations on new technologies. ISSA gives members additional discounts to security conferences.

Summary

In summary, I think that joining ISSA is worth every penny, especially if you want to progress from beginner to practitioner to expert. It’s among some of the best money you can spend in terms of ROI for growing your knowledge and your reputation in the community.

A vCISO Interview With Dave Rose

I had the pleasure to interview Dave Rose, who does a lot of our virtual CISO engagements at MSI. I think you might enjoy some of his insights.

Q) In a few sentences, introduce yourself and describe your background that makes you a valuable virtual CISO. What are the keys to your success?

A) So my name is Dave Rose and I have been a CTO and in Technology for 25+ years. I started working daily with Risk as an Internal IT Auditor with the State of Ohio and expanded exponentially my knowledge and skills with JP Morgan Chase where I had day to day Risk responsibility for their Branch, ATM, Branch Innovation, Enterprise and Chase Wealth Management applications. (548 to be exact!) What makes me a valuable CISO? In technology I have been audited by the best of them, SEC, OCC, FINRA, Internal Audit, and been responsible for PCI and Basel compliance. I have had to review, implement and modify controls from NIST, ISO, SOX, GLBA, OWASP and CIS. In the financial industry I have worked with Agribusiness, Commercial Real Estate, Retail Banking, Investment Banking, Mutual Funds, Wealth Management, Credit Unions and 401K plans. As an IT/Operations manager/leader I have been responsible for Network Management, Finance, HR, Contract and Vendor Management, Help Desk, Development staff, Investment Operations, Sales, Cyber Engineers and Project Management, which I started my career performing.

With the diversity that I listed above, there is a pretty good chance my past experience can help you to solve your current problems, now. A modicum of common sense, perseverance and a passion to do what’s right for the business while being responsible to the controls that make you successful has made me successful.

Q) Speaking as a virtual CISO, what are some of the toughest challenges that your clients are facing this year?

A) I think that one of the biggest challenges that our clients are facing this year is Technology Deficit. I don’t think this is anything new but with the deprecation of Win 7 and the threat of Ransomware, holding onto old technology with critical vulnerabilities is no longer an option. Whether it is hardware, software or code updates, companies cannot continue to mortgage technology debt to the future. Hate to be cliché but the time is now.

Q) If you met with a board and they wanted to know what percentage of revenue they should be spending on information security, how would you answer that question?

A) I hate this question because it really does not have a good answer. A board asked me once “How much money would it cost me to get to a 3.5 on the NIST scale?” Money is only one facet of solving risk; there is culture, leadership, technology and business vision. Know and set the roadmap for all of those items for the next 5 years and your dollar investment will come naturally. So 6-7% (Rolls eyes)

Q) In terms of the NIST model, can you walk us through how you would prioritize the domains? If you came into a new organization, where would you start in the NIST model to bring the most value and what would the first 100 days look like?

A) There are two areas of the NIST model I would focus on, identify and protect. I would take a good hard look at access administration and all the components that make that up. Next I would look at log analysis and aggregation. I would spend the first hundred days doing a Risk Assessment of the entire environment but would also create a roadmap based on evaluation of current state for both Access Administration and Log Governance. Based on your results and determination of Risk and Reward (80/20 rule), map out the next 1-3 years.

Q) If folks wanted to learn more about your insights or discuss having you work with them as a virtual CISO or security oversight manager, how can they reach you?

A) If you would like to talk further about these questions, insights or would like to hear more about the MSI vCISO service, you can reach me at 614 372–6769, twitter @dmr0120 or e-mail at drose@microsolved.com!

3 Lessons From 30 Years of Penetration Testing

I’ve been doing penetration tests for 30 years and here are 3 things that have stuck with me.

I’ve been doing penetration testing for around 3 decades now. I started doing security testing back when the majority of the world was dial-up access to systems. I’ve worked on thousands of devices, systems, networks and applications – from the most sensitive systems in the world to some of the dumbest and most inane mobile apps (you know who you are…) that still have in-game purchases.

Over that time, these three lessons have stayed with me. They may not be the biggest lessons I’ve learned, or the most impactful, but they are the ones that have stuck with me in my career the longest. 

Lesson 1: The small things make or break a penetration test. The devil loves to hide in the details.

