Personnel Development - NetSPI
https://www.netspi.com/blog/executive/personnel-development/
Trusted by nine of the top 10 U.S. Banks
Feed last updated: Tue, 02 Apr 2024 13:53:52 +0000

Mainframe Mania: Highlights from SHARE Orlando 2024
https://www.netspi.com/blog/executive/personnel-development/highlights-from-share-orlando-2024/
Tue, 26 Mar 2024 13:00:00 +0000
NetSPI Security Consultant Michelle Eggers attended SHARE Orlando 2024 for a hands-on educational conference focused on mainframe security.

The post Mainframe Mania: Highlights from SHARE Orlando 2024 appeared first on NetSPI.
SHARE Orlando 2024

Mainframe is happening now!

While most people may imagine mainframe computers to be an antiquated world of massive machinery, tape spools, and limited possibilities, they actually receive widespread use today in 2024 as the backbone infrastructure that allows billions of financial transactions to occur daily on a global scale.

Government entities can store and retrieve sensitive data with extremely high reliability and almost nonexistent downtime, and other sectors like healthcare, insurance, and utilities can meet the speed of demand by processing multiple terabytes of data with incredible ease and consistency.

Mainframe computers have a wonderfully rich history that spans decades, and as such there have been many groups over the years that bring practitioners, vendors, and resource owners together for collaboration. SHARE, founded in 1955, is the oldest and most well-known of these organizations — if you work in mainframe, you know about SHARE! It began as the first enterprise IT user group ever to form within the United States and has been operating continuously since, through industry publications, annual conferences, trainings, and ongoing opportunities to connect.

I had the pleasure of attending this year’s SHARE Orlando 2024 where I learned about the state of mainframe security today and the in-demand skills needed to protect these critical systems. Here’s what I thought of my time at the event.

Mainframe Penetration Testing is a Scarce Skillset

SHARE Orlando 2024 was the first time I had the opportunity to experience a mainframe event, and it was an excellent introduction to the mainframe community at large, with representation from organizations worldwide occupying the mainframe space. NetSPI was the only US-based proactive security consulting firm present, and I found myself engaged in multiple conversations on mainframe security as it relates to new integrations with data lakes, analytics platforms, blockchain, and AI.

Also under frequent discussion were developments in hosted cloud computing, quantum cryptography, web applications on mainframe, and mainframe ethical hacking in general. I realized during my time at SHARE that there are currently very few dedicated ethical hackers working in mainframe; the arena is in great need of this skillset, and I was deeply encouraged to continue building my individual mainframe knowledge while contributing to the development of our expanding Mainframe Penetration Testing service line here at NetSPI.

Mainframe Penetration Testing

IBM z/OS is by far the most common operating system you will find in use on mainframe today, and I was intrigued by a product IBM recently released called WatsonX AI. It makes use of foundational models and generative AI to assist with code translation from COBOL to Java for increased interoperability, and also makes it possible for businesses to train and deploy custom AI capabilities across the enterprise environment while maintaining full control of the data they own.

I also learned so much at both talks given by Philip Young, NetSPI’s Mainframe Director. At his first talk, entitled “Hacking CICS Applications: New Attacks on Old Screens”, the collaborative nature of SHARE was seen in full force as he was met with a great deal of feedback from the audience throughout the duration of the presentation. The talk covered an introduction to hack3270, a tool used to assist in CICS application pentesting, and certainly made an impression on the crowd… especially vendors and developers who had some new things to consider regarding the security of their CICS environments.

Philip’s second talk, “No Longer a Myth: A Guide to Mainframe Buffer Overflows”, was also well-received by the audience. A specific attack that for years many believed to be impossible was brought to light with a clear demo on how exactly this vulnerability can take place and some tips on ways to safeguard against buffer overflows on mainframe.

Finally, Mark Wilson gave a talk on the threat of ransomware within the mainframe environment. It was eye-opening for me, as I personally was not aware of the native capability mainframe has for encrypting massive amounts of stored data within mere seconds. The fact that terabytes of mission-critical data could be encrypted in less than 12 minutes was a strong call to action for mainframe practitioners and owners alike to be aggressive with MFA requirements and tracking user behavior analytics.

Mainframe Security Is Mission-Critical

I have a soft spot for mission-critical operations, legacy systems, and critical infrastructure. More specifically, I have a deep and abiding passion for the security of systems like mainframe that are heavily relied upon yet do not frequently gain mainstream attention in the cybersecurity space. If we are relying on these computers, we must continuously work to protect them! Though they have been around for many years, new integrations and developments mean we will be faced with new potential vulnerabilities. All an attacker needs is one weakness to prevail, and these are the situations I am here to identify and report for eradication.

Check Out These Free Resources to Expand Your Mainframe Security Education

There are some great talks available online; Philip has a fantastic list up (here and here are a few) covering many topics from the hacker perspective. IBM also hosts a free training program called IBM Z Xplore with hands-on interactive modules for learning to navigate and make the most of z/OS, as well as a networking platform called New to Z for burgeoning talent within any organization utilizing mainframe technology.

Overall, the experience at SHARE is a must-attend for those involved with or even just deeply fascinated by the world of mainframe. There is no other gathering of people with such passion and drive dedicated to this field. I was very pleased with the new information I was able to acquire and am so thankful for the connections I made among professionals and peers within the mainframe community.

See NetSPI’s technical research on Mainframe Penetration Testing by reading Philip’s article on Enumerating Users on z/OS with LISTUSER.

NetSPI’s Dark Side Ops Courses: Evolving Cybersecurity Excellence
https://www.netspi.com/blog/executive/personnel-development/dark-side-ops-courses-evolving-cybersecurity-excellence/
Tue, 10 Oct 2023 18:30:47 +0000
Check out our evolved Dark Side Operations courses with a fully virtual model to evolve your cybersecurity skillset.
Today, we are excited to introduce you to the transformed Dark Side Ops (DSO) training courses by NetSPI. With years of experience under our belt, we’ve taken our renowned DSO courses and reimagined them to offer a dynamic, self-directed approach. 

The Evolution of DSO

Traditionally, our DSO courses were conducted in-person, offering a blend of expert-led lectures and hands-on labs. However, the pandemic prompted us to adapt. We shifted to remote learning via Zoom, but we soon realized that we were missing the interactivity and personalized pace that made in-person training so impactful. 

A Fresh Approach

In response to this, we’ve reimagined DSO for the modern era. Presenting our self-directed, student-paced online courses that give you the reins to your learning journey. While preserving the exceptional content, we’ve infused a new approach that includes: 

  • Video Lectures: Engaging video presentations that bring the classroom to your screen, allowing you to learn at your convenience. 
  • Real-World Labs: Our DSO courses now enable you to create your own hands-on lab environment, bridging the gap between theory and practice. 
  • Extended Access: Say goodbye to rushed deadlines. You now have a 90-day window to complete the course at your own pace, ensuring a comfortable and comprehensive learning experience. 
  • Quality, Reimagined: We are unwavering in our commitment to upholding the highest training standards. Your DSO experience will continue to be exceptional. 
  • Save Big: For those eager to maximize their learning journey, register for all three courses and save $1,500. 

What is DSO?

DSO 1: Malware Dev Training

  • Dive deep into source code to gain a strong understanding of execution vectors, payload generation, automation, staging, command and control, and exfiltration. Intensive, hands-on labs provide even intermediate participants with a structured and challenging approach to write custom code and bypass the very latest in offensive countermeasures. 

DSO 2: Adversary Simulation Training

  • Do you want to be the best resource when the red team is out of options? Can you understand, research, build, and integrate advanced new techniques into existing toolkits? Challenge yourself to move beyond blog posts, how-tos, and simple payloads. Let’s start simulating real world threats with real world methodology. 

DSO Azure: Azure Cloud Pentesting Training 

  • Traditional penetration testing has focused on physical assets on internal and external networks. As more organizations begin to shift these assets up to cloud environments, penetration testing processes need to be updated to account for the complexities introduced by cloud infrastructure. 

Join us on this journey of continuous learning, where we’re committed to supporting you every step of the way.

Join our mailing list for more updates and remember, in the realm of cybersecurity, constant evolution is key. We are here to help you stay ahead in this ever-evolving landscape. 

Q&A with Tyler Sullivan: The Journey to CREST Certification
https://www.netspi.com/blog/executive/personnel-development/the-journey-to-crest-certification/
Tue, 29 Aug 2023 14:18:41 +0000
Learn about the journey to CREST certification directly from our offensive security consultants and how the certification helps in day-to-day pentesting work.
Learn about the journey to CREST certification directly from our offensive security consultants. CREST certification is an accreditation that establishes professional standards for penetration testing. 
 
This Q&A between NetSPI EMEA Services Director Sam Kirkman and Senior Security Consultant Tyler Sullivan takes you through the process to achieve the CREST Certified Tester (CCT) qualification and how it enables NetSPI to better serve clients across the globe. 

Watch the video below or read along with the Q&A.

Tyler, why don’t you start off with a bit of an intro about yourself?

“I first got into cybersecurity while I was at university doing computer science and found it to be really interesting and had a real passion for it. So, I did my dissertation on cybersecurity. And after university, I was lucky enough to land a graduate job as a consultant. And this was sort of where my journey really began. I did a lot of web application testing and a lot of infrastructure testing, but particularly enjoyed web testing […] And so that led me down the route of getting some qualifications in web security. And I went for and have achieved the CREST certification.” 

Why is it important to achieve CREST certification?

In the UK in particular, CREST is a respected and well-known organisation. They accredit a lot of companies and certify a lot of individuals, so it’s a logical path for penetration testers to go down. Traditionally, individuals start out with the CREST Practitioner Security Examination Analyst (CPSA) examination.  

For a security consultant just starting out, it’s useful to have that first goal of passing the CPSA examination. When consultants start learning more about cybersecurity, then they can do the CREST Registered Tester (CRT) exam.

“What really drove me towards those exams initially was that it made sense logically and had a progression. But also, they’re well respected and challenging exams. If it’s difficult to get [these certifications], they’re going to come with a lot of respect and really showcase your web skills.” 

What is the journey like to pass the CPSA exam? Is it challenging right from the start?

When you’re working toward CPSA, it can seem a bit daunting as your first qualification in the industry. At first, there are a lot of simple fundamentals to learn but at the same time, it can be challenging as a new professional in the industry. The timeline between the exams is well laid out, which makes it manageable.  

The CPSA is helpful because it teaches the necessary fundamentals, and the CRT is more of a little bit of everything and covers a lot more about web infrastructure. At the time, when preparing for these exams, you should be at least a mid-level tester.

When you get to the specific specialties, either application testing (CCT App) or infrastructure testing (CCT Inf), that’s when you put your head down and focus. The final section is broken into two additional parts. First, you have a multiple-choice part, which is similar to CPSA but much harder and covers a lot more information. Then you come to the practical exam, where you have an assault course and a scenario, which lasts about a day.

“I found the exam really tough, but really rewarding […] By the end of it, your brain is fried, because it’s just a really tough exam. But yeah, I passed in February last year and it’s probably my best achievement in the industry so far.” 

Does being CREST-certified change the way you can have conversations with customers and the way that they look at you as well?

CREST is well known in the UK especially because a lot of companies and clients do look for CREST certification and accreditation. One thing that is useful is that when you’re speaking with a client, you can be introduced as a CREST-certified tester. When clients look it up, they’ll see that it’s one of the best, most comprehensive web exams in the UK and one of the best in the world if you’re looking globally.  

Overall, being CREST-certified makes it easier because clients can see that you’re knowledgeable. If you have this qualification, it shows that not only do you have theory knowledge, but also practical real-world cybersecurity experience and pentesting experience. 

Do the skills developed during CREST exams help in the real world and in your day-to-day job as a penetration tester?

Knowledge from the exam is useful in day-to-day job scenarios. The exam teaches you how to deal with problems and unexpected inputs and scenarios, which is basically what penetration testing is. It’s seeing something you haven’t seen before and knowing how to apply certain theories that you’ve learned in different ways. And it’s not always the same formula, it’s very different each time.

The exam also has an element of reporting in there, which is obviously very important. At the end of the day, the report is what the client sees. And if you can’t communicate the results properly, then the client is not able to fix what is shown in the results.  

The CREST certification provides a great base and advanced knowledge and enables you to venture out into very niche parts of cybersecurity. However, it’s important to always continue learning.  

“A lot of my learning happens outside of the qualifications as well. Being on the team here at NetSPI, there are a lot of talented people, not just talented in web security, but we have really good cloud people. It’s hardware hackers, I don’t think I’ve ever been in an environment where there are just so many specialists. And it’s really good, because everything that you learn from even people that are doing hardware, hacking something so different. Being on the NetSPI team is a constant learning experience, I think in cybersecurity and penetration testing it’s impossible to ever stop learning.”  

Qualifications provide structure and a sense of achievement. And in the cybersecurity industry, continual learning is always important as the threat landscape continues to evolve. You mentioned that you never stop learning, have you decided what comes next for you?

“I think at the moment, I’m really enjoying just being able to have the freedom to go investigate something, or potentially go develop something. So, I think as a cyber professional, you do have to be able to do a little bit of everything. So, I’ve done a lot of development work recently and I’ve been enjoying writing some plugins and things that helped me become a better tester and more efficient tester. For the time being, I’ll keep doing this for another two years, then I’ll have to renew my CREST certification.”

Is NetSPI CREST-accredited?

Yes, NetSPI is a CREST member organisation and a CREST-accredited penetration testing service provider. You can find our profile online here.

Does NetSPI have CREST-certified consultants?

Yes, NetSPI employs multiple CREST-registered and -certified penetration testers. CREST Registered Tester (CRT) is a mid-level qualification. CREST Certified Tester (CCT) is the higher-level qualification, earned for either application testing (CCT App) or infrastructure testing (CCT Inf).

Partner with NetSPI’s team of expert pentesters

NetSPI’s team of expert pentesters is available to provide always-on security, whether you need to scope a new engagement, parse real-time vulnerability reports, prioritise remediation, or ensure compliance. Learn more about NetSPI’s penetration testing as a service (PTaaS) or schedule a demo to speak with our team directly.

Q&A with Michelle Eggers: An Inside Look at the SANS ICS Security Summit 2023
https://www.netspi.com/blog/executive/personnel-development/q-and-a-michelle-eggers-ics-security-summit-and-training-2023/
Tue, 09 May 2023 14:00:00 +0000
NetSPI’s Associate Security Consultant Michelle Eggers shares her takeaways from ICS Security Summit & Training 2023.
Most people rarely think about the systems that keep our world running. But every once in a while, it’s worth it to pause and reflect on the critical infrastructure that makes our society run smoothly. In this case, we‘re talking about the security of industrial control systems (ICS).  

When daily activities go as planned, everyone carries on, but if things go awry, what can be a bad day for IT applications can mean taking an entire system offline in the ICS arena. In some cases, this can be hazardous to human safety and potentially cause environmental disasters. In fact, there’s an entire conference dedicated to ICS — and we’ve got the inside scoop. 

NetSPI Security Consultant Michelle Eggers earned a scholarship from Dragos and SANS to attend the ICS Security Summit & Training 2023. The summit is a deep dive into the field of ICS security, creating the space to share ideas, methods, and techniques for safeguarding critical infrastructure. We caught up with Michelle to share her experience and recap educational takeaways, memorable moments, and why ICS security is an important field of focus.  

Q&A with Michelle Eggers on ICS Security Summit & Training 2023 

1. How would you summarize your experience at the SANS ICS Security Summit 2023? 

The SANS ICS Summit was a phenomenal opportunity to undergo a crash-course into many foundational aspects of Operational Technology (OT) and the current trends surrounding the technologies used to support critical infrastructure worldwide.  

I had the opportunity to sit in on the beta rollout of the new SANS ICS 310 course and took away many valuable insights, such as a comparative analysis on the ways in which ICS and IT security concerns are similar, and the areas in which they differ dramatically.  

Each talk during the summit provided relevant, actionable information for ICS asset owners and operators with recommendations for navigating the current threat landscape. As a note, ransomware is by far the biggest concern facing the field at this time. In short, the conference presented zero filler and instead focused on rich information directly applicable to real-world scenarios.

SANS Five Critical Controls for ICS/OT

2. What did you find most interesting in terms of tools used to secure ICS? 

Tooling-wise, testing OT systems can be very similar to other types of penetration testing. The differences lie within the implementation. For example, Industrial Control Systems are often built on decades-old legacy hardware that may not be equipped to manage an active scan. In fact, something like a Nessus scan could easily knock out an entire system.

While this situation may be a bad day for IT applications, in the ICS arena, taking a system offline can be hazardous to human safety and in extreme situations could even lead to an environmental disaster or loss of life.  

Cybersecurity for IT systems is built upon the CIA Triad model: Confidentiality, Integrity, and Availability. When working with operational technology, confidentiality is not the top priority; safety and availability instead play a much more crucial role. The impact goes beyond the potential loss or compromise of data or dollars and extends to potentially catastrophic effects in real-time, physical scenarios.  

3. How did you get introduced to ICS security? 

I first encountered the topic of ICS Security when I began my initial cybersecurity educational journey. It was not a large focus area but was mentioned in passing for general awareness purposes. I recall hearing at the time that air-gapped systems protect much of operational technology, but during the summit I came to understand that many OT systems are in fact networked. If there is an “air-gap” in place, it is often a logical and not a physical separation, which, as we know, presents an opportunity for attacks that target bypassing security controls such as a misconfigured firewall.

4. What makes you passionate about ICS security? 

Most people across the globe rely daily upon manufactured products or foods, critical infrastructure services (like healthcare), or utilities such as water or power to survive. The only way to escape the need for what OT provides us would be to live completely off grid, growing our own food, creating our own medicine, and so on.  

While this sounds ideal to some, the reality is very few people are actually living this way in industrialized countries. Industrial Control Systems are a crucial component of our daily lives whether we acknowledge it or not, and keeping these systems secure is of the utmost importance. 

5. Do you have a vision for how you could merge your pentesting skillset with operational technology (OT)? 

Ah, the dream! I would love to merge my existing interests in OSINT, Social Engineering, Physical Pentesting, and my current work in Web Application Penetration Testing with OT Pentesting into a well-rounded Red Team role that would assist organizations in securing their most vital assets in a multi-tiered and comprehensive approach.  

As far as OT testing branching out from Web App testing, many industrial control systems have some form of network connectivity that incorporates human-machine interfaces, and these can often present very similar vulnerabilities to IT systems regarding the authentication process. If forged remote authentication can be achieved to a workstation in control of a real-world, physical process, you’ve got a very serious problem at hand.

6. What tips do you have for security professionals looking to learn more about ICS security?  

Resources abound. Everything from YouTube to a basic browser search can provide a solid starting point for a better understanding of Operational Technology. I would recommend reading about the Colonial Pipeline cyberattack, studying up on Stuxnet and the Ukraine power grid attacks, and investigating any other infrastructure attacks of interest to gain a general idea of the OT landscape and what’s at stake.  

While at the conference I also had the opportunity to chat with Robert M. Lee, SANS ICS Fellow, who has put together a wonderful blog providing a list of resources for those interested in growing their knowledge base on ICS Cybersecurity, “A Collection of Resources for Getting Started in ICS/SCADA Cybersecurity.” 

In addition, Dean Parsons has released several free PDF resources on the subject, entitled “ICS Cybersecurity Field Manual” Volumes 1-3. These will also be available soon in a consolidated hardcopy edition. I managed to snag a signed first edition copy of his book at the Summit and it’s an excellent read; I wholeheartedly recommend adding it to any cybersecurity resource collection.

If ICS security piques your interest, then you’ve got some reading to do! Connect with Michelle Eggers on LinkedIn for more OT insights and learn about NetSPI’s OT-centric offensive security services here.  

Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster
https://www.netspi.com/blog/executive/personnel-development/relationships-development-application-security-vulnerabilities/
Tue, 02 Feb 2021 07:00:00 +0000
It’s simple in theory. Finding, fixing, and even preventing vulnerabilities is a shared responsibility between security and development teams. That being said, silos still exist between DevOps and application security teams. DevSecOps – symbolically putting security at the center – is a great theory but is only effective if these groups work together to develop the people, process, and technology needed to be effective.

In fact, a recent Ponemon Institute Research report shows that 71 percent of AppSec professionals believe security is undermined by developers who don’t include proper security functionality early in the software development life cycle (SDLC). That statistic, to me, shows that there is a substantial divide between development and security teams, a divide that can (and should) be overcome. It’s not surprising, though, that these divides exist considering how teams are spread thinner every day while aiming to increase release velocity. If we are going to solve these problems, we need to focus on creating human connections across teams, and a DevSecOps mentality will become not just policy, but also culture.

Come together by understanding motivations

In my experience, developers and security personnel don’t think that differently. They just have different incentives. Developers work to move through the SDLC quickly to get applications launched. Security teams, on the other hand, are incentivized to make the SDLC process as secure as possible, which is oftentimes viewed as slowing down progress by adding non-functional security requirements. If this is the viewpoint, it is no wonder that the groups may be at odds. Human relationships – even in the work environment – need to find common ground.

One of the best books I’ve read is Hit Refresh, the New York Times bestseller about the transformation happening inside Microsoft, from its CEO Satya Nadella. As Satya describes, “It’s about how people, organizations, and societies can, and must, transform and “hit refresh” in their persistent quest for new energy, new ideas, and continued relevance and renewal.” He is able to achieve this “refresh” he describes by being “out in the world, meeting people where they live and seeing how the technology we create affects their daily activities.” I believe in this philosophy and it has direct parallels to how we work in security.

Empathy for our colleagues and the relationships we develop with them is critical to achieving success within organizations because we can understand how the policies and procedures we develop impact their work and why the outcomes we expect often don’t materialize. Some may view empathy as letting people off the hook for not performing a specific task. But it’s important to connect empathy with accountability. By understanding the needs and incentives of our peers, we develop policies and procedures that are fair and transparent. Holding each other accountable is not only fair, but expected – as a result, security and development teams will uncover creative ways to collaborate to ultimately achieve overlapping goals, faster and with less friction.

Simple steps to start building a strong and productive relationship between development and security teams are:

  • Spend time connecting with people – A Journal of Experimental Social Psychology study reported in the Harvard Business Review found that face-to-face meetings are 34 times more successful than email. This also provides a forum to develop a mutual understanding of each team’s incentives and mission. Or, if working remote, set up a video conference between security and development teams.
  • Create processes together – Oftentimes development and security teams build processes separately, in a silo. Coming together at the start will help to develop realistic and cohesive goals, processes, and metrics. Further, each team can help to make the case for support, even financial or budget support, if necessary, for the other team. There have been times in my career when I was able to secure additional budget or resources on behalf of infrastructure or development teams to ensure they were able to support a specific security initiative.
    • “What do you need to effectively support this? I’ll do my best to include it in the project budget.”
  • In a ticket-driven world, cleanup is essential – Stacks and stacks of IT tickets notifying of vulnerabilities will never motivate an already stressed development team, especially if they are not deduplicated and scrubbed of false positives. Taking the time to clean up this process will show developers that the security team does not want to waste time, respects their SDLC counterparts, and wants to quickly get to the root of any vulnerability issues, particularly high-severity issues. Tickets are important for tracking and accountability, but let’s make sure we’re giving the right information, to the right person, at the right time.
  • Leverage automation, in combination with manual pentesting – An effective, reimagined AppSec program includes being able to manage manual penetration testing and secure code review augmented by automated vulnerability discovery tools that are deployed at various phases of the SDLC process. Shifting to this mindset will take collaboration and commitment amongst the DevSecOps teams.
    • “What tools make the most sense and how can we maximize the value of existing investments?”
    • “What is the roadmap for the development team and how do we ensure we can grow together?”
  • Bring empathy to the situation to have credible conversations – Allowing openness and a safe space to say “I don’t know, but I’ll get the answers” will go far in building a strong DevSecOps team. At the end of the day, we’re all supporting the same business and striving for excellence. Let’s work smart, lead with integrity, and treat each other with respect to ensure we meet that end goal and, hopefully, have a little fun along the way.

It has come to be expected that security is an emergent property of software. In fact, with Continuous Integration/Continuous Deployment (CI/CD) being adopted more and more, development and security teams must come together, bringing empathy, accountability, and collaboration into the process and working toward the same goal with transparency. When that happens, I’m confident that DevSecOps can become the norm.

The post Build Strong Relationships Between Development and Application Security Teams to Find and Fix Vulnerabilities Faster appeared first on NetSPI.

Cyber Security: How to Provide a Safe, Secure Space for People to Work
https://www.netspi.com/blog/executive/security-industry/cyber-security-how-to-provide-a-safe-secure-space-for-people-to-work/
Tue, 20 Oct 2020 07:00:53 +0000

The post Cyber Security: How to Provide a Safe, Secure Space for People to Work appeared first on NetSPI.

Creating a Culture of Education Around Cyber Security

When it comes to cyber security training, less is more. Determine what is necessary and make it mandatory compliance training. The balance can be subtle and served through a variety of media. Ideally, it will not even feel like training. For example, record a brief video, narrate over a few PowerPoint slides, or host Q&A sessions for any cyber security questions.

It is no longer realistic to base cyber security standards on employees keeping their personal and professional activities separate. Educate employees about digital security in their personal lives and that awareness will carry over into their business activities. Employees will also appreciate the trusted guidance.

Another of my training philosophies is open communication without shaming. When someone is the victim of a cyber security scam, they feel shame. We need to move past this. If an employee reports being tricked by a suspicious email, link, call, or similar, thank them and encourage them to share their experience with other employees. This helps others protect themselves and your business.

Lessons Learned from the Unlikeliest of Places

In 2016, I joined the cyber security team after two years of international travel. Together with my husband, we bicycled from Seattle to Singapore. The lessons I learned along the way were surprisingly relevant to my work in cyber security.

  1. Learning to communicate when you don’t share a common language was key for me both in work and in life. Professionally, it let me translate cyber security or any other tech speak into something employees could understand and relate to their daily responsibilities. More broadly, as our environment grows more diverse, we will continue to find ourselves interacting with people from different geographies, cultural backgrounds, and native languages. It is increasingly important for us to communicate effectively with fellow global citizens, whether personally or professionally.
  2. Change has become the new normal. Being in a different location and needing to find food, water, and shelter each day forced me to live with change and uncertainty. Within a few weeks, it became normal and much less stressful. I became comfortable trusting that things would work out.

Agent of Influence Episode 12, Featuring Kristin Walsh

Areas of Cyber Security Focus in the Biotech Sector

Great cyber security is boring and some media have done a disservice to the industry by making it flashy and scary. Cyber security is about doing the preparation to provide a safe, secure space for people to work. Three main areas I would focus on are:

  1. Equipment Maintenance: Everything runs off software. Ensure the software is current with security patches applied. It can be a difficult balance between business and security when you need to take a money-making instrument offline to do a security upgrade. Having excellent cross-functional relationships so you can have those tough conversations is critical.
  2. Data Privacy: Ensure your systems are secured from the outside and that you have alerting and monitoring in place should the worst happen. Prevention only goes so far. You need to be prepared and practiced for what to do in the event of a breach; speed of recognition and recovery matters more.
  3. Audit Trails: Ensure that the right information and the right discoveries are attributed to the right people. Audit trails are also key in cyber security investigations. When you are trying to determine whose PC or which server or what part of the network was infiltrated, that audit trail and an environment with open communication allows you to conduct a successful investigation.

The views presented by Kristin are those of her own and do not necessarily represent the views of her employer or its subsidiaries.


How to Build a Cyber Security Team with Staying Power
https://www.netspi.com/blog/executive/security-industry/how-to-build-cyber-security-team-with-staying-power/
Tue, 15 Sep 2020 07:00:58 +0000

The post How to Build a Cyber Security Team with Staying Power appeared first on NetSPI.

Data from the Bureau of Labor Statistics shows that information security professional employment is projected to grow 32% between 2018 and 2028, much faster than the average for all occupations. Those statistics mirror what we are seeing at NetSPI – a demand for information security professionals to create innovative solutions to prevent hackers from stealing critical company assets or intellectual property.

Twenty years ago, the role of a cyber security professional revolved around securing the perimeter. Today, cyber security has evolved and matured, along with the attack landscape. CISOs are responsible for many things, from preventing breaches and instilling ongoing security and vulnerability management programs, to internal/external leadership and even reporting to the board. Learning from the past as we plan for the future, I’m confident that the role of the cyber security team will continue to evolve, making it imperative that organizations build and invest in a team with staying power.

Humbly speaking, with many NetSPI team members having tenure of 10 years or more, we are fortunate to be able to offer our clients quality – and consistent – counsel, because we have focused on building teams with staying power. In this blog, I’ll share some insight into NetSPI’s commitment to team building in the hope that it can provide guidance for your own workplace development (or even serve as criteria for hiring your third-party testing team).

Hire for Experience, but also for Thirst for Knowledge

After hiring numerous professionals throughout the years, I’ve noted a number of things, beyond experience, that come together to make a person great in this profession. A self-starter, or someone who is ambitious, is often a great team member. Further, an individual who works on projects outside of work or school demonstrates to me a passion for the profession.

Yet two traits that are harder to recognize at first are the less common soft skills: memory recall and curiosity. Individuals with strong memory recall, who can understand patterns and relationships, usually gain an advantage when it comes to thinking like an attacker and recognizing familiar trends while working as part of a client consulting team. And the highly curious person often has an innate drive to pick things apart, a skill that is fundamental to success when the technology landscape becomes more complex by the day and emerging technologies continue to open new doors to hackers. Technology vulnerabilities are there – and a curious person is more apt to find exposures so remediation can commence.

Interesting Data on Memory: In a Scientific American article, Northwestern University psychologist Paul Reber states that the human brain consists of about one billion neurons, amounting to more than a trillion connections. Neurons combine so that each one helps with many memories at a time, exponentially increasing the brain’s memory storage capacity to something closer to around 2.5 petabytes (or a million gigabytes).

For comparison, if your brain worked like a digital video recorder in a television, 2.5 petabytes would be enough to hold three million hours of TV shows. You would have to leave the TV running continuously for more than 300 years to use up all that storage.

Make Training and Continuing Education Fundamental

Today’s college graduates in the technology or cyber security fields, or even those with just one to two years of experience, have a definite thirst for knowledge. Our organization has found that investing in feeding that knowledge has paid dividends and has manifested in our proprietary NetSPI University.

Each year, through NetSPI University, we take new cyber security talent through a six-month continuous improvement and training program that consists of internal and external educational courses, technical labs, shadowing programs, and cross training. Why do we make this investment? The reason is two-fold. First, it is part of our DNA and culture to continuously improve (truly, at all levels of the organization). Secondly, our ability to outpace attackers is due to our talent and our culture. Our clients respect that, and in some cases, seek out our counsel in putting in place their own training programs. In the long run, organizations benefit from investing in their teams.

Focus on Measures Outside of Just Technology Competencies

In Nabil Hannan’s inaugural edition of his Agent of Influence podcast (with the excellent title of “Cyber Security Education and the Ethics of Teaching Students to Break Things”), he states that some of the most successful people he has seen in cyber security “are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments.” He goes on to point out that this is critical as technology is always evolving, as are the security implications. I couldn’t agree more. In fact, I think it is a hiring measure – adaptability or agility outside of technical competencies – that is undervalued. I write about the importance of agility here.

What’s more, organizations that provide a framework for performance – meaning evaluation measures on quality, technical depth, and outcome – help not only the team member but the organization as well. But I argue that agility measures should also be part of the framework for performance so that team members can bring their own skills and perspectives to each and every engagement and incorporate their individual style. This not only benefits the employee and the client; an organization can then apply that individual’s insights across the whole team to make the organization better and smarter. Additionally, organizations need to understand that a dynamic culture, one that puts in place the building blocks to enable people to enjoy working together, pays dividends in terms of work product, retention, and recruitment.

In my opinion, cyber security professionals have the best job in the world. They get to ethically hack into some of the largest companies. With that comes responsibility. Because of the importance of the work that cyber security professionals do day in, day out, it’s critically important that organizations provide opportunities for these talented individuals to grow, stay on the cutting edge, and lead. A commitment to building a team with staying power, through a commitment to training and developing the next generation of security professionals, is imperative as the profession continues to grow to meet the growing demands of the job.


The Evolution of Cyber Security Education and How to Break into the Industry
https://www.netspi.com/blog/executive/security-industry/the-evolution-of-cyber-security-education-and-how-to-break-into-the-industry/
Tue, 14 Apr 2020 07:00:40 +0000

The post The Evolution of Cyber Security Education and How to Break into the Industry appeared first on NetSPI.

In the inaugural episode of NetSPI’s podcast, Agent of Influence, Managing Director and podcast host Nabil Hannan talked with Ming Chow, a professor of Cyber Security and Computer Science at Tufts University, about the evolution of cyber security education and how to get started in the industry.

Below is an excerpt of their conversation. To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.

Nabil Hannan

What are your views and thoughts on how actual education in cyber security and computer science has evolved over the last couple of decades?

Ming Chow

I think one thing that is nice, which we didn’t have, is this: ten or twenty years ago, if we wanted to learn Java, for example, or about databases, or SQL, you had to go buy a book from your local tech bookstore or we had to go to the library. That doesn’t have to happen now. There’s just so much information out there on the web.

I think it’s both a good and a bad thing. Now, with all this information readily available, it feels like that content and information is much more accessible. I don’t care if you’re rich or poor, it really leveled the playing field in terms of the accessibility and the availability of information.

At the same time, there is also the problem of information overload. I’ll give you two good examples. Number one: I’ve had co-workers ask me, “What’s the best book to use for Python?” That question, back in the day when we had physical books, was a lot easier to answer. Making a recommendation now is a lot harder. Do you want a physical book? Are you looking for a publisher? Are you looking for an indie publisher? Are you looking for a website? Are you looking for an electronic form? Now, there are just way too many options.

Now it’s even worse when it comes to cyber security and information security. There are a lot of people trying to get into cyber security and a common question is how to get started. If you ask 10 experts that question, you’ll get 10 different answers. This is one of the reasons why, especially for newcomers, it’s hard to understand where to get started. There are way too many options and too many avenues.

Nabil Hannan

Right, so people get confused by what’s trustworthy and what’s not, or what’s useful versus what isn’t.

Ming Chow

And, what makes this worse is social media because a lot of people in cyber security are on Twitter and there’s also a community on Facebook. This has both pros and cons, of course. You have community, which is great, but at the same time, there is just more information and more information overload.

But, there is one thing that hasn’t changed in cyber security education – or lack thereof – and computer science curricula since 2014. I don’t see much changed in computer science curricula at all. I still see a lot of students walking out of four years of computer science classes who don’t know anything about basic security, not to mention about cross site scripting and SQL injection. Here we are in 2020 and there are still many senior developers who don’t know about these topics.

Nabil Hannan

Let’s say you have a student who wants to become a cyber security professional or get into a career in cyber security. What’s your view on making sure they have a strong foundation or strong basics of understanding of computer science? What do you tell them? And how do you emphasize the importance of knowing the basics correctly?

Ming Chow

Get the fundamentals right. Learn basic computer programming and understand the basics. It makes absolutely no sense to talk about cyber security if you don’t have the fundamentals or technical underpinnings right. You must have the basic technical underpinnings first in order to understand cyber security. Because you see a lot of people talk about cyber security – they talk and talk and talk – but half of the stuff they say makes no sense because they don’t have the basic underpinnings.

That’s why I tell brand new people, number one, get the fundamentals right. You must get those because you’re going to look like a fool if you talk about cyber security, but you don’t actually have any knowledge of the basic technical underpinning.

Nabil Hannan

The way I tell people is that it’s important for you to know how software is actually built in order for you to learn or figure out how you’re going to break that piece of software. So that’s how I iterate the same thing. But yes, continue please.

Ming Chow

Number two is to educate yourself broadly. Let me explain why that’s important. You want to have the technical underpinnings, but you also want to educate yourself broadly – take courses in calligraphy, psychology, political science, information warfare, nuclear proliferation, and others.

Educate yourself broadly, because cyber security is a very broad field. I think that’s something that many people fail to understand. A lot of people, especially in business, think that cyber security is just targeted toward technology. A lot of people think cyber security is IT’s responsibility. But of course, that’s not true, because things like legal and HR have huge implications for cyber security. You have to educate yourself broadly because sometimes the answer is not technical at all.

Nabil Hannan

I think some of the most successful people that I’ve seen in this space are usually very adaptable – they learn to adapt to different situations, different scenarios, different cultures, different environments. And, technology is always evolving and so are the actual security implications of the evolving technology. Some of the basics and foundations may still be similar, but the way to approach certain problems ends up being different. And the people who are most adaptable to those type of changing and evolving scenarios tend to be the most successful in cyber security, from what I’ve seen.

Ming Chow

I think it’s a huge misnomer for any young person who is studying and trying to get into security. Cyber security is not about the 400-pound hacker in the basement. It’s also not hunting down adversaries or just locking yourself in a room, isolating yourself in a cubicle, writing code that would actually launch attacks.

Nabil Hannan

So, you’re saying it’s not as glamorous as Hollywood makes it seem in their movies like Hackers and Swordfish?

Ming Chow

I think the most legit show is Mr. Robot because they actually vet out real security professionals for that show.

Now, I want to go back into something you said about the software engineering role. Probably one of the best ways to get into cyber security is to follow one of these avenues: software development, software engineering, help desk, network administration, or system administration. And the reason is because when you’re in one of those positions, you will actually be on the front lines and see how things really work.

Nabil Hannan

Things in practice are so different than things in theory, right? So, that’s what you really got to learn hands on.

To listen to the full podcast, click here, or you can find Agent of Influence on Spotify, Apple Music, or wherever you listen to podcasts.


Innovation and Consistency: The Right and Left Brain of Vulnerability Management
https://www.netspi.com/blog/executive/penetration-testing/innovation-and-consistency-the-right-and-left-brain-of-vulnerability-management/
Tue, 17 Mar 2020 07:00:40 +0000

The post Innovation and Consistency: The Right and Left Brain of Vulnerability Management appeared first on NetSPI.

Pentesting has attracted a workforce filled with intensely creative and highly curious technical minds. Ironically, however, we see vulnerability management programs advance and accelerate when creativity is paired with a framework that drives quality and consistency. Is this an indication that our industry has matured to the point that the level of innovation is diminishing? Far from it. In fact, the best cybersecurity programs and providers incorporate and embrace both innovation and consistency.

Innovation Remains Mission Critical

First, it’s important to understand that there are a couple of ways to define innovation. The first, of course, is through the lens of creativity and disruption. Attackers don’t have any boundaries when it comes to figuring out how to exploit a program or system; neither should cybersecurity teams. Finding new ways to break things is a critical part of the job.

A second way to define innovation is more pragmatic. While companies need to address large volumes of vulnerabilities and develop strategies to remediate them, most security teams are faced with doing more with less due to budget restrictions, lack of resources, and other constraints. The only way to accomplish this is to adopt some level of automation. Moreover, automation is critical for handling mundane or repetitive processes to free up time for humans – pentesters, developers, and others – to exercise their creative minds. As in any industry, automation enables people to perform at their highest potential, and when used correctly, it becomes a force multiplier.

Consistency Plays a Vital Role, Too

As partners to large corporations and other organizations that have extensive testing programs, we must have consistency in our testing approach. When we find a new vulnerability within one client’s environment, our consistent, systematic process enables us to add that one vulnerability to a checklist for each and every test we do in the future, regardless of the individual tester. This process frees up time for our team of pentesters to be more innovative in finding ways to exploit a program or system, while also ensuring as much coverage as possible.

Another way to approach consistency is through more regular testing for vulnerabilities instead of performing a pentest on your network as an annual compliance tool that results in static PDF reports with out-of-date vulnerability information. As a best practice, vulnerability management measures should employ continuous monitoring, with real-time reporting that enables companies to remediate vulnerabilities as quickly as possible. This new paradigm, known as Penetration Testing as a Service (PTaaS), employs both automated scanning and manual tests that dive deeply into applications and networks.

Striking a Balance Between Innovation and Consistency

How our industry maintains the balance between innovation and consistency should start with our people. While it may seem easier to screen for skills than for personality, the goal is to look for people who can not only think like an attacker but also excel within a framework that supports individual agility and leads to a consistent, high-quality outcome. A tip? Search for individuals who have an interest in information sharing and bettering the larger security community; those who develop new tools (or improve existing tools) and participate in continuous learning in their free time typically have the capability to be extremely innovative. With a well-rounded workforce and mindset, organizations can gain an edge on their competition, disproving the notion that the quality of the services delivered depends on which individual tester you get.

To be successful in the world of vulnerability management and pentesting, it’s critical that providers offer a balance between creative disruption and methodical, systematic structure. Together, both right-brained and left-brained talent and solutions result in the very best tests that help organizations stay ahead of ever-changing attack surfaces.


Make it Easy on the Development Team
https://www.netspi.com/blog/executive/application-security-testing/make-it-easy-on-the-devs/
Fri, 04 Jan 2019 07:00:08 +0000

The post Make it Easy on the Development Team appeared first on NetSPI.

Software development teams are often at odds with application security teams, specifically pentesting teams. In this post we explore why this happens and what five steps you can take to improve participation in security testing by the development team in your organization.

Conflicting Objectives

At a macro view, the objectives of software development and application security align. Organizations need software and security to operate. But at the micro level, each team has very different objectives that don’t align.

Development teams are measured on delivering functional code on time and on budget, yet development teams regularly struggle to meet release deadlines. There are various reasons as to why, some avoidable and some not. Common reasons include scope creep, scope underestimation, unforeseen roadblocks, and bad planning.

The application security team is at least partially measured on how many vulnerabilities they find. If they don’t find vulnerabilities, that means the development team did a good job, but the security team has a hard time justifying the value they provide. Security teams scrutinize applications deeply because their reputation depends on what they can find. More often than not, they succeed in doing their jobs. The vulnerabilities they find have to be fixed.

The application security testing (AST) process further increases the deadline pressure experienced by development teams. Fixing vulnerabilities takes time and delays code pushes. The outcome is a double whammy. First, the development team’s ability to deliver on time is put in jeopardy. Second, the developers feel as though their own reputations have been tarnished if their code is found to have flaws.

It’s no wonder development teams often chafe, drag their feet, or otherwise hinder the application security testing process. They submit to testing because it’s required, but they are generally not willing participants.

Evaluating Possible Solutions

Rational arguments for application security are already well understood by developers. Training and explanations do nothing to align the conflicting objectives and outcome of application security testing. Reasoning and rationale can only increase willingness so much.

Some organizations try to bake security into the software development lifecycle (SDLC). Time is allocated for application security testing between the release date and the production target. As development projects slip, security is often the first thing to be pushed out so the deadline can be met. Development teams would rather get all the features in and risk an unknown number of security flaws, hoping none exist. This reasoning leads back to the conflicting objectives.

Automation built in during the SDLC to help catch problems early can reduce the findings during a pentest. There is a diminishing return, though. More scanners will not eliminate all of the vulnerabilities found during a pentest. And this does not solve the conflicting objectives.

Five Steps to Buy-in

The best security solutions are also the most convenient. Security is often viewed as a necessary evil by those burdened by the requirements. Reducing the effort needed is the best way to improve buy-in and willingness.

Application security testing orchestration (ASTO) delivers on convenience in many ways:

Step 1

Test scheduling should be as simple as possible. Ideally, development teams should be able to self-serve: view, filter, and schedule security testing slots based on the availability of application security testing resources. This reduces the human effort needed to coordinate and schedule tests.

Software delivery dates often slip. Rescheduling pentesting at the last minute can cause a great deal of disruption to the security team. In this case, a backlog of scheduled tests can provide a buffer. For the backlog to work, scoping information for scheduled tests must be ready well ahead of time.

Step 2

Make the process of scoping security testing as seamless and convenient as possible. Your application security testing orchestration tool should track the application scope information on an ongoing basis. Annual application security tests should allow for development stakeholders to carry over prior information. Stakeholders should review and revise it prior to testing, but it’s much easier to revise than to write the entire form again.

Passing a Word document back and forth with comments and track changes gets messy and is hard to manage. Scoping questionnaires should be collaborative web interfaces where security and development can both participate. After the development team has submitted revised scoping information, the security team should review it quickly and verify it from a queue.

If any errors or discrepancies are found, communication should be easy to follow and track. Comments and markup on the scoping form are an ideal way to enable the communication flow. The web form can be mapped into a database in a standardized way and used in automated processes, which is something a Word document cannot do.

Step 3

Vulnerabilities will be found during testing. Providing full context of how to fix the vulnerabilities with high-quality remediation instructions can save the developers much time. Avoid making the developers work to figure out how to fix the problem by providing a remediation instructions library with vetted content. Sure, pentesters can write instructions, but consistency and quality will come from a standard library.

Step 4

Developers work in their own tools. Giving them a laundry-list .csv file of vulnerabilities or a static report is not going to make it easy for them. Don’t make them load the list into their tool or track it on a spreadsheet. Manual processes risk losing track of vulnerabilities and increasing developers’ workloads.

Integrate directly with the development team’s SCRUM tool. Push vulnerabilities into developers’ existing workflow, with the remediation instructions included, to save them time and effort. A bidirectional sync with the SCRUM tool also makes it much easier to track remediation.

Step 5

Retesting and verifying that vulnerabilities have been fixed should be expedient and as automated as possible. Waiting to retest for weeks or months after a developer has fixed the problem will only increase the frustration the developers feel. Some scanners can automatically verify a vulnerability has been fixed, which can be triggered based on an application security testing orchestration process. Adding retest tasks to a queue for the application security team and having a service level agreement (SLA) on the task will also ensure that the security team is following up on the fix in a timely fashion.
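The ticket cleanup point made in the DevSecOps post earlier on this page and Steps 3 through 5 here describe the same pipeline: deduplicate findings and drop known false positives before they reach developers, attach vetted remediation text from a library, push a record the tracker can consume, and hold the security team to a retest SLA. The following is an added example of that pipeline written for this page; it is not NetSPI's code and not any real orchestration tool's API. The Finding, Ticket and RetestTask shapes, the remediation library text, the tracker payload field names, and the sample findings are all constructed for illustration.

```python
"""Findings triage before ticketing (added example, hypothetical data shapes)."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed stand-in for a vetted remediation library, keyed by vulnerability class.
REMEDIATION_LIBRARY = {
    "sql_injection": "Use parameterized queries or prepared statements for all database "
                     "access; never build SQL by concatenating user input.",
    "xss": "Encode output for the HTML context it is rendered into and add a "
           "Content-Security-Policy header as defence in depth.",
}
DEFAULT_REMEDIATION = "No vetted guidance yet: pentester to supply instructions before push."


@dataclass
class Finding:
    """One raw result from a scanner or a manual test (hypothetical shape)."""
    app: str
    vuln_class: str
    location: str          # endpoint, parameter or file path
    severity: str
    source: str            # scanner name or "manual"
    false_positive: bool = False

    def fingerprint(self) -> str:
        # Same app, class and location is the same issue, whichever tool reported it.
        key = f"{self.app}|{self.vuln_class.strip().lower()}|{self.location}"
        return hashlib.sha256(key.encode()).hexdigest()[:16]


@dataclass
class Ticket:
    """One deduplicated issue ready to be pushed into the developers' tracker."""
    fingerprint: str
    app: str
    vuln_class: str
    location: str
    severity: str
    sources: List[str]
    remediation: str


@dataclass
class RetestTask:
    fingerprint: str
    fixed_at: datetime
    due: datetime
    verified: bool = False


def triage(findings: List[Finding]) -> List[Ticket]:
    """Drop marked false positives, merge duplicates, keep the worst severity, attach remediation."""
    merged: Dict[str, Ticket] = {}
    for f in findings:
        if f.false_positive:
            continue
        fp, cls = f.fingerprint(), f.vuln_class.strip().lower()
        if fp in merged:
            t = merged[fp]
            if f.source not in t.sources:
                t.sources.append(f.source)
            if SEVERITY_RANK[f.severity] < SEVERITY_RANK[t.severity]:
                t.severity = f.severity
            continue
        merged[fp] = Ticket(fp, f.app, cls, f.location, f.severity, [f.source],
                            REMEDIATION_LIBRARY.get(cls, DEFAULT_REMEDIATION))
    # Highest severity first, so the top of the developers' queue matters most.
    return sorted(merged.values(), key=lambda t: SEVERITY_RANK[t.severity])


def tracker_payload(t: Ticket) -> dict:
    """Record pushed into the SCRUM tool (hypothetical field names)."""
    return {"external_id": t.fingerprint,
            "title": f"[{t.severity.upper()}] {t.vuln_class} in {t.app} at {t.location}",
            "description": t.remediation,
            "labels": ["security", "reported-by:" + ",".join(t.sources)]}


def queue_retest(t: Ticket, fixed_at: datetime, sla_days: int = 5) -> RetestTask:
    """Developer marks the ticket fixed; the security team owes a retest within the SLA."""
    return RetestTask(t.fingerprint, fixed_at, fixed_at + timedelta(days=sla_days))


def overdue_retests(tasks: List[RetestTask], now: datetime) -> List[RetestTask]:
    return [x for x in tasks if not x.verified and x.due < now]


# Constructed sample: two scanners and a manual tester report the same injection,
# one scanner finds an XSS, and one scanner hit was already marked a false positive.
SAMPLE_FINDINGS = [
    Finding("payments-api", "sql_injection", "/api/v1/orders?id=", "high", "scanner-A"),
    Finding("payments-api", "sql_injection", "/api/v1/orders?id=", "critical", "manual"),
    Finding("payments-api", "SQL_Injection ", "/api/v1/orders?id=", "high", "scanner-B"),
    Finding("payments-api", "xss", "/search?q=", "medium", "scanner-A"),
    Finding("payments-api", "xss", "/healthz", "low", "scanner-B", false_positive=True),
]


def demo() -> dict:
    """Run the pipeline over the sample and return the results for inspection."""
    now = datetime(2024, 1, 15, 9, 0)
    tickets = triage(SAMPLE_FINDINGS)
    task = queue_retest(tickets[0], fixed_at=now)
    return {"tickets": tickets,
            "payloads": [tracker_payload(t) for t in tickets],
            "overdue_after_6_days": overdue_retests([task], now + timedelta(days=6)),
            "overdue_after_4_days": overdue_retests([task], now + timedelta(days=4))}


if __name__ == "__main__":
    for p in demo()["payloads"]:
        print(p["title"])
```

The fingerprint is what makes both deduplication and bidirectional sync work: the same issue reported by two scanners and a manual tester becomes one ticket with three sources, and the tracker's external id is stable across retests so a fix can be matched back to the original finding. The false-positive flag is honoured before anything is pushed, which is the cleanup developers notice first.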

Conclusion

While it may not be possible to entirely remove the conflict between application security and software development, it’s certainly possible to ease the inconvenience. Development teams understand the need for security. The experience is generally the problem. Improve the user experience for your developers, just like you would for any customer, and you will have a much easier time getting buy-in for the application security testing process.

