Thinking Like A Hacker
Using compelling stories and metaphors, Ted Harrington, author of Hackable: How To Do Application Security Right, and Executive Partner at Independent Security Evaluators, explains the process of hacking and the importance of being able to think like a hacker. He encourages leaders to get excited about information security investments and look for ways of gaining a competitive edge from those investments.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-24-thinking-like-a-hacker/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Introducer:
Welcome to the Cybersecurity Readiness Podcast Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of Cybersecurity Readiness: A Holistic and High-Performance Approach. He has been studying cybersecurity for over a decade, authored and edited scholarly papers, delivered talks, conducted webinars, consulted with companies, and served on a cybersecurity SWAT team with Chief Information Security Officers. Dr. Chatterjee is an Associate Professor of Management Information Systems at the Terry College of Business, the University of Georgia, and Visiting Professor at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:
Hello, everyone, I'm delighted to welcome you to this episode of the Cybersecurity Readiness Podcast Series. Today, I have the pleasure of talking with Ted Harrington, Executive Partner at Independent Security Evaluators, and he's also the author of Hackable: How To Do Application Security Right. His company, made up of ethical hackers, was born out of the Ph.D. program at Johns Hopkins University. They have been doing security assessments and security consulting for a long time for both large enterprises and funded startups and everyone in between. Since 2005, they have been hired by hundreds of companies, and they have helped discover tens of thousands of security vulnerabilities. Their work has appeared in The New York Times, Wall Street Journal, Washington Post, USA Today, Financial Times, Wired, and CBS News on Assignment. Hey, Ted, welcome.
Ted Harrington:
Thanks for having me. Excited to be here.
Dr. Dave Chatterjee:
So let's talk about hacking. For the benefit of the listeners, provide an overview of hacking, like hacking 101: what is it? What are the many consequences?
Ted Harrington:
Sure, so I like this question a lot, because the concept of hacking and the concept of hackers is pretty misunderstood. So maybe we start there, like, what is hacking? What is a hacker? And a lot of times people talk about this idea, you know, hackers as if they're bad, right? That the hackers are malicious, or associated with wrongdoing or evil or whatever. And that's only partly true, because that is certainly a type of hacker. But the term hacker is neutral. It's neither good nor bad. A hacker is someone who is a problem solver. They're creative. They're someone who looks at the way a system works and says, you know, can it behave differently than what it was intended to do? Can I create something? So that's really what hackers are, and then the fork in the road comes to motivation, right? So if someone is doing this because they want to obtain some sort of personal gain, they want to harm others, that's what attackers would be, certainly. But the other forks of the road are ethical hackers, people who do the same things, use the same tools, the same techniques, still want to find those issues with how a system works. But they do it because they want to fix the system, they want to make it better, they want to improve it. And that's the corner of the world that I come from, that our people all come from. And both are hackers. So really, fundamentally, that's what hacking is: hacking is looking at something and saying, you know, can it be different? And there's this classic TV series called MacGyver that, you know, maybe younger generations might not be familiar with. I've never even actually really seen MacGyver myself. But I'm very familiar with the concept of MacGyver. And he's, you know, this dude who would just create things out of, he'd take things that were supposed to do one thing and make it do something else. Like, there was one episode where he, I think he needed to start a car or something, and he took a paperclip, which the purpose of a paperclip is to clip together paper. And he used this to, like, somehow, you know, ignite the engine in a vehicle. That's a hacker. That's someone who says, you know, things are supposed to work in a certain way, can I make it behave differently? And then motivation determines whether that's a good thing or a bad thing.
Dr. Dave Chatterjee:
That's interesting. That's an interesting way of looking at hacking. I never thought about it as hackers as problem solvers. But I see where you're coming from. With the growing expansion of attack surfaces and evolution of attack vectors, it's hard for organizations to keep up with the latest hacking methods and techniques. And that's why companies often hire organizations that are made up of ethical hackers to help them stay on top of information security management to the extent possible. So shed some light on why hackers might be interested in breaching systems of certain types of organizations over others, if that's the case; that may not be the case. And related to that, are any organization types more vulnerable than others?
