Modern Social Engineering
March 17, 2009
I’ve spent a lot of my time lately working on projects related to social engineering. Writing articles, prepping class material, and just generally having conversations and brushing up on my skills. For those that don’t already know, Chris Nickerson and I are doing a full five-day class on Social Engineering at ChicagoCon in May, and there’s much to prep for.
In preparation, and to give people a brief taste, Chris and I did a webinar last week. Check out the video for the webinar over at EH.net.
Also, since Chris leaked it already (when someone SE’d him on EH.net), I’ll post a small snippet of one afternoon of course outline here:
Determining Tests
- Types of testing
  - Direction of attacks
  - External
    - Electronic
      - Phishing
      - Client-side / browser-side exploitation
        - Metasploit
        - Core
        - By hand
      - Malicious attachments
    - Person to Person
      - Phone
      - Written
      - Social Networks/IM
      - Public Manipulation
  - Internal
    - Person to Person
      - Gaining access to physical credentials
      - Solicitation
      - Direct interaction
      - Creating spies / information leak sources
        - Methods (al mamalik, qulaam, KGB, CIA, others)
        - Trading information
      - Becoming an employee
    - Electronic
      - CD/Key drops
      - Authentication bypass
      - Key/perimeter bypass
      - Falsification of credentials
      - RFID/HID copying
Check out the webinar, and hopefully you sign up for the class.
Getting Information Security Training Right
December 17, 2008
Anybody who has talked to me in the past few years knows that one of the things that I’m most passionate about is evolving one’s career. Whether it’s the work I do with career coaching, my talks and research with Lee Kushner on infosec careers, or just my blog posts here, it’s a favorite topic of mine.
The topic of certifications goes hand in hand with career management – in fact, when Lee and I talk, one of our slides lists “What certification should I get?” as our “least favorite question”. Because we get it every time we talk to anybody.
One of the other things I’ve been doing of late is teaching classes to help people become more effective penetration testers. Penetration testing is where I started my career, and I really enjoy helping people learn those skills and develop that part of their capabilities. So, for the first few months after I left Neohapsis, I was working with one of the more well-known training organizations, and I expected to be able to make a difference.
Unfortunately, my expectations were underwhelmed. Where the organization promised “deluxe accommodations” for their students, we were booked at the Quality Inn. Where they promised “cutting-edge techniques”, the students got information and exercises that were 5 years old.
Anybody who has worked with me knows I’m a bit of a stickler for doing right by my clients. And this wasn’t right. And I was frustrated because, despite my emails to the leadership of the organization, I was seeing no improvement.
So, I was sharing this frustration with my associates over at Foreground Security (who also run The Hacker Academy). And they agreed with me. But they did it one better: they challenged me. Dave and Aaron said:
“Can you do better?”
When I told them I could, they threw down the gauntlet.
“Give it a shot. What would it need?”
After a few conversations, we came up with a few different things. First and foremost, the curriculum needs to be up to date. No more teaching stuff that is five years old and calling it “state of the art”. Exercises should be consistent with what Foreground’s team of pen-testers are seeing on real engagements on a daily basis. If tools/exploits/techniques stop being relevant, then we teach their replacements.
Second: the curriculum needs to be KEPT up to date. And so do the students. And the students need access to a quarterly update of all the things that are new. No more of the “get ‘em out the door” way of doing things – let’s ensure that every student who goes through this class is given access to continuing information that will let them stay current.
Third: Let’s give them real facilities with solid, repeatable technology and processes. And it shouldn’t matter whether they take a class from us in Orlando, DC, San Francisco or Switzerland, the experience should be the same.
And, finally: Instructors should be trained to give the same material in the same way each time.
In short, we’ll run it like a business. And we’ll treat our students the way that they deserve to be treated.
Well, Dave and Aaron liked that so much that they told me to go for it. And they put out a press release about it. Our first class with the new curriculum I’m designing is going to be in mid-January, in Orlando. Because, really… who wants to be anywhere but Florida in January?
Email me if you have questions. Or email Aaron Cohen to find out the logistics, price, signup, etc.
The Importance of Turnover
December 8, 2008
We in North America love our sports metaphors. I was reminded of that recently when I was speaking with the president of a successful and relatively forward-thinking security company, and he was telling me about his management philosophy.
“I want the people on my team to stick around. I mean, look at the New England Patriots – you think they build a dynasty with huge amounts of turnover? Nope – they kept the core of that team intact over the years.”
