A vCISO Interview With Dave Rose

I had the pleasure to interview, Dave Rose, who does a lot of our virtual CISO engagements at MSI. I think you might enjoy some of his insights.

Q) In a few sentences, introduce yourself and describe your background that makes you a valuable virtual CISO. What are the keys to your success?

A) So my name is Dave Rose and I have been a CTO and in Technology for 25+ years. I started working daily with Risk as an Internal IT Auditor with the State of Ohio and expanded exponentially my knowledge and skills with JP Morgan Chase where I had day to day Risk responsibility for their Branch, ATM, Branch Innovation, Enterprise and Chase wealth Management applications. (548 to be exact!) What makes me a valuable CISO? In technology I have been audited by the best of them, SEC OCC,FINRA,Internal Audit, and been responsible for PCI and Basil compliance. I have had to review, implement and modify controls from NIST, ISO,SOX, GLBA, OWASP and CIS. In the financial industry I have worked with Agribusiness, Commercial Real Estate, Retail Banking, Investment Banking, Mutual Funds, Wealth Management, Credit Unions and 401K plans. As an IT/Operations manager/leader I have been responsible for Network Management, Finance, HR, Contract and Vendor Management, Help Desk, Development staff, Investment Operations, Sales, Cyber Engineers and Project Management, which I started my career performing. 

With the diversity that I listed above, there is a pretty good chance my past experience can help you to solve your current problems, now. A modicum of common sense, perseverance and a passion to do what right for the business while being responsible to the controls that make you successful has made me successful. 

Q) Speaking as a virtual CISO, what are some of the toughest challenges that your clients are facing this year?

A) I think that one of the biggest challenge that our clients are facing this year is Technology Deficit. I dont think this is anything new but with the deprecation of Win 7 and the threat of Ransomware, holding onto old technology with critical vulnerabilities is no longer an option. Whether is is hardware, software or code updates, companies cannot continue to mortgage technology debt to the future. Hate to be cliche but the time is now. 

Q) If you met with a board and they wanted to know what percentage of revenue they should be spending on information security, how would you answer that question?

A) I hate this question because it really does not have a good answer. A board asked me once “How much money would it cost me to get to a 3.5 on the NIST scale?” Money is only one facet of solving risk, there is culture, leadership, technology and business vision. Know and set the roadmap for all of those items for the next 5 years and your dollar investment will come naturally. So 6-7% (Rolls eyes)

Q) In terms of the NIST model, can you walk us through how you would prioritize the domains? If you came into a new organization, where would you start in the NIST model to bring the most value and what would the first 100 days look like?

A) There are two areas of the NIST model I would focus on, identify and protect. I would take a good hard look at access administration and all the components that make that up. Next I would look at log analysis and aggregation. I would spend the first hundred days doing a Risk Assessment of the entire environment but would also create a roadmap based on evaluation of current state for both Access Administration and Log Governance. Based on your results and determination of Risk and Reward (80/20 rule) map out the next 1-3 years. 

Q) If folks wanted to learn more about your insights or discuss having you work with them as a virtual CISO or security oversight manager, how can they reach you?

A) If you would like to talk further about these question, insights or would like to hear more about the MSI vCISO service, you can reach me at 614 372–6769, twitter @dmr0120 or e-mail at drose@microsolved.com!

3 Lessons From 30 Years of Penetration Testing

I’ve been doing penetration tests for 30 years and here are 3 things that have stuck with me.

I’ve been doing penetration testing for around 3 decades now. I started doing security testing back when the majority of the world was dial-up access to systems. I’ve worked on thousands of devices, systems, network and applications – from the most sensitive systems in the world to some of the dumbest and most inane mobile apps (you know who you are…) that still have in-game purchases. 

Over that time, these three lessons have stayed with me. They may not be the biggest lessons I’ve learned, or the most impactful, but they are the ones that have stuck with me in my career the longest. 

Lesson 1: The small things make or break a penetration test. The devil loves to hide in the details.

Often people love to hear about the huge security issues. They thrill or gasp at the times when you find that breathtaking hole that causes the whole thing to collapse. But, for me, the vulnerabilities that I’m most proud of, looking back across my career are the more nuanced ones. The ones where I noticed something small and seemingly deeply detailed. You know the issues like this, you talk about them to the developer and they respond with “So what?” and then you show them that small mistake opens a window that allows you to causally step inside to steal their most critical data…

Time and time again, I’ve seen nuance vulnerabilities hidden in encoded strings or hex values. Bad assumptions disguised in application session management or poorly engineered work flows. I’ve seen developers and engineers make mistakes that are so deeply hidden in the protocol exchanges or packet stream that anyone just running automated tools would have missed it. Those are my favorites. So, my penetration testing friend, pay attention to the deep details. Lots of devils hide there, and a few of those can often lead to the promised land. Do the hard work. Test every attack surface and threat vector, even if the other surfaces resisted, sometimes you can find a subtle, almost hidden attack surface that no one else noticed and make use of it.