Often people love to hear about the huge security issues. They thrill or gasp at the times when you find that breathtaking hole that causes the whole thing to collapse. But, for me, the vulnerabilities that I’m most proud of, looking back across my career, are the more nuanced ones. The ones where I noticed something small and seemingly deeply detailed. You know issues like this: you talk about them to the developer and they respond with “So what?” and then you show them that the small mistake opens a window that allows you to casually step inside to steal their most critical data…

Time and time again, I’ve seen nuanced vulnerabilities hidden in encoded strings or hex values. Bad assumptions disguised in application session management or poorly engineered workflows. I’ve seen developers and engineers make mistakes that are so deeply hidden in the protocol exchanges or packet stream that anyone just running automated tools would have missed them. Those are my favorites. So, my penetration testing friend, pay attention to the deep details. Lots of devils hide there, and a few of those can often lead to the promised land. Do the hard work. Test every attack surface and threat vector; even if the other surfaces resisted, sometimes you can find a subtle, almost hidden attack surface that no one else noticed and make use of it.

Lesson 2: A penetration test is usually judged by the report. Master report writing to become a better penetration tester. 

This is one of the hardest things for my mentees to grasp. You can geek out with other testers and security nerds about your latest uber stack smash or the elegant way you optimized the memory space of your exploit – but customers won’t care. Save yourself the heartbreak and disappointment, and save them the glazed-eyes look that comes about when you present it to them. They ONLY CARE about the report.

The report has to be well written. It has to be clear. It has to be concise. It has to make them understand what you did, what you found and what they need to do about it. The more pictures, screenshots, graphs and middle-school-level language, the better. They aren’t dumb, or ignorant; they just have other work to do and need the information they can act on in the cleanest, clearest and fastest way possible. They don’t want to Google technical terms and they have no patience for jargon. So, say it clearly and say it in the shortest way possible if you want to be the best penetration tester they’ve seen. 

That’s hard to swallow. I know. But, you can always jump on Twitter or Slack and tell us all about your L33T skillz and the newest SQL technique you just discovered. Even better, document it and share it with other testers so that we all get better.

Lesson 3: Penetration tests aren’t always useful. They can be harmful.

Lastly, penetration tests aren’t always a help. They can cause some damage, to weak infrastructures, or to careers. Breaking things usually comes with a cost, and delivering critical failure news to upper management is not without its risks. I’ve seen CIOs and CISOs lose their jobs due to a penetration test report. I’ve seen upper management and boards respond in entirely unkind and often undeserved ways. In fact, if you don’t know what assets your organization has to protect or what controls you have, and/or you haven’t done some level of basic blocking and tackling – forget pen-testing altogether and skip to an inventory, vulnerability assessment, risk assessment or mapping engagement. Save the pen-testing cost and dangerous results for when you have more situational awareness. 

Penetration testing is often good at finding the low water mark. It often reveals the paths of least resistance and common areas of failure. Unfortunately, these are often left open by a lack of basic blocking and tackling. While it’s good news that the basics go a long way toward protecting us and our data, the bad news is that real-world attackers are capable of much more. Finding those edge cases, the things that go beyond the basics, the attack vectors less traveled, the bad assumptions, the shortcut and/or the thing you missed when you’re doing the basics well – that’s when penetration tests have their biggest payoffs.

Want to talk more about penetration testing, these lessons or finding the right vulnerability management engagement for your organization? No problem, get in touch and I’ll be happy to discuss how MicroSolved can help. We can do it safely, make sure it is the best type of engagement for your maturity level and help you drive your security program forward. Our reports will be clean, concise and well written. And, we’ll pay attention to the details, I promise you that. 🙂 

To get in touch, give me a call at (614) 351-1237, drop me a line via this webform or reach out on Twitter (@lbhuston). I love to talk about infosec and penetration testing. It’s not just my career, but also my passion.

After Nearly 30 Years in CyberSecurity, I Still Learn Something Every Day

Cybersecurity Playtime Today:

Today, while searching through some web logs and reviewing some of the data from our HoneyPoint deployments, I found an interesting scan. The payload was pretty common, something we see nearly every day – but the source, a pretty mature organization with a reputation for being tightly managed and capable, was what caught my eye. The scans went on for several days across a couple of weeks – sourced from a web server that clearly was not as securely managed as their reputation might insist. So, I notified them, of course, and played in the data a while, fascinated by some of the nuances of it. 