Ted Harrington:
Yeah, let's tackle those separately, because they are two slightly different questions. But that can be conflated. So why would an attacker attack a specific organization? I think this is a wonderful question. And it goes to the heart of one of the very common misunderstandings that people have about attackers. Most people think that this idea of, we've already broken down that there's, you know, hackers can be good, or hackers can be bad. But even amongst the bad hackers, they're not all the same thing. But we often talk about them as if they're all the same thing. And that's actually not true. So different attacker groups, they're motivated to achieve different outcomes. So the most common one, almost everybody talks about hackers as being profit motivated. And that is indeed a very compelling motivation for many types of attackers. I mean, basically, anyone who engages in ransomware, profit is the motive. Almost everyone; there's cases where maybe you use that to hide your other motive. But someone who wants to make money, that's like organized crime as an example, they are attacking because they want to make money. But then you've got groups that are more interested in notoriety, right. So maybe it's someone who just wants to prove they can do it, or they want to brag about it, or, yeah, they just want the notoriety associated with it. That's a different motivation from someone who may be like Anonymous, the hacker collective, that fits in the group of what are called hacktivists, which attack organizations in order to make a statement. And then there's nation states that attack organizations in order to pursue their geopolitical objectives. And so when we think about different attackers having different motivations, that comes into play in terms of how we now think about how we defend, because we think about, well, what are we trying to protect, and is what we have something that an attacker could pursue their specific motivation for? So a lot of companies, they'll say, well, I don't have anything valuable, I don't protect any valuable data. So no one's going to attack me because I don't have valuable data and no one's gonna make money off of attacking me. And hopefully, what I just illustrated makes it clear that that's actually not the case. You know, you might not have valuable data, but maybe your organization can be swept up in a botnet. Your computational power can be used in a broader DDoS type attack. Maybe your organization has some sort of influential information on maybe population trends or things that are happening on a national level that another nation might want to understand. So we have to understand the attacker, why they're motivated, in order to help ourselves think about what do we need? Why would someone attack us?
Dr. Dave Chatterjee:
Very true, very true. We hear this phrase 'thinking like a hacker' a lot. The ability to think like a hacker is considered a best practice in cybersecurity governance. I'd like to probe a little deeper into it. Can you shed some light on that?
Ted Harrington:
Yeah, I'm definitely one of those people who's out there banging this drum. I say this to anyone who will listen that, yeah, to defend against an attacker, we need to think like an attacker. And this idea of, more generally, you know, think like a hacker, whether that's a, you know, good type of hacker or a bad type of hacker, this is absolutely mission critical for organizations to be able to secure whatever it is they're trying to protect the most. They really need to think like someone who would attack a system. And that's not very easy actually to do. And most people aren't wired that way. I often think of this like the movie The Matrix. Maybe this is a little bit of a spoiler, but the movie has been out for, like, 25 years. So if you haven't seen it yet, that's on you, and then I'm spoiling it. You know, you find out partway through this movie that, you know, everyone who's living normal life, like we live normal life, you know, here on Earth, all of a sudden, you're actually in a simulation. And when you unplug from the Matrix, you realize you're now living reality, but the reality is really ugly. You're in this, like, post-apocalyptic world and it's like everything's cold, your food is basically like eating dust. It's a terrible life, but you have freedom. And I often think that's what it's like once you can think like a hacker. It's like once you unplug from the Matrix, and you see kind of all the darkness in the world, hold, there's no going back. And so it's not for everybody, not everybody should, not that everybody doesn't have the capability to see the world that way. And most people probably don't want to see the world that way. But those of us who are engaged in this as a profession, or even as a hobby, this is the way that we see it. And the reason that this is important is, I guess, think of it like, what's any metaphor, I don't know, think of a sports metaphor, right? If you're playing against an opponent coming up this weekend, how are they going to think about their plan to try to win the game against you, right? You have to put yourself in the shoes of your opponent in order to be able to understand, like, what's the lens through which they see you, and how will you be attacked. And that's why this idea of thinking like a hacker is really, really important. Because, again, to use a sports metaphor, when we think as defenders, that's sort of like someone who's, you know, playing basketball, and they're playing defense on their heels, right. And so anyone who's played really any ball sports, any team sports, knows that if your weight is on your heels, it's really, really hard to react to the ball coming at you. And so the advice is, you always have to be on your toes, you have to be leaning forward, not leaning backwards. And so when we think like defenders, we're leaning backwards, we're sort of like waiting for the world to come to us. But that makes it really hard to react. Instead, we should be leaning forward, we should be on our toes. And we should be thinking like, hey, we're actually on the offense, not on the defense. And that's what think like a hacker helps you do.
Dr. Dave Chatterjee:
And so, you know, as you said, you don't expect everyone to think like a hacker. Now, maybe the cybersecurity professionals in the organization, who are paid to, you know, be proactive, make recommendations on how to secure the organization from new attack types, maybe they are the ones who should be thinking like a hacker. But I'm just curious to know your thoughts and perspectives on the other group, the folks who generally get compromised. They are not very security savvy; they learn as best they can what they're told by the organization. For those folks, obviously, they are not the type that you'd recommend think like a hacker. But what advice do you have for them?
