Nabil Hannan

Nabil Hannan is a Field CISO at NetSPI. He leads the company’s advisory consulting practice, focusing on helping clients solve their cyber security assessment, and threat & vulnerability management needs. His background is around building and improving effective software security initiatives, with deep expertise in the financial services sector. He has over 15 years of experience in cyber security consulting from his tenure at Cigital/Synopsys Software Integrity Group, where he has identified, scoped, and delivered on software security projects (architectural risk analysis, penetration testing, secure code review, malicious code detection, vulnerability remediation, mobile security assessments, etc.). Nabil has also worked as a Product Manager at Research In Motion/BlackBerry and has managed several flagship initiatives and projects through the full software development life cycle.
More by Nabil Hannan
WP_Query Object
(
    [query] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "65"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "65"
                            [compare] => LIKE
                        )

                )

        )

    [query_vars] => Array
        (
            [post_type] => Array
                (
                    [0] => post
                    [1] => webinars
                )

            [posts_per_page] => -1
            [post_status] => publish
            [meta_query] => Array
                (
                    [relation] => OR
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "65"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "65"
                            [compare] => LIKE
                        )

                )

            [error] => 
            [m] => 
            [p] => 0
            [post_parent] => 
            [subpost] => 
            [subpost_id] => 
            [attachment] => 
            [attachment_id] => 0
            [name] => 
            [pagename] => 
            [page_id] => 0
            [second] => 
            [minute] => 
            [hour] => 
            [day] => 0
            [monthnum] => 0
            [year] => 0
            [w] => 0
            [category_name] => 
            [tag] => 
            [cat] => 
            [tag_id] => 
            [author] => 
            [author_name] => 
            [feed] => 
            [tb] => 
            [paged] => 0
            [meta_key] => 
            [meta_value] => 
            [preview] => 
            [s] => 
            [sentence] => 
            [title] => 
            [fields] => 
            [menu_order] => 
            [embed] => 
            [category__in] => Array
                (
                )

            [category__not_in] => Array
                (
                )

            [category__and] => Array
                (
                )

            [post__in] => Array
                (
                )

            [post__not_in] => Array
                (
                )

            [post_name__in] => Array
                (
                )

            [tag__in] => Array
                (
                )

            [tag__not_in] => Array
                (
                )

            [tag__and] => Array
                (
                )

            [tag_slug__in] => Array
                (
                )

            [tag_slug__and] => Array
                (
                )

            [post_parent__in] => Array
                (
                )

            [post_parent__not_in] => Array
                (
                )

            [author__in] => Array
                (
                )

            [author__not_in] => Array
                (
                )

            [search_columns] => Array
                (
                )

            [ignore_sticky_posts] => 
            [suppress_filters] => 
            [cache_results] => 1
            [update_post_term_cache] => 1
            [update_menu_item_cache] => 
            [lazy_load_term_meta] => 1
            [update_post_meta_cache] => 1
            [nopaging] => 1
            [comments_per_page] => 50
            [no_found_rows] => 
            [order] => DESC
        )

    [tax_query] => WP_Tax_Query Object
        (
            [queries] => Array
                (
                )

            [relation] => AND
            [table_aliases:protected] => Array
                (
                )

            [queried_terms] => Array
                (
                )

            [primary_table] => wp_posts
            [primary_id_column] => ID
        )

    [meta_query] => WP_Meta_Query Object
        (
            [queries] => Array
                (
                    [0] => Array
                        (
                            [key] => new_authors
                            [value] => "65"
                            [compare] => LIKE
                        )

                    [1] => Array
                        (
                            [key] => new_presenters
                            [value] => "65"
                            [compare] => LIKE
                        )

                    [relation] => OR
                )

            [relation] => OR
            [meta_table] => wp_postmeta
            [meta_id_column] => post_id
            [primary_table] => wp_posts
            [primary_id_column] => ID
            [table_aliases:protected] => Array
                (
                    [0] => wp_postmeta
                )

            [clauses:protected] => Array
                (
                    [wp_postmeta] => Array
                        (
                            [key] => new_authors
                            [value] => "65"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                    [wp_postmeta-1] => Array
                        (
                            [key] => new_presenters
                            [value] => "65"
                            [compare] => LIKE
                            [compare_key] => =
                            [alias] => wp_postmeta
                            [cast] => CHAR
                        )

                )

            [has_or_relation:protected] => 1
        )

    [date_query] => 
    [request] => SELECT   wp_posts.ID
					 FROM wp_posts  INNER JOIN wp_postmeta ON ( wp_posts.ID = wp_postmeta.post_id )
					 WHERE 1=1  AND ( 
  ( wp_postmeta.meta_key = 'new_authors' AND wp_postmeta.meta_value LIKE '{bfe91f9cc21f76a31b085b17ee4840a730e62cd0567eb7edd998336c4b1871a9}\"65\"{bfe91f9cc21f76a31b085b17ee4840a730e62cd0567eb7edd998336c4b1871a9}' ) 
  OR 
  ( wp_postmeta.meta_key = 'new_presenters' AND wp_postmeta.meta_value LIKE '{bfe91f9cc21f76a31b085b17ee4840a730e62cd0567eb7edd998336c4b1871a9}\"65\"{bfe91f9cc21f76a31b085b17ee4840a730e62cd0567eb7edd998336c4b1871a9}' )
) AND wp_posts.post_type IN ('post', 'webinars') AND ((wp_posts.post_status = 'publish'))
					 GROUP BY wp_posts.ID
					 ORDER BY wp_posts.post_date DESC
					 
    [posts] => Array
        (
            [0] => WP_Post Object
                (
                    [ID] => 31564
                    [post_author] => 53
                    [post_date] => 2024-02-20 09:59:20
                    [post_date_gmt] => 2024-02-20 15:59:20
                    [post_content] => 




Watch Now

Overview

Incorporating Artificial Intelligence (AI) into your business or developing your own machine learning (ML) models can be exciting! Whether you are purchasing out-of-the-box AI solutions or developing your own Large Language Models (LLMs), ensuring a secure foundation from the start is paramount — and not for the faint of heart.  

Looking for guidance on how to safely adopt generative AI? Look no further. There’s no better guiding light than other security leaders that have already experienced the process — or are going through it as we speak.  

NetSPI Field CISO, Nabil Hannan, welcomed two AI security leaders for a discussion on what they’ve learned throughout their experiences implementing Generative AI in their companies. Chris Schneider, Senior Staff Security Engineer at Google, and Tim Schulz, Distinguished Engineer, AI Red Team at Verizon, shared their perspectives on cybersecurity considerations companies should address before integrating AI into their systems and proactive measures can organizations take to avoid some of the most common cybersecurity pitfalls teams face. 

Access the on-demand webinar to hear their discussion on:  

  • Cybersecurity questions to ask before starting your AI journey  
  • Common pitfalls and challenges you can avoid 
  • Stories from security leaders on the top lessons they’ve learned   
  • Security testing approaches for AI-based systems  
  • And more! 

Key Highlights 

03:27 - AI as a misnomer 
12:22 – What to consider before implementing AI 
17:51 – Aligning AI initiatives with cybersecurity goals 
10:41 - Perspectives on community guidance 
24:35 - Cybersecurity pitfalls with Generative AI 
34:51 - Testing AI-based systems vs traditional software 
41:50 - Security testing for AI-based systems 
47:58 – Lessons learned from implementing AI 

Artificial Intelligence can be a misnomer because it implies that there’s a form of sentience behind the technology. In most cases when talking about AI, we’re talking about technology that digests large amounts of data and gives an output quickly. Can you share your perspective on the technology and how it’s named?  

Tim: Tim explains that generative AI has influenced the discourse on the essence of artificial intelligence, sparking debates over terminology. The widespread familiarity with AI, thanks to its portrayal in Hollywood and elsewhere, has led to diverse interpretations. However, he notes the existing definition fails to accommodate the nuanced discussions necessitated by technological advancements. This discrepancy poses a significant challenge. While the term "AI" is easily recognizable to the general public, the field's rapid evolution demands a reassessment of foundational definitions. Expert opinions vary, which is why discussions like these are constructive because it’s better to have diverse perspectives rather than categorizing any particular viewpoint as unpopular. 

Chris: Chris makes a case for AI being a term more widely recognized by the public compared to machine learning. The historical marketing associated with AI makes it more familiar to people and increases its appeal. However, he cautions the influence of popular media may distort factual aspects and contribute to exaggerated claims, often made by celebrities. As a scientist, he advocates for a cautious approach, emphasizing the importance of basing discussions on demonstrated capabilities and evidence from past experiences. Differing opinions can be valid if they are not sensational, such as concerns about a robot uprising, which is divergent from the field's focus on probabilistic forecasting and observed behaviors. AI is a process involving memorization, repetition, and probabilistic synthesis rather than independent intelligence or foresight. 

What are some aspects to consider before organizations start their journey to leverage AI-based technologies? Are there common pitfalls that organizations run into? 

Tim: Tim believes it’s important to assess available resources for AI adoption. AI isn’t a simplistic, plug-and-play solution. Rather it has significant infrastructure and engineering efforts necessary for seamless integration. The complexity results in a vital need to dedicate resources and adopt a comprehensive approach. Moreover, AI literacy plays a crucial role in facilitating effective communication and decision-making.  

Tim cautions against the risk of being outmaneuvered in discussions by vendors and advocates for seeking partnerships or trusted advisors to bridge knowledge gaps. The industry needs to embrace continuous learning and adaptation in response to evolving regulations and the dynamic nature of AI technology. Outsourcing can be a viable option to streamline operations for those reluctant to commit to ongoing maintenance and operational efforts. 

Are there ways organizations can ensure their AI initiatives align with their cybersecurity goals and protocols? 

Chris: Speaking as a prospective employee at Google, but not officially on behalf of Google, Chris explains one of the ways he approaches this is to use the Android AppSec Knowledgebase within Android Studio. This tool provides developers with real-time alerts regarding common errors or security risks, often accompanied by quick fixes. It’s updated with ongoing efforts to expand its functionality to encompass machine learning implementations, aligning with Google's Secure AI Framework (SAIF). The framework offers guidelines and controls to address security concerns associated with ML technologies, although it may not cover all emerging issues, prompting ongoing research and development. Chris emphasizes the adaptability of these controls to suit different organizational needs and highlights their open-source nature, allowing individuals to apply custom logic. He mentions drawing inspiration from existing literature and industry feedback, aiming to contribute positively to the community, while acknowledging the learning curve and the complexity involved. 

Do you have any perspectives on the community guidance that’s being generated? Anything you’re hoping to see in the future?  

Tim: Tim notes a significant challenge in the AI domain is the gap between widespread knowledge and expert-driven understanding. Despite the rapid advancements in AI, Tim observes a lack of comprehensive knowledge across organizations due to the sheer volume of developments.  

Community efforts have had a positive impact on sharing knowledge so far, but challenges remain in discerning quality information amidst the abundance of resources. Major tech companies like Google, Meta, and Microsoft have contributed by releasing tools and addressing AI security concerns, facilitated by recent executive orders. However, the absence of a common toolset for testing models remains a challenge. Tim commends the efforts of large players in the industry to democratize expertise but acknowledges the ongoing barrier posed by the need for specialized knowledge. Broadening discussions beyond model deployment is important to address emerging complexities in AI. 

What have you seen as some of the most common cybersecurity pitfalls that organizations have encountered when they implement AI technologies? Do you have any recommendations to avoid those? 

Tim: Tim says it’s inevitable that Generative AI will permeate organizations in various capacities, requiring heightened security measures. AI literacy is essential in understanding and safeguarding AI systems, which differs significantly from conventional web application protection.  

Notably, crafting incident response plans for AI incidents poses unique challenges, given the distinct log sources and visibility gaps inherent in AI systems. While efforts to detect issues like data poisoning are underway, they remain primarily in the research phase. Explainable AI and AI transparency is incredibly important in enhancing visibility for security teams.  

Distinguishing between regular incident response and AI incident response processes is crucial, potentially involving different teams and protocols. Dynamics are shifting within data science teams, now grappling with newfound attention and security concerns due to Generative AI. Bridging the gap between data science and cybersecurity teams requires fostering collaboration and adapting to evolving processes. Legal considerations also come into play, as compliance requirements for AI systems necessitate legal counsel involvement in decision-making processes.  

These ongoing discussions reflect the dynamic nature of AI security and underscore the need for continual adaptation and collaboration among stakeholders. The field is developing rapidly with new advancements emerging often on a daily, weekly, or even hourly basis. Drawing from personal experience, Tim emphasizes the unprecedented speed at which research transitions into practical applications and proof-of-concepts (POCs), ultimately integrating into products. This remarkable acceleration from research to productization represents an unparalleled advancement in technology maturity timelines. 

Chris: The concept of "adopt and adapt" is helpful here, noting both traditional and emerging issues with code execution. Machine learning introduces unintentional variants in input and output, posing challenges for software developers. A modified approach for machine learning has multiple stages, including pre-training and post-deployment sets. While traditional infrastructure controls may suffice, addressing non-infrastructure controls, particularly on devices, proves more challenging due to physical possession advantages. Hybrid models, such as those seen in the gaming industry, offer a viable approach, particularly for mitigating risks like piracy. He highlights the need for robust assurances in machine learning usage, especially concerning compliance and ethical considerations. 

Traditional software testing paradigms may not apply to AI-based systems that are non-deterministic. What makes testing AI-based systems unique compared to traditional software?  

Chris: Considering security aspects, the focus is on achieving security parity with current controls. However, addressing emerging threats or new capabilities in machine learning poses challenges. If existing controls prove inadequate for these scenarios, alternative approaches must be explored. For instance, the synthesis of identity presents significant concerns, as advancements in technology allow for sophisticated audio synthesis with minimal sample data requirements. This underscores the need for proactive measures to address evolving security risks. 

In security, the focus is on achieving security parity with current controls while addressing emerging threats or new capabilities in machine learning. For instance, the synthesis of identity presents significant concerns, as advancements in technology enable sophisticated audio and video synthesis, allowing for impersonation and potentially fraudulent activities. Preventing such misuse is a pressing concern, with efforts aimed at developing semantic and provable solutions to combat these challenges.  

Additionally, there's a distinction between stochastic and non-stochastic software, with an increasing emphasis on the collection of vast amounts of data without strict domain and range boundaries. This shift challenges traditional security principles, particularly the importance of authenticating data before processing it, as emphasized by Moxie Marlinspike's "Doom principle."  

Despite the widespread acceptance of indiscriminate data ingestion, there's growing recognition of the risks associated with it, such as prompt injection and astroturfing. Testing the security of systems against inconsistent behaviors and untrusted data sources has always been challenging, with approaches like utility functions proposed to address these complexities. Finding the right balance between control and innovation remains a central dilemma, with both excessive control and insufficient oversight posing risks to the integrity and reliability of systems. 

From a Red Teaming perspective, what measures should organizations take to ensure comprehensive security testing for AI-based systems? What tips or tricks have been effective in your experience that you wish you had known earlier? 

Tim: Tim explains that one of the aspects organizations need to consider is the testing phase, especially during deployment of AI-based systems like web applications integrated with language models. Understanding the intended behavior is crucial, and simulating user interactions helps in documenting various use cases accurately. Cost is another significant aspect to evaluate, as API usage can incur charges based on request/response rates. Red teaming or penetration testing should explore context length expansion tactics to avoid unforeseen financial burdens, especially when manipulating parameters to change response lengths.  

Efficient resource utilization is paramount, considering that most organizations won't deploy or train massive models due to cost constraints. Therefore, managing expenses and implementing guardrails for API usage becomes imperative. Additionally, safeguarding brand reputation is crucial, particularly for public-facing platforms, where Generative AI content could potentially lead to negative publicity if misused. Thus, a comprehensive approach to security and Red Teaming in AI systems involves addressing not only technical controls but also considering broader implications and partnering with responsible AI teams to mitigate risks effectively. 

If you could go back in time and share one lesson with your younger self that would have helped on your AI journey, what would it be? 

Chris: Synthesizing content can offer benefits, yet it entails inherent trade-offs. The ability to produce unique interactions correlates with the tolerance for risk that the business is willing to accept. This aspect is quantified by a term known as "temperature" in business jargon. Conversely, if the generated content pertains to sensitive information like payment details, it can present challenges that need careful consideration before implementation. Miguel Rodriguez's suggestion regarding pre- and post-training, as well as pre- and post-deployment phases, serves as an excellent starting point. Additionally, augmenting these phases with considerations for networking, hardware, operating systems, and application context helps fortify the threat model review process. 

Tim: Similar to what Chris mentioned, sending specific resources on honing in on lessons about neural networks could be beneficial. Overall, the key is to continue using these systems. Besides understanding the theory, interacting with the systems and trying different prompts is crucial. Experimenting with advertised hacks and cheats found online can provide insights into their effectiveness. Diversity of thought is important as it offers various approaches to exploring these systems. Therefore, focusing on experimentation and continual learning is essential for gaining knowledge in this field. 

Hear the full discussion between Nabil, Chris, and Tim by requesting the on-demand webinar using the form above or continue your AI security learning by accessing our eBook, “The CISO’s Guide to Securing AI/ML Models.” 

[wonderplugin_video iframe="https://youtu.be/LC9E44mDJEY" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => Hindsight’s 20/20: What Security Leaders Wish They Knew Before Implementing Generative AI  [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => what-to-know-before-implementing-generative-ai [to_ping] => [pinged] => [post_modified] => 2024-03-27 13:40:01 [post_modified_gmt] => 2024-03-27 18:40:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=31564 [menu_order] => 3 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [1] => WP_Post Object ( [ID] => 31424 [post_author] => 53 [post_date] => 2023-11-06 16:30:58 [post_date_gmt] => 2023-11-06 22:30:58 [post_content] =>
Watch Now

Morphing your IT defenses to bounce back better. Driving innovation quickly while maintaining IT resiliency and cybersecurity is no small challenge. Cloud outages, wobbly supply chains, ransomware attacks, and other steep challenges may limit your staff and budget. This session will cover some new innovations that will help IT clear hurdles and explain how to keep innovation and resilience afloat at the same time.

In this webinar, you will learn:

  • How cloud migration can impact security and ROI
  • What tools can help identify vulnerabilities and integrate into development workflows
  • How companies should prioritize deployment styles
  • Why the integration of security practices will impact the decision

[wonderplugin_video iframe="https://youtu.be/C9nz4N-uPak" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => Innovation & Cyber Resiliency [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => innovation-cyber-resiliency [to_ping] => [pinged] => [post_modified] => 2023-11-30 16:20:35 [post_modified_gmt] => 2023-11-30 22:20:35 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=31424 [menu_order] => 9 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [2] => WP_Post Object ( [ID] => 31485 [post_author] => 53 [post_date] => 2023-11-01 11:02:25 [post_date_gmt] => 2023-11-01 16:02:25 [post_content] =>
Watch Now

A novel 0-day vulnerability referred to as, “HTTP/2 Rapid Reset,” was reported, which abuses certain features of HTTP/2 protocol and allows for Distributed Denial of Service (DDoS) attacks at an unprecedented scale.

Hear perspectives from NetSPI Field CISO Nabil Hannan, and Security Research Engineer Isaac Clayton to get their take on the CVE and learn more about NetSPI's quick response to help security leaders with identification and remediation.

In this webinar they'll discuss:

  • What is CVE-2023-44487 and who is impacted
  • How to determine if you are vulnerable
  • Best practices for remediation
  • ASM’s role in CVE management

Read more about NetSPI's analysis of HTTP/2 Rapid Reset in this article.

[wonderplugin_video iframe="https://youtu.be/iLedcMoHmU4" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => NetSPI LinkedIn Live: HTTP/2 Rapid Reset [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => http-2-rapid-reset [to_ping] => [pinged] => [post_modified] => 2023-11-16 11:03:32 [post_modified_gmt] => 2023-11-16 17:03:32 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=31485 [menu_order] => 12 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [3] => WP_Post Object ( [ID] => 30779 [post_author] => 53 [post_date] => 2023-08-07 11:27:54 [post_date_gmt] => 2023-08-07 16:27:54 [post_content] =>

See Pentesting in Action and Learn Best Practices from the CISOs at Nuspire and NetSPI

Organizations spend millions of dollars on security controls, yet they still get breached. And often, the breach resulted from something basic like a default password or unlocked door. This is where pentesting is valuable because organizations can learn where their gaps are and remedy them before a real, costly cyberattack occurs.

In this webinar, you’ll hear from cybersecurity veterans J.R. Cunningham, CSO at Nuspire, and Nabil Hannan, Field CISO at NetSPI, who will share their pentesting stories – from the perspective of both the pentester and the organization being pentested.

They’ll cover:

  • Why pentesting is essential for any size organization
  • Pentesting examples, including social engineering, application-level issues and SQL injection
  • Overseeing pentesting from the client’s perspective, including how to manage expectations with leadership
  • How to best leverage pentesting results to fix security gaps
  • And more!

[wonderplugin_video iframe="https://youtu.be/WK8lNyjC1pA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => Offensive vs. Defensive Security: Cyber Stories from the Field [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => offensive-vs-defensive-security [to_ping] => [pinged] => [post_modified] => 2023-09-14 16:23:39 [post_modified_gmt] => 2023-09-14 21:23:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=30779 [menu_order] => 16 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [4] => WP_Post Object ( [ID] => 30693 [post_author] => 53 [post_date] => 2023-07-31 09:06:42 [post_date_gmt] => 2023-07-31 14:06:42 [post_content] =>

Entering a high stakes sports competition without a game plan is a reliable way to lose a matchup. The same applies to cybersecurity: running your business without a proactive security plan is an effective way to get breached.

But what exactly does a winning cybersecurity playbook look like? In this panel, NetSPI’s Nabil Hannan sits down with Hudl’s Robert LaMagna-Reiter and PGA Tour’s J Oliva to learn how they get proactive with security planning and share pointers on how to create a cybersecurity playbook with winning potential.

Tune in for a discussion on:

  • Mastering the Game | Incident response planning and best practices for improving detections
  • Uniting the Team | Building a collaborative environment around offense and defense
  • Playing to Win | Asset and vulnerability management trials and triumphs
  • Scoring Success | Identifying the most effective KPIs for measuring program accomplishments

Whether you’re familiar with the world of sports or not, you’ll leave this cybersecurity timeout with actionable advice from your peers, equipping you to get the lead over adversaries and secure your business like a pro.