Good Days Versus Bad Days:

This is pretty much a daily occurrence for me – on the good days, at least. I get to play with data, learn something new, experiment, hypothesize and test myself. Those are the good days of being an infosec entrepreneur, CEO and researcher. The bad days are the ones when I have to struggle with sales efforts, manage difficult resources/projects or solve the same security problems as I tackled in the 90s. Those are the days when I am less happy about what I do. But, fortunately, those days are pretty few and far between. 

Fighting the Cybersecurity Good Fight:

After 30+ years in technology and “cybersecurity”, I still find a wealth of things to learn and play with. I never seem to get to the point where I feel like I know stuff. I try to remain intellectually curious and mentally humble at all times. I also try to believe in the magic of technology and fight the cynicism of doing infosec for 30 years. That keeps me making new things, and investing in new solutions, like our new ClawBack data leak detection tool.

I try to keep fighting the good fight, so to speak. I’ve spent a lot of time learning about attackers – what motivates them, how they operate and how tools evolve. I’ve learned a lot about the economics of cyber-crime and the information security industry, as well. I’ve grown my understanding and world view around the day to day of infosec. I try to add value to someone every single day. Those things keep me going and keep me engaged. They help minimize the burnout and maximize my patience with the often challenging task of being an infosec person and an entrepreneur. Sometimes, living to fight another day is all you can ask for, and some days it seems like you can’t wait to jump back into the fray. Such is the infosec (“cybersecurity”) life.

Advice for New Cybersecurity Practitioners:

If you’re new to cybersecurity or considering joining us, my advice to you is simple and a gut check. Be sure that you are ready for a career that requires lifelong learning and lifelong change. If you want a repeatable, 9-5 job that you can master and forget when you walk out the door, this probably isn’t for you. Attackers are amazingly dynamic, and thus infosec must be just as dynamic as well. This isn’t an industry built for mastery – it’s an industry built for being a lifelong student. While that’s not always easy, it can be fun and rewarding. Got what it takes? I sure hope so – because we need help, and we need it for today and the years to come…

Why Our Firm Loves The Columbus Cyber Security Community

Yesterday, I was doing an interview with one of my mentees. The questions she asked brought up some interesting points about MSI, our history and Columbus. I thought I would share 3 of the questions with the SoS readers:

How Did The Firm End Up In The Columbus Cyber Security Community?

Brent Huston:

“You have to remember that when I founded MicroSolved, back in 1992, there wasn’t a strong commercial Internet yet. Most of the electronic commerce efforts and digital business was done via dial-up or dedicated networks. I came to Columbus in 1988 to go to school and eventually ended up at DeVry. I was working at Sterling Software and doing a lot of experimentation with technology. Somehow, I got completely interested in security, hacking, phreaking and online crime. I took that passion and began to explore building it into a business. There were a few of us starting consulting companies back then, and Columbus was certainly an interesting place to be in the early 90s. Eventually, Steve Romig, from The Ohio State University, started putting groups together – meeting at different parks and restaurants. That was the first place I really identified as the beginning of a security community in the city.”


My 3 Favorite Podcast Episodes (So Far…)

The State of Security Podcast has been a fun endeavor and I am committed to continue working on it. I am currently working on raising it to multiple episodes per month, so as I was reflecting, I thought I would share my 3 favorite episodes so far. There are so many great moments, and so much generosity from my guests, I am certainly thrilled with all of them – but everyone has to have favorites… 🙂 

#1 – Episode 1 – This one holds a special place in my heart. Thanks to the wonderful Dave Rose and the absolutely brilliant Helen Patton, they made this interview segment much more comfortable than it should have been. If you can get past my stumbling and bumbling, they share some pure magic with the audience. I hopefully have improved as an interviewer, but much thanks to them for helping SoS get off to a roaring start! 

#2 – Episode 6 – One of the most personal episodes ever, an anonymous friend shares a tale of what it is like to work for over a year on a major breach. There is heartbreak and pain here, well beyond infosec. I still get chills every time I listen to it.

#3 – Episode 9 – This one is so personal to me, I get butterflies when people tell me they listened to it. Adam Luck interviews me, and the questions get very personal, very fast. We cover some personal history, why I am an infosec professional and some of the amazing friendships I have enjoyed over the years. Stark and raw, this is worth dealing with the crappy audio, or at least people tell me it is. (This episode is also why we hired audio professionals for our episodes.)

Those are my 3. What are yours? Hit me up on Twitter (@lbhuston) or @microsolved and let us know. Thanks for listening!

