>>I’ll tell you a story of when we were developing a product here States-side. We worked with one very gifted development team and we put all of our eggs into that basket.
They were doing great work for us but eventually, there was a business event where they left.
-------
"Business event" aka budget cuts? Benefit cuts? Change in leadership? Bad leadership?
People in the US often do not leave if things stay the status quo, managed well, and are given appropriate accolades for their performance. Absurd way to deflect blame and justify cutting fair wages
I often right click where I want to click then left click out of the right click menu. It solves my subconscious desire to click, and lets my mind accept waiting. Plus, no negative effects, like going to the wrong link :). Perhaps it might help!
A combo of in house tools for creating findings from "non-standard" tools, (standard tools being nessus, app scan, etc.) Such as pen tests, responsible disclosure, red teamings, etc. We partner with Kenna Security pretty heavily in terms of tracking and consolidating our vulnerabilities, along with remediation prioritization and strategy
Yes the ones I know do it full time as their only income AFAIK. Most do live in low cost of living areas, none of them that I know are living in places like San Fran :)
Everyone is trying to get a piece of the pie :) trickiest thing right now is defining what an "asset" truly is.
An asset could be ephemeral cloud infrastructure, an uncompiled piece of code, an API endpoint, a server, a compiled application, a third party vendor, a group of microservices, a fax machine, an employee, a filing cabinet with sensitive information, a virtually defined CI/CD pipeline, and a million other things. At what point do you cross line from paranoia to proper asset inventory, tracking, triaging, remediation, etc. How do you find commonality between all of these devices, critical infrastructure, and data?
Bonus points of trickiness, how do you manage inventory when it changes constantly like cloud, like a third party, a web app, etc. Things like certificate management get extremely dicey. Where do you cross the line between data management, asset management, etc. It's currently the most open area of IT and Cyber that there is, and no one, in my opinion, has a grip on it.
I know a few folks who do full time between things like SynAck and BugCrowd. SynAck is the ideal model in my opinion for pivoting to full time vs part time as a professional bug bounty individual, although it takes a ton of skill and hardwork. I'd say it's the exception moreso than the norm.
If you are interested in learning more about SynAck and it's model shoot me an email: [email protected] I can try and setup some contacts from their side that are working full time on platforms like it
I am referring to a CIA (confidentiality, integrity, availability) related incident. Less so the availability. If an attack was truly motivated, the web stack / application stack is not how you compromise the system. The user is how you compromise the system. Do you have proper physical security to prevent unauthorized access? Do you have proper password and 2 factor auth configured? Do you educate your employees on how to identify phishing? There are numerous other ways to compromise a system than remotely via the web or application stack :)
>>Nobody is doing anything to try reduce or manage complexity so it's only getting worse.
I disagree, I see a number of large corporations starting to standardize either 1) their entire development stack from IDE all the way to how the code is deploy 2) Reengineering entire languages to have one language be used e.g Quartz at BofA 3) at the very least, companies are starting to standardize their middleware stacks, to at least avoid the configuration related issues of having a development team managing that.
While I do agree, that the complexity of third party libraries has exploded and is increasingly difficult to manage, I'd say companies are well on their way to standardizing that, with tools like Nexus, SonaType, Blackduck, etc.
We're obviously a long ways away from being even 75% effective across the board, but to say nobody is managing the complexity is a bit short sighted :)
The biggest areas for growth for Cyber at the moment are of the not-so-sexy jobs. The asset inventory, patch management, vulnerability management, third party management, risk management, etc. If you are good at any of those and are innovating in any of those areas, you are as close to naming your own price as you can get in Cyber.
As for the most "needed" areas of Cyber, it comes down to education. Not your bachelors degree, but educating and raising awareness to your business, your IT staff, and even your development teams. It's extremely tricky to measure your return on investment, but almost always it comes down to a lack of knowledge causing one massive hole in the fence, leading to a breach.
No amount of controls will stop someone truly motivated and skilled, so you're better off raising the fence a bit higher and hoping that it deters the truly malicious.
Disclosure: I run Vulnerability Management and Assessments globally for one of the largest companies in the world, so my answer may be a bit bias :)
I think this is a bit short sighted and shows a lack of knowledge of the industry and the subject.