Be sure to check out the additional resources below, which may be useful as well.

[wonderplugin_video iframe="https://youtu.be/iQqvh39-cA0" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => Get Your Head in the Game: How to Create a Winning Cybersecurity Playbook [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => get-your-head-in-the-game-cybersecurity-playbook [to_ping] => [pinged] => [post_modified] => 2023-08-29 15:23:07 [post_modified_gmt] => 2023-08-29 20:23:07 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=30693 [menu_order] => 18 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [5] => WP_Post Object ( [ID] => 30324 [post_author] => 65 [post_date] => 2023-06-13 09:00:00 [post_date_gmt] => 2023-06-13 14:00:00 [post_content] =>

In simple terms, an API (application programming interface) is a piece of software used to talk to other pieces of software. The use of APIs continues to spike with no signs of slowing down. This presents more pathways that have the potential to be exploited, especially if API security isn’t prioritized through activities such as application penetration testing. Oftentimes security for APIs isn’t part of the development phase, but rather addressed after a launch if at all. 

The growing need for securing APIs over the last five years inspired Open Web Application Security Project (OWASP) to create the API Security Top 10, a list of the top API vulnerabilities facing developers and DevSecOps today. The 2023 list was just released and concluded API1:2023 – Broken Object Level Authorization and API2:2023 - Broken Authentication have remained in the top places for security concerns since 2019, showing us more work is needed to address these core vulnerabilities. 

Knowing that more and more APIs are being used to build software, security implications need to be top of mind for all IT leaders.

API Security is the Underdog We’re All Rooting For 

Organizations require clarity on the fact that API security needs to be prioritized alongside other security domains. Traditionally, software goes through security testing as a whole, instead of testing the APIs individually. This form of testing leads to missed information and possible vulnerabilities for adversaries to take advantage of.

Typically software includes many APIs, and automated scanning tools aren’t able to provide comprehensive results. Manual testing is needed to fully understand the breadth of security implications — which is a challenge for many organizations due to time, resource, and budget constraints.

API Security versus Application Security 

API security is a subset of application security that is more challenging because APIs are harder to remember to secure, given their development process and lack of use case foreshadowing.  

When a developer is building small bits of software, like APIs, they may not be able to foreshadow how it will ultimately be used, so security can fall to the wayside. Rather, when developers build a larger software application (general applications), security professionals often automatically think of adding security controls such as authentication, input validation, or output coding. The shift that needs to happen when working with APIs is that those automatic security responses are built into the requirements to become an inherent property of the APIs.

What's the difference between Web Application Penetration Testing and API Penetration Testing? Take a look!

API Security Best Practices 

The traditional pillars of AppSec apply to making APIs more secure, such as input validation, output coding, authentication, error handling, and encryption to name a few. IT security leaders need to think of these pillars and all the different ways in which APIs can be used to build out comprehensive security controls.  

In short, organizations need to build secure development frameworks with APIs that take the security considerations out of the developers’ hands – since they often don’t possess a security-first mindset – and build security directly into the APIs themselves. 

Go back to the basics. Every CISO can benefit from this practice. Just like with general software security, if you don’t go back to the basics first, you won’t be able to mature the program. Right now, the basics are where organizations are struggling. NetSPI’s 2023 Offensive Security Vision Report had similar findings. These foundational security flaws are ever-present, and we're still challenged by the basics across attack surfaces.

Questions to Consider Before API Pentesting 

API penetration testing is conducted in a similar manner to traditional web application testing. However, there are several nuances to API pentesting that must be considered during the scoping phase. Overall consultants require engagement from API developers to ensure that testing is done thoroughly. These questions explore what is specifically needed to maximize API pentesting success – from the very beginning.

1. Production vs Staging: Is it possible to provide testers with an API staging environment? 

NetSPI recommends providing penetration testers with a staging API environment. If testing is done in staging, the testers can use more thorough and invasive/comprehensive attacks. If testing is done in production, then testers will be forced to resort to more conservative attacks to avoid negatively affecting the system and disrupting the end-users.  

2. Rate Limiting: How is rate limiting implemented on the target API? Is rate limit testing in scope for this engagement? 

By leveraging rate limiting flaws, attackers can exploit race condition bugs or rack up costly service hosting bills.  

3. WAF Disabled: Is it possible to disable the API’s WAF or allow list the penetration tester’s IP range during the testing window? 

If possible, we recommend API WAFs are disabled when testing occurs. If testing is done in production, consider allow listing your testing team’s IP range. Read more on how it adds value to API pentesting here

4. New Features: Are there any new features in scope that we should focus on? 

New features that haven’t been reviewed for security issues are more likely to be vulnerable than hardened code.  

5. Denial of Service (DoS) Testing: During the test, will DoS testing be in scope? 

Denial of Service vulnerabilities of APIs can have a catastrophic impact on software systems.  

6. Source Code Assisted Testing: Will source code be provided to consultants during the test? 

By providing source code, consultants are enabled to test applications more thoroughly without additional cost. For additional information on source code assisted penetration tests, check out our article on “Why You Should Consider a Source Code Assisted Penetration Test.” 

Due to their programmatic nature, APIs provide additional customer interaction during the scoping process. By providing testers with the information listed above, testers are able to provide maximum value during an API penetration test and maximize the return on investment. 

Prioritize API Security with NetSPI's API Penetration Testing. Get Started.

Predictions for the Future of Security API 

Going forward, we’ll likely see a software development paradigm shift over the next five years that combines features from REST and SOAP security. There is likely to be a software development paradigm where some features from each method are used to create a combined superior method – something we’re already starting to see with Adobe and Google. This combination will take security out of the hands of the developers and allow for better “secure by design” adoption. We must enable developers to innovate with confidence.

Additionally, the concept of identity and authentication is changing — we need to move away from the traditional use of usernames and passwords and two-factor authentication, which relies on humans not making any errors. The authentication workflow will shift to what companies like Apple are doing around identity management with innovations like the iOS16 passkeys, and could even impact the OWASP API Security Top 10. This will be developed through APIs. 

APIs provide incredible value with connectivity between systems. They are here to stay, making API security a much-needed focus. NetSPI’s Application Penetration Testing gives your team a proactive advantage with identifying, prioritizing, and remediating vulnerabilities in a single platform. Bring proactivity to your API security by requesting a quote today.

[post_title] => Getting Started with API Security Best Practices  [post_excerpt] => API security has become a top priority and NetSPI’s API pentesting can help you get started with API security best practices. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => get-started-with-api-security-best-practices [to_ping] => [pinged] => [post_modified] => 2023-08-29 17:56:26 [post_modified_gmt] => 2023-08-29 22:56:26 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=30324 [menu_order] => 103 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [6] => WP_Post Object ( [ID] => 29416 [post_author] => 77 [post_date] => 2023-02-09 09:00:00 [post_date_gmt] => 2023-02-09 15:00:00 [post_content] =>

On February 9, NetSPI's Nick Landers and Nabil Hannan were featured in the Digital Journal article called What Cybersecurity Risk to AI Chatbots Pose?. Read the preview below or view it online.

+++

ChatGPT is a tool from OpenAI that enables a person to type natural-language prompts. To this, ChatGPT offers conversational, if somewhat stilted, responses. The potential of this form of ‘artificial intelligence’ is, nonetheless, considerable.

Google is launching Bard A.I. in response to ChatGPT and Microsoft is following closely with an application called Redmond.

What do these tools mean for the expanding threat landscape? To find out, Digital Journal sought the opinions of two NetSPI representatives.

First is Nabil Hannan, Managing Director at NetSPI. According to Hannan businesses seeking to adopted the technology need to stand back and consider the implications: “With the likes of ChatGPT, organizations have gotten extremely excited about what’s possible when leveraging AI for identifying and understanding security issues—but there are still limitations. Even though AI can help identify and triage common security bugs faster – which will benefit security teams immensely – the need for human/manual testing will be more critical than ever as AI-based penetration testing can give organizations a false sense of security.”

Hannan adds that things can still go wrong, and that AI is not perfect. This could, if unplanned, impact on a firm’s reputation. Hannan adds: “In many cases, it may not produce the desired response or action because it is only as good as its training model, or the data used to train it. As more AI-based tools emerge, such as Google’s Bard, attackers will also start leveraging AI (more than they already do) to target organizations. Organizations need to build systems with this in mind and have an AI-based “immune system” (or something similar) in place sooner rather than later, that will take AI-based attacks and automatically learn how to protect against them through AI in real-time.”

The second commentator is Nick Landers, VP of Research at NetSPI.

Landers looks at wider developments, noting: “The news from Google and Microsoft is strong evidence of the larger shift toward commercialized AI. Machine learning (ML) and AI have been heavily used across technical disciplines for the better part of 10 years, and I don’t predict that the adoption of advanced language models will significantly change the AI/ML threat landscape in the short term – any more than it already is. Rather, the popularization of AI/ML as both a casual conversation topic and an accessible tool will prompt some threat actors to ask, “how can I use this for malicious purposes?” – if they haven’t already.”

What does this mean for cybersecurity? Landers’ view is: “The larger security concern has less to do with people using AI/ML for malicious reasons and more to do with people implementing this technology without knowing how to secure it properly.”

He adds: “In many instances, the engineers deploying these models are disregarding years of security best practices in their race to the top. Every adoption of new technology comes with a fresh attack surface and risk. In the vein of leveraging models for malicious content, we’re already starting to see tools to detect generated content – and I‘m sure similar features will be implemented by security vendors throughout the year.”

Landers concludes, offering: “In short, AI/ML will become a tool leveraged by both offensive and defensive actors, but defenders have a huge head start at present. A fresh cat-and-mouse game has already begun with models detecting other models, and I’m sure this will continue. I would urge people to focus on defense-in-depth with ML as opposed to the “malicious actors with ChatGPT AI” narrative.”

Read the article at Digital Journal!

[post_title] => Digital Journal: What Cybersecurity Risk do AI Chatbots Pose? [post_excerpt] => NetSPI's Nick Landers and Nabil Hannan shared insights on what AI tools ChatGPT and Bard A.I. and mean for the expanding threat landscape. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => digital-journal-cybersecurity-risks-ai [to_ping] => [pinged] => [post_modified] => 2023-03-10 09:02:24 [post_modified_gmt] => 2023-03-10 15:02:24 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=29416 [menu_order] => 146 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [7] => WP_Post Object ( [ID] => 28903 [post_author] => 65 [post_date] => 2022-11-23 15:48:12 [post_date_gmt] => 2022-11-23 21:48:12 [post_content] =>

On November 23, NetSPI Managing Director, Nabil Hannan, was featured in the VentureBeat article called Why API Security is a Fast-growing Threat to Data-driven Enterprises. Read the preview below or view it online.

+++

As data-driven enterprises rely heavily on their software application architecture, application programming interfaces (APIs) occupy a significant position. APIs have revolutionized the way web applications are used, as they aid communication pipelines between multiple services. Developers can integrate any modern technology with their architecture by using APIs, which is highly useful for adding features that a customer needs.  

By nature, APIs are vulnerable to exposing application logic and sensitive data such as personally identifiable information (PII), which makes them an easy target for attackers. Often available over public networks (accessible from anywhere), APIs are typically well-documented and can be quickly reverse-engineered by malicious actors. They are also susceptible to denial of service (DDoS) incidents. 

The most significant data leaks are due to faulty, vulnerable or hacked APIs, which can reveal medical, financial and personal data to the general public. In addition, various attacks can occur if an API is not secured correctly, making API security a vital aspect for data-driven businesses today.

The Future of API Security

“We’re most likely going to see a different software paradigm shift in the next five years that combines features from REST and SOAP security. I believe there will be a software development paradigm where features from each method are used to create a combined superior method,” Nabil Hannan, managing director at NetSPI, told VentureBeat. “This combination will take security out of the hands of the developers and allow for better ‘secure by design’ adoption.”

Hannan said that the concept of identity and authentication is changing, and we need to move away from usernames and passwords and two-factor authentication, which relies on humans not making any errors. 

“The authentication workflow will shift to what companies like Apple are doing around identity management with innovations like the iOS16 keychain. This will be developed through APIs in the near future,” he said.

You can read the full article at VentureBeat!

[post_title] => VentureBeat: Why API Security is a Fast-growing Threat to Data-driven Enterprises [post_excerpt] => NetSPI Managing Director, Nabil Hannan, was featured in the VentureBeat article called Why API Security is a Fast-growing Threat to Data-driven Enterprises. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => venturebeat-why-api-security-is-a-fast-growing-threat-to-data-driven-enterprises [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:02 [post_modified_gmt] => 2023-01-23 21:10:02 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28903 [menu_order] => 180 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [8] => WP_Post Object ( [ID] => 28873 [post_author] => 65 [post_date] => 2022-11-20 14:40:00 [post_date_gmt] => 2022-11-20 20:40:00 [post_content] =>

On November 20, NetSPI Managing Director, Nabil Hannan, was featured in the Datamation article called 5 Top Penetration Testing Trends in 2022. Read the preview below or view it online.

+++

Penetration testing is based on the premise that one of the best ways to safeguard the enterprise is to pretend to be a hacker and find the number of ways you can break into a business. 

The FBI uses this strategy. It often recruits criminals such as forgers and thieves who proved especially effective at crime and in thwarting the efforts of law enforcement. These former criminals become consultants who are highly skilled at spotting scams. Frank Abagnale is one of the most famous, the subject of the movie, “Catch Me If You Can”.  

Penetration testing is a formalization of this approach. A series of tools have been developed that are designed to automatically probe the network and systems for different weaknesses. 

1. Understand The External Attack Surface 

Nabil Hannan, managing director, NetSPI, has noted a greater focus on testing and understanding the external attack surface of organizations. 

Over the last two years, with the shift to working from home, businesses had to make drastic and rapid transformations in the way they operate. As a result, not only did the threat model of their business change, but the external facing attack surface of their organization evolved.

Enterprises now have assets that are exposed to the internet and are regularly changing — and these changes are occurring more rapidly with cloud-hosted systems. That’s one of the drivers behind attack surface management solutions, such as NetSPI’s ASM. They are being leveraged by organizations to continuously monitor attack surfaces and proactively identify any areas of risk in a timely manner.

“Creating and managing an accurate inventory of internet-facing assets and being able to identify potential exposures and vulnerabilities have become key focuses for many organizations,” Hannan said. 

You can read the full article at Datamation!

[post_title] => Datamation: 5 Top Penetration Testing Trends in 2022 [post_excerpt] => NetSPI Managing Director, Nabil Hannan, was featured in the Datamation article called 5 Top Penetration Testing Trends in 2022. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => datamation-5-top-penetration-testing-trends-in-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:03 [post_modified_gmt] => 2023-01-23 21:10:03 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28873 [menu_order] => 182 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [9] => WP_Post Object ( [ID] => 28375 [post_author] => 65 [post_date] => 2022-09-08 17:21:00 [post_date_gmt] => 2022-09-08 22:21:00 [post_content] =>

On September 8, NetSPI Managing Director Nabil Hannan was featured in Security Magazine's article on National Insider Threat Awareness Month 2022. Read the preview below or view it online.

+++

September is National Insider Threat Awareness Month, which emphasizes the importance of safeguarding enterprise security, national security and more by detecting, deterring and mitigating insider risk.

The risks of espionage, violence, unauthorized disclosure and unknowing insider threat actions are higher than ever; therefore, maintaining effective insider threat programs is critical to reducing any security risks and increasing operational resilience.

National Insider Threat Awareness Month is an opportunity for enterprise security, national security and all security leaders to reflect on the risks posed by insider threats and ensure that an insider threat prevention program is in place and updated continuously to reflect the evolving threat landscape.

Below, in honor of National Insider Threat Awareness Month, security leaders offer advice on how to reduce insider threat risks effectively.

Nabil Hannan, Managing Director, NetSPI:

To account for internal threats, there must be a mindset shift in what constitutes an organization’s threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under-addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. 

Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. 

So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security.

You can read the full article at Security Magazine!

[post_title] => Security Magazine: National Insider Threat Awareness Month 2022 [post_excerpt] => On September 8, NetSPI Managing Director Nabil Hannan was featured in Security Magazine's article on National Insider Threat Awareness Month 2022. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => security-magazine-national-insider-threat-awareness-month [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:16 [post_modified_gmt] => 2023-01-23 21:10:16 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28375 [menu_order] => 216 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [10] => WP_Post Object ( [ID] => 28374 [post_author] => 65 [post_date] => 2022-09-06 14:01:00 [post_date_gmt] => 2022-09-06 19:01:00 [post_content] =>

On September 6, NetSPI Managing Director Nabil Hannan was featured in VMblog's article on September is National Insider Threat Awareness Month - Experts Weigh In. Read the preview below or view it online.

+++

September marks National Insider Threat Awareness Month, a time dedicated to emphasize the importance of detecting, deterring and reporting insider threats. This began as a collaborative effort by U.S. government agencies, three years ago and has now grown to both the public and private sector. 

In honor of the month, industry experts have shared their thoughts on different strategies organizations can use to protect themselves from these threats.

Nabil Hannan, Managing Director, NetSPI 

"To account for internal threats there must be a mindset shift in what constitutes an organization's threat landscape. Most companies focus exclusively on external threats and view their own people as trustworthy. As a result, insider threats are often under addressed cybersecurity threats within organizations. We learned with SolarWinds that detecting such a threat is vastly different from traditional pen testing, code review or other vulnerability detection techniques. Security teams need to move from only looking for vulnerabilities to also looking for suspicious or malicious code. With a vulnerability, the threat actor interacts with the attack surface in a way that exploits a weakness. With malicious code, the threat actor is either choosing or creating the attack surface and functionality because they have control over the system internally. So, instead of the threat actor exploiting vulnerabilities in the attack surface, now the threat actor creates the attack surface and exercises the functionality that they implement. Failing to implement threat modeling that studies potential threats to both vulnerabilities and malicious code can set your organization up with a false sense of security."

You can read the full article at VMblog!

[post_title] => VMblog: September is National Insider Threat Awareness Month - Experts Weigh In [post_excerpt] => On September 6, NetSPI Managing Director Nabil Hannan was featured in VMblog's article on September is National Insider Threat Awareness Month - Experts Weigh In. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-national-insider-threat-awareness-month-experts-weigh-in [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:17 [post_modified_gmt] => 2023-01-23 21:10:17 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28374 [menu_order] => 219 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [11] => WP_Post Object ( [ID] => 28022 [post_author] => 65 [post_date] => 2022-07-05 08:00:00 [post_date_gmt] => 2022-07-05 13:00:00 [post_content] =>

Bolstering over 350 exhibitors and more than 190 expert sessions, Infosecurity Europe is one of the largest gatherings of cybersecurity professionals in Europe. This year, the NetSPI team made an appearance in the exhibitor hall.  

During Infosecurity Europe, NetSPI officially announced its expansion into the EMEA region. We’ve experienced growing demand from EMEA organizations, and we feel that NetSPI is well-positioned to deliver in this region. 

Aside from the hustle and bustle of the conference itself, we devoted much of our time to the exhibitor hall – where we noticed a few interesting themes. Continue reading for our three key observations from Infosecurity Europe and our conversations with the EMEA cybersecurity community. 

Automate Where Necessary 

Walking the floor, the automation message was prevalent among vendor solutions. However, in conversations with end users, the underlying message was that automation needs to serve a purpose, linked to, for example, improving cybersecurity workflows and processes. As Lalit Ahluwalia, writes in this Forbes article, the top drivers for automation include the lack of skilled workers, lack of standardization, and the expanded attack surface

It is also important to understand that technology alone should not be viewed as a “silver bullet.” There is a fundamental need to ensure that skilled humans can triage the data to ensure accurate results and that the information delivered is valuable and actionable.  

Automation should enable humans to do their job better and spend more time on the tasks that matter most (e.g., in penetration testing, looking for critical vulnerabilities that tools cannot find). For more on the importance of people in cybersecurity, read Technology Cannot Solve Our Greatest Cybersecurity Challenges, People Can

Tightening of Venture Capital Funding and Cybersecurity Budgets 

Another heavily discussed topic at Infosecurity Europe centered around funding, budgets, and priorities. 

With the onset of COVID-19, we noticed an over-expansion of cybersecurity vendors – this was evident in the exhibitor space. We attribute this partly to the rise in remote work, increased ransomware attacks in the past year, and companies’ expanding attack surfaces.  

The cause for concern? 

With the current global economic downturn, many vendor solutions are now seen as a “nice to have”, budgets are being squeezed, and end users are prioritizing their investments based on risk.  

We also had conversations with end users who felt that the whole market is becoming a “Noah’s ark” of solutions – i.e., there are a lot of solutions that have been built in the hope end users see value. We foresee not just a consolidation of the vendors in the market, but also a consolidation of the actual solutions that end users view as critical to their needs. 

The reality is that financial winds of change are blowing, whether it is customers focusing on maximising the return on their budget, or investment dollars looking for a home, there is a tightening coming. While our industry is relatively well-placed to withstand these financial pressures, the ability to build those trusted relationships with our customers and help them achieve tangible positive outcomes will be a key differentiator. 

Emphasis on Business Enablement  

It was refreshing to see many vendors focus less on fear, uncertainty, and doubt and more on business enablement and benefits to the customer.  

Understanding how technology supports initiatives that enable a company to grow is a win-win tactic in our book. This is a positive change and one that will help customers understand which products and services are vital as they mature their security programs.  

The Future of Information Security in EMEA 

There is no doubt that cybersecurity is a vital component of every business, and that was evident at the conference. We’re excited to be a part of the momentum in the EMEA region and support the global cybersecurity community through our platform driven, human delivered methodology and our focus on business enablement. 

Infosecurity Europe may be over, but that doesn’t mean our conversation has to end. Connect with NetSPI today to learn how we can meet your global offensive security needs.

[post_title] => Infosecurity Europe 2022: Observations from the ExCel [post_excerpt] => Learn about three top key observations from Infosecurity Europe you need to know and what they mean. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => infosecurity-europe-oberservations [to_ping] => [pinged] => [post_modified] => 2023-05-23 08:58:05 [post_modified_gmt] => 2023-05-23 13:58:05 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28022 [menu_order] => 245 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [12] => WP_Post Object ( [ID] => 28005 [post_author] => 65 [post_date] => 2022-06-28 08:00:00 [post_date_gmt] => 2022-06-28 13:00:00 [post_content] =>

In recent years, more organizations have adopted the “shift left” mentality. This concept moves application security testing earlier in the software development life cycle (SDLC) versus the traditional method of implementing security testing after deployment of the application.  

