
Orion's Quest: Modern Pentesting by Kevin Johnson Secure Ideas

BSides Tampa · 51:24 · 185 views · Published 2024-05
Category: Technical
Style: Talk
About this talk
In "Orion's Quest: Navigating the Cyber Wilderness - Tales of Modern Penetration Testing", Kevin Johnson of Secure Ideas takes the audience on an expedition through the intricate world of modern hacking and penetration testing. Reflecting Orion's legendary skills and resilience, Kevin delves into a series of real-world stories, each revealing critical vulnerabilities in various target systems and organizations. These narratives are not just about uncovering digital weaknesses; they offer valuable insights and practical lessons.

The talk begins by charting a course through the treacherous waters of web-based exploits, highlighting how these vulnerabilities are discovered and exploited. Kevin's expertise shines as he demonstrates the importance of understanding and mitigating these risks in our ever-connected digital world.

The presentation then ventures into the often-overlooked realm of physical penetration testing. Kevin shares eye-opening accounts of legal 'break-ins', illustrating that effective security transcends the digital domain and requires a holistic approach. This segment underscores the necessity of robust physical security measures in protecting organizations.

As the journey continues, Kevin shifts focus to the tactics used against security teams themselves, offering a unique perspective on how attackers target and exploit the very guardians of our digital safety.

This talk is more than a compilation of experiences; it's a comprehensive exploration of cybersecurity's various facets. Kevin invites the audience to engage and question, fostering a deeper collective understanding of cybersecurity and emphasizing the need for vigilance and proactive defense strategies in today's rapidly evolving security landscape.
Transcript [en]

[Music]

[Music] we just walked in earlier I said where was I yesterday and I asked Britney the person who handles like making me go places and this guy yells out Omaha so I'm going to mess with people cuz I need

room there see the problem is I walk around and if I walk around here I'm going to fall and that's not good I have never fallen off stage I know I put that out there I I did my first Public Presentation in 1992 I'm old right um I really am I turned 51 this year and uh I'm falling apart I was just talking to somebody recently and I was like you know when I was younger I could go to a concert and be like I used to go to punk hardcore concert it's been in the mosh pit whatever until like 2 3:00 in the morning I'd get up be at work at 5:00 a.m. and be like yeah let's go again

this not off it's on here can you guys hear me back on the video recording isness we're good okay they say yes can everybody hear me okay awesome so uh I'd like I'd be up until like 2 3:00 in the morning at a concert get up at 5:00 be at work work all day go to another concert I'd be great if I sneeze wrong my back hurts I don't know what the hell happened I go to sleep wake up and I'm sore somebody referred to me as Princess in the pee the other day and then he came in the next day sore from the way he slept I'm like haha [ __ ] you but so we're going to talk about Orion's

Quest today and um just so you know I've got a couple qualifiers before we get started I'm going to talk about some things make sure you guys understand it um so basically for the next 45 50 minutes I'm going to do hacker Story Time with Kevin we're going to talk about various attacks we're going to talk about how they work we're going to talk about why we do them and discuss what the goal is because let me be very clear I have the world's best job I am a professional hacker my job is and we get we get paid for this it's freaking incredible my job is to go in Break Stuff tell you your baby is ugly

and go home right I have no responsibility to fix things like I give recommendations like oh you should do this right things like that but my job is literally just to break in to assess risk to figure out how to get in and do this and what is the risk to the organization as such I have fun what I always say is that my job entails me giggling all day and if I'm testing your organization you don't want me to giggle because then you're going to end up in a talk like this it's just the way it works right we won't name you but you'll know right but the reality is when I talk about what I

do I miss two words every time I tell the stories I talk about what ah we did this we attacked this bank we stole $25 million from that organization they didn't notice for three months then they made us give it back that's the wad part like we get to steal this stuff and then we don't get to keep it that just seems mean right like they tease us right but okay good guys whatever right I always forget to say with permission at the end the story so we broke into that bank and stole that we ended up in the Vault of a bank which by the way Scrooge McDuck lied to us vaults are not that cool um

they should be like swimming around in the money but no you don't get to do that um W you know it's ridiculous now you ever like all of a sudden hit something like oh my God that's weird the sheer number of vaults that I have been in seems unreasonable yeah it's probably around a 100 yeah Bank vaults are easy to get into sadly um we actually we did this one test we broke in uh we convinced people it was social engineering we actually got the security guard to wheel The Shred bins across the street to our hotel room uh six of them and um then we called our contactor and said hey we have your shred bins and they said bring

them back so we went and got the same security guard and he helped wheel them back to the bank and at no point did he say why are we taking these to a hotel room um which seems odd for a security guard so about about B about about sorry buffering three months later uh they called us back and they said we fixed the problem okay can you test again and we're like okay so we go and they had wanted posters hanging up behind the counter if you see these people call security so one of the guys with me was Jay Beal and Jay's picture was up on the wall is a wanted poster and so he walks up to

the teller and he says to her oh my God that looks just like me and she says oh my God it does and he says my wife will never believe that there was a wanted poster that looks like me would you mind taking a picture so he walked behind the counter posed with the wanted poster of him she took the picture with her phone then texted it to him so he had her phone number for social engineering later that day and then he walked into the back of the bank notice the issue right so that's the first qualifiers I'm going to forget to say with permission second qualifier I am full of tangents I will try to make the the

tangents relevant I don't promise anything I'm full of lots of things and my eyes are brown uh so that is this what we're going to talk about today is Orion's Quest and that's just a fun way to talk about things the goal here we have an issue in this industry I have ranted about this quite a bit ranted in Omaha ranted in San Diego I'll be ranting again in Baltimore in a week or two two okay thanks uh see Britney knows where I'm supposed to be so does that guy [Laughter] but sorry I you do understand you're going to be my example the entire hour okay good and um everybody throws [ __ ] at him

but you're used to it exactly so um so we as an industry we focus very often on the wrong things we focus on highs and criticals that nessus or rabid rapid 7 tell us right we focus on the things that we don't actually we don't move the needle I will tell you right now that as I walk through these stor stories as I give you examples of how I do all this stuff almost none of the attacks we do are found in automated tools listed as a higher group and the problem that we do is that we very often don't actually understand the systems or organizations or businesses that we're testing how many times have you heard a

security prick say well we have to fix that because reputational F right if we get hacked our reputation will be damaged and I'll point out that every single public company that has had a breach in the last 20 years their stock price is higher today than it was before the breach there's a slight dip right after the breach that's when you buy because the stock will rebound and go higher in every single case this is not Financial advice I'm an idiot but that's the reality reputational harm is the lazy way of saying I don't know what your risk is but I want to sound smart okay period no I'm not saying there's no such thing as reputational

harm I am saying that it is very unlikely that your organization is going to be harmed reputationally in a way that matters to you now I will point out that I said this in a class once I was up in Detroit I think it was doesn't matter I was teaching the class and I said that and I had a guy in the room say Kevin you're wrong my company has done a lot of research into this and reputational harm is absolutely our biggest risk and I looked at the guy and I'm like your company's wrong he's like no it's not we've done research we're better than you we know things I said great I'll bite where do you

work Comcast and that's what I did I busted out laughing on stage in this classroom guy got pissed he's like no no no Kevin you're wrong our reputation is critical and I'm like [ __ ] you man I'm a Comcast subscriber your reputation can't get [Applause] lower as a subscriber I'd like you to get hacked the hackers would run your network better than you do there's a reason that people say oh at least I'm not using Comcast but anybody here work for Comcast I I'm okay with that I just want to know who I'm making cry but Comcast sucks they're not as bad as check marks don't buy check marks so I promised them I would say that

every time I was on stage and I've kept that promise because unlike their organization I don't lie so I'm Kevin Johnson who am I me I've been Kevin for 51 years I've been Kevin Johnson for 18 less than that I am the founder and CEO which is the fancy way of saying head nerd of secure ideas we're a uh consulting firm out of Jacksonville Florida we've been in business for about 14 years August it'll be 14 uh we are hiring if you uh want to be a penetration tester we have open positions right now please send us your resume and then I will tell you our only sales pitch of the day because I suck at

sales pitches Britney will tell you if you work with a nonprofit charity we offer free services the rule is you can't be a jerk charity we don't care about your politics we don't care about your religion you can't be a jerk charity I'll give you an example of a jerk charity Westborough Baptist Church they protest funerals they are a jerk charity right I have offered many a time to give a free pentest to Westboro Baptist Church I just would not give them the report but I am also an ions faculty and last year I was elected to the global board for OAS I am a nerd I am so nerdy I built a Chewbacca costume and wear

it I visit kids in the hospital I'm a member of the 51st right so there's lots of cool things I do open source things classes all that kind of stuff I'm supposed to be really good at bragging uh Britney gets mad at me because I'm not right we're fun we have a booth if you want to come talk to us we'll brag there so what are we going to talk about today well we're going to talk about Orion's Quest and then I'm going to walk through three different types of attacks these are categories of attacks these are where we focus okay and the goal here as we talk about is to understand what we do and the reason I

say that is uh what we do is critical and I'm not saying that because we do it but the reality is that humans suck at risk assessments we do right I was just in Omaha literally yesterday I'm on stage I asked this question how many people here are afraid of sharks like half the room's like oh yeah shark suck right I'm like no no no no I don't just mean like oh jaw is scared the [ __ ] out of me when I was a kid I mean actively afraid of sharks like half the room kept their hands up and I pointed out that Nebraska is a landlocked state it is almost impossible for somebody in Nebraska to be bitten by a

shark the way they would have to happen is somebody would have to be transporting a shark from one aquarium to another aquarium and they would have to hit that truck with their car and then get bitten by the shark right probably unlikely do you know that you are more likely to be crushed by a soda machine than bitten by a shark that's a real statistic more people are crushed by soda machines but Discovery Channel do Discovery Channel does not have soda machine week we have Shark Week more people are killed by cows do you know how embarrassing it has to be to be killed by Bessie well I was there at 3:00 a.m. trying to milk the cow and she kicked me

like that sucks when I die which I hope is not for a while I hope it's a good story right not crushed by a soda machine or kicked by a cow I I think that's I don't have high hopes for things I don't have big aspirations right but those are the two I would like but we suck at risk assessments the way we can tell this is how many people here are worried about SSL version one on their Network good I got one hand I'm going to ask you sir why it's been depreciated for a while it's been depreciated for a while that's true that is a 100% true thing and I would have accepted also my Auditors are jerks

about it right because your Auditors are jerks let me ask the audience anybody here ever heard of a compromise that was caused by SSL version one no I've been asking that question for 20 plus years which is about how long SSL V1 has been deprecated if I remember correctly right there are exactly zero known breaches caused by SSL V1 yet we have organizations that their entire business model is helping people fix SSL and TLS issues and I'm not saying run SSL V1 like don't don't walk out of here and say Kevin says encryption is useless I mean I did say those words but I don't mean them right but the reality is I'm not attacking you because you're

using weak encryption I'm attacking you because you're users click links and your users click links not because they're dumb but because we build our systems to require them to click links right we build our systems insecurely on purpose and then we complain about users We complain about developers We complain about SSL the goal is to find the holes that matter I was out in California at a movie studio they had hired us to teach their staff security awareness we're doing these weird presentations and one of the things I asked was hey what's your biggest concern and they had us do we did I want to say it was like 75 different sessions over a few months and

every time we would do a session it would be a different group right and this one group came in and I asked the question what is your biggest worry what is your biggest concern what is the thing that if I stole it your your group would be in trouble and the there's a room there's like 150 people in the room and they're all saying different things well you know the raw movies that are unedited would be bad oh our employee data would be bad and this one lady said celebrity cell phones that's all she said celebrity cell phones the room went silent and then the rest of the room started making fun of the idea they all worked on the

same team they all did the same job and they're making fun of this lady now oh what are you talking about and this woman [ __ ] stuck to it she's like no celebrity cell phones are the biggest piece of data that our group is responsible for if we lose it we're in trouble and the people are like no celebrities have enough money they can get a new cell phone what's the big deal you're wrong blah blah blah and I'm like hey hey hey stop one second so I look at the lady and I'm like hey ma' why why are you concerned about I'm not arguing it I don't know I asked the question right why are you worried about

celebrity cell phones and she goes oh it's really simple we have to have the celebrities actual cell phone number that actually reach Scarlett Johansson or you know Brad Pit or whatever right I don't even know if they're real celebrity yeah they're real celebrities right those are real names okay good uh sorry I'm bad with names I don't even remember mine she said we have to have their actual cell phone the one that they carry the one that we can reach them because if you know something happens if we have to reach like we have to re and that's a privacy issue for celebrities especially the big names and so we have in our contract that if we lose the cell phone

number if it is exposed through something we did we have pre-agreed to a seven fig payout to it we can't argue it we don't have they don't have to sue us just have to say hey my cell phone got out and you did it and we write them a check with seven numbers on it right and I'm like well I think you're right celebrity cell phones are your biggest issue this entire team's job was to handle the contracts between celebrities and the studio and that team was not aware that that was in their own contract right that's why we hunt that's why we look at this stuff we were trying to figure out what is actually the

problem right so this is what we do and where do we focus well one of the most common places we start with are applications why because applications well they're everywhere right our entire businesses are web apps nowadays you know I still remember oh God I'm old I still remember 1995 when HTML was really put forward as a standard I know some of you didn't exist in 1995 I sorry we're building applications today that do everything from control the power grid to nuclear reactors to satellites to whether or not you can get a date tonight right our entire businesses run in applications yet when you look at the testing tools and things like that and the requirements that

people have for you know regulations and contracts it's almost all Network focused right most pent testers today will touch web apps but not really dig deep into them right I will tell you right now that in every pen test we do at secure ideas if the applications are in scope that's how we get them period and it's not cuz we're amazingly good I mean don't get me wrong I think we're amazingly good but I'm biased right it's that there's so many applications out there and the apps aren't built to be secure they're built to solve a problem and bluntly that's okay because no company is in business to be secure nobody makes more money because they are

secure security is a nice to have don't get me wrong I'd like everybody to have that nice to have right but we focus on these apps and we go in and we test them and then what we find is that the app has been built to function not to be secure and so we're now able to show those holes for example there's a membership system this organization had 9 million members they spent years building a membership portal this was the crown jewels for them now when we start a test when a company comes to us and we want to get scoped they'll say to us uh we want you to do a pentest and we'll

say why we don't mean why the hell do you want a pentest we mean what are your goals what is your worry what do you want to focus on and this organization said that their biggest worry was people getting membership information right like okay cool if we could get access to membership information that was a problem so we started playing with the app with permission first thing we did register for an account hi new user here great give me this information I gave the information upload your ID here's a picture of my ID and it was my ID my ID has been stolen so many times whatever right my social is 591 52 3693 you can Google that that's how many

times I've been compromised let's be clear if you want to steal an identity mine is not the one you want just say it right so I uploaded the det details got there and then you go to a page and the page says please review your information and if it's correct hit submit and I noticed at the top of the screen you know in the URL bar yo so hidden secret very difficult to get to it said something like you know member review. JSP question mark account number equals 9 million in one I'm like oh that's interesting what if I change that to a 9 million and I pressed enter and I had another dude's information and I set that number to 41

because 41's an awesome number I know I know some of you are cringing because you thought I meant 42 and misspoke I did not well 42 is a great number 41 is better if you have ever been a cashier it's a quarter Diamond nickel a penny it's everyone you just go right down the and there's your change 41 cents I'm weird but I also love palindromes oh God palindromes are awesome people who don't know their words and phrases that are spelled the same backwards and forwards like race car or A Man A Plan A Canal Panama that is right that's so I changed it to 41 I had somebody else's data we were able to in

about a three-hour period Download 9 million people's information we don't always take the information when we do that most of the time we figure out that it's possible and then we go to the customer and say what about this in this case they had internal reasons that we had to actually steal the full data set right I hate doing that do you know how much risk I feel that I have having 9 million people's data on my computer right it's encrypted I try to protect it but you also realize that I had credit card dat does that make me a level one Merchant you got to think about these things right it doesn't by the way I

talked to Visa I actually tried to talk to the PCI Council and they ignored the email which I kind of understand because getting an email that says hey if I steal 9 million credit card numbers does that make me a level one Merchant seems like a prank I get that now in hindsight that I didn't phrase it correctly I talked to somebody at Visa they said no it's kind of like a baa in healthcare right yeah so it makes sense okay so we stole the data that's a problem right that took us about a minute and a half to figure out we're a minute and a half into a pentest and we've already figured out how to get to

the thing they're most worried about why did they not find that already well we talked to them about that they running automated tools right and I'm not saying don't run automated tools but don't think running automated tools equate a pent test right it missed this that's stupid and I know why the automated tool missed it because the automated tool can't identify what data is coming back it can't identify what is sensitive so when it changed that number did whatever it did and it got information back it had no way to know that that was sensitive that that was the problem right and they were running the latest version of TLS so everything was good another example of this military

contractor right obviously a military contractor they're a little bit worried about classified data right so they asked us to come in and test okay kind of cool so what did we do we walked in we signed hey we're here and they put us in a conference room and they said break in so the first thing we did was we connected their Wi-Fi their guest Network the information of which was on a sign that was visible from outside the building right because on the front desk so we joined the wireless network and it dropped us into a captive portal you've all seen those right you can use the wireless but don't do bad stuff do you agree

sure I totally agree I won't do bad things and we figured out that their captive Portal had a command execution ution fla let's be very clear this was in 2023 it's 2023 if your application has command execution of ATI oh I'm sorry did I say that out loud I think I did you're an idiot and I don't say that often like I really believe that most developers are trying good stuff but command execution on a server today the [ __ ] is wrong with you so this captive portal we had command execution so what did we do we executed commands and we got control of their domain controller you know their active directory domain controller let me be

clear if you are on the wireless guest Network talking to the domain controller of a military contractor that gets people [Music] upset it was day one of the test when we did our call with their ciso we explained what was going on we said hey here's where we're at and the guy's like oh okay so next steps you're going to like try to get control of the domain controller and I'm like I feel like I said that out loud so I said to the guy dude I'm sorry I maybe I misspoke maybe you didn't understand whatever you know I wasn't clear I have control of your domain controller right now I am on your domain controller which

by the way why the hell is RDP enabled on on your domain controller but that's a different conversation and there was silence on the phone for a second because we were on a call with this guy and the guy said okay cool thanks go home like no man we got more stuff to do he's like no you don't go home like we got four more days plus the rest of today on site he's like no I guess you didn't understand me go home we were on a part of their Network he did not think it was possible for us to get to and his biggest concern was that we were going to gain access somehow to

classified data right so he ended the test he was very happy with well he wasn't very happy with the test well he wasn't very happy with the results I guess is the words right and he sent us home all because the captive Portal had a flaw that it shouldn't have this is a military contractor do you and this is not a small military contractor do you know know how many tests they do do you know how many organizations are attacking them on a daily basis and we came in and within the first half of day one we had control of the domain controller and I'd like to say that's cuz we're [ __ ] awesome and we are but the

reality was that was an easy attack we weren't even that impressed with what we did right you ever do that like you do something and people are like oh my God that's amazing you're like I don't what are you talking about that's Tuesday that's what that was it wasn't even Taco Tuesday tacos are great I'm hungry but so we focus on this stuff we go after these attacks right which brings us to physical attacks we break into buildings right when you do a physical test when you're evaluating a building you are not trying to evaluate the response time of the police you're trying to evaluate the controls right so we go after these organizations we try

to break in we and but we work with the organization to like have them turn off the alarm right CU you don't want me to break the alarm cuz let's be blunt I can get into every single building because do you know that every window in the world can be opened at least once right guaranteed one time I can open that window I may not be able to close it when I'm done but I can get in that window so that's not what we're doing we're testing the controls on the doors so we had a bank we were testing right we had a 30 foot ladder that's not true day one we thought our 20ft ladder was tall enough

and it was not so we had to go back on day two because I was outvoted my idea was at 9:00 at night we were going to instacart a 30 foot ladder from Home Depot I thought it'd be awesome the problem I couldn't figure out how to do was how to get instacart to deliver to the parking lot of the bank not the bank you know what I mean like hey don't don't knock on the door bring the ladder to the sketchy people wearing hoodies which is funny because I don't wear hoodies but so the next day we go back Jennifer who is awesome amazing contester she is 20 ft in the air on this ladder dressed like a ninja Andrew

Kathy and I are on the ground and our truck is blocking the ATM we didn't think this one through and a dude pulls up to go to the ATM and we're like [ __ ] we're caught this guy gets out of the car and he does this I don't see anything I didn't see your faces I'm just going to the ATM he does the ATM we're all like what the [ __ ] I didn't see anything I just going back to my car he gets in his car he drives off we're all like [ __ ] man cops are coming right because you don't want to get caught you want to get shot right like

these are possibilities nobody came we broke into the building we stole stuff we left we tell our contact they look up the dude on the ATM records and they call him hey man we're just doing a customer satisfaction survey we saw that you used the ATM last night we just wanted to know how it went this guy goes it was great they're like were there any problems any Oddities anything that would you cause issue no man that dude doesn't snitch cuz he knows right this guy like what the [ __ ] you get a call from your bank there's a 30 foot ladder up against the wall some woman's halfway up the building no man

Nothing was wrong, it was good, right? But we were able to break into this bank through a second-floor door that was used for smokers to come outside and smoke. It was a little employee lounge, and all we did was take a door puller, shove it through the crack between the double doors, turn it sideways, pull it back, and it hits the crash bar, right? We show it to the customer and the customer says, "How'd you get up there?" We're like, "Ladder. We rappelled. I don't know, like Spider-Man or something, I don't know," right? And so we go after these things, we test them, to evaluate what it looks like to the attacker, because the reality is, and let me be very clear, this bank that we were testing actually does well at security. I looked at their controls, because we were testing the network also, and they were locked down pretty tight. While yes, we got into the building, they had other controls that were pretty decent. I mean, we got into the data center also. That was fun. We used a ladder that the maintenance guys had in a closet that was unlocked and went through the drop ceiling, because the data center walls didn't go all the way up, right? They had this really cool lock on the door, they had all these controls on the data center door, like a man trap to get into the data center, all this cool [ __ ], and all we did was climb a step ladder into a drop ceiling. And let me be very clear, my fat ass going over a wall is not an image anybody needs to see, but we have pictures. So, and then you just leave Professionally Evil stickers in the data center, right? So the next day people are coming in like, "Those are cool stickers... wait a minute," right?

This is the type of stuff we do, but here's where the main focus is. This is the place we get the best results: we attack the security team. Why? Because the security team thinks they're better than everybody else. Very often, not always, right, because you know that all absolutes are false, including that one, right? Very often the security team becomes our target. Why? Because the security team is deploying things, they're bypassing controls, they're not following the processes, and then we get in. One of our favorite things to do is to plug into your network and wait for Nessus to scan us, 'cause we know it will. Or, I'm sorry, Rapid7, oh, I'm sorry, whatever, right? And how did you configure your automated scanner? You gave it domain admin credentials. Well, you "have to" (please hear the quotes and italics and sarcasm around "have to" there). So the minute you scan our machine, we take that set of credentials you just handed us and we pivot onto a domain controller or a server or whatever, and we take control of that system. You gave us the hash. And oh, by the way, your admin password is weak. Stop making your admin password bad stuff about your boss or about that other employee you have the hots for, because it makes very uncomfortable conversations when your boss says, "What was the password?" "Ask them, I'm not telling you." "I didn't know you could physically do that." "Your head's where?" The worst part is, why do you want to type that password every day? Seriously, I get it, you hate your boss. I hate my boss too, and it's me. But I don't type "[ __ ] Kevin" every day as a password. Do you know how many people do? 26. But I don't get it. Weak-ass passwords and resets, right? The number of times I actually compromised a network, I won't say who it was, but he looks a lot like me and might be my twin brother, and he was using his password from when we were 14. I happen to know that password, right? We do this all the time. The reality is, here's what it boils down to, it's very, very simple, and this is where we're going to wrap up, right? We as infosec, we as security people, we have to get out of our tower. We have to stop thinking we're special. We need to be lighting the way.
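The scanner-credential point above, a credentialed vulnerability scanner that logs in to whatever host answers on the network using over-privileged credentials, is something a defender can turn into a concrete check. What follows is an added example, not code from the talk or from Secure Ideas: a small Python script that reviews constructed logon records and flags the scan service account authenticating to hosts outside its approved target inventory (a host that was plugged in and is not on the scan list), and separately flags the account if it holds domain-admin group membership. The account name, hostnames, IP addresses, group names and log records are all constructed for the example; the event shape loosely follows a Windows 4624 network logon (logon type 3).

```python
"""Flag a credentialed scanner authenticating outside its approved scan
inventory, and flag an over-privileged scan service account.

Added example, not from the talk. The scan account should only ever present
its credential to hosts in the scan inventory, and should never be a member
of a domain-wide admin group. All names, addresses and records below are
constructed for this example.
"""
from dataclasses import dataclass

# Constructed inventory: hosts the scanner is authorised to log on to, by IP.
APPROVED_SCAN_TARGETS = {
    "10.1.2.10": "fs01.corp.example",
    "10.1.2.11": "web01.corp.example",
    "10.1.2.12": "db01.corp.example",
}

# Constructed service-account metadata, as a directory lookup might return it.
SCAN_ACCOUNT = "svc-vulnscan"
SCAN_ACCOUNT_GROUPS = {"Domain Users", "Domain Admins"}  # over-privileged on purpose

# High-privilege groups a scan account should not belong to.
FORBIDDEN_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")


@dataclass(frozen=True)
class LogonEvent:
    """Minimal shape of a network logon record (Windows 4624, logon type 3)."""
    account: str
    target_ip: str   # host the credential was presented to
    logon_type: int  # 3 = network logon, which is how a credentialed scan arrives


# Constructed sample events: two legitimate scans, one unrelated user logon,
# and one scan-account logon to an address that is not in the inventory.
SAMPLE_EVENTS = [
    LogonEvent(SCAN_ACCOUNT, "10.1.2.10", 3),
    LogonEvent(SCAN_ACCOUNT, "10.1.2.11", 3),
    LogonEvent("alice", "10.1.2.12", 3),
    LogonEvent(SCAN_ACCOUNT, "10.1.2.77", 3),
]


def rogue_scan_targets(events, approved=APPROVED_SCAN_TARGETS, account=SCAN_ACCOUNT):
    """Return the IPs the scan account authenticated to that are not approved targets.

    Any hit means the scan credential was presented to a host the defender did
    not put on the list, so the credential must be treated as exposed.
    """
    return sorted({e.target_ip for e in events
                   if e.account == account and e.target_ip not in approved})


def overprivileged(groups, forbidden=FORBIDDEN_GROUPS):
    """Return the high-privilege groups the scan account is a member of.

    A credentialed scanner needs an account scoped to its targets (local admin
    or a read-only audit role on those hosts), not domain-wide admin rights.
    """
    return sorted(g for g in groups if g in forbidden)


def findings(events=SAMPLE_EVENTS, groups=SCAN_ACCOUNT_GROUPS):
    """Combine both checks into human-readable findings."""
    out = []
    for ip in rogue_scan_targets(events):
        out.append(f"scan account {SCAN_ACCOUNT} authenticated to unapproved host {ip}; "
                   "treat the credential as exposed and rotate it")
    for g in overprivileged(groups):
        out.append(f"scan account {SCAN_ACCOUNT} is a member of {g}; "
                   "replace it with a scoped, least-privilege scan account")
    return out


if __name__ == "__main__":
    for line in findings():
        print(line)
```

Run against real data, the events would come from the domain controllers' security logs (or the scanner's own audit trail) and the inventory from whatever the scan policy actually targets; the two checks together catch both halves of the story in the talk, the credential going somewhere it shouldn't and the credential being far more powerful than a scan needs.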

Hence the Orion constellation is what we're using here, to show people where to be, and not the stupid [ __ ]. How many of you [ __ ] walk around your organization and change the background wallpaper on the computer when people leave their machine unlocked, or send out... yeah, you shouldn't have raised your hand. Stop being a dick, 'cause all you're doing is pissing people off. And while I'm aware that pissing them off is better than pissing on them, it's probably not moving the needle, because the person whose desktop you walked up to and sent out a bulk email saying, "Hey, I'm buying donuts tomorrow," 'cause that's a popular one, the next time that person has an actual security problem, the next time that person has something going on that they need help with, you're not the [ __ ] they're calling, because they're going to remember you changed their wallpaper, you embarrassed them. And hey, by the way, guess what? Next time they walk by your computer, which I know is unlocked, right? You know it too. It doesn't matter whose it was. I mean, let me be clear, I've done it myself. I'm an [ __ ]. It's in court records, and I don't mean divorce court, where that's common. The reality is that our job is to help. We should be evaluating and understanding the actual risks to our organization, what our organization is concerned about, and then focusing the limited resources we have at moving the [ __ ] needle. That simple. Running Nessus against a network and yelling about the fact that we haven't patched that machine that nobody talks to or does anything to, and ignoring the fact that our applications that are exposed to the internet have had security flaws for the last 20 years, is a problem. We need to focus. We have to do the right things, not just what we want to do, right? We have boring jobs quite often. Do you know how much it sucks to write reports? But the reality is our report is the most important part of our job, right? How we present the information is the biggest reason we exist, right? And we have to learn. So often we have to evaluate what we're doing and what our opinions are and fix them, right? It's pretty simple. We all are lucky in what we get to do. Look, I'm poor white trash. I know what government cheese tastes like, and I have been given an opportunity to do fun [ __ ] and get paid more than I'm probably worth, right? As such, I have a moral requirement to share the information I know. Every single one of you should be sharing what you know. Every single one of you should be helping your organization get better, and you can't do it by focusing in the wrong spots, right?

I will say this and then I'll let us go, because we'll open it up for questions if anybody has any questions or whatever, right? We got a couple minutes left. I'll say this: in the future, if you're doing something and you're not sure what the actual risk is, if you're looking at something and you think you know but you're not 100% sure, I offer any one of my consultants for questions. And I don't mean that as in you can call us and we'll bill you. We're not lawyers, we don't bill you when we think of you. But if you're dealing with something and you're not sure, if you're dealing with something and people are pushing back, because that happens all the time, call us, email us, we'll help you. If you need to, we'll sign a non-disclosure agreement so that you don't get in trouble for sharing internal information with some random third party. Okay? Britney, who is our head of sales, I always call her out and embarrass her, right? And I want to be very clear, I said she's our head of sales and many of you cringed, I'm sure of it, right, because we all [ __ ] hate salespeople. You know we do. She knows it. Here's the cool thing: Britney actually trained to be a pentester. She actually went to school and learned how to do what we do. She's probably smarter than you are. I know she's smarter than I am, right? And then somehow she ended up in sales, and we won't hold that against her. But so when you talk to her, she actually knows how to do what we do, and she knows who in the organization is the right person to answer your question for you, right? And she's not going to try to pimp out a call to get a pen test, all that kind of [ __ ]. Don't get me wrong, if you need a pen test you need to talk to her, because she wants to sell those, right? We have this rule at Secure Ideas that, you know, we have to do payroll every two

weeks. It's asinine. So we got to make money somehow, because our staff, you know, they actually ask for benefits. What is that crap? Insurance, right? But we'll answer questions for you anytime you need. Okay, so any questions today? Yes.

So when you're interviewing for pen testing consultants, what qualities do you look for and how do you identify those?

Okay, so the question was: when you're interviewing for pentesters, what qualities do you look for and how do you interview for those? It's very simple: we like cuddly pentesters, so if you have fur, that is good. No. What we look for in pentesters is we want people who have actually built systems or administered systems, right? We want people with a background in something other than pen testing, because bluntly, I can teach anybody how to hack something. I can't teach anybody how to understand how the business runs, right? So when we assess things, so if your background is that you were an admin, you were a developer, you were on the help desk, you were a chef, right? We actually have a pentester, she's one of the best pentesters we've got, she spent 20 years running restaurants as a head chef, right? She was the corporate chef for an organization for years, doing instruction on nutrition and everything else like that, and then for some reason she decided hacking was fun and she got a job with us. And we actually thought it was a risk, right? Like, oh man, she was a chef, like, maybe she can make us good lunches, right? But her ability to understand what the organization is doing and pick the logic flaws in the systems is incredible, right? It's Kathy, by the way. I realized I didn't name who it was. Kathy's incredible, right? So that's what we want. We want a variety of experiences, and then we'll have you come in as a pen tester. Does that answer the question? Absolutely, awesome. And then the person next to you had their hand up. Yeah.

I was curious about if you have any moment you remember where you pivoted your thinking in terms of [inaudible], right, you thought something was right, then realized...

So are there moments where I pivoted my thinking, that I thought something was right, then it wasn't? I'm assuming that what you mean is I was going to do something because I felt like it was allowed and then I realized I was breaking a rule?

No, like, in terms of, like, [inaudible] not being the right thing you want to focus on.

Oh, absolutely. That's actually a great example, because when I was younger in the industry, when I was first starting out, I absolutely focused on what Nessus said was critical, right? I would yell at... I'm one of the people that would regularly say "those [ __ ] users, they click everything," as if it was their fault, right? And then what I've realized is that we as security need to think about what does that user need to do their job, right? And then we go from there, right? So those are good examples of it. Um, yeah, I don't know, that's a good question. I think those examples work, but I could probably come up with more if I thought more of it. Does that make sense? Cool. I saw a hand over

here. What made me... he's curious, he wants to know what made me start my own company instead of working for somebody else. Well, HR at many of the companies I've worked for will explain to you why I don't do well in corporate America. I have a habit of telling people they're stupid, in writing. So no, the reason I started Secure Ideas was an accident, bluntly. I worked for a consulting firm, InGuardians, and I got tired of travel, and so I looked for a job. I got recruited; Bank of America approached me to help build a red team in their audit department. And when I went to my current boss to say, "How much notice do you need?" he said, "Well, can you do stuff on the side?" I'm like, "[ __ ], I don't know." So I went to my new boss and said, "Hey man, can I do some stuff on the side to help transition?" And it turned out my new boss negotiated with HR to get me an exception to the rules, and so the idea was Monday I would start at the bank, and then Monday night I would start Secure Ideas and do work for InGuardians, and, yeah, work for a month, maybe two, and then, you know, Christmas would be great for my family, you know, my ex-wife was happy about the extra money, whatever, and then we would go from there. That was almost 14 years ago, and 27 people. So my banking career lasted exactly two and a half months. I was a vice president. I thought that was impressive until I found out that tellers are vice presidents. So that's what started the business. I always wanted to run my own business because I thought it'd be fun. It's not. But that's it, really, it just started accidentally. Does that make sense? So not the coolest story in the world, but, you know. Any other questions? Yes sir. So did you say "how do I" or "do I"? How

do I get organizations to care about being secure and not just being compliant? It's actually pretty simple. We explain to them that if they care and focus on actually securing stuff, they will be compliant. It's that simple, right? If organizations are focusing on just compliance, they're not actually being compliant, right, because if you look at all of the compliance standards, they all end with, or have somewhere in them, that you have to be doing the right thing, you have to raise the bar for security. Organizations that believe that being compliant is just checking a box don't understand that they're not actually compliant. So we work with them to understand that by working towards secure, which, that's not a place, right? You can't be secure, you just have to work toward raising the bar, being as secure as possible. If you focus on that, compliance is trivial at that point. And what we then show them, because again, remember I said focus on what businesses care about, we don't just say to them "you'll be compliant." We show them that by focusing on being more secure, becoming compliant, like being blessed as compliant, will be more efficient, which means it will cost you less, which means that you'll have more money to spend on other things, right? And so by leveraging those two things we can actually get them to focus on security. We also help with the idea that if you come to me and we talk to you about how you want to do stuff, and all you want to do is be compliant, we don't let you hire us. We don't do checkbox tests, right? We are in a good position, Britney may not like this because, you know, she's commission-based, but, um, is that we don't have to take every job that comes in, right? And so that makes it easier for us to help. Cool. And last question? Anything cool? Get the hell out of here. Have a good day. Come see us at our booth.