I know for a fact that almost every large institution of even the slightest quality is currently in full panic mode regarding their cyber posture. Look at JPMC, spending nearly 1 billion dollars a year on cyber. I know most of the other big financials are right there as well in terms of % of revenue.
In the financial industry alone, there's a huge uptick in regulatory responsibility globally for asset, vulnerability, and threat management. The SWIFT (messaging system that all major banks communicate and send money on) auditors and regulators are requiring almost all of these issues be "solved" for or having a meaningful workflow within your respective organization. Guess what happens if you don't meet it? You have a serious finding against your institution and you will struggle to do business with any of the other more mature cyber organizations that rely on SWIFT. Worse yet, when large customers request the output of these audits and findings -- if you do not comply, they will move their money. I know several of the largest financials lost massive clients and revenue due to not complying with the cyber standards set forth by SWIFT.
I know for a fact within the US the OCC (governing body for financial institutions regarding cyber) is coming down very hard on the cyber posture of a lot of the banks and is making them move faster, otherwise they face a long uphill battle to expand or make significant changes within the US.
>>1. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well known tools - what other tools are often used by pen testers ?
I think those + your typical scanners (Nessus, Nexpose, etc). One gap I know of, is proper organizational tooling. I.e how do store your results / reports / findings in an effective manner to be consumed downstream via other tooling. For us, it was a big uplift to standardize how our pen testers store and score results. We ultimately end of settling on a numeric score rather than "High" "Medium", "Low", etc and mapping back to CWE.
>>2. How is MFA beaten in today's enterprises ?
I think there are a variety of ways -- the biggest gap I've seen is improper configuration. I.e, not properly enforcing MFA on all aspects of your application. What if I steal your session and call the API to disable MFA on your account? Are all of your forms / pages / etc accounted for? Or just your home page?
>>3. Do most engagements assume one is already in the network ? If not, how does one scan (basic OSINT towards their externally facing website, but let's assume that is very secure)
There are definitely multiple levels of how tests happen in larger enterprises, we have some pivot externally to internally (both virtually externally, and physically externally, e.g getting past physical security). So it really depends on how much your budget is and your paranoia level :)
>>4. How well do pen testers know the defense side and amalgamation of so many defensive tools - how do they learn what to beat ? Is it really as simple as try to fingerprint and then look for known vulnerabilities on msf ? Or do pen testers not care if xyz enterprise is using this version of Palo Alto or a carbon black EDR etc.
Some testers come from engineering backgrounds and have deployed the tooling in the past and know a bit about it. We've even found vulnerabilities in some of the defensive tooling and products themselves. But, I've enforced the policy of not caring for my organization. Controls fail, new techniques come out, tooling becomes out dated.
We do factor defensive controls into the localized "prioritization" score for how we make developers and engineers prioritize what to fix, but ultimately, our pen testers do not care. Not to say that's the same for everyone else.
>>5. How do you keep up ? aside from Reddit
The "massive" banks have a lot of great user groups and information sharing -- personally, I keep up by constantly developing in my free time. If I'm not a great developer, then I'm not going to be great at what I do now.
>>6. any advice to future job seekers working their way into learning more infosec ?
Don't focus too much on being the most skilled hacker. Focus on the field you want to work in, and target the types of attacks and vectors that would be relevant to that area. Too many testers I interview are only focused on "look at how quickly I can place a shall on this box!" vs. talking to me about how "as a bank, you are more likely susceptible to physical attacks on ATMs and tunneling through some approved firewall rules to the core infrastructure, here's how I'd scope out some of the issues and pivot from there".
Granted my view is from more of an executive level than an actual tester these days, but I still have my share of fun finding things broken across the environment and discovering vulnerabilities and flaws :)
YMMV, but, in my experience the biggest difference between these platforms and "real world" is the amount of data available (generally). At big companies, if you were to run a red team exercise or pen test, most of the probing and data gathering you do is on confluence, open git repos, and other places of documentation. Not running nmap or sitting in the middle of two services and inspecting packets. That's not to say that more advanced testers don't employ those methods, but the reality is, the most effective way is to expose yourself to the data available in front of you.
Disclosure: I run Vulnerability Management and Assessments globally for one of the largest companies in the world
Happy to have a chat -- I run VM for a large tech company and have a lot of openings