Thanks to Columbus State Community College & Get Involved

On Tuesday, I spoke at Columbus State Community College to a group of high and middle school teachers about digital crimes, black market economics and cyber-ethics. We had fantastic discussions and, as teachers, they were amazingly engaged with me and my content. I have never taught a more enthusiastic group of folks.

They asked a lot of questions; mostly about crime, motivation and the techniques of criminals in the digital world. But, they also asked for critical lessons that they could take back to their students and use in their own classrooms. Kudos for that!

If you want to get involved in the program, please contact @sempf on Twitter for more info. They are always looking for great speakers, excellent content and especially women with experience in STEM related careers. Thanks so much to Columbus State for having me. I was honored and thrilled to participate in the GenCyber program. Thanks to @sempf for the photo!


The Dark Net Seems to be Changing

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Introducing Tomce

Today I am thrilled to announce that Tomce Kuzevski has joined the MSI team as an intelligence analyst, working on TigerTrax, analytics and machine learning focused services. I took a few minutes of Tomce’s time to ask some intro questions for you to get to know him. Welcome Tomce, and thanks for helping us take TigerTrax services to the next level! 
 
Q – Tomce, you are new to MSI, so tell the readers the story of how you developed your skills and got your spot on the Intelligence Team.
 
A- Ever since I was a kid, I was always into computers/electronics. I can’t tell you how much money my parents spent on computers/electronics for me, only for them to last a week or so. I would take them apart and put them back together constantly. Or I’d wipe out the hard drive, not knowing what I did until later. 
 
Growing up and still to this day, I was always the “go to kid” if someone needed help with computers/electronics, which I didn’t mind at all. I enjoyed trying to figure out the issues. The way I learned was from failing and trying it myself. From when I was a kid to now, I still enjoy it and will continue to enjoy it. I knew I wanted to be in the Computer/IT industry. 
 
I know Adam through a mutual friend of ours. He posted on FB that MSI was hiring for a spot on their team. I contacted him about the position. He informed me on what they do and what they’re looking for, which was right up my alley. I am constantly on the internet searching anything and everything. I had a couple of interviews with Brent and the team, and everything went how it was supposed to. Here I am today, about 7 weeks into it and enjoying it! That’s how I landed my spot on the MSI team.
 
Q – Share with the readers the most interesting couple of things they could approach you about at events for a discussion. What kind of things really get you into a passionate conversation?
 
A- I really enjoy talking about the future of technology. Yet, it’s scary and mind blowing at the same time. Being born in the 80’s and seeing the transformation from then to now is scary. But, lying on the couch holding my iPhone while skyping my cousin in Europe, checking FB and ordering a pizza, all in the palm of my hand, is mind blowing. I can’t imagine what the world will be like in the next 25 years. 
 
 
Q – I know that since joining our team, one of your big focus areas has been to leverage our passive security assessment and Intel engine – (essentially a slice of the TigerTrax™ platform) to study large scale security postures. You recently completed the holistic testing of a multi-national cellular provider. Tell our readers some of the lessons you learned from that engagement?
 
A- I absolutely could not believe my eyes at what we discovered. Such a huge telecom company, having so many security issues. I was in the telecom business for 5 years prior to coming to MSI. I’ve never seen anything like this before. When signing up for a new cell phone provider, I highly recommend doing some “digging” on the company. We use our phones every day, and our phones have personal/sensitive information. For this cell phone provider, being as big as they are, it was shocking! If you’re looking for a new cell phone provider, please take some time and do some research. 
 
 
Q – You also just finished running the entire critical infrastructures of a small nation through our passive assessment tool to support a larger security initiative for their government. Given how complex and large such an engagement is, tell us a bit about some of the lessons you learned there?
 
A- Coming from outside of the IT security world, I never thought I would see so many security issues at such a high level. It is a little scary finding all this information out. I used to think every company at this level wouldn’t have any flaws. Man, was I wrong! From here on out, I will research every company that I use, currently and in the future. You can’t have a “This is a big company, they’re fine” attitude. You have to go out and do the research.  
 
Q – Thanks for talking to us, Tomce. If the readers want to make contact with you or read more about your work, where can they find you?
 
A- You can reach me @TomceKuzevski via Twitter. I’m constantly posting Information Security articles about what’s going on in today’s world. Please don’t hesitate to reach out to me.