Lesson 2: A penetration test is usually judged by the report. Master report writing to become a better penetration tester. 

This is one of the hardest things for my mentees to grasp. You can geek out with other testers and security nerds about your latest uber stack smash or the elegant way you optimized the memory space of your exploit – but customers won’t care. Save yourself the heartbreak and disappointment, and save them the glazed eyes look that comes about when you present it to them. They ONLY CARE about the report.

The report has to be well written. It has to be clear. It has to be concise. It has to have make them understand what you did, what you found and what they need to do about it. The more pictures, screen shots, graphs and middle-school-level language, the better. They aren’t dumb, or ignorant, they just have other work to do and need the information they need to action against in the cleanest, clearest and fastest way possible. They don’t want to Google technical terms and they have no patience for jargon. So, say it clear and say it in the shortest way possible if you want to be the best penetration tester they’ve seen. 

That’s hard to swallow. I know. But, you can always jump on Twitter or Slack and tell us all about your L33T skillz and the newest SQL technique you just discovered. Even better, document it and share it with other testers so that we all get better.

Lesson 3: Penetration tests aren’t always useful. They can be harmful.

Lastly, penetration tests aren’t always a help. They can cause some damage, to weak infrastructures, or to careers. Breaking things usually comes with a cost, and delivering critical failure news to upper management is not without its risks. I’ve seen CIOs and CISOs lose their jobs due to a penetration test report. I’ve seen upper management and boards respond in entirely unkind and often undeserved ways. In fact, if you don’t know what assets your organization has to protect, what controls you have and/or haven’t done some level of basic blocking and tackling – forget pen-testing altogether and skip to an inventory, vulnerability assessment, risk assessment or mapping engagement. Save the pen-testing cost and dangerous results for when you have more situational awareness. 

Penetration testing is often good at finding the low water mark. It often reveals least resistant paths and common areas of failure. Unfortunately, these are often left open by a lack of basic blocking and tackling. While it’s good news that basics go a long way to protecting us and our data, the bad news is that real-world attackers are capable of much more. Finding those edge cases, the things that go beyond the basics, the attack vectors less traveled, the bad assumptions, the short cut and/or the thing you missed when you’re doing the basics well – that’s when penetration tests have their biggest payoffs.

Want to talk more about penetration testing, these lessons or finding the right vulnerability management engagement for your organization? No problem, get in touch and I’ll be happy to discuss how MicroSolved can help. We can do it safely, make sure it is the best type of engagement for your maturity level and help you drive your security program forward. Our reports will be clean, concise and well written. And, we’ll pay attention to the details, I promise you that. 🙂 

To get in touch, give me a call at (614) 351-1237, drop me a line via this webform or reach out on Twitter (@lbhuston). I love to talk about infosec and penetration testing. It’s not just my career, but also my passion.

After Nearly 30 Years in CyberSecurity, I Still Learn Something Every Day

Cybersecurity Playtime Today:

Today, while searching through some web logs and reviewing some of the data from our HoneyPoint deployments, I found an interesting scan. The payload was pretty common, something we see, nearly every day – but the source, a pretty mature organization with a reputation for being tightly managed and capable, was what caught my eye. The scans went on for several days across a couple of weeks – sourced from a web server that clearly was not as securely managed as their reputation might insist. So, I notified them, of course, and played in the data a while, fascinated by some of the nuances of it. 

Good Days Versus Bad Days:

This is pretty much a daily occurrence for me – on the good days, at least. I get to play with data, learn something new, experiment, hypothesize and test myself. Those are the good days of being an infosec entrepreneur, CEO and researcher. The bad days are the ones when I have to struggle with sales efforts, manage difficult resources/projects or solve the same security problems as I tackled in the 90s. Those are the days when I am less happy about what I do. But, fortunately, those days are pretty few and far between. 

Fighting the Cybersecurity Good Fight:

After 30+ years in technology and “cybersecurity”, I still find a wealth of things to learn and play with. I never seem to get to the point where I feel like I know stuff. I try and remain intellectually curious and mentally humble at all times. I also try to believe in the magic of technology and fight the cynicism of doing infosec for 30 years. That keeps me making new things, and investing in new solutions, like our new ClawBack data leak detection tool

I try to keep fighting the good fight, so to speak. I’ve spent a lot of time learning about attackers – what motivates them, how they operate and how tools evolve. I’ve learned a lot about the economics of cyber-crime and the information security industry, as well. I’ve grown my understanding and world view around the day to day of infosec. I try to add value to someone every single day. Those things keep me going and keep me engaged. They help minimize the burnout and maximize my patience with the often challenging task of being an infosec person and an entrepreneur. Sometimes, living to fight another day is all you can ask for, and some days it seems like you can’t wait to jump back into the fray. Such is the infosec (“cybersecurity”) life.