Well, I personally don’t agree with his stance. I have always believed that teams that stay together for too long lose the freshness and innovativeness that is required for success in these times. I heard a great quote (attributed to Tom Peters) recently:
“If the rate of change outside your organization is greater than the rate of change inside your organization, then the end is near.”
Brilliant. And true (in my experience).
But not in the opinion of my colleague. Nor, in the opinion of the New England Patriots, apparently.
But I’m a football fan as well, and something about that didn’t smell right.
So, I put together some research on the matter. And it showed exactly what I’d expect – the New England Patriots are a dynasty not because they keep their core together, but because they have built a system that manages turnover.
To summarize the research: from 2003-2008, the Patriots had approximately 33% turnover among staff and players – that is, the entire team could be expected to be replaced EVERY 3 YEARS. Yet they remained competitive during that time.
In fact, only 13 players TOTAL (3 offensive, 5 defensive, and 5 coaches) were on the team for all five of those years. (And they’re hardly “core”, unless one considers the long snapper and the running backs coach “core”). The two most important of those are Tom Brady and Bill Belichick, and even Brady’s importance has been minimized this year, given the play of Matt Cassel in the same system.
More importantly, when you look at the coaches, the turnover has all been where it would be presumed to be most important: at the top. The team has used 3 offensive coordinators and 3 defensive coordinators in those 5 years – in product development terms, that’s like switching VPs of Marketing and Engineering 3 times in 5 years.
So, I assert that the New England Patriots make my point: the reason that a company (or a football team) is successful isn’t its ability to avoid turnover, but its ability to create (esp. talent development and knowledge capture) systems and (most importantly) a culture that minimizes the impact of turnover.
Coming Soon: Security People on Video
December 4, 2008
Because what we all need is to see more of that, right?
Seriously, though – I’m working with a cool new project and I wanted to share a bit of a preview. The site is called Demos on Demand for Security. It’s sort of like a Revision3 for Security, and has brought aboard some pretty cool people as hosts. I’m not going to share all the names, but it should be obvious from the sample videos that Richard Stiennon is going to be one of the hosts. (If you’re interested in being a host or a guest, feel free to email me.)
I’m also excited to announce that I’ll be doing a regular (at least a couple of times per month) show with my favorite person in the industry to debate with – the always fun and lively Michael Santarcangelo. Sort of a Hannity and Colmes of security, so to speak. With hard-hitting (but entirely “fair and balanced”) interviews of the people in the security industry.
The first episode of that show should be up in the next few weeks, so keep watching both here, and at the DoDS site for updates.
Working hard
December 1, 2008
Over the years, I have become a big fan of football – less because of what goes on during the games as what happens behind the scenes. One need only look at the life of a professional football player or coach to understand the difference between the work ethic of someone who is a moderate success, and someone who ascends to the ultimate top of his/her field.
This has been a fantastic week for that curiosity on my part. First, there’s a great article in Sports Illustrated about the preparation that Derrick Brooks does every week. The article is reprinted here. Relevant quote:
“It may be surprising that a 10-time Pro Bowl linebacker would study players who are still three or four years from making it to the NFL. But even now, the day before he faced the Vikings, the 35-year-old Brooks settled into his den again to watch Florida quarterback Tim Tebow and running back Percy Harvin in the Gators’ rout of South Carolina. “Some people relax or get recharged by going to Europe or going to the beach,” Brooks said. “For me it’s studying young kids. The one edge I feel no one will ever have over me is the mental edge of knowing players.””
This is a guy who is a veteran and future Hall of Famer. Anybody care to guess what got him there?
Even more interesting is this week’s version of Peter King’s “Monday Morning QB” column – King breaks down the week that the Arizona Cardinals just had and exactly what the schedule was:
“From 8 p.m. to midnight, the coaches met to finish the gameplan, working on red-zone, goal-line and nickel plays. Most coaches were at the facility for 17 hours, minimum, on Monday.”
The work required to be successful at the level of NFL players should be instructive as to what it takes to be at that level in any career or job.
A Branding Exercise
October 29, 2008
I talk about it all the time: the most important thing that you must do for your career is branding your name. Your “Personal Brand” IS your career.
I happened upon an interesting thought exercise for branding when talking with Melina the other day. We were talking about her business, and I asked the following question:
“What problem do you want your clients to have when they think of your name?”
That’s an incredibly powerful way to conceive of branding. It speaks to all elements of what a brand is – what you’re an expert on, what you’re known for, and how you help your clients on a daily basis.