By shifting left, an organization can detect application vulnerabilities early and remediate them, saving time and money, and ultimately not delaying the release of the application.  

But not everything comes wrapped in a beautiful bow. In application security, I witnessed that shifting left comes with its fair share of trouble – two in fact: 

  • Overworked and understaffed teams
  • Friction between application security engineers and development teams 

During his time at Microsoft, Idan Plotnik, co-founder and CEO at Apiiro experienced these two roadblocks and created an application security testing tool that addressed both. I recently had the opportunity to sit down with him to discuss the concept of shift left and other application security challenges.  

Continue reading for highlights from our conversation including contextual pentesting, open-source security, and tips on how a business can better prepare for remote code execution vulnerabilities like Log4Shell. For more, listen to the full episode on the Agent of Influence podcast.  

Why is it important to get more context on how software has changed and apply that to pentesting? 

Idan Plotnik: One of the biggest challenges we are hearing is that organizations want to run penetests more than once throughout the development life cycle but are unsure of what and when to test. You don't want to spend valuable time on the pentester, the development team, and the application security engineer to run priority or scoping calls in every release. You want to identify the crown jewels that introduce risk to the application. You want to identify these features as early as possible and then alert your pentesting partner so they can start pentesting early on and with the right focus. 

It's a win-win situation.  

On one hand, you reduce the cost of engineers because you're not bombarding them with questions about what you've changed in the current release, when and where it is in the code, and what are the URLs for these APIs, etc.  

On the other hand, you’re reducing the costs of the pentest team because you’re allowing them to focus on the most critical assets in every release.  

Nabil Hannan: The traditional way of pentesting includes a full deep dive test on an application. Typically, the cadence we've been seeing is annual testing or annual requirements that are driven by some sort of compliance pressure or regulatory need.  

I think everybody understands why it would be valuable to test an application multiple times, and not just once a year, especially if it's going through changes multiple times in a year. 

Now, the challenge is doing these tests can often be expensive because of the human element. I think that's why I want to highlight that contextual testing allows the pentester to hone and focus only on the areas where change has occurred.  

Idan: When you move to agile, you have changes daily. You need to differentiate between changes that are not risky to the organization or to the business, versus the ones that introduce a potential risk to the business. 

It can be an API that exposes PII (Personally Identifiable Information). It can be authorization logic change. It can be a module that is responsible for transferring money in a trading system.  

These are the changes that you need to automatically identify. This is part of the technology that we developed at Apiiro to help the pentester become much more contextual and focused on the risky areas of the code. With the same budget that you have today, you can much more efficiently reduce the risks.  

Learn more about the partnership between NetSPI and Apiiro. 

Why is open-source software risk so important, and how do people need to think about it? 

Idan: You can’t look at open source as one dimension in application security. You must take into consideration the application code, the infrastructure code, the open-source code, and the cloud infrastructure that the application will eventually run on.  

We recently built the Dependency Combobulator. Dependency confusion is one of the most dangerous attack vectors today. Dependency confusion is where you’re using an internal dependency without a proper naming convention and then an attacker goes into a public package manager and uses the same name.  

When you can't reach your internal artifact repository or package manager, it will automatically fall back and access the package manager on the internet. Then, your computer will fetch or download the malicious dependency with the malicious code, which is a huge problem for organizations.  

The person who founded the dependency confusion attack suddenly receive HTTP requests from within Microsoft, Apple, Google, and other enterprises because he found some internal packages while browsing a few websites. He just wanted to play with the concept of editing the same packages with the same name to the public repository. 

This is why we need to help the community and provide them with an open-source framework that they can extend, so that they can run it from their CLI or CI/CD pipeline for every internal dependency. Contributing to the open-source community is an important initiative.  

What can organizations do to be better prepared for similar vulnerabilities to Log4Shell? 

In December 2021, Log4Shell sent security teams into a frenzy ahead of the holiday season. Idan and I discussed four simple steps organizations can take on to mitigate the next remote code execution (RCE) vulnerability, including: 

  1. Inventory. Inventory and identify where the vulnerable components are.
  2. Protection. Protect yourself or your software from being attacked and exploited by attackers from the outside.
  3. Prevention. Prevent developers from doing something or getting access to the affected software to make additional changes until you know how to deal with the critical issue.
  4. Remediation. If you do not have that initial inventory that is automated and happening systemically across your organization and all the different software that is being developed, you cannot get to this step.  

For the full conversation and additional insights on application security, listen to episode 39 of the Agent of Influence podcast.

Listen to Agent of Influence, Episode 39 with Idan Plotnik now
[post_title] => Addressing Application Security Challenges in the SDLC [post_excerpt] => Learn how Idan Plotnik, CEO of Apiiro, addresses challenges in application security and tips to help businesses protect against Log4Shell. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => application-security-challenges-sdlc [to_ping] => [pinged] => [post_modified] => 2023-04-28 13:35:01 [post_modified_gmt] => 2023-04-28 18:35:01 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28005 [menu_order] => 248 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [13] => WP_Post Object ( [ID] => 28010 [post_author] => 65 [post_date] => 2022-06-24 12:35:00 [post_date_gmt] => 2022-06-24 17:35:00 [post_content] =>

On June 24, 2022, NetSPI Managing Director Nabil Hannan published an article in Solutions Review called Four Ways to Elevate Your Penetration Testing Program. Read the preview below or view it online.

+++

Let’s set the scene. For years, organizations have undergone compliance-based penetration testing (pentesting), meaning they only audit their systems for security vulnerabilities when mandated to do so by regulatory bodies. However, this “check-the-box” mindset that’s centered around point-in-time testing is leaving organizations at risk for potential exploitation.

From August-October 2021 alone, a total of 7,064 new Common Vulnerabilities and Exposures (CVE) numbers were registered – all of which could go undetected if a business does not have an established proactive security posture.

With malicious actors continuously evolving and maturing their attack techniques, organizations must leave this outdated mindset behind and take the necessary steps to develop a comprehensive, always-on penetration testing program. Here’s a look at how this can be accomplished.

Adopt an ‘as-a-Service’ Model

Traditional pentesting programs operate under a guiding principle: organizations only need to test their assets a few times a year to protect their business from potential vulnerabilities properly. During this engagement, a pentester performs an assessment over a specified period and then provides a static report outlining all of the found vulnerabilities. While once deemed the status quo, there are many areas for inefficiencies in this traditional model.

With threats increasing, organizations must take a proactive approach to their security posture. Technology-enabled as-a-Service models overhaul traditional pentesting programs by creating always-on visibility into corporate systems. For an as-a-Service model to succeed, the engagement should allow organizations to view their testing results in real-time, orchestrate faster remediation, and perform always-on continuous testing.

This hyperfocus on transparency from both parties will drive clear communication, with the pentesters available to address any questions or concerns in real-time – instead of just providing an inactionable static report. Additionally, it allows teams to truly understand the vulnerabilities within their systems so they can begin remediation before the end of the pentesting engagement.

Lastly, when working in an as-a-Service model, pentesters can help organizations become more efficient with their security processes, as they work as an extension of the internal team and can lend their industry expertise to help strengthen their clients’ security posture.

Read the full article online here.

[post_title] => Solutions Review: Four Ways to Elevate Your Penetration Testing Program [post_excerpt] => On June 24, 2022, NetSPI Managing Director Nabil Hannan published an article in Solutions Review called Four Ways to Elevate Your Penetration Testing Program. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => endpoint-security-elevate-penetration-testing-program [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:30 [post_modified_gmt] => 2023-01-23 21:10:30 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=28010 [menu_order] => 250 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [14] => WP_Post Object ( [ID] => 27989 [post_author] => 65 [post_date] => 2022-06-21 11:44:00 [post_date_gmt] => 2022-06-21 16:44:00 [post_content] =>

On June 21, 2022, NetSPI Managing Director Nabil Hannan published this article on TechTarget called How to Address Security Risks in GPS-enabled Devices. Read the preview below or view it online.

+++

Trendy consumer gadgets are reaching the market at an expedited rate in today's world, and the next new viral product is right around the corner. While these innovations aim to make consumers' lives easier and more efficient, the rapid development of these products often creates security risks for users -- especially as hackers and malicious actors get more creative.

When commercial drones were brought to market as recreational tools in 2013, for example, consumers jumped at the chance to use them for a wide range of personal purposes, from photography to flying practice. Many security risks emerged, however, and it became clear that drones can be used maliciously to do anything from tracking and monitoring to causing physical harm and societal disruption.

GPS-enabled devices are now experiencing the same growing pains.

The Current Threat Environment

GPS-enabled devices have been on the market for a while, but consumer use has boomed in recent years. The newest device making waves is Apple's AirTag -- a small device that tracks personal items such as keys, wallets and backpacks.

With an affordable price tag, consumers have jumped at the opportunity to keep track of their belongings more easily. As adoption has grown, however, so have security and privacy concerns. Malicious actors can easily slip these devices into peoples' belongings and track them.

While the risk to consumers is clear, businesses and influential figures can also be targeted. GPS-enabled devices can be used to track day-to-day business movements and identify exploitable weak points.

Apple has remediated some of these risks by releasing a personal safety guide outlining the steps users should take if they find an unknown AirTag or suspect someone has gained access to their product. Yet these risks highlight a broader problem with GPS-enabled devices. Threat modeling in the design phase of tech development must evolve to uncover emerging security risks -- before consumers get their hands on the devices.

Read the full article online.

[post_title] => TechTarget: How to Address Security Risks in GPS-enabled Devices [post_excerpt] => On June 21, 2022, NetSPI Managing Director Nabil Hannan was featured in this TechTarget interview called How to Address Security Risks in GPS-enabled Devices. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-security-risks-gps-enabled-devices [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:31 [post_modified_gmt] => 2023-01-23 21:10:31 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27989 [menu_order] => 253 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [15] => WP_Post Object ( [ID] => 27749 [post_author] => 65 [post_date] => 2022-05-10 07:00:00 [post_date_gmt] => 2022-05-10 12:00:00 [post_content] =>

What is the typical authentication setup for personal online accounts? The username and password. 

For too long, we have depended on this legacy form of authentication to protect our personal data. As more people rely on the internet to manage their most important tasks — online banking, applying for loans, running their businesses, communicating with family, you name it — many companies and services still opt for the typical username and password authentication method, often with multi-factor authentication as an option, but not a requirement.  

To combat the sophisticated attacks of hackers today, multi-factor authentication methods must be considered the bare minimum. [For those unfamiliar with the concept, multi-factor authentication, or MFA, requires the user to validate their identity in two or more ways to gain access to an account, resource, application, etc.] Then, starting on that foundation, security leaders must consider what other identity and access management practices can they implement to better protect their customers? 

For more insights on this global challenge, we spoke with authentication expert Jason Soroko, CTO-PKI at Sectigo, during episode 40 of the Agent of Influence podcast to learn more about the future of multi-factor authentication, symmetric and asymmetric secrets, digital certificates, and more. Continue reading for highlights from our discussion or listen to the full episode, The State of Authentication and Best Practices for Digital Certificate Management

Symmetric Secrets vs. Asymmetric Secrets  

The legacy username and password authentication method no longer offers enough protection. Let’s take a deep dive into symmetric secrets and asymmetric secrets to better understand where we can improve our processes. 

Symmetric secrets are an encryption method that use one key for both encrypting and decrypting a piece of data or file. Here’s a fun anecdote that Jason shared during the podcast: “Let’s say you and I want to do business. We agree that I could show up at your door tomorrow and if I knock three times, you will know it's me. Well, somebody could have overheard us having that conversation to agree to knock three times. It’s the same thing with a username and password. That's a shared symmetric secret.” 

According to Jason, the issue with this method is that the secret had to be provisioned out to someone or, in today’s context, keyed into memory on a computer. This could be a compromised endpoint on your attack surface. Shared secrets have all kinds of issues, and you only want to utilize them in a network where the number of resources is extremely small. And we should no longer use them for human authentication methods. 

Instead, we need to shift towards asymmetric secrets.   

Asymmetric secrets, which are used to securely send data today, have two keys: private and public. The public key is used for encryption purposes only and cannot be used to decrypt the data or file. Only the private key can do that. 

The private key is never shared; it never leaves a secured place (e.g., Windows 10, Windows 11, trusted platform module (TMP), etc.) and it’s what allows the authentication to occur securely. Not only that, but asymmetric secrets don’t require the 123 steps of authentication, improving the user experience overall. The ability for a hacker to guess or steal the asymmetric secret is much more difficult because it is in a secure element, Jason explains. 

Of course, some organizations have no choice but to stick with ancient legacy systems due to financial reasons. But the opportunity here is to complement that legacy authentication method with other controls so you can enhance your authentication system. 

Pitfalls of SMS Authentication 

If you’re considering SMS authentication, I hate to be the breaker of bad news, but that doesn’t offer comprehensive protection. SMS authentication was never built to be secure, and it was never intended to be used the way it is used popularly today. Now, not only do we have the issue of people using a protocol that’s inherently insecure by design, but hackers can easily intercept authentication messages sent via SMS. 

As Jason shared on the podcast, the shocking truth is that SMS redirection is commercially available. It only costs around $16 to persuade the telecommunications company to redirect SMS messages to wherever you want them to go, which shows how easily hackers can obtain messages and data. 

Learn more about telecommunications security, read: Why the Telecoms Industry Should Retire Outdated Security Protocols. 

Three Best Practices for Managing Digital Certificates 

Even with the implementation of multi-factor authentication, how do you know if a person or a device is trustworthy to allow inside your network? 

You achieve that with digital certificates also known as public key certificates. They’re used to share public keys and verify the ownership of a public key to the person or device that owns it. 

With so many people moving to remote work, this only amplifies the number of digital certificates to authenticate each day. It’s important to manage your digital certificates effectively to mitigate the risk of adversaries trying to access your organization’s network. 

For additional reading on the security implications of remote work, check out these articles: 

To get you started toward better digital certificate management, Jason shared these three best practices: 

  1. Take inventory: Perform a proper discovery of all the certificates that you have (TLS, SSL, etc.) to gain visibility into how many you have.
  2. Investigate your certificate profiles: Take into consideration your DevOps certificates, your IoT certificates, etc., and delve into how the certificates were set up, who set them up, how long the bit-length is, and whether is it a proper non-deprecated cryptographic algorithm.
  3. Adapt to new use cases: Look towards the future to determine if you can adapt to new use cases (e.g., can this be used to authenticate BYOD devices or anything outside the Microsoft stack, how will the current cryptographic algorithms today differ in the future, what about hybrid quantum resistance, etc.). 

The Future of Multi-Factor Authentication 

As mentioned at the beginning for this article, multi-factor authentication should be considered the bare minimum, or foundation, for organizations today. For organizations still on the fence about implementing this authentication method, here are three reasons to start requiring it: 

  • A remote workforce requires advanced multi-factor authentication to verify the entities coming into your network.
  • Most cyberattacks stem from hackers stealing people’s username and password. Multi-factor authentication adds additional layers of security to prevent hackers from accessing an organization’s network.
  • Depending on which method your organization utilizes, multi-factor authentication provides a seamless login experience for employees — sometimes without the need for a username or password if using biometrics or single-use code. 

More organizations are choosing to adopt multi-factor authentication and we can only expect to see more enhancements in this area.  

According to Jason, artificial intelligence (AI) will play an important role. Take convolutional neural networks for example. This is a type of artificial neural network (AAN) used to analyze images. If we were to apply convolutional neural networks to cybersecurity, we could train it to identify malicious known binaries or patterns quickly and accurately. Of course, this is something to look forward to in the foreseeable future. 

An area we’ve certainly made much progress on, though, is the ability to use machine learning to determine malicious activity in the credit card fraud detection space. 

Multi-Factor Authentication is Only the First Step 

At a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.  

Cyberwarfare coupled with a remote workforce and government scrutiny should prompt companies everywhere to bolster their cybersecurity defenses. The authentication methods and best practices Jason Soroko shared with me on the Agent of Influence podcast are a step in the right direction toward protecting your organization, employees, and — most importantly — your customers. 

Put your IAM and authentication processes to the test against real attacker techniques. Explore NetSPI’s red team operations.
[post_title] => Multi-Factor Authentication: The Bare Minimum of IAM [post_excerpt] => Learn how protecting your organization, employees, and customers starts with multi-factor authentication. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => multi-factor-authentication-the-bare-minimum-of-iam [to_ping] => [pinged] => [post_modified] => 2023-06-12 13:40:44 [post_modified_gmt] => 2023-06-12 18:40:44 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27749 [menu_order] => 272 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [16] => WP_Post Object ( [ID] => 27746 [post_author] => 65 [post_date] => 2022-05-05 14:56:11 [post_date_gmt] => 2022-05-05 19:56:11 [post_content] =>

On May 5, 2022, Nabil Hannan was featured in the VMblog Get Expert Advice During World Password Day 2022. Preview the article below, or read the full article online.

+++

Did you know, today, May 5th, is World Password Day! The Registrar of National Day Calendar has designated the first Thursday of May of each year as World Password Day, and it is meant to promote better password habits - something we could all use, I'm sure. Passwords are critical gatekeepers to our digital identities, allowing us to access online shopping, banking, social media, private work, and life communications. 

We use a lot of online services in our daily lives. And we're constantly having to deal with the possibility of so many different types of attacks, making digital protection more and more important. So let World Password Day be a reminder and encourage people to protect themselves with a series of strong passwords.

To help get a handle on things, a number of industry security experts have chimed in to share their perspectives and opinions with VMblog readers.


--

Nabil Hannan, Managing Director, NetSPI

“World Password Day serves as a moment in time for organizations to re-evaluate password security best practices. Today, a strong authentication strategy must include policies for safe password storage, the most important aspect of password security. Additionally, at a bare minimum, every organization should start with multi-factor authentication and build from there. One-time passwords, email verification codes, or verification links are user-friendly and go a long way in effective authentication.

From a user perspective, all staff working within or alongside the organization should be required to use strong, complex passwords that follow NIST’s latest guidelines. Security leaders may also practice the principle of least privilege, where only those who need access to certain information have it. With these best practices, organizations can better bolster protection and set themselves up for success on World Password Day and beyond.”

[post_title] => VMblog: Get Expert Advice During World Password Day 2022 [post_excerpt] => On May 5, 2022, Nabil Hannan was featured in the VMblog Get Expert Advice During World Password Day 2022. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vmblog-expert-advice-world-password-day-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:39 [post_modified_gmt] => 2023-01-23 21:10:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27746 [menu_order] => 274 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [17] => WP_Post Object ( [ID] => 27699 [post_author] => 65 [post_date] => 2022-04-25 09:02:00 [post_date_gmt] => 2022-04-25 14:02:00 [post_content] =>

On April 25, 2022, Nabil Hannan was featured in the CSO article, SolarWinds breach lawsuits: 6 takeaways for CISOs. Preview the article below, or read the full article online.

+ + +

The SolarWinds compromise of 2020 had a global impact and garnered the resources of both public and private sectors in an all-hands-on-deck remediation effort. The event also had a deleterious effect on the SolarWinds stock price. These two events, were, predictably, followed by a bevy of civil lawsuits. Fast forward to late March 2022 and we have a federal court saying the suit that named SolarWinds; its vice president of security and CISO, Tim Brown; as well as two prime investor groups Silver Lake and Thoma Bravo may go forward.

As Violet Sullivan, cybersecurity and privacy attorney of client engagement at Redpoint Cybersecurity, observes, the judge finds that the plaintiffs “may have a claim, so the judge is going to hear it.” She explains, “It’s not what is being said in the order that is interesting. It’s what will be shown during the discovery process that is interesting. There will be questions in this suit including: Will the forensic reports be available during the discovery or covered by attorney-client privilege?”

Resource Cybersecurity According to Risk

CISOs are uniquely positioned to provide insight on the threat landscape to business operations and together create the appropriate risk management plan. I recently mentioned how cybersecurity is often something companies get around to. The SolarWinds cyberattack and the resultant civil lawsuits are demonstrating the need for the well-documented investment in cybersecurity must be at the forefront.

The managing director of NetSPI, Nabil Hannan, says, “Internal threats are still a lingering and often under-addressed cybersecurity threat within organizations, especially when compared to the resources applied toward external threats. But, with buy-in from an organization's leadership team, CISOs can have the resources needed to develop a proactive and ongoing threat detection governance program.”

Those who hesitate may find themselves playing catch up as they are spurred along by the new U.S. Securities and Exchange Commission initiative on the need for publicly sharing information security breach information within four days of discovery that the breach is material will affect direct change. Similarly, the SEC’s desire to have companies describe how they address cybersecurity will drive greater transparency within many companies. This SEC effort will pull infosec out of the back room and to the forefront, like policies, procedures, resourcing, and expertise will be on full display via the required SEC filings.

[post_title] => CSO: SolarWinds breach lawsuits: 6 takeaways for CISOs [post_excerpt] => On April 25, 2022, Nabil Hannan was featured in the CSO article, SolarWinds breach lawsuits: 6 takeaways for CISOs. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => cso-solarwinds-breach-lawsuits-6-takeaways-for-cisos [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:41 [post_modified_gmt] => 2023-01-23 21:10:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27699 [menu_order] => 280 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [18] => WP_Post Object ( [ID] => 27600 [post_author] => 65 [post_date] => 2022-04-12 07:00:00 [post_date_gmt] => 2022-04-12 12:00:00 [post_content] =>

In application security, DevOps, and DevSecOps, “shift left” is a guiding principle for how organizations should implement security practices into the development process. For this reason, today’s application security testing tools and technologies are built to facilitate a shift left approach, but the term has taken on a new meaning compared to when it first entered the scene years ago.

Over the past decade, software development has drastically changed with the proliferation of impactful technology, such as APIs and open-source code. However, shift left has remained a North Star for organizations seeking to improve application security. Its meaning has become more nuanced for those attempting to achieve a mature application security framework.