Advice for New Cybersecurity Practitioners:

If you’re new to cybersecurity or considering joining us, my advice to you is simple and a gut check. Be sure that you are ready for a career that requires life long learning and life long change. If you want to have a repeatable, 9-5 job that you can master and forget when you walk out the door, this probably isn’t for you. Attackers are amazingly dynamic, and thus, infosec must be just as dynamic as well. This isn’t an industry built for mastery – it’s an industry built for being a life long student. While that’s not always easy, it can be fun and rewarding. Got what it takes? I sure hope so – because we need help and we need it for today and the years to come…

Why Our Firm Loves The Columbus Cyber Security Community

Yesterday, I was doing an interview with one of my mentees. The questions she asked brought up some interesting points about MSI, our history and Columbus. I thought I would share 3 of the questions with the SoS readers:

How Did The Firm End Up In The Columbus Cyber Security Community?

Brent Huston:

“You have to remember that when I founded MicroSolved, back in 1992, there wasn’t a strong commercial Internet yet. Most of the electronic commerce efforts and digital business was done via dial-up or dedicated networks. I came to Columbus in 1988 to go to school and eventually ended up at DeVry. I was working at Sterling Software and doing a lot of experimentation with technology. Somehow, I got completely interested in security, hacking, phreaking and online crime. I took that passion and began to explore building it into a business. There were a few of us starting consulting companies back then, and Columbus was certainly an interesting place to be in the early 90s. Eventually, Steve Romig, from The Ohio State University started putting groups together – meeting at different parks and restaurants. That was the first place I really identified as the beginning of a security community in the city.”

Continue reading

My 3 Favorite Podcast Episodes (So Far…)

The State of Security Podcast has been a fun endeavor and I am committed to continue working on it. I am currently working on raising it to multiple episodes per month, so as I was reflecting, I thought I would share my 3 favorite episodes so far. There are so many great moments, and so much generosity from my guests, I am certainly thrilled with all of them – but everyone has to have favorites… 🙂 

#1 – Episode 1 – This one holds a special place in my heart. Thanks to the wonderful Dave Rose and the absolutely brilliant Helen Patton, they made this interview segment much more comfortable than it should have been. If you can get past my stumbling and bumbling, they share some pure magic with the audience. I hopefully have improved as an interviewer, but much thanks to them for helping SoS get off to a roaring start! 

#2 – Episode 6 – One of the most personal episodes ever, an anonymous friend shares a tale of what it is like to work for over year on a major breach. There is heartbreak and pain here, well beyond infosec. I still get chills every time I listen to it.

#3 – Episode 9 – This one is so personal to me, I get butterflies when people tell me they listened to it. Adam Luck interviews me, and the questions get very personal, very fast. We cover some personal history, why I am an infosec professional and some of the amazing friendships I have enjoyed over the years. Stark and raw, this is worth dealing with the crappy audio, or at least people tell me it is. (This episode is also why we hired audio professionals for our episodes.)

Those are my 3. What are yours? Hit me up on Twitter (@lbhuston) or @microsolved and let us know. Thanks for listening!

Thanks to Columbus State Community College & Get Involved

On Tuesday, I spoke at Columbus State Community College to a group of high and middle school teachers about digital crimes, black market economics and cyber-ethics. We had fantastic discussions and as teachers, they were amazingly engaged with myself and my content. I have never taught a more enthusiastic group of folks.

They asked a lot of questions; mostly about crime, motivation and the techniques of criminals in the digital world. But, they also asked for critical lessons that they could take back to their students and use in their own classrooms. Kudos for that!

If you want to get involved in the program, please contact @sempf on Twitter for more info. They are always looking for great speakers, excellent content and especially women with experience in STEM related careers. Thanks so much to Columbus State for having me. I was honored and thrilled to participate in the GenCyber program. Thanks to @sempf for the photo!

Co3J RfW8AAem8l

The Dark Net Seems to be Changing

The dark net is astounding in its rapid growth and adoption. In my ongoing research work around underground sites, I continue to be amazed at just how much traditional web-based info is making its way to the dark net. As an example, in the last few research sessions, I have noticed several sites archiving educational white papers, economic analyses and more traditional business data – across a variety of languages. I am also starting to see changes in the tide of criminal-related data and “black market” data, in that the density of that data has begun to get displaced, in my opinion, by more traditional forms of data, discourse and commercialization.

