Challenges In Compliance And Security

I recently had the honor of giving the second-day keynote at the 2017 BSides San Francisco conference. The focus of my talk was on the multi-faceted relationships between regulatory and organizational compliance and information security. In many cases I've been a part of, the relationship is somewhat adversarial despite its original intention: compliance acting as a framework or tool for organizations to achieve a quantifiable measure of security posture.…

A Modern Day Take On The Trojan Horse

I'm going to use this post to elaborate on one particularly fun composite attack scenario that I helped put together a while back. This story involves a client working with some sensitive government agencies, a few different technical attack scenarios, and, as the title suggests... a modern-day version of the original Trojan horse (quite literally). The client who hired our red team was concerned with two distinct threat actors…

Reflections on Organizational Change from Psychological Operations and Guerilla Warfare

I recently finished reading the CIA Manual for Psychological Operations in Guerilla Warfare and thought there were some interesting parallels to driving political/organizational change in business. I want to capture those thoughts here along with my general thoughts about the book.

Overview

The book starts by defining what guerilla warfare and psychological operations are through the lens of the CIA/OSS, basically a political weapon to drive and control…

Role-Based Social Engineering And Why It Matters

Social engineering is an effective tool in any penetration tester's utility belt; it almost always provides a way into an organization... that first essential foothold. For those providing social engineering testing services, though, providing and proving value can be a little tricky. Social engineering as a testing tactic can usually be broken down in two ways:

Opportunistic (point-in-time) social engineering
Role-based social engineering

Opportunistic attacks are what's most frequently discussed…

The Problem Of Relying On Point-In-Time Vulnerabilities In Red Teaming

Red teaming in the context of information security is an assessment strategy that is all about adversary modeling, which is very useful for identifying various types of vulnerabilities (both directly and indirectly exploitable). Most of the approaches to red teaming in various articles, journals, conferences, etc. focus on identifying point-in-time vulnerabilities which are subsequently strung together to form an attack chain. These issues may be identified in a number of ways,…