04 Jun, 2015

SecCasts Live: Beyond the Pentest – The Evolving Security Landscape

by Tania Ryseck

On May 27th, security professionals joined nVisium to share their views on a variety of topics concerning the cybersecurity industry. The conversation began on a light-hearted note, sharing the projects and technologies they are each currently involved in. A debate soon followed about what the security community is doing right and wrong and the public’s role (if any) in it. To wrap up the discussion, each panelist recommended a few good books that could be helpful to those in the industry. While this blog post summarizes the important points that were raised, a complete recording of the conversation can be found below:

The Panelists: 


Chris Gates (@carnal0wnage): Chris joined Facebook in 2014 as an Offensive Security Engineer. He has extensive experience in network and web application penetration testing as well as Information Operations experience working as an operator for a DoD Red Team and other Full Scope penetration testing teams. Chris is also a cofounder of NoVA Hackers. www.carnal0wnage.com


Rob Fuller (@mubix): Rob is a Senior Red Teamer at GE. His professional experience started with his time on active duty as a United States Marine. He has worked with devices and software that run the gamut of the security realm. Rob is also a cofounder of NoVA Hackers. www.Room362.com

Robin Wood (@digininja): Robin, a freelance security consultant, has over 6 years of experience in computer security and over 15 in software development. He has run security audits for large banks, trading firms, and various other international organizations. Robin regularly publishes blog posts and security tools on topics varying from auditing security cameras to password analysis. He has spoken at various security conferences and now runs SteelCon. digi.ninja

Seth Law (@sethlaw): Seth, nVisium’s VP of R&D, is an experienced Application Security professional who has worked in multiple disciplines in Security, from software development to network protection. Seth has honed his application security skills using offensive and defensive techniques, including tool development. Seth revels in deep-level analysis of programming languages and their inherent flaws.


What projects do you find most interesting at the moment?

Robin Wood says he has been working a lot with PowerShell lately, in particular the PowerTools and PowerView projects. Rob Fuller, on the other hand, has most recently been looking into the Docker and Vagrant platforms. Seth Law says he is currently keeping an eye on Daniel Mayer’s idb project and Google’s Project Zero. idb is an offensive tool that simplifies common tasks in iOS pentesting and research. Seth is also curious to see how organizations react to Project Zero, as “Google is basically looking for exploits in their platform and then releasing them.” He believes this to be “an interesting way to go about securing everyone’s platform because it is Google sponsored and Google employees are doing the work in-house.”

What technologies are you currently looking into? (2:55)

UEFI, DevOps, and understanding security through the eyes of a developer were among the answers the panelists gave. “The unification of BIOS, or UEFI, gets really interesting when talking about malware and backdoors because there is a common coding platform,” says Rob. He believes that “the security aspect in the past was harder, but with a standard firmware system it will be much easier.” Then again, a common firmware platform also gives attackers a common target: as moderator and nVisium CTO Ken Johnson puts it, with UEFI you can “essentially write malware that can be written on any machine.” Chris Gates says he likes DevOps tools because “they are basically botnet controllers, designed to attack against multiple hosts.” Robin and Seth have recently moved a bit away from the security side, focusing more on developer tools to better understand the mistakes that developers make in terms of security. For instance, Robin has started taking a training class for developers to see which bad habits are picked up at the beginning, while Seth has been spending a fair amount of time developing apps to see what developers are doing in different languages.

How do you properly use an internal red team? (5:16)

Rob describes a red team as “a pentest team with a bigger scope.” The major difference between a pentest and a red team is that “whereas a pentest is just a scanner…, a red team is where a group actually tries to get into the building and break absolutely everything they can.” Chris refers to it as a “mix of physical, social, and electric” aspects, since the purpose of the team is to determine “how vulnerabilities in one can affect or create vulnerabilities in another.” Unfortunately, not all red teams are implemented properly. Rob considers chargeback red teams ineffective: when an internal red team bills individual parts of the company for its assessments, it effectively reduces itself “into the role of an external team… where security is put on a back burner and budget at the front.” However, he does support two models of red teams. First, red teams should be used “on things that are already in place,” because new products can be tested more simply with a pentest. A second effective model is to use the red team for “a constant, open assessment; something that goes year-round.” Both Rob and Chris agree that regardless of the model used, there must be a good relationship between the red team and the system owners, to get rid of the adversarial relationship that oftentimes exists between the groups.

What is the security community getting right? (13:30)

Despite the usual talk of how organizations and security teams need to do better, the panelists agreed that there were some things the security community was getting right. As Robin states, “Hacking everything is… doing it right.” He especially finds the community’s interest in the Internet of Things to be a good sign that they are focusing on not just web applications but also on home devices. In addition, both Seth and Rob agree that adoption from a larger audience has helped over the last ten years. “I love the amount of research that is going on. Ten years ago most of this stuff was never even looked at,” says Seth. Rob notices this change as well, saying, “We are finally on the big screen. I mean, literally, every time I look at the news, there is something about cyber. So I think we are in a great position now to make the ‘Silicon Valley’ a better place.”

What are we not getting right? (21:16)

Of course, the security community also needs to see a lot of improvements in the future. Chris argues that security professionals in general give bad “recommendations to clients on how to fix the problems that we identify,” since much of the advice is too general and not actionable enough. In addition, Seth thinks that “mass communication with the wider world” needs to be stressed, since “nobody really cares.” In Seth’s opinion, security needs to be understood by everyone. For instance, “having a logo and a name for a vulnerability… makes it easier for my dad or my grandma to actually recognize that there is a problem out there and something needs to be done. We do a pretty poor job of educating those that don’t have the same level of experience that we do.” In contrast, Rob argues against awareness for all, since he doesn’t believe “we can put the onus on the users.” “Nobody really cares, and they shouldn’t have to care,” says Rob. He believes it is “our job to protect users and enable them to do things in an automatic fashion.”

What are some books you would recommend to security folks? (37:42)

“The Phoenix Project by Gene Kim is good to help you understand the idea of DevOps,” suggests Chris. Seth and Rob recommend Rework, since it makes you think about how you are actually developing things. Rob also suggests picking up a copy of the Red Team Field Manual, as he “pretty much always carries a copy around with him.”

Follow us on Twitter ( @nVisium) to find out about any upcoming nVisium Webinar sessions.