I recently sat down with Maty Siman, Founder and CTO at Checkmarx on our Agent of Influence podcast to discuss application security and the concept of shift left. You can listen to the full episode here. Let’s explore four highlights from the discussion:

The “Lego-ization” of Software 

In the past, developers would build their solutions from the ground up, developing unique libraries to carry out any desired functionality within an application. Today, developers leverage a wide range of tools and technologies, such as web services, open-source code, third party solutions and more, creating software that is ultimately composed of a variety of different components.

As Maty alluded to during the Agent of Influence podcast, many in the industry have referred to this practice as the “lego-ization” of software, piecing together different premade, standardized Lego blocks to form a unique, sound structure.

While both traditional and modern, lego-ized methods are forms of software development, they demand a different set of expertise. This is where mature application security frameworks become invaluable. Maty explains that today’s developers are often working around the clock to keep up with the pace of digital transformation; they cannot just focus on code for vulnerabilities. They must also look at how the different components are connected and how they communicate with one another.

Each connection point between these components represents a potential attack surface that must be secured – but addressing this can also become a source of friction and perceived inconvenience for developers.  

The Impact of Today’s Open Source and API Proliferation 

The recent proliferation of software supply chain security threats has made the situation even more complex and dire for software developers, as malicious actors look to sneak malicious code into software as it’s being built.

As Siman explains during our podcast conversation, open source code makes up anywhere from 80 to 90 percent of modern applications. Still, developers are pulling these resources from a site like GitHub often without checking to see if the developer who created the package is trustworthy. This further exacerbates the security risk posed by the lego-ized development practices we see today, Maty warns.

Additionally, in recent years, there has been an explosive growth in the usage of APIs in software development. Organizations now leverage thousands of APIs to manage both internal and external processes but have not paid enough attention to the challenge of securing these deployments, according to Maty.

However, efforts have been made to set organizations on the right path in securing APIs, such as the OWASP API Security Project – but there is still a lot of work to be done. Check out the OWASP API Top 10 list, co-written by Checkmarx’s Vice President of Security Research, Erez Yalon.

Read: AppSec Experts React to the OWASP Top 10 2021

Many organizations are not aware of which or how many APIs their services take advantage of, which presents an obstacle towards securing them. As a result, Maty explains that the concept of a “software bill of materials,” or SBOM, is beginning to take shape as organizations seek to better understand the task at hand.

With APIs quickly becoming a favored attack vector for cybercriminals, the importance of developers getting a handle on API security cannot be overstated, which is especially crucial for application penetration testing. Simultaneously, the task is an immense one that many developers see as a headache or hindrance to their main goal, which is to deliver new software as quickly as possible. 

Shifting Left in an Evolving Application Development Landscape  

While the trends outlined above certainly present significant challenges when it comes to application security, they are not insurmountable. Maty advises that organizations can and should implement certain changes in their approach to application security to better support developers with appropriate application security testing tools and other resources.

One of the main issues organizations face in modern application security testing, including application penetration testing or secure code review, lies in the effort to shift left. Shift left is sometimes seen as a source of friction in the developer community. It is about finding and managing vulnerabilities as early as possible, which has only become more difficult and complex as development has evolved.

Read: Shifting Left to Move Forward: Five Steps for Building an Effective Secure Code Review Program

The amount of innovation in software development and implementation means that shifting as far left as possible is not always feasible or even the best approach. While detecting vulnerabilities in code as early as possible is a priority in application security, attempting to force developers to do so too early in the development process can exhaust developers and slow software delivery, as Maty advises.

For example, the use of integrated development environment (IDE) plugins can often make developers feel hindered and nagged by security rather than empowered by it. While they represent a shift to the extreme left in terms of security, they are not always a good idea to impose on developers.

No Right Way to Shift Left in Application Security 

Ultimately, the proper way to shift left is going to vary across organizations, depending on the software they are building and what is going into it. It is paramount to take a tailored approach that balances the security responsibilities placed on developers with the need to maintain agility and deliver software quickly.

Application development has changed significantly, and we can expect it to continue to change in the coming years. Creating and maintaining a mature application security framework will depend on maintaining a proper understanding of the tools and technologies developers are using and adjusting the organizational approach to application security accordingly.

For more, listen to episode 32 of Agent of Influence with Maty of Checkmarx:

For more, listen to episode 32 of Agent of Influence with Maty of Checkmarx: “Shift Left, But Not Too Left”: A Conversation on AppSec and Development Trends.
[post_title] => Application Security: Shifting Left to the Right Degree [post_excerpt] => Read application security best practices from our cybersecurity podcast discussion with Maty Siman, CTO at Checkmarx. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => shift-left-secure-software [to_ping] => [pinged] => [post_modified] => 2023-04-07 09:17:27 [post_modified_gmt] => 2023-04-07 14:17:27 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27600 [menu_order] => 284 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [19] => WP_Post Object ( [ID] => 27514 [post_author] => 65 [post_date] => 2022-03-11 13:44:00 [post_date_gmt] => 2022-03-11 19:44:00 [post_content] =>

On March 11, 2022, Nabil Hannan guest authored a TechTarget article titled, How to Build a Security Champions Program. Preview the article below, or read the full article online here.

+ + +

Application security is more important than ever, as apps remain one of the most common attack vectors for external breaches. Forrester's latest "State of Application Security" report stated organizations are starting to recognize the importance of application security, and many have started embedding security practices more tightly into their development stages — a big step in the right direction.

It's important to understand, however, that building a world-class application security program can't happen overnight. A great deal of foundational work must be done before an organization can achieve results, including sharpening security processes around the software development lifecycle (SDLC) to identify, track and remediate vulnerabilities more efficiently. These efforts will eventually bring organizations to a high level of maturity.

Adoption of security in the SDLC is often lacking in many organizations. The answer to this problem lies within an organization's employee population. Companies should establish a security champions program, where certain employees are elected as security advocates and drivers of change.

To create a strong cybersecurity culture, security champions should be embedded throughout an entire organization. These individuals should have an above-average level of security interest or skill, with the goal of ultimately evangelizing and accelerating the adoption of a security-first culture — not only through software and application development, but throughout the organization.

Developing a security champions program doesn't need to be complicated. This four-step process helps organizations establish their program with ease.

Continue reading How to Build a Security Champions Program on TechTarget.

[post_title] => TechTarget: How to Build a Security Champions Program [post_excerpt] => On March 11, 2022, Nabil Hannan guest authored a TechTarget article titled, How to Build a Security Champions Program. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-build-security-champions-program [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:49 [post_modified_gmt] => 2023-01-23 21:10:49 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27514 [menu_order] => 297 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [20] => WP_Post Object ( [ID] => 27447 [post_author] => 65 [post_date] => 2022-03-08 07:00:00 [post_date_gmt] => 2022-03-08 13:00:00 [post_content] =>

The Federal Communications Commission (FCC) recently announced its proposal to update data breach laws for telecom carriers.

A key change in the proposal? Eliminating the seven-business-day waiting period required of businesses before notifying customers of a breach.  

Although the proposed FCC change would allow companies to address and mitigate breaches more quickly, it does not solve the greater issue at hand: The sensitive data collected by the telecoms industry is constantly at risk of being exploited by malicious actors.  

The Telecoms Threat Environment 

Protecting data within the telecoms industry is instrumental in ensuring customer privacy and safety.  

When telecom companies experience a data breach, hackers often target customer proprietary network information (CPNI) – “some of the most sensitive personal information that carriers and providers have about their customers,” according to the FCC. This includes call logs, billing account information, as well as the customer’s name, phone number, and more.  

In August 2021, T-Mobile suffered the largest carrier breach on record, with over 50 million current and former customers affected.  

To protect customers from further breaches, the telecoms industry must deploy configurations securely, enable end-to-end encryption, and return to security basics by enabling automation in vulnerability discovery and penetration testing.  

Misconfiguration Risk 

Networks, specifically telecommunications channels, continue to increase in complexity, causing an increased risk for misconfigured interfaces within organizations.  

From these misconfigurations, attackers can stitch together multiple weaknesses and pivot from one system to another across multiple organizations.  

In October 2021, LightBasin, a hacking group with ties to China, compromised telecom companies around the world. LightBasin used multiple tools and malware to exploit weaknesses in systems that were configured with overly permissive settings and neglected to follow the principle of least privilege.  

These hacking tactics are not unique. Had the telecoms industry instituted the proper channels for alerting and blocking on common attack patterns and known tactics, techniques, and procedures (TTPs) that attackers use widely they may have been able to prevent the LightBasin attack.  

Additionally, to protect against future attacks and data breaches, industries should build proper standards and automation to ensure that configurations are deployed securely and consistently monitored.  

The Need for End-to-End Encryption 

Enabling end-to-end encryption within mobile communication networks could help to combat some of the lateral movement strategies used by LightBasin and similar hacker groups.  

This lateral movement within telecommunications networks can be challenging for the industry to address for multiple reasons. The overarching issue? Telecommunications systems were not originally developed with security in mind and are not secure by design.  

The telecoms systems have flaws that cannot be fixed without major architectural changes and these systems have evolved to be utilized in a way that’s outside of the original creators’ intent.  

In particular, these mobile communications networks were not built with a quality of service guarantee or any type of end-to-end encryption to ensure that users’ data is not exposed while in transit.  

WhatsApp, for example, uses the Signal protocol to asymmetrically encrypt messages between users. The encrypted messages then get transmitted the via a WhatsApp facilitated server.  

This ensures that only the intended recipient can decrypt the message and others who attempt to do so will fail. Legacy telecoms players should adopt a similar approach for added protection to users’ communications.  

While end-to-end encryption can protect against lateral movement strategies, this does not mean the security is infallible. Just because the communication channel is secure doesn’t ensure application security. Users are still vulnerable to social engineering attacks, malware, and, as in WhatsApp’s case, the app itself may be vulnerable.  

To truly secure user data, the telecoms industry security must invest in holistic security strategies including application security testing.  

For more on end-to-end encryption, read Why Do People Confuse “End-to-End Encryption” with “Security”? 

Collaboration and Coordination 

As the telecoms industry begins to prioritize security, organizations harnessing the networks must also prioritize security.  

This includes ensuring multi-factor authentication between users and systems, the principle of least privilege, or even proper input validation and output encoding.  

In tandem, the telecoms industry should strive to build automated vulnerability management processes where possible. This ensure continuous checks and balances are in place to secure all deployed systems – both at the software and infrastructure levels.  

Where hackers have only become more sophisticated in the technology and methods used to acquire data, the telecoms industry has neglected to keep up.  

Currently, messages and calls can be spoofed, data is not encrypted while in transit, and the quality of service and protection is not guaranteed. We have adopted a network with inherent flaws in its design from a security perspective, and these systems are used by billions of people across the globe.  

The change in FCC guidelines mark significant progress. Given the current threat environment, security efforts in the telecoms industry must be prioritized to ensure billions of people and their data are protected. 

Learn more about the benefits of vulnerability management for the telecoms industry in our case study with a fast-growing provider.
[post_title] => Why the Telecoms Industry Should Retire Outdated Security Protocols [post_excerpt] => Learn how the telecommunications industry can invest in end-to-end encryption to secure user data and prevent breaches. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => why-telecoms-should-retire-outdated-security-protocols [to_ping] => [pinged] => [post_modified] => 2023-06-12 13:46:44 [post_modified_gmt] => 2023-06-12 18:46:44 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27447 [menu_order] => 299 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [21] => WP_Post Object ( [ID] => 27392 [post_author] => 65 [post_date] => 2022-02-18 18:00:00 [post_date_gmt] => 2022-02-19 00:00:00 [post_content] =>

On February 18, 2022, Nabil Hannan was featured in a LifeWire article titled, Why Unwanted Tracking Is on the Rise. Preview the article below, or read the full article online here.

+ + +

It's never been easier to track your possessions thanks to gadgets like Apple AirTags, but they also contribute to a growing privacy problem.

Apple recently said it would improve AirTag safeguards after reports of people being tracked surreptitiously using AirTags. However, some experts say Apple's efforts won't be sufficient to protect users.

"Even with the personal safety guide released by Apple, consumers are still subject to increased risks, as it only gives consumers some tools to use if they suspect their device has been compromised," Nabil Hannan, managing director at cybersecurity firm NetSPI, told Lifewire in an email interview.

AirTags or CreepTags?

AirTags send out Bluetooth signals that nearby Apple devices can detect. Many people have claimed they've been tracked by people using AirTags without their knowledge.

[post_title] => Lifewire: Why Unwanted Tracking Is on the Rise [post_excerpt] => On February 18, 2022, Nabil Hannan was featured in a LifeWire article titled, Why Unwanted Tracking Is on the Rise. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => lifewire-why-unwanted-tracking-is-on-the-rise [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:53 [post_modified_gmt] => 2023-01-23 21:10:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27392 [menu_order] => 307 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [22] => WP_Post Object ( [ID] => 27381 [post_author] => 65 [post_date] => 2022-02-15 04:00:00 [post_date_gmt] => 2022-02-15 10:00:00 [post_content] =>

On February 15, 2022, Nabil Hannan was featured in a TechNewsWorld article titled, 49ers Blitzed by Ransomware. Preview the article below, or read the full article online here.

+ + +

While their downstate rivals the Los Angeles Rams were busy winning Super Bowl LVI, the San Francisco 49ers were being clipped in a ransomware attack.

News of the attack was reported by the Associated Press after cybercriminals posted documents to the dark web that they claimed were stolen from the NFL franchise.

In a public statement obtained by TechNewsWorld, the team noted: “We recently became aware of a network security incident that resulted in temporary disruption to certain systems on our corporate IT network.”

Looking for Street Cred

Nabil Hannan, managing director at NetSPI, a penetration testing company in Minneapolis, maintained that it’s unusual for a ransomware gang to post exfiltrated data on the web without making any ransom demands.

“I would assume this is due to the fact that they weren’t able to hold any critical systems hostage,” he told TechNewsWorld.

“The gang may have been able to encrypt/steal some files or systems that were categorized as non-critical, but they likely knew that they wouldn’t be able to receive any ransom payout for such information,” he surmised.

“Most likely this was an act to get ‘street creds’ and pose that they were able to steal information from such a high profile organization to show their reach and ability to break into any system,” he said.

[post_title] => TechNewsWorld: 49ers Blitzed by Ransomware [post_excerpt] => On February 15, 2022, Nabil Hannan was featured in a TechNewsWorld article titled, 49ers Blitzed by Ransomware. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => technewsworld-49ers-blitzed-by-ransomware [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:53 [post_modified_gmt] => 2023-01-23 21:10:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27381 [menu_order] => 309 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [23] => WP_Post Object ( [ID] => 27276 [post_author] => 65 [post_date] => 2022-02-01 16:12:33 [post_date_gmt] => 2022-02-01 22:12:33 [post_content] =>

While in the Kingdom of Saudi Arabia for the @Hack cybersecurity conference, we noticed a disconnect in the understanding of penetration testing. Many of the people we spoke with assumed pentesting and bug bounty programs were one and the same.

Spoiler alert: that assumption is incorrect. While they share a similar goal, pentesting services and bug bounties vary in impact and value.

In an effort to demystify the two vulnerability discovery activities, in this blog we will cover how each are used in practice, key differences, and explain the risks associated with solely relying on bug bounties.

What is a Bug Bounty Program?

Simply put, a bug bounty program consists of ethical hackers exchanging critical vulnerabilities, or bugs, for recognition and compensation. 

The parameters of a bug bounty program may vary from organization to organization. Some may scope out specific applications or networks to test and some may opt for a “free-for-all" approach. Regardless of the parameters, the process remains the same. A hacker finds a vulnerability, shares it with the organization, then, once validated, the organization pays out a bounty to the hacker. 

For a critical vulnerability finding, the average payout rose to $3,000 in 2021. Bounty payments have come a long way since 2013’s ‘t-shirt gate,’ where Yahoo offered hackers a $12.50 company store credit for finding a number of XSS (cross-site scripting) vulnerabilities – yikes.

What is Penetration Testing?

Penetration testing is an offensive security activity in which a team of pentesters, or ethical hackers, are hired to discover and verify vulnerabilities. Pentesters simulate the actions of a skilled adversary to gain privileged access to an IT system or application, such as cloud platforms, IoT devices, mobile applications, and everything in between. 

Pentesting also helps organizations meet security testing requirements set by regulatory bodies and industry standards such as PCI and HIPAA.

Pentesters use a combination of automated vulnerability discovery and manual penetration testing techniques. They work collaboratively to discover and report all vulnerability findings and help organizations with remediation prioritization. Pentesting partners like NetSPI work collaboratively with in-house security teams and are often viewed and treated as an extension of that team.

Penetration testing has evolved dramatically over the past five years with the emergence of penetration testing as a service (PTaaS). PTaaS enables more frequent, transparent, and collaborative testing. It streamlines vulnerability management and introduces interactive, real-time reporting. 

As an industry, we’ve shifted away from traditional pentesting where testers operate behind-the-curtain, then deliver a long PDF list of vulnerabilities for security teams to tackle on their own.

What is Penetration Testing?
For a more detailed definition, how it works, and criteria for selecting your penetration testing partner, read our guide.

6 Core Differences Between Pentesting and Bug Bounties

So, what are the greatest differences between pentesting and bug bounties? Let’s break it down into six components: personnel, payment, vulnerabilities, methodology, time, and strategy.

Personnel

Pentesters are typically full-time employees that have been vetted and onboarded to provide consistent results. They often work collaboratively as a team, rather than relying on a single tester. 

Bug bounty hackers operate as independent contractors and are typically crowdsourced from across the globe. Working with crowdsourced hackers can open the door to risk, given you cannot be 100% confident in their intentions and motives. 

Will they sell the intel they gather to a malicious party for additional compensation? Will they insert malicious code during a test? With full-time employees, there are additional guardrails and accountability to ensure the hacking is performed ethically.

Payment

With penetration testing vendors, the payment model can vary. Cost is often influenced by the size of the organization, the complexity of the system or application, vendor experience, the scope, depth, and breadth of the test, among other factors. 

With a bug bounty program, the more severe the vulnerability, the more money a bug bounty hunter makes. Keep in mind that negotiation of the bounty payment is very common with bug bounty programs, so it is important to factor in the time and resources to manage those discussions.

Additionally, one cause for concern with bug bounty payments is that instead of reporting vulnerabilities as they are found, it’s common for hackers to hold on to the most severe vulnerabilities for greater payout and recognition during a bug bounty tournament. 

Vulnerabilities

Because of the pay-per-vulnerability model bug bounty programs follow, it’s no surprise that many are focused solely on finding the highest severity vulnerabilities over the medium and low criticality ones. However, when chained together, lower severity vulnerabilities can expose an organization to significant risk.

This is a gap that penetration testing fills. Penetration testers chain together seemingly low-risk events to verify which vulnerabilities enable unauthorized access. Pentesters do prioritize critical vulnerabilities, but they also examine all vulnerabilities with a business context lens and communicate the risk each could pose to operations if exploited.

Vulnerability findings aside, there are also key differences in how the results are delivered. With bug bounties, it’s up to the person who found the vulnerability to decide when to disclose the flaw to the program – or save it for a tournament as mentioned above, or even disclose it publicly without consent.

Modern penetration testing companies like NetSPI operate transparently and report findings in real time as they are discovered. Plus, pentesters validate and retest to confirm the vulnerability exists, evaluate the risk it poses, and determine if it was fixed effectively.

Methodology

The greatest difference in the testing methodology of bug bounty programs and penetration testing services is consistency.

From our discussions with security leaders, the biggest challenge they face with bug bounty programs is that service, quality, project management, and other key methodology factors often lack consistency. Notably, the pool of independent contractors varies across experience and expertise. And the level of effort diminishes as rewarding, critical vulnerabilities are found and researchers move on to opportunities with greater opportunity for compensation.

Penetration testing is more methodical in nature. Testers follow robust checklists to ensure consistency in the testing process and make certain that they are not missing any notable gaps in coverage. They also hold each other accountable by working on teams. At NetSPI, our pentesters use the workbench in our Resolve PTaaS technology platform to collaborate and maintain consistency.

For any organization that has legal, regulatory, or contractual obligations for a robust security testing bug bounties simply cannot meet those requirements. Bug bounty programs are opportunistic. There is no assurance of full coverage testing as they do not adhere to defined methodology or checklists to ensure consistency from assessor to assessor, or assessment to assessment. Some bug bounties can use checklists upon request – for a hefty added cost.

Time

While bug bounty programs are evergreen and always-on, traditional penetration testing has been limited by time-boxed assessments.

To address this, first and foremost we recommend organizations provide their pentesting team with access to source code or perform a threat modeling assessment to equip their team with information a malicious hacker could gain access to in the wild. This allows pentesters to accurately emulate real attackers and spend more time finding business critical vulnerabilities.

The pentesting industry is rapidly evolving and is becoming more continuous, thanks to the PTaaS delivery model and attack surface management. Gone are the days of annual pentests that check a compliance box. We see a huge opportunity for integration with attack surface management capabilities to truly offer continuous testing of external assets.

Strategy

Penetration testing is a strategic security activity. On the other hand, bug bounty programs are very tactical and transactional: find a vulnerability, report it, get paid for it, then move on to the next hunt.

As noted earlier, penetration testing is often viewed as an extension of an internal security team and collaborates closely with defensive teams. You can also find pentesting partners that offer strategic program maturity advisory services. Because of this, pentesters deeply understand the systems, networks, applications, etc. and can assess them holistically. This is particularly beneficial for complex systems and large organizations with massive technology ecosystems.

Furthermore, strategic partnerships between penetration testing vendors and their partners lead to a greater level of trust, institutional knowledge, and free information exchange. In other words, when you work with a team of penetration testers on an ongoing basis, their ability to understand the mechanics of your company and its technologies lends itself to discovering both a greater number and higher quality of vulnerabilities.

Final Thoughts

The way penetration testing has and continues to evolve fills many of the gaps left by bug bounty programs. There is certainly room for both bug bounty programs and penetration testing in the security sector – in many cases the services complement one another. However, it is important to understand the implications and risks associated when deciding where to focus your efforts and budget. 

