We get our final set of questions answered in the interview with Dave Kennedy, addressing DerbyCon, today’s infosec, and more security-related matters.
– DerbyCon community and the number of speakers grow. What new are you planning for DerbyCon 3.0?
– What have you learned running DerbyCon?
– That the community is just freaking awesome and the people inside of it are amazing. Our community is full of so many bright and talented people that it’s just crazy. People that haven’t spoken before, people we haven’t heard of, and people we have heard of. All coming together on one platform to share information, learn and collaborate. What I’ve learned from all of this is that the community that I’m a part of is one of some amazing folks that I learn from every day.
– You have done a presentation with Kevin Mitnick at DerbyCon, besides that, do you have any mutual projects?
– Kevin and I are good friends and do things together quite often. He’s an amazing individual with a ton of experience and history. We work well together and have a great amount of respect for one another. He’s just awesome.
– You are always so friendly and it seems you have a lot of friends – but do you have enemies?
– I’m sure there are enemies out there – I seem to get along with everyone somehow :) My personal belief is to like everyone and give them the amount of respect they deserve because we all have different experiences, different paths, different ways of thinking. That’s what makes us awesome and unique. If someone doesn’t like my opinion or something I say – I love that and hope they let me know. No one is wrong in any regard, and everyone has the right to be heard. Great people all around and I’ve been very fortunate to know some great friends and people.
– Have you ever been hacked?
– I’m sure I have. Naive to think that I’ve never been. I reload things quite frequently just out of paranoia. Try to put enough things in place to prevent or minimize the damage.
– As a pen tester, have you met an organization with super strong and effective security where all your breach attempts failed?
– Sure – but it all depends on time. I’ve been on a penetration test for a week where a customer had three IP addresses and nothing on their externally facing perimeter. Social engineering was out of scope and we had no real-world way of attacking them. It happens :)
– During your conference talks you often speak about real-world examples from your work. Could you please speak about the most ultimate / strange case from your pen testing experience?
– I think one of the greatest times I’ve had on a penetration test was recently. Doing a penetration test for a bank and we had broken in through an externally facing application. We ran into some hurdles and didn’t understand the systems, so we figured out who the administrator was for this application and called him up impersonating someone else in the company. The individual was more than happy to give us all the information and understanding we needed in order to successfully wire some money out of the company. I think whenever there’s a test between logical and the human element – it gets super exciting.
– What irritates you in infosec? What technology is missing in infosec?
– My biggest pet peeve and one that I’m passionate about is companies that are attempting to solve their security through pointed solutions and fixes. Our industry is rampant with pieces of software and hardware that just don’t work or may work a little tiny bit. Companies are spending millions on technologies that solve little to no problems of the root cause. Instead of doing hard work and building up a security program from the ground up, we are looking for shortcuts to get us there faster and completely forget about everything else. The attacks I get to use on penetration tests are these sexy zero days or some insane leet hack. It’s basic, basic, basic stuff that we don’t pay attention to. Default credentials, MS08-067, default installs, misconfigurations – stuff we should know how to fix by now.
– How successful are you in changing your customers’ security values and outlook?
– It really depends on if the customer is doing the security services for the right reason. If it’s for PCI or HIPAA or whatever, then in most cases they don’t care and just want to pass. If the company is trying to fix their security, I think the message can be put in a way that relates to their business and how to protect their assets. In that case and when you can talk business and business impact – companies typically change or at least start to get it. Some really get it and just need us to show them the way.
– You vs. China Cyber Command – how will you defend?
– The funny thing about China Cyber Command is the attacks they are using are no different than anything we’ve seen out there. Nothing highly sophisticated or zero-dayish (although they may on certain occasions). If we focus on detection, focus on layers, and focus on education of our business…I think we can successfully defend or at least minimize what happens. That takes hard work, time, budget, and a staff to do it.
– Overall, what is your number 1 protection advice?
– In order for any security program to be successful – it has to start with education and awareness. When I was a CSO of a Fortune 1000 company, I would fix people’s home computers if they brought them in. I would be troubleshooting Active Directory issues at 2AM, I would be implementing the latest patch to systems to fix a bug. I would overly communicate what we were doing, why, and how people would be impacted. I would sit there and listen to their complaints and not dismiss them and see how I could figure out a way for both solutions. You have to show people that you aren’t big brother and the reason you are doing this is out of the protection of the business and to help. When you have that sort of awareness in a company – the culture changes and security takes hold. Everything else will fall into place.