Ted Harrington:
Yeah, so as you're gonna see throughout the crowd, I'm big on metaphors. So let's use the metaphor of someone who builds skyscrapers, right? So that particular type of contractor, that takes a specific skill set, developed over a long period of time, you know, how to build a skyscraper. Now, if someone comes to you and says, hey, we've got this other skyscraper over here, and we need to demo it, we need to demolish it. You know how these things, you build these things all day. Can you demolish this one? They'd be like, maybe, like, I guess I know the fundamentals of how it's built. But like, that's not what I do. That's not my profession. That's not my chosen craft. So what do they do? They say, well, why don't we get a demo expert in here to do the demo, and I'll work with them. And I'll say, you know, we'll talk through the mechanics of this building. And that's how we'll have a successful demolition. But they're two completely different crafts. So the first piece of advice is, you need to work with somebody. Like, you're the builder, you need to work with a breaker, right? So companies who are out there building, whatever system that you're building, you definitely want to work with ethical hackers, because they help you, because they bring that expertise that, as you correctly noted, isn't necessarily the core part of what it is that you're doing. It's similar to, like, any expertise that you would partner with externally. So companies all the time will partner with, you know, outside counsel, outside accountants, outside, you know, pick your expertise. They'll say, hey, you're gonna come and sort of be the surgical strike that does this specific thing that we don't actually fully staff out. So that's the first thing, is, you know, work with outside organizations. Second thing is, even though that's what has to happen, is you have to work with outside organizations who specialize in this thing, you want to also make sure that you understand the principles. So if we use the skyscraper metaphor, the guy or the gal who builds a skyscraper should also know where the weaknesses are and know how it might crumble if it's not built correctly. Now, that doesn't mean they're gonna go out and do demo, but they're going to know, like, hey, this type of joint stresses in a bad way, we should make sure we don't use that type of joint. And I'm way oversimplifying the practice of building a skyscraper, for sure. But you know, it's for illustrative purposes. And so that's the second piece of advice, is make sure you understand the principles. So you work with someone else, but still, you have to make sure that you understand the principles yourself. And then the third is this. It's abstract, but it's keep asking these questions, right? It's, whatever it is that you do in any profession, your core expertise, you know, that's where the focus of your effort developing yourself is going to be. But there's always going to be these things on the periphery that, like, oh, I should probably know about that. But maybe I'm not the expert in that. But by asking the questions of, what do I need to know about X? So the person who's listening to this right now, who builds systems and says, what do I need to know about security? That question is so important, it's so powerful, because just by asking it, it leads you to the type of growth that is necessary in order to make sure you understand the principles, even though the entity or the person who's going to be responsible for this is going to be someone else. You can't completely delegate it to someone else.
Dr. Dave Chatterjee:
I agree. I wholeheartedly agree. In fact, as you were talking, a thought came to mind. I wish, you know, that there were more demonstrations, visual demonstrations, graphical illustrations, and various forms of presentations made available to the masses, where people get to see how hackers think, how hackers act. And I realize that can get very technical, but that's where the skill lies. Can we present the technical stuff in a non-technical way? You use metaphors and you, you know, kind of talked about several movies. So maybe we need more media help here to popularize thinking like a hacker, so everyone on the street literally has some sense of what these guys are up to, how they are thinking, how they try to attack. Not to suggest that this would make everyone an expert, but at least it whets the appetite, it gives them a basic understanding. And that would help the organization to mobilize support from all parts of the organization. Thoughts, reactions?