[post_title] => Penetration Testing Services vs. Bug Bounty Programs [post_excerpt] => What are the greatest differences between pentesting and bug bounties? We break it down into six components: personnel, payment, vulnerabilities, methodology, time, and strategy. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => penetration-testing-services-versus-bug-bounty [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:52:04 [post_modified_gmt] => 2023-08-22 14:52:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27276 [menu_order] => 311 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [24] => WP_Post Object ( [ID] => 27280 [post_author] => 65 [post_date] => 2022-02-01 07:00:00 [post_date_gmt] => 2022-02-01 13:00:00 [post_content] =>

On February 1, 2022, Nabil Hannan was featured in SHRM's article on the UKG ransomware attack. Preview the article below, or read the full article online here

+ + +

Along ordeal for customers of Ultimate Kronos Group (UKG) is nearing an end. The vendor has restored its time-keeping and payroll services after a ransomware attack disrupted the lives of thousands of HR professionals and employees alike.

But experts say fallout from the attack will continue, given that some customer data was stolen, companies will have to transition manual records back into UKG systems and shaken clients are questioning their future with the vendor.

In a public update on Jan. 22, UKG said it had restored core time, scheduling and payroll capabilities to all customers impacted by the ransomware attack on its Kronos Private Cloud system. The statement said UKG is now focused on the "restoration of supplemental features and nonproduction environments" and is offering video-based recovery guides to help customers reconcile their data.

The outage—which lasted more than a month for many UKG clients—forced thousands of organizations to scramble to create manual workarounds. It happened during a particularly challenging time of year; employers had to find ways to pay workers holiday pay and overtime as employees worked extra shifts to cover staff shortages caused by the omicron variant of the coronavirus and ongoing resignations.

UKG and companies using its services may be facing legal action. "Unfortunately, some customer data was stolen in the attacks and that creates a secondary concern for UKG and its clients," said Allie Mellen, a security and risk analyst with research and advisory firm Forrester. UKG confirmed in its latest public statement that the personal data of at least two of its customers had been "exfiltrated" or breached.

.....

Cautionary Tale for HR Tech Vendors

HR technology analysts say vendors and their clients should brace themselves for similar attacks as more hackers train their sights on sensitive employee data rather than customer data.

"The reality is we're going to see more of these attacks," said Trevor White, a research manager specializing in HCM technologies with Nucleus Research in Boston. "The question for HR vendors is how they'll limit disruption to their customers as they go about solving problems related to ransomware and other cyberattacks. Unless you pay the ransom, these things can take weeks to solve."

Nabil Hannan, managing director for NetSPI, an enterprise security testing and vulnerability management firm in Minneapolis, said too many organizations still focus on protecting customer data at the expense of securing employee data.

"Hackers are getting more creative and focusing more of their efforts on finding ways to lock up systems that on their face may not seem as critical but that have far-reaching impacts, like HR data," Hannan said.

[post_title] => SHRM: Concerns Linger Following UKG Ransomware Attack [post_excerpt] => On February 1, 2022, Nabil Hannan was featured in SHRM's article on the UKG ransomware attack. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => shrm-concerns-linger-following-ukg-ransomware-attack [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:54 [post_modified_gmt] => 2023-01-23 21:10:54 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27280 [menu_order] => 310 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [25] => WP_Post Object ( [ID] => 27239 [post_author] => 91 [post_date] => 2022-01-25 12:09:02 [post_date_gmt] => 2022-01-25 18:09:02 [post_content] =>

On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. Preview the article below, or read the full article online here.

  • Explore industry expert predictions on what’s in store for cybersecurity in 2022.
  • Cyber-attacks have remained a key concern throughout the COVID-19 pandemic. With 2021 now over, what does the new year have in store for cybersecurity?
  • We’ve collected predictions from industry experts, including HelpSystems’s Joe Vest, Gemserv’s Andy Green and more.

With many businesses continuing to work from home where possible and settling into a more hybrid style of work, cybersecurity has been a key concern across a range of industries.

Here, we’ve collected opinions from industry experts on what they predict 2022 has in store for cybersecurity.

Travis Hoyt, CTO at NetSPI

Attack surface management: “As organisations continue to become more reliant on SaaS technologies to enable digital transformation efforts, the security perimeter has expanded. Organisations now face a new source of cybersecurity risk as cybercriminals look to exploit misconfigurations or vulnerabilities in these SaaS technologies to wage costly attacks. In 2022, we can expect that organisations will become more focused on SaaS posture management and ensuring that their SaaS footprint is not left open as a vector for cyberattacks. This trend will be further accelerated by the insistence of insurance providers that organisations have a detailed understanding of their SaaS deployments and configurations, or face higher premiums or even a refusal of insurance altogether.”

Next generation architectures open new doors for security teams: “Interest in distributed ledger technology, or blockchain, are beginning to evolve beyond the cryptocurrency space. In 2022, we’ll begin to see the conversation shift from bitcoin to discuss the power blockchain can have within the security industry. Companies have already started using this next generation architecture, to better communicate in a secure environment within their organisations and among peers and partners. And I expect we’ll continue to see this strategy unfold as the industry grows.”

CFOs will make or break ransomware mitigation: “For too long, companies have taken a reactionary approach to ransomware attacks – opting to pay, or not pay, after the damage has already been caused. I expect to see CFOs prioritising conversations surrounding ransomware and cyber insurance within 2022 planning and budgetary meetings to develop a playbook that overalls all potential ransomware situations and a corresponding strategy to mitigate both damage and corporate spend. If they don’t lead with proactivity and continue to take a laggard approach to ransomware and cyber insurance, they are leaving their companies at risk for both a serious attack and lost corporate funds.”

Florindo Gallicchio, Managing Director and Head of Strategic Solutions at NetSPI

Cybersecurity budgets will rebound significantly from lower spend levels during the pandemic: “As we look to 2022, cybersecurity budgets will rebound significantly after a stark decrease in spending spurred by the pandemic. Ironically, while COVID-19 drove budget cuts initially, it also accelerated digital transformation efforts across industries – including automation and work-from-home infrastructure, which have both opened companies up to new security risks, leading to higher cybersecurity budget allocation in the new year. Decisions are being made in Fortune 500+ companies with CFOs on the ground, as these risk-focused enterprises understand the need for larger budgets, as well as thorough budgeted risk and compliance strategies. Smaller corporations that do not currently operate under this mindset should follow the lead of larger industry leaders to stay ahead of potential threats that emerge throughout the year.”

Charles Horton, Chief Operations Officer at NetSPI

Company culture could solve the cybersecurity hiring crisis: “It’s no secret that cybersecurity, like many industries, is facing a hiring crisis. The Great Resignation we’re seeing across the country has underscored a growing trend spurred by the COVID-19 pandemic: employees will leave their company if it cannot effectively meet their needs or fit into their lifestyle. From a retention perspective, I expect to see department heads fostering a culture that’s built on principles like performance, accountability, caring, communication, and collaboration. Once this team-based viewpoint is established, employees will take greater pride in their work, producing positive results for their teams, the company and themselves – ultimately driving positive retention rates across the organisation.”

Nabil Hannan, Managing Director at NetSPI

2022 is the year for API security: “In 2022, we will see organisations turn their attention to API security risks, deploying security solutions and conducting internal audits aimed at understanding and reducing the level of risk their current API configurations and deployments create. Over the past few years, APIs have become the cornerstone of modern software development. Organisations often leverage hundreds, and even thousands, of APIs, and ensuring they are properly configured and secured is a significant and growing challenge. Compounding this issue, cyberattackers have increasingly turned to APIs as their preferred attack vector when seeking to breach an organisation, looking for vulnerable connection points within API deployments where they can gain access to an application or network. For these reasons, securing APIs will be a top priority throughout 2022.”

The Skills Shortage Will Continue Until Hiring Practices Change: “In 2022 the cybersecurity skills gap will persist, but organisations that take a realistic approach to cybersecurity hiring and make a commitment to building cybersecurity talent from the ground up will find the most success in addressing it. The focus in closing the skills gap often relies on educating a new generation of cybersecurity professionals through universities and trade programs, and generally encouraging more interest in young professionals joining the field. In reality, though, these programs will only have limited success. The real culprit behind the skills gap is that organisations often maintain unrealistic hiring practices, with cybersecurity degrees and certification holders often finding untenable job requirements such as 3+ years of experience for an entry level job.”

[post_title] => TechRound: Cybersecurity Predictions for 2022 [post_excerpt] => On January 25, 2022, Travis Hoyt, Florindo Gallicchio, Charles Horton, and Nabil Hannan were featured in TechRound's 2022 Cybersecurity Predictions round up. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techround-cybersecurity-predictions-for-2022 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:10:56 [post_modified_gmt] => 2023-01-23 21:10:56 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27239 [menu_order] => 315 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [26] => WP_Post Object ( [ID] => 27220 [post_author] => 53 [post_date] => 2022-01-24 16:47:10 [post_date_gmt] => 2022-01-24 22:47:10 [post_content] =>
Watch Now

Overview 

Today's approaches to defense in depth for application security are siloed and lack context, thus results have fallen short. But a layered approach is the key to building a world-class AppSec program that spans the entire Software Development Lifecycle (SDLC). So, how does our approach need to change? 

In this webinar, you’ll hear from three experts at each of the core security touchpoints within the Software Development Life Cycle (SDLC): at the code level, pre-deployment, and post-deployment.

Speakers include Nabil Hannan, managing director at NetSPI, Moshe Zioni, VP of strategy research at Apiiro, and Samir Sherif, CISO at Imperva. 

During this webinar, speakers will discuss:

  • Key timeframes to implement security testing – and why 
  • How to incorporate risk context across the SDLC 
  • Best practices for application penetration testing and secure code review 
  • Proper implementation of application security tools for continuous monitoring 
  • Plus, more tips to achieve a layered application security strategy 

Key highlights:

  • 1:21 – The state of AppSec testing 
  • 3:55 – Contextual AppSec testing 
  • 14:45 – Best practices for application pentesting and secure code review  
  • 30:40 – The implementation journey 
  • 42:00 – Q&A 

The State of AppSec Testing 

To get started, it’s important to have an understanding of the current state of today’s AppSec programs and application security in general.  

Key challenges with application security include:

  1. Siloed: Application security programs are siloed in most organizations. AppSec-related activities often happen without being in sync with the rest of the organization, but effective application security requires collaboration across the board.
  2. Lacks context: A lot of testing happens in different phases of the software development lifecycle (SDLC), but oftentimes it tends to lack context. Testing may be driven by customer needs or regulatory and compliance requirements, but often there’s not enough testing being done based on an organization’s software context and understanding when and why you need to test systems, other than specific requirements from external pressures. 
  3. Results fall short: When application security testing is siloed, lacks context, and doesn’t have proper strategy, the results are more likely to fall short.   

A layered testing approach is the key to building a world-class AppSec testing program that spans the entire SDLC, including code level, pre-deployment, and post-deployment.   

Contextual AppSec Testing 

For AppSec testing to be effective, context from across the SDLC is required to understand risk.  

Some of the benefits of context in each stage across the SDLC include:

  • Design 
    • Prioritize and trigger threat model sessions
    • Trigger contextual compliance reviews 
  • Branch 
    • Trigger contextual security code reviews and enrich data from SAST/SCA/GWs 
    • Trigger contextual compliance reviews 
    • Automate manual risk questionnaires 
    • Automate code governance 
  • Repository 
    • Gain complete visibility into AppSec infrastructure and CSS 
    • Actionable remediation work plan 
    • Trigger incremental plan testing 
    • Reduce SAST & SCA FP and prioritize results 
    • Detect compromised results  
  • CI/CD 
    • Prevent build-time code injection attacks (SolarWinds)  

Best Practices for Application Pentesting and Secure Code Review  

Understanding best practices for application pentesting and secure code review can help ensure your approach is as effective as possible.

Here are some ways optimize your application pentesting: 

1. Risk-based pentesting is key 

  • Understand how your business makes money 
  • Prioritize remediation of vulnerabilities that pose the greatest risk to the organization 
  • Loop in finance and risk leadership 
  • Contextual pentesting 

2. Strategy is the future 

  • Informed pentesting is more valuable, as hackers aren’t bound by time 
  • Threat modeling and secure design reviews 
  • Pair point-in-time testing with always-on monitoring 
  • Bug bounty vs. pentesting 

3. Enable manual testing  

  • Enable your testing team to find vulnerabilities that tools miss 
  • According to NetSPI testing data, 63% of critical vulnerabilities are found through manual testing 
  • External network pentesting finds 10x more critical vulnerabilities than a single network vulnerability scanning tool 

4. Take a holistic approach 

  • Validation of security controls 
  • Understanding how everything works together  

Another important aspect is building an effective secure code review program. Some step to do this include:

  1. Establish a security culture and listen to your developers 
  2. Create simple and effective methodologies and processes 
  3. Plan application onboarding and scan frequency 
  4. Understand that remediation matters most 
  5. Measure and improve over time  

As you formalize your company’s AppSec program, following a maturity checklist can help set the program up for success.

Make sure to include the following steps your application security program maturity checklist:

  • Formalize your roadmap 
  • Governance in the SDLC 
  • Establish metrics that matter 
  • Be an AppSec ambassador

The Journey to Implement AppSec 

When it comes to how an organization looks at and approaches application security in general, breadth is an important framework to redefine and conceptualize application security.

This framework includes: 

  • Shift-left to dev training and code analysis 
  • Heavy focus on in-app and perimeter protections 
  • Shift-right to advanced, proactive, and managed services  

Left-to-right application security features the following solutions: 

  • Awareness and education
    • Learning, training, threat modeling 
  • Code analysis
    • SAST, DAST, IAST, SCA, code risk 
  • In-app protection 
    • RASP, CWPP (EW) 
  • Perimeter protection 
    • WAAP, CWPP (NS), DDoS, Zero Trust 
  • Advanced solutions 
    • Bot, insights, fraud, 3rd party, TI, CDR, DLP 
  • Proactive solutions 
    • VM, CSPM, CIEM, BAS, EASM, MDR 

Partner with NetSPI to Improve Application Security  

NetSPI’s Application Security as a Service helps organizations manage multiple areas of their application security program.

Our AppSec as a service capabilities combine the power of technology through our vulnerability management and orchestration platform with our leading cybersecurity consulting services featuring expert human pentesters to ensure you can build and manage a world-class application security program.

Learn more about our AppSec as a service offerings and partner with NetSPI to drive your application security program forward to meet your security objectives. Schedule a demo today

[wonderplugin_video iframe="https://youtu.be/bml1NTFqxFA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => Application Security In Depth: Understanding The Three Layers Of AppSec Testing [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => application-security-in-depth-understanding-the-three-layers-of-appsec-testing [to_ping] => [pinged] => [post_modified] => 2023-07-12 12:43:09 [post_modified_gmt] => 2023-07-12 17:43:09 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=27220 [menu_order] => 50 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [27] => WP_Post Object ( [ID] => 27166 [post_author] => 65 [post_date] => 2022-01-18 07:00:00 [post_date_gmt] => 2022-01-18 13:00:00 [post_content] =>

Today’s business environment extends far beyond traditional brick and mortar organizations. Due to an increased reliance on digital operations, the frequency and complexity of supply chain cyber attacks — also known as vendor risk management or third-party security — are growing exponentially. It’s apparent that business leaders can no longer ignore supply chain security.

Not only did we see an increase in supply chain attacks in 2021, but the entire anatomy of an organization’s attack surface has evolved significantly. With more organizations shifting to a remote or hybrid workforce, we’ve seen a spike in cloud adoption and a heavy reliance on digital collaboration with third-parties.

Over the past few years we’ve introduced many new risks into our software supply chains. So, how do we ensure we don’t become the next SolarWinds or Accellion? In this blog, we reveal four supply chain security best practices to get you started on solid footing.

First, understand where the threats are coming from. 

With so many facets of the supply chain connected through digital products, organizations and security leaders need to understand which sectors are most vulnerable and where hackers can find holes — both internally and externally.

A recent study found that 70% of all breaches are caused by an outside force, and 17% were specifically from malware. This is to be expected. As software developers have been outsourced more frequently, the doors have opened to traditional malware attacks and breaches. Businesses need to understand how and where their resources can be accessed, and whether these threats can be exploited. However, malicious code detection is known to be very difficult. Standard code reviews won’t always identify these risks, as they can be inserted into internally-built software and mimic the look and feel of regular code. This is one of the biggest trends leaders must be aware of and fully understand which threats could impact their organization.

In addition to malware, hackers have begun attacking multiple business assets outside of an organization's supply chain through “island hopping.'' We’re seeing 50% of today’s cyber attacks use this technique. Security leaders need to identify and monitor island hopping attacks frequently to stay ahead of the vulnerability. Gone are the days where hackers target an organization itself — instead adversaries are going after an organization's partners to gain access to the initial organization's network.

Supply Chain Security Best Practices

How do organizations ensure they don’t become the weakest link in the supply chain? First and foremost, be proactive! Businesses must look at internal and external factors impacting their security protocol and implement these four best practices.

1. Enforce security awareness training.

Ensure you are training your staff not only when they enter the organization, but also on a continuous basis and as new business emerges. Every staff member, regardless of level or job description, should understand the organization's view and focus on security, including how to respond to phishing attempts and how to protect data in a remote environment. For example, in a retail environment, all internal employees and third-party partners should understand PCI compliance, while healthcare professionals need a working knowledge of HIPPA. The idea is to get everyone on the same page so they understand the importance of sensitive information within an organization and can help mediate a threat when it is presented.

2. Enact policy and standards adherence.

Adherence to policies and standards is how a business keeps progressing. But, relying on a well-written standard that matches policy is not enough. Organizations need to adhere to that policy and standards, otherwise they are meaningless. This is true when working with outside vendors as well. Generally, it’s best to set up a policy that meets an organization where it is and maps back to its business processes – a standard coherence within an organization. Once that’s understood, as a business matures, the policy must mature with it. This will create a higher level of security for your supply chain with less gaps.

In the past, we’ve spent a lot of time focusing on policies and recommendations for brick and mortar types of servers. With the new remote work and outsourcing increasing, it’s important to understand how policies transfer over when working with vendors in the new remote setting. 

3. Implement a vendor risk management program.

How we exchange information with people outside of our organization is critical in today’s environment. Cyber attacks through vendor networks are becoming more common, and organizations need to be more selective when choosing their partners.

Once partners are chosen, security teams and business leaders need to ensure all new vendors are assessed with a risk-based vendor management program. The program should address re-testing vendors according to their identified risk level. A well-established, risk-based vendor management program involves vendor training — follow this three-tiered approach to get started: 

  • Tier one: Organizations need to analyze and tier their vendors based on business risk so they can hone in on different security resources and ensure they’ve done their due diligence where it matters most. 
  • Tier two: Risk-based assessments. The higher the vendor risk, the more their security program should be accessed to understand where an organization’s supply chain could be vulnerable – organizations need to pay close attention here. Those categorized as lower risk vendors can be assessed through automated scoring, whereas medium risk vendors require a more extensive questionnaire, and high-risk vendors should showcase the level of their security program through penetration testing results. 
  • Tier three: Arguably most important for long term vendor security. Re-testing vendor assessments should be conducted at the start of a partnership, and as that partnership grows, to make sure they’re adhering to protocol. This helps confirm nothing is slipping through the cracks and that the safety policies and standards in place are constantly being met. 

4. Look at the secondary precautions. 

Once security awareness training, policy, and standards are in place, and organizations have established a successful vendor risk management program, they can look at secondary proactive measures to keep supply chain security top of mind. Tactics include, but are not limited, to attack surface management, penetration testing services, and red team exercises. These strategic offensive security activities can help identify where the security gaps exist in your software supply chain.

Now that so many organizations are working with outside vendors, third-party security is more important than ever. No company wants to fall vulnerable due to an attack that starts externally. The best way to prepare and decrease vulnerability is to have a robust security plan that the whole company understands. By implementing these four simple best practices early on, businesses can go into the new year with assurance that they won’t be the weakest link in the supply chain — and that they’re safeguarded from external supplier threats.

Want to learn more about how to strengthen your software supply chain security? Watch the on-demand webinar: "How NOT To Be The Weakest Link In The Supply Chain"
[post_title] => Best Practices for Software Supply Chain Security [post_excerpt] => Take these four steps to improve your software supply chain security. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => best-practices-software-supply-chain-security [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:53:35 [post_modified_gmt] => 2023-08-22 14:53:35 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27166 [menu_order] => 318 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [28] => WP_Post Object ( [ID] => 27147 [post_author] => 65 [post_date] => 2022-01-11 11:49:08 [post_date_gmt] => 2022-01-11 17:49:08 [post_content] =>

Cybersecurity is a moving target. As adversaries evolve, the methodologies we use to protect our businesses must evolve in tandem.  

Penetration testing is a great example of a category that must continuously innovate to keep pace with attackers. After all, the goal of penetration testing services is to emulate real-world attack tactics, techniques, and procedures (TTPs) as accurately as possible. 

Traditional penetration cannot keep pace with the realities of business agility and hacker ambitions. Without innovation and evolution, it remains slow, stodgy, inconsistent, and simply checks a compliance box. So, how do we drive the industry forward? Strategy is key, according to Manish Khera, CISO at a national utilities company. 

I recently invited Manish on the Agent of Influence podcast, a place to share best practices and trends in the world of cybersecurity and vulnerability management. We dove deep into the future of penetration testing, among other topics. When discussing the evolution of pentesting, he believes strategy is key – and I couldn’t agree more. Taking a strategic approach to security testing is vital. Continue reading to learn why, and for highlights from our conversation. 

Do you believe the security mindset has migrated to a more proactive approach today? Or do you think there's more work that needs to happen? 

Manish: I think we have become more proactive. Is it working? Hard to say. We have created proactive programs like AppSec and the concept of shifting left for example. We talk about security assessments and consulting, and security is getting involved earlier on projects. We’re making sure that it's not a “stage gate” pentest that occurred to assess a project. We've obviously grown and matured in that regard.  

So, what is the right approach? If we're too proactive, we may miss some of the needs for last-minute reviews. A pentest before a go-live for an external facing application, for example, is a good best practice. Ideally, we have good application security processes in place early on – SAST, DAST, whatever scans, plugins, et cetera, to get a better feel of low hanging fruit. It is a tough hill to climb balancing proactive and reactive security, but we are getting better. 

Nabil: You mentioned something that resonates well with how I talk about pentesting. Ultimately, people tend to start their security practices with penetration testing as a way to discover vulnerabilities. But I think as you mature, you have to change that mindset to view pentesting as a way to determine how effective our other controls are. Keeping that in mind... 