It is not quite to the level of even the early world wide web, but it is clearly headed in a direction where the criminal element, underground markets and other forms of illicit data are being forced to share the dark net with significantly more commercial and social-centric data. Or at least, it feels that way to me. I certainly don’t have hard metrics to back it up, but it feels that way as I am working and moving through the dark net in my research. 

There is still a ways to go, before .onion sites are paved and turned into consumer malls – but that horizon seems closer now than ever before. Let me know what you think on Twitter (@lbhuston).

Introducing Tomce

Today I am thrilled to announce that Tomce Kuzevski has joined the MSI team as an intelligence analyst, working on TigerTrax, analytics and machine learning focused services. I took a few minutes of Tomce’s time to ask some intro questions for you to get to know him. Welcome Tomce, and thanks for helping us take TigerTrax services to the next level! 
 
Q – Tomce, you are new to MSI, so tell the readers the story of how you developed your skills and got your spot on the Intelligence Team.
 
A- Ever since I was a kid, I was always into computers/electronics. I can’t tell you how much money my parents spent on computer/electronics for me, for them only to last a week or so. I would take them apart and put them back together constantly. Or wiping out the hard drive not knowing what I did until later. 
 
Growing up and still to this day, I was always the “go to kid” if someone needed help on computers/electronics which I didn’t mind at all. I enjoyed trying to figure out the issue’s. The way I learned was from failing and trying it myself. From when I was a kid to now, I still enjoy it and will continue to enjoy. I knew I wanted to be in the Computer/IT industry. 
 
I know Adam through a mutual friend of ours. He posted on FB MSI was hiring for a spot on their team. I contacted him about the position. He informed me on what they do and what they’re looking for, which was right up my alley. I am consistently on the internet searching anything and everything. I had a couple interviews with Brent and the team, everything went how it was suppose to. Here I am today about 7 weeks into it and enjoying it! That’s how I landed my spot on the MSI team.
 
Q – Share with the readers the most interesting couple of things they could approach you about at events for a discussion. What kind of things really get you into a passionate conversation?
 
A- I really enjoy talking about the future of technology. Yet, it’s scary and mind blowing at the same time. Being born in the 80’s and seeing the transformation from then to now, is scary. But, laying on the couch holding my iPhone while skyping my cuzin in Europe, checking FB and ordering a pizza all in the palm of my hands is mind blowing. I cant imagine what the world will be like in next 25 years. 
 
 
Q – I know that since joining our team, one of your big focus areas has been to leverage our passive security assessment and Intel engine – (essentially a slice of the TigerTrax™ platform) to study large scale security postures. You recently completed the holistic testing of a multi-national cellular provider. Tell our readers some of the lessons you learned from that engagement?
 
A- I absolutely could not believe my eye’s on what we discovered. Being such a huge telecom company, having so many security issues. I’ve been in the telecom business 5 years prior to me coming to MSI. I’ve never seen anything like this before. When signing up for a new cell phone provider, I highly recommend doing some “digging” on the company. We use our phones everyday, our phones have personal/sensitive information. For this cell phone provider being as big as they are, it was shocking! If you’re looking for a new cell phone provider, please take some time and do some research. 
 
 
Q – You also just finished running the entire critical infrastructures of a small nation through our passive assessment tool to support a larger security initiative for their government. Given how complex and large such an engagement is, tell us a bit about some of the lessons you learned there?
 
A- Coming from outside of the IT security world, I never thought I would see so many security issues at such a high level. It is a little scary finding all this information out. I used to think every company at this level wouldn’t have any flaws. Man, was I wrong! From here on out, I will research every company that I use currently and future. You cant think, “This is a big company, there fine” attitude. You have to go out and do the research.  
 
Q – Thanks for talking to us, Tomce. If the readers want to make contact with you or read more about your work, where can they find you?
 
You can reach me @TomceKuzevski via Twitter. I’am constantly posting Information Security articles thats going on in todays world. Please don’t hesitate to reach out to me. 

State Of Security Podcast Episode 10

Episode 10 is now available! 

This time around, we get to learn from the community, as I ask people to call in with their single biggest infosec lesson from 2015. Deeply personal, amazingly insightful and full of kindness to be shared with the rest of the world – thanks to everyone who participated! 

Podcast Episode 9 Available

Check out Episode 9 of the State of Security Podcast, just released!

This episode runs around an hour and features a very personal interview with me in the hot seat and the mic under control of @AdamJLuck. We cover topics like security history, my career, what I think is on the horizon, what my greatest successes and failures have been. He even digs into what I do every day to keep going. Let me know what you think, and as always, thanks for listening!