Monday, February 23, 2009

What's to come?!

Well, as a first post to this blog, I will likely look back on today and ask "Why did I get into this?" In order to quell that thought and give you a taste of what's going on in my head, I'd like to give you all a sample of the essays and articles that are floating around on my HDDs.

  • What the hell is going on this year? There are attacks getting posted every day and no one cares? No news? No action? *I plan on taking on this issue and talking about the modern spin doctors of security and the ways to start firing up community and business alike to stop the bleeding sieve.
  • Security Testing/Services companies. Are there any good shops out there? How can you tell, what questions should you ask of them, and what is the difference between security value and slick marketing? I'm gonna rant for a while here because this one drives me crazy.
  • PAPER TIGERS and the fall of consulting. I want to explore the new era of security engineers. I think that the testing/services shops are just as much to blame OR EVEN MORE to blame than the companies getting hacked. Come on, let's hire a $50/hr fighter who's never been in the ring to train us for our PayPerView Main event.
  • Training Security engineers. Too much tech and not enough business makes Mr. Engineer a worthless commodity.
  • How to spend your security dollar and get free testing towards your compliance initiatives. This will detail the use of techniques to review the business objectives, long/short term security strategy, and the pertinent risk in how they interact. There is a way to spend FAR less and gain exponential protection. * I'll do this one sooner rather than later, as everyone is sweating the budget crunch.
  • Where to get started. How to drink the ocean of security and protection strategies one sip at a time. This will come from the perspective of the many engagements we have done as VIRTUAL CSOs for large and small organizations. The meat of this will be how to stay calm under fire and create a reasonable, goal-oriented security program founded on ROI, not just fear. ** after all.. I don't see a lot of people scared right now after 2 major processors got hit?!?
Social Engineering
  • The modern Social engineer and the talents needed to ACTUALLY provide value. This will go over the skills needed in the SE space to truly provide value from a service provider perspective. How to integrate into testing methodologies and find results that clients can take action on.
  • THE METHOD: SE in 5 distinct phases (Intelligence Collection, Vulnerability Analysis, Planning, Exploitation, and Digging for the gold). If I hear one more person rant to me about how SE is not repeatable and is a service that relies only on the skill of the engineer, I am going to lose it. SE is a method. It has distinct steps: Intel, Vulns, exploits and *shells*. I will start to outline what those are and how to make it something that can be Tracked and trended EVERY time.
  • Information gathering. The most important skill. If you didn't get in... it's probably because of poor Intel work, so let's take another look at how and what we need to collect in Intel and Recon.
  • Exploitation tech: the real technology in SE. This one will probably be a few posts.
  • Client side attacking in SE projects and how/why you MUST be doing it.
  • Phishing in Pen-tests and how/why you MUST be doing it.
  • Revisiting Google for SE. Tips and tricks on getting the information you need in a Red Team/SE event are very different from the gdork that you are used to.
Random others:
  • War stories: entertaining tales from the front line of Red Team/SE and other Risk assessments.
  • The security sales game.
  • Behind the scenes. The really fun stuff that happened during Tiger Team (not safe for TV)
  • and more..

I hope to provide an outlet to vent research, sleepless nights, 10 hour introspective flights, experiences, and what I have learned about security thus far. I also make this disclaimer... I'm not an expert... I just play one on TV =o)

On we go.


  1. Looking forward to ALL of it!

  2. I'm a blog nerd too.

  3. I'm definitely looking forward to your thoughts on the social engineering, since I've heard the same arguments and have had trouble trying to figure out how to teach social engineering.

  4. Would you entertain others helping you blog every once in a while?
    Being in the front lines of the sales world, I would like to talk or ping you about objection handling as well as product specifics.