How does penetration testing need to evolve based on the trends you're seeing in the industry? 

Manish: I think you and I are on of one mind in this space. I do agree with you 100%, that pentesting has to evolve. The idea of it being a report card or simply finding vulnerabilities, when it should be the sum total of great activities up to that point. For future pentesting, we must do a couple different things.

Listen Now: Application Security and Penetration Testing Insights from a Utilities Sector CISO. Episode 29 of Agent of Influence with Manish Khera

Organizations should be more thoughtful about their approach. We should be willing to spend the money to threat model down to give proper avenues for pentesting vendors or your internal pentesting team. Organizations are often afraid to engage a pentesting vendor over a long period of time, and we feel we’ve spent too much money pentesting. However, we need to threat model, work with that vendor, and spend time with them to make sure they have enough time and resources to not just find vulnerabilities that are lucky to find, but also business context vulnerabilities. 

If I say “you have two weeks to get this done” that is not really a good pentest. Get that vendor in, spend a day with them, have them understand what the actual threat vectors are, understand the important parts of that application and data sets are, what the target would be from an informed, authenticated user, and so on. Then give them time to figure it out. The vendor should be smart about it too. It’s on both sides to be smart about it. It can't be a time box, very slim budget event. It's got to be thoughtful and threat-focused versus, “I have 50k to spend on a pentest.” 

I also think that the “shift left” marketing schemes have to come into play. We've got to get better integrated in using scans, using ID plugins, and teaching developers how to code better. We call this a security champions program. Have somebody from the development team join the appsec team and work with them to better understand appsec processes. Then, they go back to the development team and become champions that speak the same language as across teams. 

All of a sudden, pentesting becomes an event that clears the scorecard. If you practice good security up to that point, the vulnerabilities you find are more likely to be small efforts versus huge efforts that delay projects from going live. I hope that pentesting matures in that regard – but only time will tell.

Threat modeling can be time consuming, but valuable. Can you share a scenario where you found that threat modeling something, and then using that to drive a pentest or a security activity, was more valuable? 

Manish: The first time you do threat modeling is always the heaviest lift. Determining what framework to follow and how to create the process so that it is repeatable is most time consuming. But it does get easier over time if you follow a consistent framework. Especially if you have the same teams involved or a threat modeling champion engaged when a vendor comes in to do the threat modeling engagement.  

In terms of a key win or scenario, every time we do it, we find a better way to approach a pentest or improve our security activities. Every threat modeling assessment produces something that is shocking or surprising. I think you should always do it, because there’s always an opportunity to gain a better understanding of your applications and enable better tests. 

Essentially, coming in “blind” to do a pentest is rarely as valuable as having more details and information about how the system is architected. Taking an approach where you're enabling your pentesters with as much detail as possible only allows you to get better results. I'm not a big fan of “black box” testing or unauthenticated testing. We should assume that an adversary has deep inside knowledge of the environment, because they likely do. They can buy it or coerce somebody to give it to them – they can get it one way or another. We have to open our eyes to that scenario. We want informed testing and we want detailed reviews. That's how we drive value. 

For more on the future of penetration testing – plus, insights on cybersecurity challenges in the utilities sector, consultancy vs. in-house security leadership roles, how to build a security champions program, and more – listen to episode 29 of Agent of Influence, featuring Manish Khera.

[post_title] => Strategic Penetration Testing is the Future [post_excerpt] => Learn why taking a strategic penetration testing approach is vital. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => future-of-penetration-testing-strategy [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:54:15 [post_modified_gmt] => 2023-08-22 14:54:15 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=27147 [menu_order] => 320 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [29] => WP_Post Object ( [ID] => 26881 [post_author] => 65 [post_date] => 2021-12-07 16:28:08 [post_date_gmt] => 2021-12-07 22:28:08 [post_content] =>

On December 7, 2021, NetSPI Managing Director Nabil Hannan was a featured guest on ITSPmagazine’s Redefining Security Podcast, where they discuss the new OWASP Top 10 2021. Listen below or view online here.

Episode Summary

Every few years, a group of individuals work together to deliver what has become a staple in application security practices: The Open Web Application Security Project (OWASP) Top 10. In the 2021 edition, the team took a fresh look at the data and what it means. Everything changed while staying the same.

Episode Notes

Every few years, a group of individuals work together to deliver what has become a staple in application security practices: The Open Web Application Security Project (OWASP) Top 10. In the 2021 edition, the team took a fresh look at the data and what it means. Everything changed while somehow stayed the same.

The real changes are in how organizations should look at this information and how to use it to make a difference in their application development and information security programs. While data analytics played a huge role in changing the game for the OWASP Top 10 for 2021, it's the humans that will see the outcomes come to fruition. Or, at least we hope.

____________________________

Guests

Diana Kelley
On ITSPmagazine https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/diana-kelley

Andrew van der Stock
On LinkedIn | https://www.linkedin.com/in/vanderaj/
On Twitter | https://twitter.com/vanderaj

Nabil Hannan
On LinkedIn | https://www.linkedin.com/in/nhannan/
On Twitter | https://twitter.com/nabilhannan

[post_title] => ITSP Magazine: The OWASP Top 10 2021 Edition: What Changed And What Must You Change In Application Development Given The Updated Top List Of Broken (AKA Weak Or Vulnerable) Things? [post_excerpt] => On December 7, 2021, NetSPI Managing Director Nabil Hannan was a featured guest on ITSPmagazine’s Redefining Security Podcast, where they discuss the new OWASP Top 10 2021. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => itsp-magazine-redefining-security-owasp-top-10-2021 [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:11:04 [post_modified_gmt] => 2023-01-23 21:11:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26881 [menu_order] => 336 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [30] => WP_Post Object ( [ID] => 26810 [post_author] => 65 [post_date] => 2021-12-07 07:00:00 [post_date_gmt] => 2021-12-07 13:00:00 [post_content] =>

Shortly after Thanksgiving, we packed our bags and ventured off to Riyadh, Saudi Arabia for the inaugural @Hack cybersecurity event. We were invited to exhibit at the SecureLink booth, who we recently partnered with to expand NetSPI’s services to the Middle East and Africa (MEA).

Over the past two years, the Kingdom of Saudi Arabia has gone through accelerated digital transformation, driven heavily by its Vision 2030 reform plan. And with this digital transformation, comes expanded attack surfaces and more exposure to cyber threats. This was a key theme and concern during the event – and a large part of why the event was organized in the first place.

It was exciting to see the energy and enthusiasm around technology and cybersecurity (almost as exciting as when we realized that @Hack was synonymous with “attack”). @Hack organizers estimated that more than 14,000 people from 70 countries were in attendance, many of which we spoke to at the NetSPI stand about the state of security in Saudi Arabia, penetration testing, cybersecurity education, cybersecurity jobs, and more.

As we packed up to head to our next destinations, we took time to reflect on our conversations, the people we met, and the key themes we observed on the show floor.

Cybersecurity Maturity in the Kingdom of Saudi Arabia

The Kingdom of Saudi Arabia has only recently focused on transforming their technological infrastructure and has invested in becoming a technological powerhouse in the region. At the conference itself, we saw the use of QR codes, mobile payments, digital sharing of contact information, and more. Although their technology adoption is very high, there is an opportunity for the region to mature its understanding of and focus on cybersecurity challenges.

One of the younger attendees came from Egypt and participated in the “bug bounty” challenge. He came in 2nd place and mentioned how the challenge to him was simple compared to what he was used to in his home country. To us, this indicates that security is not necessarily at the forefront of Saudi Arabia’s considerations when acquiring or deploying technology, and there is some catching up it needs to do to ensure security keeps pace with its technological developments.

We also recognized that most of the cybersecurity work performed is based on what is mandated by the Kingdom of Saudi Arabia government. Penetration testing services are not a large part of that discussion today, but we anticipate security testing activities – pentesting, secure code review, threat modeling, red team, design reviews – will be part of the requirements very soon.

The State of Penetration Testing

At the event, we were surprised to hear that the concept of penetration testing is new to most people and organizations in the region. In many of our conversations, we heard that they were interested in purchasing products and software solutions that could take care of all security concerns. But, as we know, even the largest technology companies can make security mistakes (see: Microsoft Azure CVE-2021-4306).

There were a number of misconceptions about penetration testing that we helped to address at the show. Notably, the difference between penetration testing and simply running an automated scanner tool or a monitoring solution.

The explosion in technology adoption over the last few years has caused many companies to rapidly seek new and innovative security solutions, however, the adoption of pentesting services in the Middle East will be largely driven by regulation.

Youth and Women in Cybersecurity

@Hack brought a diverse group of people together. Students as young as 11 stopped by our booth and were eager to learn from us. It was incredible to see the younger generation’s interest in cybersecurity careers and education. Questions we were asked include, “how can we learn more?”, “where can I find more resources?”, “what resources should I look at to become a pentester?”, and “can you hire me and train me?”

A large portion of those coming into the industry are students who have learned from global online communities, including bug bounties, capture the flag, and online forums. For continued reading, this Arab News article highlights some of the young attendees involved at the event.

Across the globe, there are initiatives to get women more involved in cybersecurity. Cybersecurity Ventures and WiCys predict that women will hold 25 percent of cybersecurity jobs globally by the end of 2021, up from 20 percent in 2019. This was evident @Hack.

Women were equally, if not more, involved at the conference than their male counterparts in terms of communication, interest, types of questions they were asking, etc. The transition to more progressive ideologies in the region has clearly resulted in a large influx of highly educated and motivated women wanting to break into the space.

Overall, the event was a great opportunity to connect and share information with security peers across the globe and we hope they will put on @Hack next year. With our new SecureLink partnership, we’re excited to continue educating the region on the benefits of penetration testing and the value it brings when done well. Want to connect with us at the next big cybersecurity event? We’re heading to RSA Conference in San Francisco, February 7-10, 2022. Schedule a meeting with us!

Explore our penetration testing, adversary simulation, and attack surface management services.
[post_title] => @Hack: Cybersecurity Transformation in Saudi Arabia [post_excerpt] => Read highlights and lessons learned from the 2021 @Hack cybersecurity conference in the Kingdom of Saudi Arabia. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => athack-cybersecurity-transformation-saudi-arabia [to_ping] => [pinged] => [post_modified] => 2023-01-23 15:11:04 [post_modified_gmt] => 2023-01-23 21:11:04 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26810 [menu_order] => 337 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [31] => WP_Post Object ( [ID] => 26670 [post_author] => 65 [post_date] => 2021-11-16 07:00:00 [post_date_gmt] => 2021-11-16 13:00:00 [post_content] =>

The number of security controls and activities any given cybersecurity leader manages is continuously evolving. For instance, this year, the Global InfoSec Awards features 212 different categories – from penetration testing to insider threat detection to breach and attack simulation. That’s 212 different technologies or security activities CISOs could be implementing dependent on their needs.

This highlights the importance of taking a step back to recognize the activities making the greatest difference in your security program. AF Group CISO Seth Edgar does just that during our Agent of Influence podcast interview. For Seth, asset management, vulnerability management, and authentication topped his list of cybersecurity best practices.

Continue reading to learn how these security activities are changing the game for Seth and for highlights from our discussion around his unconventional career path, lessons learned from reverse engineering, and cyberattack trends in the insurance space. For more, listen to the full episode on the NetSPI website, or wherever you listen to podcasts.

What have you learned from your experience as a middle school teacher that you apply to your role as a CISO? 

Middle school is an area of your life that's memorable for a lot of reasons. As a teacher, delivering materials to students in a manner they can consume is an ever-changing battle. Not only is there the struggle to remain interesting and relevant to a roomful of 12-year-olds, but also understanding how to communicate a complex subject or introduce a new, complex theme. I couldn't stop at relaying the information. “I've put it out there, now it's on you to consume,” was not an effective strategy. I had to make sure that the concepts were reinforced and delivered in a manner they could grasp because my goal was for them to be successful. 

As CISO, I'm doing the exact same thing. Most of my job is education and a portion of my job is security, budget, and people management. I'm teaching people why security is important. What is higher or lower risk. I'm talking to executives and communicating the ROI of security. In doing so, I have to gauge on the fly whether they're tracking with what I'm saying, or whether we're going to need to revisit the topic from a different angle.

I get exposure to upper-tier leadership within my organization, but those interactions are limited. They have to be because they're scheduled. It's not like a classroom where I'm with the students every single day. If we missed it today, we'll get it tomorrow – same time, same place. With business leaders I've got to get it right the first time. 

Just like in a classroom, you have to get to know the students before you can truly teach them. And at the end of the day, you must make your material relevant and usable for them, make it understandable and draw upon their background. It must also be presented in a manner that makes sense, without oversimplification. All those techniques are exactly what I'm doing right now as a CISO, just with a different body of knowledge. Finding that the balance between simplification and understanding is a challenge, but it's something that I can draw upon from my prior experience and from my undergraduate education to help me communicate complex security topics clearly to my leadership team.

Are there components of what you learned from reverse engineering that you apply in practice today?

I am a big fan of learning by doing. It's way different completing a sample problem than it is touching real software. It is helpful to have a deep technical background to be able to have conversations with technical folks and establish credibility. However, the more important lesson that I pulled from those early days doing reverse engineering is that it's okay to have trial and error. It's okay to make mistakes and learn from them. 

As a leader, I don't punish mistakes, we learn from them. If that mistake is repetitive, I'm likely going to move you away from doing that that role within our organization. But mistakes are part of the learning process. They're important. We too often think, ‘I'm not going to do anything because if I screw it up, I'm going to get in trouble.’ That's not how we learn, that's not the way that systems are developed, and it's certainly not the way you have a breakthrough. So, the most important lesson I learned from reverse engineering was learning how to make a mistake, recover, and use it to inform the next steps going forward.

There's been a lot of news recently about the insurance space, such as the CNA Financial ransomware attack. Are there certain attack trends that you're paying close attention to today?

We are watching a lot right now. Ransomware is a high risk and a top-of-mind issue, not only from a perspective of ransomware prevention, but also from an insurance perspective. We don't touch this area much in my role, but cybersecurity insurers are starting to realize that their model may need to change because the risk profile has ramped up significantly. If you look at how ransomware has grown, we have seen this crazy upward trend in financial impact and sophistication – nobody wants to get hit. At the same time, if it is not going to happen to you, it is very likely will happen to a third- or a fourth- or a fifth-party provider. That’s where supply chain security issues come into play.

With COVID-19, many went from a fully on premise workforce to a fully remote workforce almost overnight. There are inherent network risks and security models that bank on a perimeter-centric security. There's a large knowledge exchange that had to happen with groups of people who always report into a building that have maybe never used a VPN or had to do any kind of multifactor authentication before, whereas other people have been doing it for a decade or more. There's going to be that subset of your users that this is the first rodeo they've ever had with remote workforce security protocols

We've seen interesting scams arise out of this. Wire fraud transfer scams have always been existent but are taking advantage of companies that have changed business models. Attackers try and monetize whatever it is they get their hands on. If I'm an attacker, if I compromise an email account, I want to turn that into some sort of monetization as quickly as possible. 

There is one clever attack that I’ve heard described among my peers. Let's say I compromise a mailbox and immediately search for the word “invoice” looking for unpaid invoices. I find out who the sender of that invoice is and create a look alike domain for that sender. Now I spoof that exact user that sent the invoice in the first place and say, “This invoice is overdue and needs to be paid.” It creates that sense of urgency just like a normal attack would and then, you get them to change the wire transfer number. Now they're stuck in a position where they're trying to describe a decently complex attack to probably an under resourced small- to medium-sized business. 

Many organizations don't have the capability to view and understand how the user got into their environment and it becomes a game of finger pointing. It's an awkward and difficult situation to be in. This brings up the importance of validating senders and sources. A positive business best practice in this situation would be to reach out and validate the information with a verified contact.

What are the most effective security activities you're implementing today?

The most effective security activities that are changing the game for me have revolved around strong asset management, patching, and vulnerability management practices. 

Beyond that, having strong authentication is equally critical. Not only multifactor, but checking system state, user agent strings, consistent source IP, and similar practices. I can know, with relatively simple rule set, whether a log in is attempted with a new IP, device, or if it is a new source for this user’s authentication, and act accordingly. We've seen some incredible progress, just not only in our own development or tooling, but leveraging products we already have available. They're not perfect, none of them are airtight. But it gives us a certain probability or a reasonable level of assurance that this user is who they claim to be – or not.

As mentioned earlier, moving your workforce to remote is a hard problem to solve in areas like vulnerability remediation and patch management. Getting software updated, especially if it was historically on-premise, is a major shift. If you're working with an incomplete asset inventory right out of the gate, you have no indication what your success ratio is. This is an age-old problem that organizations still struggle with today. Whether you have good asset management can tell you whether your security program is successful.

The bright side? Vulnerability management and asset management are areas that can be improved and understanding your attack surface is a good first step. The Print Nightmare vulnerability is a great example of this. Once alerted, having a good understanding of the devices that need to get print drivers locked down on and what devices you need to make changes to rapidly reduce your exposure proved vital in that situation. 

Want to hear more from Seth Edgar? Listen to episode 35 of Agent of Influence!
[post_title] => Q&A: Asset Management, Vulnerability Management, and Authentication are Changing the Game for this CISO [post_excerpt] => AF Group CISO Seth Edgar shares which security activities are making the greatest difference in his security program via the Agent of Influence cybersecurity podcast. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => vulnerability-management-authentication-ciso-priorities [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:46 [post_modified_gmt] => 2022-12-16 16:51:46 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26670 [menu_order] => 351 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [32] => WP_Post Object ( [ID] => 26665 [post_author] => 53 [post_date] => 2021-11-12 12:30:08 [post_date_gmt] => 2021-11-12 18:30:08 [post_content] =>
Watch Now

What’s next for enterprise security professionals? No one can know for certain, but NetSPI’s expert bench of security pros – pulling from their decades of cybersecurity leadership and daily conversations with some of the world’s most prominent organizations – have a few ideas as to where the industry is headed.

Watch our 2022 cybersecurity predictions webinar, where our panel will tackle some of the most debated topics of the past 365 days and predict how each will evolve in the new year and beyond. Topics include: 

  • The cybersecurity hiring crisis
  • Application security program maturity
  • Attack surface management
  • The evolution of ransomware
  • Cybersecurity budget allocation
  • And next generation architectures (see: blockchain)

[wonderplugin_video iframe="https://youtu.be/rLcwnJAO5Qo" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => 2022 Cybersecurity Predictions:
What to Expect in the New Year [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => 2022-cybersecurity-predictions-what-to-expect-in-the-new-year [to_ping] => [pinged] => [post_modified] => 2023-06-22 20:39:36 [post_modified_gmt] => 2023-06-23 01:39:36 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26665 [menu_order] => 51 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [33] => WP_Post Object ( [ID] => 26628 [post_author] => 65 [post_date] => 2021-11-04 09:56:02 [post_date_gmt] => 2021-11-04 14:56:02 [post_content] =>

On November 4, 2021, NetSPI Managing Director Nabil Hannan was featured in an article by TechRepublic:

In the latest effort to combat cybercrime and ransomware, federal agencies have been told to patch hundreds of known security vulnerabilities with due dates ranging from November 2021 to May 2022. In a directive issued on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal and executive branch departments and agencies to patch a series of known exploited vulnerabilities as cataloged in a public website managed by CISA.

The directive applies to all software and hardware located on the premises of federal agencies or hosted by third parties on behalf of an agency. The only products that seem to be exempt are those defined as national security systems as well as certain systems operated by the Department of Defense or the Intelligence Community.

All agencies are being asked to work with CISA's catalog, which currently lists almost 300 known security vulnerabilities with links to information on how to patch them and due dates by when they should be patched.

...

Within 60 days, agencies must review and update their vulnerability management policies and procedures and provide copies of them if requested. Agencies must set up a process by which it can patch the security flaws identified by CISA, which means assigning roles and responsibilities, establishing internal tracking and reporting and validating when the vulnerabilities have been patched.

However, patch management can still be a tricky process, requiring the proper time and people to test and deploy each patch. To help in that area, the federal government needs to provide further guidance beyond the new directive.

"This directive focuses on patching systems to meet the upgrades provided by vendors, and while this may seem like a simple task, many government organizations struggle to develop the necessary patch management programs that will keep their software and infrastructure fully supported and patched on an ongoing basis," said Nabil Hannan, managing director of vulnerability management firm NetSPI.

"To remediate this, the Biden administration should develop specific guidelines on how to build and manage these systems, as well as directives on how to properly test for security issues on an ongoing basis," Hannan added. "This additional support will create a stronger security posture across government networks that will protect against evolving adversary threats, instead of just providing an immediate, temporary fix to the problem at hand."

Read the full TechRepublic article here: https://www.techrepublic.com/article/us-government-orders-federal-agencies-to-patch-100s-of-vulnerabilities/

[post_title] => TechRepublic: US government orders federal agencies to patch 100s of vulnerabilities [post_excerpt] => The Cybersecurity and Infrastructure Security Agency is maintaining a database of known security flaws with details on how and when federal agencies and departments should patch them. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techrepublic-us-government-orders-federal-agencies-to-patch-100s-of-vulnerabilities [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:47 [post_modified_gmt] => 2022-12-16 16:51:47 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26628 [menu_order] => 354 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [34] => WP_Post Object ( [ID] => 26557 [post_author] => 65 [post_date] => 2021-10-19 07:00:00 [post_date_gmt] => 2021-10-19 12:00:00 [post_content] =>

Being a cybersecurity leader is not for the faint of heart. The increasing sophistication of adversaries and number of successful breaches puts significant pressure on security teams today. For advice, I invited Pacific Northwest infosec leader David Quisenberry to join me on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management

During our conversation, David shared four ways he’s approaching cybersecurity leadership today by:

  1. Tapping into his wealth management experience.
  2. Collaborating across the organization.
  3. Working closely with his local security community as the president of OWASP Portland, Oregon.
  4. Creating a solid network of mentors.

Continue reading for highlights from our conversation around wealth management, collaboration mentorship, OWASP Portland, and more. You can listen to the full episode on the NetSPI website, or wherever you listen to podcasts.

Can you tell me about your career transition from wealth management to cybersecurity?