This is true whether you’re branding a business or developing your personal brand. Change it around for personal branding:
What problems do you want your boss/peers/colleagues to have when they think about calling you?
Job Searches and Career Management
October 27, 2008
Over at his blog today, Jason Alba posted a bunch of comparisons of Job Search and Career Management, all in the form:
Job Search is to _____ as Career Management is to _____
I figured I’d post some additional ones:
Job search is to accident as career management is to plan.
Job search is to workout as career management is to training.
Job search is to dating as career management is to marriage.
Seth Godin on Choosing A Job
October 27, 2008
Seth wrote a post recently on the importance of where you work and its effect on your career. In the post, he said:
“And yet, there are plenty of books about getting a job, but no books I know of about choosing a job.”
That’s exactly why I wrote Forget the Parachute, Let Me Fly the Plane last year. One of the most frustrating experiences I’ve gone through while coaching people on their careers is to have them accept jobs without doing the background research on the company.
So, I wrote a book about how to get a job that actually works for you.
You know, I was going to write an entire post on this… but I said it best on pg. 74 of Forget the Parachute:
“But, what about Monster? What about Craigslist?”. That damn inner skeptic again. “Shouldn’t I just type in the name of my job on the internet and apply to anybody who has it?”
No. We’re going to align you with companies first. Then, you’re going to go get the job from them. Because you’re already like them and they’re like you: if we align right, it’ll be like you already have the job. They just don’t know it yet.
“But…”, I can hear your inner skeptic saying. “That’s not how I learned it.”
Of course it’s not. Because what you learned is what everyone else does. And it’s why I had the opportunity to quote the statistic earlier that 3 in every 4 people around you are looking for a new job right now.
If you do what you’ve always done, you’ll get what you’ve always got.
Then, you do a few exercises that help you to research and find companies that fit with who you are and what you’re truly looking for.
Seth has it right in his new post: where you work matters. A lot. So spend the time figuring out whether the companies you’re looking at align with who you are and where you want to go.
ChicagoCon – Recession-proofing Your Career
October 24, 2008
So, as I mentioned in this post, I’ll be doing a breakout session next weekend at ChicagoCon. The description on the conference website is:
“Information security is one of the most difficult industries to navigate a career in. The industry is new, and the skills are ever-changing. The nature of the industry is that the biggest threats are always in the newest technologies, which means that if you’re not actively running, you’re falling behind. Not to mention that there’s no industry standard for certification, for knowledge, or even for what “security” actually is. It’s confusing at the best of times.
And this isn’t the best of times.
As the industry gets more complex and the economy tightens, a solid career plan and the skills to pull off that plan are going to become ever more important. Industry veteran and respected career speaker and coach Mike Murray will work with the attendees of ChicagoCon to discuss the fundamental skills needed, and put the audience of this breakout session through exercises that will help clarify that plan, and move forward toward their ultimate career goals.”
But I wanted to provide some deeper information for those who might be interested or want to know more.
We’re going to talk about:
- Uncovering Opportunities – Finding a job in troubled times
- Life Jackets – Keeping your head above water until you’ve found that job
- The Art of Indispensability – Making it harder for your company to let go of you
- Preparing for the Worst – Ensuring that you’re ready to go even before you get laid off
We’ll also talk about real situations that members of the audience are having, and I’ll be working with people in the class one-on-one to help them prepare themselves for whatever is going to happen next in their careers.
The Dumbest Prediction I’ve Heard in a While
October 23, 2008
I was reading Hoff’s recent post on virtualization, and I found myself needing to write a bit of a rant. I don’t usually have much to say about what Hoff writes about, because virtualization isn’t an area that I spend any time on. But in Hoff’s critique of Tarry Singh’s latest post, there was something that blew my mind.
Tarry asserts in his post that one of the good things about hackers spending time finding vulnerabilities is that (and I quote):
“Security and Compliance will be core focus of all organizations (as regulators will come knocking at your doorsteps)”
Umm… I hate to say it, but that ain’t ever gonna happen. No matter how many regulators show up on someone’s doorstep, that counts as one of the least well-thought-out predictions I’ve ever heard.
Simply put:
- McDonald’s core focus will always be on making hamburgers.
- Nike’s core focus will always be on making shoes/clothing for athletes.
- Ford’s core focus will always be on making cars.
If those organizations ever make “Security and Compliance” their core focus, they won’t have businesses anymore.
While we may think that security is important, the day that it surpasses the core focus of any business (that isn’t in the security and compliance business) is the day that that business has taken their eye off the ball. By definition.