David Quisenberry: The decisions you make, the careers you go down, the things you do – everything's interrelated and connected. There are some differences, but there are also a lot of similarities. In wealth management, you deal a lot with risk tolerance. Like companies, when someone is just starting off as an investor, they don't have a lot of money and they're much more willing to take on risk and do things that a more established person, family, or trust might not do with their money because they have a fiduciary standard to make sure that they invested wisely for all the beneficiaries. 

Again, like companies, when they're building out their foundation of revenue, security may not be as front and center to a lot of the decisions that get make. But as companies grow, a lot of enterprise corporations view security and risk tolerance much differently. They want to understand all the risks that go into each decision they make as a business. Risk tolerance is a similar theme. 

Another thing that's very similar between the world of wealth management and the world of cybersecurity is you’re always reading, always studying. As a wealth manager, you're constantly keeping up to speed on all the trends with global investment flows, global economics, and mutual funds. That obviously translates into the security world where you're reading and learning things all the time. 

Lastly, convincing others to take action. As a wealth manager, there's this tension, especially if you're working with families where you want them to save as much as possible so that they can have a lot of money in retirement for their kids, for their charities. They care about their future self, but they also want to live life. There are these tensions, and you have to convince someone to spend their dollars one way versus the other. This is very similar to security work with developers, product owners, product managers, et cetera. It's a constant game of understanding all the various priorities and working together to identify that sweet spot of paying security debt, staying on top of future security debt, as well as getting other features built to drive your business forward. 

You are taking some unique approaches to better collaborate across different teams within your organization. Can you share with us the approach you're taking? Are there things that worked well or not?

David Quisenberry: One of the philosophies I have about most things is “relationships first.” As an information security manager, I've tried to take the approach of being available and approachable. If somebody sends me a question or an email, most of the time I will drop what I'm doing so that I can answer them in that moment. Even when people get frustrated with me, I take the opportunity to take a step back and think, “We have a tension right now. But they're thinking about security. What's not clear? How do I communicate the why?” If I can accurately explain the why, it's going to help so much. I try to take that relationship first approach, identify those early wins, and set clear expectations of what is a milestone and then celebrate those when we hit them.

It’s important to have regular monthly meetings with the scrum masters with the various leadership teams for the different products, engineering managers, project managers. I encourage them to ask questions and know that we're going to have an opportunity to dig into things. To prepare for those meetings, we have a working agenda that both parties can add to, and I also try to give visibility into data and analytics. 

As the president of the OWASP chapter in Portland, how did you get involved with the community? And what are some interesting things that you're doing that might be different from other chapters? 

David Quisenberry: David Merrick introduced me to the chapter. I started going to the chapter meetings whenever I could. Around late 2018/2019, I started being mentored by the previous chapter President, Ian Melvin, who's been an amazing mentor and really helped me along in my progress. He got me more involved on the on the leadership side. 

What I found is most OWASP chapters have leadership that have been laboring hard for a long time to keep the chapter going. If you're willing to help bring in speakers, engage in membership, promote social media activity, or think of topics to present, they'll open up. Especially if you prove yourself and that you can deliver on it. What I found with the Portland chapter was that, as I started getting involved, we needed to meet developers where they're at. 

We did a lot early on when I took over as president of the Portland OWASP chapter. We built out a mentorship program where we had around 24 people with varying skill levels meeting regularly. We really ramped up our social media presence, specifically Twitter and LinkedIn. We used meetup.com which helped us solidify returning visitors and provided an easy mechanism for people to RSVP to our monthly meetings. By the end of 2019, we were close to 50-60 people per meeting. And we brought in a lot of great speakers. 

And then then COVID-19 hits, and suddenly you can't meet in person anymore. We had to do everything virtually, but we were able to continue our path of monthly, or bi-monthly meetings. We also have another thing that we do as a local chapter, which is study sessions. More hands-on, shorter sessions or labs and then 40-minutes hands on keyboard. Working with Burp Suite or Wireshark. You name it. We started a podcast in late 2019 and that's been super successful. We had 6,500 listeners or so over this last year and some interesting guests. We're also exploring some other opportunities for cybersecurity training with other chapters. We’ve been trying to collaborate more with the chapters around us and that's been going quite well. 

NetSPI’s Portland, OR office is growing. Check out our open cybersecurity careers in PDX!

I wouldn't be where I am today without my involvement with OWASP. If you're interested in truly excelling and expanding your horizons in the security space, these community meetings and chapters really pay dividends in the long run. I'd be curious to get your perspective on any guidance you have on how to choose a mentor that's right for you?

David Quisenberry: The first thing I would say is don't have one mentor. And I think of it almost as a personal board of directors. For myself what I want is people from across the spectrum. So, business leaders, engineering leadership, security leadership, different types of security leadership. I want 4-10 people that I talk with quarterly, some people more often. I want to be able to have multiple perspectives to bounce ideas off when I'm having a hard time with something at work or a moral decision I need to make or just trying to understand what is normal or what is acceptable. 

One of the big things that I always try to push with my mentors is what are you learning? What are you reading? What are the things that you go back to time and time again? There is a saying that I always think about: “If you dig, you get diamonds.” Where can you dig to get diamonds? With mentors, I try to have a lot of people, I try to be real with them, and make it clear that this is only between us. And I also try to pay it forward. I want to help people and lots of people have helped me. 

There is a book by Keith Ferrazi I read a long time ago, it's called Never Eat Alone. It's all about how people like to help people. We're all hesitant to ask for advice or ask for help. But the most successful people ask for help all the time. As humans, we like to help each other. His whole thing is to find out what you want to do and where you want to get, and then build a relationship action plan to move your way there. He's also big on building your network before you really need it. If you're in a job hunt, and you're trying to build your mentorship, or mentor platform at that point in time, that's going to be hard to do. But if you're in career, and you start building that network, and you don't need to use it for a couple years, by the time you do need to use it those people will know that you're genuine and know who you really are. They'll be more than willing to help you. 

For more, listen to episode 23 of Agent of Influence. Or, connect with David on LinkedIn or listen to the OWASP Portland podcast.

Agent of Influence Episode 23 with David Quisenberry

[post_title] => Q&A: David Quisenberry Discusses Cybersecurity Careers, Collaboration, Mentorship, and OWASP Portland [post_excerpt] => Read cybersecurity career and leadership advice from David Quisenberry, OWASP Portland President. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => david-quisenberry-cybersecurity-careers-mentorship-owasp-portland [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:48 [post_modified_gmt] => 2022-12-16 16:51:48 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26557 [menu_order] => 358 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [35] => WP_Post Object ( [ID] => 26525 [post_author] => 53 [post_date] => 2021-10-08 15:09:54 [post_date_gmt] => 2021-10-08 20:09:54 [post_content] =>
Watch Now

Overview 

Supply chain security, vendor risk management, third-party security. Each of these synonymous cybersecurity terms has become widely used, thanks to the increase in the exploitation of threat vectors from outside of an organization. 

So, what can software vendors and third-party technology partners do to ensure they don’t become the weak link in the supply chain? 

In this webinar you’ll get two different viewpoints on supply chain security from two NetSPI team members, Field CISO, Nabil Hannan, who will explore the topic from the software development perspective, and Managing Director, Chad Peterson, who will approach it from a business risk perspective. 

  • Their differing views on supply chain security  
  • The anatomy of a supply chain attack  
  • Considerations and best practices for securing the supply chain   
  • How vendors can get proactive to show potential partners that they are NOT the weakest link  
  • The future of supply chain security 

Key highlights: 

Defining the supply chain 

When it comes to supply chain security, it’s important to look at it from two sides – business risk and insider threat.

Business risk includes: 

  • Critical assets and intellectual property 
  • Internal risk programs 
  • Business partners  

Insider threat includes:

  • Internal software development 
  • Unique capabilities of the adversary  

Supply chain and risk 

From a business risk perspective, the supply chain landscape has changed substantially over the years. 

Here are some of the key motivators of change:

  • Perimeter transparency: Today’s environments extend well beyond the traditional brick and mortar business, with cloud and software as a service and remote work now being the norm.  
  • Reliance on business partners: Organizations today are relying on partners to support essential pieces of their business, including business processes, infrastructure, and application development.  
  • Increased attack surface: Outsourcing and the transparency of the perimeter have resulted in a loss of control for internal security teams. Additionally, external and internal environments have become blurred and there’s now an increased emphasis on privileged access.  

As a result of this changing landscape, the anatomy of attacks has evolved for many organizations.  

Some of the ways in which attacks are changing include:

  • Island hopping: Because companies are doing a better job of protecting their own environments, attacks are no longer exclusively focused directly at the organization, but rather within the supply chain. Emerging attack methods include network-based, reverse email, and watering hole attacks.  
  • External motivations: Organizations are increasingly outsourcing their software development for cost savings and to have additional resources to expedite and accelerate software development. To support this, more software developers are being hired from outside the U.S., which can pose challenges with managing insider threats in the supply chain. 
  • Internal motivations: It can be challenging for organizations to know for certain that when they hire developers, they’re not malicious and that they’ll truly perform the work they’ve been hired to do. Another related concern is when U.S.-based employees outsource their own software development jobs to developers in China or elsewhere, which can give individuals outside the company access to an organization’s code or other sensitive data. Many organizations don’t have a full picture of what’s happening within their company, which can pose supply chain security risks in the long run.  

Traditional malware vs. malicious code 

A key piece of effective supply chain security is understanding the differences between traditional malware and malicious code.

  • Traditional malware is installed on systems from external sources, usually downloaded through different attack vectors like phishing, and is a result of outside attackers trying to compromise systems at a larger scale, such as sending a phishing email to thousands of people at once, hoping at least someone will click on it.  
  • Malicious code is code is much more targeted and inserted into software that’s built internally, usually inserted by an internal employee, and looks and feels like regular, non-malicious code. Internal adversaries include different types of employees, such as software developers, administrators or operations team members, and change management team members, all of whom have access to internal systems.  

Proactive supply chain security measures  

While the supply chain threats that businesses face today are significant, there are some proactive measures organizations can put in place to ensure supply chain security is effective.

Consider the following proactive measures at your organization: 

  • Security awareness training: Ensure you’re training your staff on security best practices to follow. Have a process in place for the training to be provided to all new employees, as well as an annual refresher training with all employees. 
  • Policy and standards adherence: Implement organizational policies and standards that are a reflection not only of best practices, but are followed and in line with business processes.  
  • Vendor management: Assess all new vendors using a risk-based vendor management program. The program should also address retesting vendors in accordance with their identified risk level.    

The three proactive measures outlined above are some of the foundational steps your organization can take to elevate your supply chain security. Some of the other critical components to consider bringing in to improve supply chain security include attack surface management, penetration testing, and red team exercises.  

What’s next in supply chain security?  

When it comes to internal software development and associated risks from a supply chain perspective, the next steps to take after identifying malicious risk are not as simple as some may think. The reason it’s not straightforward is because the typical vulnerability escalation process now includes the adversary, because internal resources are seen as potential threats. As a result, “just fix the vulnerability” isn’t a viable mitigation strategy and organizations need to instead define governance the process and controls around managing malicious code.  

Malicious code risk mitigation steps can range from rather benign to very serious and may include: 

  1. Suspicious, but not malicious 
  2. Circle of trust invitation 
  3. Passive monitoring 
  4. Active suppression 
  5. Executive-level event 

NetSPI’s supply chain security capabilities  

Leading businesses trust NetSPI for continuous threat and exposure management, leveraging our team, technology, and comprehensive methodology to detect and remediate vulnerabilities.

Learn more about how our Attack Surface Management, penetration testing, and red team testing capabilities can help identify where security gaps exist in your software supply chain. Connect with an expert team member by scheduling a demo today.

[wonderplugin_video iframe="https://youtu.be/xBYMzqZd4eA" lightbox=0 lightboxsize=1 lightboxwidth=1200 lightboxheight=674.999999999999916 autoopen=0 autoopendelay=0 autoclose=0 lightboxtitle="" lightboxgroup="" lightboxshownavigation=0 showimage="" lightboxoptions="" videowidth=1200 videoheight=674.999999999999916 keepaspectratio=1 autoplay=0 loop=0 videocss="position:relative;display:block;background-color:#000;overflow:hidden;max-width:100%;margin:0 auto;" playbutton="https://www.netspi.com/wp-content/plugins/wonderplugin-video-embed/engine/playvideo-64-64-0.png"]

[post_title] => How NOT to be the Weakest Link in the Supply Chain [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => how-not-to-be-the-weakest-link-in-the-supply-chain [to_ping] => [pinged] => [post_modified] => 2023-09-01 07:05:14 [post_modified_gmt] => 2023-09-01 12:05:14 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?post_type=webinars&p=26525 [menu_order] => 52 [post_type] => webinars [post_mime_type] => [comment_count] => 0 [filter] => raw ) [36] => WP_Post Object ( [ID] => 26522 [post_author] => 65 [post_date] => 2021-10-04 14:11:00 [post_date_gmt] => 2021-10-04 19:11:00 [post_content] =>

On October 4, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:

Software and applications are present in everything from consumer goods to medical devices to submarines. Many organizations are evaluating their application security, or AppSec, to ensure their strategies are mature and not vulnerable to cyber attacks.

According to Forrester Research, applications remain a top cause of external breaches. The prevalence of open source, APIs and containers only adds to the complexity of the problem.

Most organizations struggle to understand how to approach AppSec program maturity. Given many organizations have switched from Waterfall to Agile in their software development lifecycle (SDLC), practitioners are asking, "How do we continue to evolve our AppSec programs?"

Roadmaps can help navigate these issues. Organizations looking to develop mature programs need to be mindful of inherent team biases. For example, if the AppSec team comes from a pen testing background, the program may lean toward a bias. If the team is experienced in code review, then bias may shine through, too. While both disciplines are important and should be a part of an AppSec program, the experiences may cause bias when a more objective approach is needed.

Many mature AppSec frameworks exist, but a one-size-fits-all approach is not going to work. Every organization has unique needs and objectives around thresholds, risk appetite and budgets. This is largely why prescriptive frameworks, such as Microsoft Security Development Lifecycle, Software Security Touchpoints or Open Software Assurance Maturity Model, are not the answer. It's best to tailor roadmaps on the specific needs and objectives of a particular organization.

5 principles for implementing an AppSec program

These five tenets can serve as a guide for implementing a mature AppSec program.

  1. Make sure people and culture drive success
  2. Insist on governance in the SDLC
  3. Strive for frictionless processes
  4. Employ risk-based pen testing
  5. Determine when to use automation in vulnerability discovery

Read Nabil's 5 principles for AppSec program maturity on TechTarget's SearchSecurity: https://searchsecurity.techtarget.com/post/5-principles-for-AppSec-program-maturity

[post_title] => TechTarget: 5 principles for AppSec program maturity [post_excerpt] => Applications remain a top cause of external data breaches. Follow these five principles to achieve application security program maturity. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-5-principles-for-appsec-program-maturity [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:50 [post_modified_gmt] => 2022-12-16 16:51:50 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26522 [menu_order] => 363 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [37] => WP_Post Object ( [ID] => 26519 [post_author] => 65 [post_date] => 2021-10-04 05:00:00 [post_date_gmt] => 2021-10-04 10:00:00 [post_content] =>

NetSPI Managing Director Nabil Hannan sat down with BBC World News anchor Lewis Vaughan Jones on October 4, 2021 to talk about a global social media outage. Nabil discusses the current state of the world's software ecosystem, what it means for modern businesses, and the potential of a passwordless world.

Watch the clip below:

https://youtu.be/iOU0wLDt444
[post_title] => NetSPI Software Security Expert Nabil Hannan Featured on BBC World News [post_excerpt] => NetSPI Managing Director Nabil Hannan sat down with BBC World News anchor Lewis Vaughan Jones on October 4, 2021 to talk about a global social media outage. Nabil discusses the current state of the world's software ecosystem, what it means for modern businesses, and the potential of a passwordless world. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => bbc-world-news-global-social-media-outage [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:50 [post_modified_gmt] => 2022-12-16 16:51:50 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26519 [menu_order] => 362 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [38] => WP_Post Object ( [ID] => 26360 [post_author] => 65 [post_date] => 2021-09-07 07:00:00 [post_date_gmt] => 2021-09-07 12:00:00 [post_content] =>

Building an application security (AppSec) program that stays current is no easy feat. Add to that the ubiquity of software and applications in everything from consumer goods to medical devices to submarines.There is an increasingly urgent need for organizations to take another look at their AppSec strategies to ensure they are not left vulnerable to cyberattacks and continuously measure and improve their program maturity.

Heads up: Building a world-class, mature AppSec security program is something that needs to be accomplished in phases. It will not happen overnight. A great deal of foundational work needs to be in place before an organization can achieve positive results. 

When analyzing AppSec programs, we often find a number of sizable gaps in how vulnerabilities are managed as well as opportunities for improvement, especially related to security processes around the software development lifecycle (SDLC). Addressing these issues and harmonizing the various security processes will help give organizations the capability and vision to identify, track, and remediate vulnerabilities more efficiently, eventually elevating the organization to the level of maturity it seeks.

Following is a checklist to help organizations think through the issues around AppSec maturity to build a program that produces valuable security results.

  Ensure Your Security Practices are Current

Given how rapidly application development techniques and methodologies are transforming – and the rate at which software is developed today – companies need to ensure that their security practices are staying current with the ever-changing pressures around compliance/governance, software deployment, DevOps, SDLC, and training. Understanding the current level of maturity and developing a data-driven plan to evolve your AppSec program is key to the success of an organization’s security efforts.

  Leverage Real World Data to Benchmark Your AppSec Program

Put a stake in the ground and objectively determine the status of your AppSec program. Comparing your organization’s program with real world data across multiple business verticals will help augment your efforts and determine areas that require focus. Base your security decision on your specific business needs andlessons learned from other mature programs in your industry.

  Put Roadmaps in Place to Prioritize and Allocate Resources

The AppSec and software engineering teams within an organization should constantly partner to evolve and improve the AppSec posture for all software assets. This collaboration will help determine how to improve upon current efforts while uncovering additional activities that should be adopted to meet business goals. Putting in place a formalized roadmap for this collaboration allows an organization to better prioritize its business initiatives, budgets, and resource allocation while reducing the overall AppSec risk faced by the organization.

Roadmap stipulation: Use caution and watch for bias. Organizations that are serious about developing a mature program need to be mindful that there may be inherent team biases based on familiarity. For example, if the AppSec team comes from a penetration testing background, the program may lean toward a pentesting bias. Is the team’s experience in code review? Then that bias may shine through. While both disciplines are important and should be a part of an AppSec program, my point is that there may be bias when a more objective approach is needed. 

Also understand that there are many frameworks to mature application security. A one-size-fits-all approach is not going to work because every organization has unique needs and objectives around thresholds, risk appetite, and budget availability. 

  Insist on Governance in the SDLC

Setting up governance within the SDLC is critical. Why? If security teams don’t define what they are trying to accomplish or what security looks like within the SDLC process, it leaves too much ambiguity for who is accountable. Creating governance around SDLC will also help define where an organization needs to build in testing, both manual and automated, from a vulnerability discovery perspective.

  Track Your Progress; Benchmark Your Efforts Against Your Peers

Benchmarking your AppSec program by leveraging industry standard frameworks allows you to measure AppSec program maturity consistently and objectively, and make informed decisions based on your business objectives.

Benchmarking scorecards, supported with visuals, enable high-bandwidth conversations with your organization’s leadership team and provides an opportunity to showcase the positive influence that your AppSec program is having on the organization’s business goals. Additionally, you can leverage data from your benchmarking efforts to compare your efforts to others within your peer vertical group, and other business verticals that are also leveraging the same industry standard AppSec framework. 

  Employ Risk-Based Application Penetration Testing

When looking to mature an AppSec program, organizations should view application penetration testing as a gate validating that everything implemented in the SDLC is working, not just a discovery of vulnerabilities. Pentesting services should be the method used to determine the effectiveness of your secure SDLC and all the automated and manual processes implemented. Oftentimes, organizations will approach this concept in the reverse by starting with penetration testing

Additionally, having a dynamic pentesting platform that offers data points and risk scores aids in objectively identifying where AppSec is immature and what needs to be prioritized to remediate vulnerabilities that present the greatest risk.  

  Determine When to Use Automation in Vulnerability Discovery

To build an optimum, mature AppSec program, it is important to determine when it is best to use automation in vulnerability discovery and when to employ manual penetration testing. In short, an effective AppSec program includes the ability to manage and employ threat modelingmanual penetration testing, and secure code review, augmented with automated vulnerability discovery tools that are deployed at various phases of the SDLC process. 

For example, automatic testing like dynamic scanning, static analysis, and interactive security testing may be sufficient day to day, but manual penetration testing is warranted when significant architectural changes or technology upgrades to software systems are made. Finding balance in vulnerability discovery is important. It isn’t an either/or.

Vulnerabilities found in production cost roughly $7,600 to fix – 9,500% more than the $80 it would cost to fix those same vulnerabilities when they are detected early in the development process.

– WhiteSource reporting on a joint study by IBM and Ponemon Institute

  Insist on Metrics for Proper Data and Analysis

Consistent, timely, and accurate DevSecOps data measurements are important feedback for any organization to capture and analyze as it looks to govern development operations. Quality metrics (numbers with analysis and meaning in context) can ensure visibility, accountability, and management of software security initiatives. Proper application security program metrics allow you to articulate the AppSec program’s value to your organization’s leadership. The benefit? Being able to properly evangelize the value of your AppSec effortsmakes it easier to procure funding and improve the security risk posture of your organization. Additionally, understanding the data at hand to be able to answer contextualized business questions allow for better strategic decision making.

  Maturity Attained: Be an Ambassador

What does an organization do once it determines its AppSec program is mature? First, decide if a mature program is a long-term goal. Obviously, security always needs to be a priority, but ongoing maturity programming can be expensive and time consuming. Secondly, there will undoubtedly always be areas that require more attention. While addressing them, I encourage organizations to share their program successes with the broader market. Become a leader and use AppSec maturity as a differentiator that can drive customer and team member goodwill, brand differentiation, and market leadership.

[post_title] => A Checklist for Application Security Program Maturity [post_excerpt] => [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => checklist-application-security-program-maturity [to_ping] => [pinged] => [post_modified] => 2023-04-07 09:19:32 [post_modified_gmt] => 2023-04-07 14:19:32 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26360 [menu_order] => 368 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [39] => WP_Post Object ( [ID] => 26333 [post_author] => 65 [post_date] => 2021-08-31 07:00:00 [post_date_gmt] => 2021-08-31 12:00:00 [post_content] =>

When the term “reality check” is used, it’s intended to get someone to recognize the truth about a situation. In a fast-moving industry like cybersecurity, reality checks from its leaders are necessary. Thinking pragmatically about the solutions to our biggest challenges helps drive the industry forward. 

I recently sat down with Splunk global advisory CISO Doug Brush on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. During our conversation he shared three major cybersecurity reality checks: 

  • Most tools out there are going to be part of the picture, but they're not going to solve everything. The slow progression of incident response today is not a technology problem.
  • Chinese-based organizations, such as DJI Drones and TikTok, have much in common with the Bay Area tech community. We have a lot to learn from them.
  • A top-down mentality must be applied to mental health in cybersecurity. Prioritizing mental health should be adopted at the C-Suite level.

Read on for highlights from our conversation around the evolution of incident response, security practices at Chinese-based organizations, mental health in cybersecurity, and more. You can listen to the full episode online here, or wherever you listen to podcasts.

Nabil: You've done many different incident response investigations. How that has that evolved over time – or over the course of your career?

Doug: I wish incident response has evolved more. I would say it's a slow evolution. Early on, it was very manual process to parse things. Say if you're doing dead box forensics, or even memory forensics to a large degree, there weren’t tools that could automate some of those processes. 

By no means is a tool an answer to all problems, but it's going to help build efficiencies if you understand the process. We had to deconstruct things in hex editors, it was a very manual process and took a very, very long time. Now, you can script automate a lot of those and these tools can build databases – so that’s gotten better.

When I see things like the SolarWinds incident, we focus on the TTPs around how somebody gets in. And once they get in, they move laterally, privilege escalation, build backdoors, get domain, get other accounts, and build this persistence mechanism. We've been tracking this since 2006/2007. There's nothing new about it. And that's the frustrating part to me. While we think some of the technologies evolved to allow us to be more efficient, some of the root things that we should be looking for, we are not. I think there needs to be a greater focus on detection and response and building our response capabilities, as opposed to an afterthought past defense.

Nabil: Is there a reason why that hasn't happened yet, or why it's taking so long?

Doug: It's hard. And it's not a technology problem. I work for a technology vendor, I would like to say. “we're the best in the world and we can stop everything, detect anything,” but that's not the reality. Most of the tools out there are going to be part of the picture, but they're not going to solve everything. 

When you look at the entire security operations, it's going to be people, process, then technology. Technology is only a small percentage, it's not your entire program. We get really excited about cool, new shiny objects. We all go to Black Hat and RSA, and we all pat ourselves on the back that all these new things are coming out. The reality is that we're solving the same problems we saw 30 years ago. We don't have good asset inventory. We don't have visibility of our environments.

Nabil: Let's shift gears to talk about a topic that I quite enjoy. I would love to learn about your work with various Chinese based organizations – DJI Drones and TikTok. In particular, what do you think about the privacy and security concerns that people bring up about using their technology?

Doug: It gets overly politicized at times. Inevitably, the Chinese government has their agenda, and I would add the blanket statement that there are also a lot of Chinese companies that don't necessarily align with how the Chinese government operates. Some of these companies I've talked to have said, “You folks in the U.S. think we're the enemy and think we're stealing all this data. But we're just a startup.”

The thing that surprised me most in Shenzhen was that the tech center reminded me of the Bay Area. It was very westernized and had a startup vibe with many young professionals. That's the fallacy that we have: they’re against us. We don’t realize how much we have in common. They have a distrust of their government, just as we have a distrust of our own government. They have a mentality of “trust but verify” more than we appreciate. They have some built out documented and thoughtful programs when it comes to governance and organization.

In reality these companies are trying to create cool products just as we are. The reason DJI Drones became so popular is because they work really well. They built a vertically integrated manufacturing process where they weren’t using third parties – they had control over their supply chain. They manage third party risk well in advance. There are a lot of things that these organizations do that allow them to be competitive in the capitalistic and development space that we need to learn from. 

We have to change this mindset that, because you’re in a specific country, you have to share the viewpoints of whatever the loudest political party is at that time. We need to try to look at things in a more pragmatic and realistic way.

Nabil: You're a big advocate for mental health. It's a huge issue and an area of focus today in the security industry, especially due to things like staffing shortages and burnout. What advice do you have for security leaders when addressing mental health?

Doug: Yeah, it's a tough one, there's no doubt about it. The last few years have been particularly tough, but it’s an issue that's been coming up for a long time that we don't talk about enough. First of all, we need to have honest and frank discussions about it. There was a nominated study in 2019 that looked at global cybersecurity professionals. 91% of the CISOs surveyed said that their stress levels were suffering and 60% felt really disconnected from their work role. In the U.S., almost 90% of CISOs have never taken a two-week break from their job. And a lot of them feel that a breach is inevitable in their environment. 

We talk about top-down security and top-down leadership, which should go for mental health too. It has to be something that is adopted at the board and C-Suite level. Leaders should recognize that they’re only as good as the people that are working for them… when they're at their best. Humans aren’t batteries, you can't just revolve through them. The cost of acquiring the good cybersecurity professional right now is very high and CISOs are even harder to find and you don't want to be churning through these people. Continuously hiring people, training them, and getting them onboarded, increases the cost and reduces efficiencies. We need to change this idea of how we hire. 

I would say it's changed since I started in consulting. It was very easy to continue this idea that you had to work 80-90 hours a week. More of the folks that I've hired in the past decade or so have focused on balancing mental health. We shouldn’t expect someone to work overtime each week if we want the best from them. Happier staff results in better work, more efficiencies, higher employee retention – which, in turn, results in happier customers and more top line revenue.

When people feel the best, they perform at their best. This idea that it's mental health versus business is a zero-sum game. If we construct that from the leadership level down and appreciate the fact that you can do more to retain your employees by giving them a better self-care environment, they're going to be better employees for you. Investing in employee health, mental health, and wellbeing is non-negotiable. 

Nabil: Can you also share a little bit about the neurodiversity initiatives you're supporting at Splunk?

Doug: The mental health aspect is just one part of the neurodiversity journey. When we talk about diversity in the workplace it should also include neurological differences like autism, ADHD, mood, and other functions. These have historically been viewed with a negative perception, but they’re just natural variation in the human genome. These folks have exceptional abilities alongside what is traditionally been viewed as a “disability.” Recognizing that it’s not something that needs to be fixed is a shift that needs to be adopted and supported. 

Instead of saying, “thou shalt think like we do,” it's this idea that a diverse mental environment is going to give you more candidates, and probably a better output. When I've had a diverse staff and we all get in the room, I don't get affinity bias. My greatest fear is that I'm going to build my own echo chamber of people telling me what I want to hear. We need diversity in thought to increase better output for our customers. You’ll find that you get a better outcome overall when you bring a lot of different people to the table.

For more, listen to episode 33 of Agent of Influence. Or, connect with Doug on LinkedInTwitter, or listen to his podcast, Cyber Security Interviews.

Listen Now to Episode 33 of Agent of Influence with Doug Brush - The Evolution of Incident Response, Lessons Learned from Chinese-Based Tech Companies, Mental Health, and More
[post_title] => Q&A: Doug Brush Talks Incident Response, DJI Drones, and Mental Health in Cybersecurity [post_excerpt] => Read highlights from our Agent of Influence podcast episode with security leader Doug Brush. He discusses incident response, DJI Drones, Mental Health, and more. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => doug-brush-incident-response-dji-drones-mental-health-cybersecurity [to_ping] => [pinged] => [post_modified] => 2022-12-16 10:51:53 [post_modified_gmt] => 2022-12-16 16:51:53 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=26333 [menu_order] => 369 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [40] => WP_Post Object ( [ID] => 25984 [post_author] => 65 [post_date] => 2021-07-20 07:00:00 [post_date_gmt] => 2021-07-20 12:00:00 [post_content] =>

Cybersecurity leaders hold one of the most difficult positions today, as they’re often tasked with protecting an entire organization from sophisticated threats with limited resources. I recently sat down with founding partner and CTO at Security Curve Diana Kelley on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management, to discuss key challenges and opportunities security leaders face today. Read on for highlights from our conversation around communicating cybersecurity ROI, building an application security program, inclusivity in the cybersecurity industry, and more. 

Nabil: Connecting and conveying a particular message to the C-suite is a common challenge across the security industry. What has worked well for you when communicating ROI or asking for budget from leadership? 

Diana: Cybersecurity ROI can be tough to communicate. First, remember, if you're going to the executives or presenting to the C-suite, you have to look at the world through their lens. We tend to, as technical people, look at it through our lens – which is okay for our understanding, but it is the fiduciary responsibility of the stakeholders of the company to make it profitable. It is important to always think about that, think about how security translates to profitability. Do not go into a leadership or board meeting with technical detail, go in there with “this is what it means” or “this is how it impacts our bottom line.” 

Second, do not dismiss the fact that their lens is different, as if it is somehow denigrated. The craziest thing I’ve experienced was a technical person in front of a board of directors say, “I'm the risk expert here.” They may have been the technical risk expert, but they didn't understand that the job of the board is risk assessment. It's a different lens of risk assessment, focused on business and profit, but it's still risk. 

People always say to speak in the language of business. The way to do this in practice is to remember their lens of profitability, remember that risk is about business risk, and then tie your technical risk in a business way that isn't deeply technical, but is very strong and powerful. You can also share examples, such as, “Did a similar customer lose money due to a competitor having the same problem?” or “Is there new legislation coming down the pipeline that's going to change our implementation and strategy?”

Finally, do not forget to engage leadership in the decision-making process. You want to avoid being demanding, which often happens after a breach or audit. Early on, engage with leadership and communicate the security issues, what it could mean to your profitability, and explain how the security team can help improve or protect the business in the future. Most importantly, ask if they agree that the investment is a good way to spend the organization’s money and ensure you have a consensus. 

Nabil: Let's talk about application security. What insight would you give people as they try to decide what frameworks they should use and how to navigate the different options out there?

Diana: Organizations must get an application security program in place – a secure software development lifecycle (SSDLC). This is the most critical part. As far as frameworks go, BSIMM is a good option to understand what other companies that look like you are doing in terms of application security. It allows organizations to have a maturity model to build towards. 

Have a framework in place to start implementing an application security program, create standards for your developers, and start application security testing early on. Identify your application security requirements and understand the threat model so that you can start to build and think about the test harness as soon as possible. It's more important to start implementing rather than focusing on which framework you choose.

It concerns me that now we're getting into this big shift in the enterprise where we're no longer writing code from the ground up, we're doing a lot of low-code no-code. This is fantastic in terms of what we're able to build and how quickly we're able to build it. But companies that are now creating low-code no-code solutions are using a lot of functions and libraries and they are not thinking about it as custom-built code. 

I've heard many times, “we don't actually build any applications.” Then, you start talking to the company and you find out that they have many scripts that are pulling in functions from the cloud, they're using cool tools like Zappy or Airtable, but they're giving access into parts of their data sets, and they don't realize those scripts are code. I'm hopeful that companies don’t solely have an application security program in place, but also an understanding that they need to extend this program to the low-code no-code serverless world that we are moving towards.

Nabil: A lot of the work that you do is focused on inclusivity in the security industry. What advice do you have for security leaders looking for new talent?

Diana: With Women in Cybersecurity (WiCyS) specifically, we’re very focused on bringing women into cybersecurity, but there are many different non-profits out there that are looking at cohorts and sectors that have not been involved in cybersecurity in the past. I think security leaders could benefit from getting involved with these organizations to look for internships for externships.

It's very common for leaders to say, we can't find any diverse talent and we had to hire somebody who looks like everybody else because there were no other candidates. Often, it's not that you didn't look far enough or hard enough. And that may be because they're not in your network. If your network doesn't extend out broadly to different groups of people, then work to expand it. 

Be open to people that may not have college degrees, as every job in cybersecurity doesn't necessarily need a four-year liberal arts degree. Maybe there is somebody who has recently graduated from high school that's completed the right training. Rethink what you know, how you're hiring, who you're hiring, open that aperture wider, and work with those communities that are encouraging inclusivity. 

Another tip is to think critically about how you’re writing job descriptions. There is research that shows that women will not apply for a job unless they match about 90% of the criteria or higher, whereas men will apply if they only match 50%. If you write a job description that includes every experience and skill under the sun because you want to get great resumes, what you’re actually doing is turning off the candidates who are reading that job description and believe that, if they don't have 90 percent or 100 percent of the criteria, they're not going to be eligible for the job. Rethink your job descriptions: do not gender the job descriptions and make sure that they're not overstuffed. Write it for what are you looking for and focus on what is important. You’ll be surprised at the resumes it brings in.

Listen to Agent of Influence Episode 30 featuring Diana Kelley
[post_title] => Q&A: Diana Kelley Discusses ROI, Application Security, and Inclusivity [post_excerpt] => Read this blog to learn security expert Diana Kelley’s insights on communicating cybersecurity ROI, how to build an appsec program, and hiring for inclusivity. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => diana-kelley-roi-application-security-inclusivity [to_ping] => [pinged] => [post_modified] => 2024-03-29 14:41:39 [post_modified_gmt] => 2024-03-29 19:41:39 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25984 [menu_order] => 382 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [41] => WP_Post Object ( [ID] => 25942 [post_author] => 65 [post_date] => 2021-07-16 17:06:17 [post_date_gmt] => 2021-07-16 22:06:17 [post_content] =>

On July 16, 2021, NetSPI Managing Director Nabil Hannan was featured as a guest contributor for TechTarget:

At the end of the day, for those of us on DevSecOps teams, it is all about managing risk, even in the highly regulated healthcare industry. Compliance around medical records and privacy concerns is a driver, so development and security professionals must take aggressive steps to prioritize risk management as the healthcare industry continues to be a frequent target of bad actors. According to Gartner, the worldwide end-user spending on public cloud services is forecasted to grow 18.4% in 2021 to a total of $304.9 billion, up from $275.5 billion in 2020. "The pandemic validated the cloud's value proposition," Gartner Research Vice President Sid Nag said.

The monetary loss from cybercrime goes beyond just affecting healthcare with an estimated $945 billion cost in 2020, according to McAfee. For those working in the healthcare industry, realize that a 2020 breach analysis report by IBM and Ponemon Institute found that healthcare breaches were the costliest. In other words, not managing risk is expensive.

Gartner also reported COVID-19 forced organizations to preserve cash and optimize IT costs, support and secure a remote workforce, and ensure resiliency. And the cloud became a convenient means to address all three. If this scenario sounds familiar to your organization, the following are four insights to consider that will help to protect data in the cloud.

Read Nabil's 4 tips for secure cloud migration on TechTarget's SearchSecurity: https://searchsecurity.techtarget.com/post/4-healthcare-risk-management-tips-for-secure-cloud-migration

[post_title] => Tips for a secure cloud migration for Healthcare [post_excerpt] => From improving the security posture and updating threat modeling to securing cloud data, learn about four risk management tips for healthcare organizations migrating to cloud. [post_status] => publish [comment_status] => closed [ping_status] => closed [post_password] => [post_name] => techtarget-4-healthcare-risk-management-tips-for-secure-cloud-migration [to_ping] => [pinged] => [post_modified] => 2023-08-22 09:16:41 [post_modified_gmt] => 2023-08-22 14:16:41 [post_content_filtered] => [post_parent] => 0 [guid] => https://www.netspi.com/?p=25942 [menu_order] => 383 [post_type] => post [post_mime_type] => [comment_count] => 0 [filter] => raw ) [42] => WP_Post Object ( [ID] => 25569 [post_author] => 65 [post_date] => 2021-06-15 07:00:00 [post_date_gmt] => 2021-06-15 07:00:00 [post_content] =>

It is amazing how much the cybersecurity industry has grown and evolved over the years. If you just look back even just a couple of years, the strategic conversations we were having have certainly changed. The space is evolving, and each of us in the industry are having to evolve with it to stay current. One area that has evolved greatly over time is risk management, specifically the role of the Chief Risk Officer.

To dig deeper on its evolution, I sat down with CEO and founder of Risk Neutral Jeff Sauntry on the Agent of Influence podcast, a series of interviews with industry leaders and security gurus where we share best practices and trends in the world of cybersecurity and vulnerability management. Read on for highlights from our conversation around risk management, the role of the Chief Risk Officer, and more.

Nabil: Let's start by talking about risk management. How did you make that transition from cybersecurity to risk management?

Jeff: For me, it was a natural evolution to upskill my vocabulary as I started interacting with more senior business leaders and board members. When the board members and the C-suite have normal discussions, they're still discussing challenges and opportunities, but they're speaking in terms of risk, cost, and outcomes. In cybersecurity, we're often discussing threats and consequences. Something was getting lost in translation, so I decided to build on my strong technical and cybersecurity background and dig into risk management and the ability to become a more effective communicator.

Nabil: What would you say are some of the key characteristics that make someone great at risk management?

Jeff: My whole career had risk management components to it, but I did not yet understand risk as an empirical domain. That’s one of the reasons I chose to make this pivot. I also made the investment of time and resources to go to Carnegie Mellon and get my Chief Risk Officer certification. What was great about that is I went from being very myopic, maybe talking about technology, operational, or compliance risk, and then opening my eyes to the fact that there are five major risk categories that every business has to worry about: Strategic risk – which is by far the most important if you don't get that one right, nothing else matters – then operational, finance, compliance, and then reputational risk comes into play if any of the first four fail.

Nabil: Tell me more about your experience at Carnegie Mellon.

Jeff: Most of us in cybersecurity are very familiar with some of the great work Carnegie Mellon has done with the maturity model of Capability Maturity Model Integration (CMMI), the insider threat program, and they have been a great partner with the government in terms of coming up with funded cybersecurity programs. I was familiar with the quality of the Carnegie Mellon products and insights, and when I read the curriculum, I thought to myself, “this is going to be really awesome.” One thing I wanted to avoid was that I didn't want the course to be comprised of completely fintech leaders. For a lot of people fintech and financial services firms lead the way in terms of Chief Risk Officers and managing risk from a quantifiable perspective. But I knew the risk domain was much bigger and I wanted to be a well-rounded risk professional. Having a very broad group of peers in my cohort really helped me as well as the caliber of instructors that they brought in that could talk about the different ways to look at risk. I feel that I can now talk about enterprise risk management programs and not have such a myopic view around cybersecurity-, technology-, or compliance-related risk.

Nabil: Do you think the way organizations approach cybersecurity risk today needs to evolve?

Jeff: One hundred percent! It's one of those things that you're embarrassed about because you've been part of the problem for so long. We have to take a hard look in the mirror. I've looked back at some of the conversations I’ve had and they're almost cringeworthy. Given the knowledge I have gained in the last two years about risk management, I wish I could go back and redo conversations with certain clients. 

Nabil: From your experience, how has the role of the Chief Risk Officer evolved?

Jeff: A big part of this evolution is the cybersecurity profession. In general, cybersecurity is very focused on technical skills. That's naturally how a lot of us come up through our profession and education. But, it's even more important to understand that if you can't explain the outcome of your results or your findings, it's not going to resonate with clients. It's as if you never did a security engagement if you can't get the message or the impact across. That's where I think the risk management professional is evolving. Improving soft skills that so that cybersecurity risk can have a seat at the table rather than someone coming in to tell them that the sky is falling. The Chief Risk Officer has to be a true peer to the rest of the C-suite, they should even have a solid line into the board of directors. Most companies should think about having a dedicated Risk Management Committee at the management level that's complemented by one at the board level so that risk gets the right amount of time and attention. Then, you’ll have people with the right skill set in the room having the right discussions. 

One of the important things that came out the financial services industry is that they found if you embed risk managers structurally within each business unit there to please their boss and rubber stamp high risk decisions, it can end badly. This is part of what got us into the problem of the big financial meltdown in 2008/2009. It should have been a canary in the coal mine moment for risk management as a profession to say, “you have to be very careful about allowing the Chief Risk Officer to operate independently.” They need the right reporting structures and shouldn’t be allowed to be fired on a whim because they raised their hand and said, “I think this is a little too risky for us.” So, I think the evolution of the chief risk officer is at a very exciting point in time right now.

Nabil: Let's talk a little bit about your advisory board work. Do you have any advice for others who are looking to work in that capacity?

Jeff: You need to be very pragmatic, just like you would plan your secondary education and your master's degree in your career. From a board journey perspective, it's very much the same thing. You should start with an organization that you’re passionate about in order to understand: What are the procedures? What are the roles that are played? What are the different committees? Then, as you decide that you want to pursue service on a private board or a public board, think about the additional skill sets that you may need related to your fiduciary responsibilities and insurance and what are some of the personal and professional liabilities. Set a game plan for yourself, make some investments of time and money, and really figure out what it takes to be a board professional. I think it's very worthwhile. People with a strong technical and cybersecurity background definitely have something to contribute to advisory boards from a cognitive diversity perspective as organizations face digital transformations and threats from a wider range of actors each year.

Nabil: You are a scuba instructor and a captain of the US Merchant Marines. What parallels do you draw between being a scuba instructor or captain and risk management?

Jeff: All of us have something to learn from an environmental, social, and governance perspective. One of the reasons I'm a merchant marine captain is that people covet what they know. I thought it was extremely important to get people under the water and really understand things like what plastics are doing to our oceans to understand that, yes, the stuff you throw out your car actually does make it into environments that we care about.

Everything related to instructing scuba is about risk management. The standards they have for teaching, how many students you can have per instructor, the burden being on the instructor to determine whether it's safe to do certain things, the insurance I have to carry – all that stuff is designed to minimize risk to the students and staff. It's incredible how they handle violations of policy. There's a professional journal and if somebody does something wrong, they put it out there for everyone to learn from. 

The reality is when you take those people out onto the ocean and you're responsible for them, you need to bring them back healthy and safe. This comes down to a couple thing: What experiences do I bring to those situations based on the training I've had on the water? What is the quality of the vessel and the equipment that I'm relying on to help me deal with those situations? How prepared am I for this situation? And those are the three things as a captain that you can control.  

Those core concepts resonate wi