Ted Harrington:
Yeah, well, let me try to illustrate with maybe a metaphor that most people can relate to. Most people don't like waiting in line. Right? I think that's just, even though everyone does wait in line, like people literally spend money and vacation time to go to places like Disneyland, because they want to wait in line all day. So they can, you know, wait in line for an hour to take a three minute ride. Not for me, but hey, you know, whatever floats your boat. But I think most people, even though they wait in those lines, they pay to wait in those lines, they take time off their job to wait in those lines, people would still say they don't like waiting in the line. I think that's sort of a universal human condition. No one is enjoying the line. So let me tell you about a story that I had involving a line, and this story actually is a form of social engineering. But the components to it describe exactly the process that an attacker would go through. So if we can imagine a bar, and the bar is going to be, you know, a bar, like a nightclub. This bar represents a system that someone is building. So this was a few years ago, I wound up going to this bar, and I was meeting up with some friends. And I can't remember why I needed to go to this specific bar. But I mean, it was like someone's birthday, but I had to go to this. It wasn't like, we'll just go to another bar. And there was this huge line. And then when you get through this whole long line, takes a half an hour or whatever, then you pay a cover charge to get in. And I didn't want anything to do with either of those. I was like, I don't want to wait in line and then pay, you know, whatever, 20 bucks just for the right to now go in and I'll spend more money. So I did what, you know, really any hacker minded person does. The first thing I did was I assessed the system. I looked at, how does the system work? Okay, well, there's a line that gets you in, and then you pay a cover when you're in and that grants you access. But I noticed there's also this other area for a VIP entrance. And that VIP entrance, there's no line, there's no cover, but you can only go in if you're on the list. So that's the second thing I did, was I said, alright, well, the challenge question was, how can I make them believe I'm on the list? I'm not on the list, but how can I make them believe it? So that's the second thing that attackers will do. They'll essentially set out a challenge statement for themselves. Like, what's the goal? What am I trying to do? And in this case, I was trying to get the privileges of someone on the VIP list when I didn't have those privileges. That's called privilege escalation. So then the next thing I did was what any attacker does: I probed some, I established some assumptions about how the system worked. And my assumption was, if I can produce the name of someone on that list, they will assume I'm on the list. So that was my goal, I needed to produce a name on the list. I did not know any names. So here's what I did. So I walk right up to the VIP hostess, and I say, hi, I'm on the list. Now, again, I just told you I'm not listed. She doesn't know this, but I'm not on the list. So I said, hi, I'm on the list. So when she asks me what my name is, telling her my name wasn't going to help, because I'm not on the list. And guessing is, like, what's the chances I guess somebody's name, right? Like, why even bother? So I'm not gonna guess. So instead, I issue what's called a specially crafted input. Now, this is when an attacker is probing a system to see how it's going to react. And in this case, the specially crafted input was, I said, well, I'm with the group. I made an assumption that there was going to be a group, and the group would be on the VIP list. And so when she said, which group, again, I didn't, you know, same problem, I didn't know the names of any group, guessing wasn't going to help. So again, I issued another specially crafted input, and I said, I'm with the big group. And I was making an assumption that that would be something that would be on the list, there would be one group larger than others. And with that, she looks down at her clipboard, she flips a couple pages, and she says, oh, the Smith party. And I said, yes, I am with the Smith party. And with that, I had achieved the goal. I associated myself with a name on the list. She opens the velvet rope, escorts us past the line and past the cover charge. And, you know, I went into the bar. I should say, as a sidebar, I am an ethical hacker. So even though I did not pay the cover charge, I more than made up for it with over-tipping my bar staff, everyone. The only person who lost money that night was probably me, like everyone made out. But I didn't have to wait in line, which is what I didn't want to do. But the point of that story, whether you like going to bars or not, or you've never even been to a bar, we've all been in situations we don't like waiting in line. And that story can illustrate, in a way that I think everyone can relate to, the process that attackers go through.
Dr. Dave Chatterjee:
Excellent. That's a very, very interesting and telling story. In fact, that reminds me, this is not so much about how hackers hack, but how to be on your guard, to be on your defense. And I wasn't, that night, where I went to a restaurant in a great city, I won't name it here. And it was Halloween, I think, and it was a haunted restaurant. So we were having dinner there. And the lights were very dim. And you know, they were trying to create that atmosphere. I was with my family. So we had dinner. And then when the waitress came up asking for the credit card, I gave it to her without thinking twice that I should be scanning the card right there, and then I shouldn't be giving it to somebody. And next moment, well, you know, that night, everything went off well. We checked out and we had a good night's rest. Next morning, I was driving my son for his tennis match. And then I got a call. I was not planning to take the call. It was an 800 number call. But then I did. I'm glad I did. It was a Bank of America representative asking where I was the previous night. And then he was able to share some data and facts that told me that my card got hacked. And it was already being used in the state of California. And I was on the eastern part of the country. So I knew that somebody had gotten access to it. So this is an example where even those of us who are conscious about this phenomenon, who play a role, even they can get caught napping and they can get compromised, which has happened to me not once but several times. And that's all the more I believe the need for reiterating, reinforcing some fundamental principles, some guidelines and recommendations. Because I believe that the very best of people have been, can be or will be breached in the future. So that is great. Good discussion on that topic. Switching gears a little bit. Let's talk about security assessments. It's reasonable to assume that most organizations are engaging in security assessments. But the more nuanced question is, are they engaging in the right kinds of security assessments, with methodologies that best align with their desired outcomes? What are your thoughts?
Ted Harrington:
You are preaching to the choir right now. That is the question that matters, that absolutely is the question that matters. Wow. So the way you actually framed the question first was, you know, we're assuming that most organizations are getting security assessments. I hope that is true. I guess it should be stated that that's assuming an organization has something worth protecting; that is actually an important item to note. So if you don't have something worth protecting, then, like, why would you invest in protecting it? It doesn't matter. But assuming you do, I mean, someone who's listening to a show like this, you probably do. Right? You wouldn't be investing your time in listening to Ted ramble into random metaphors if you didn't have something to protect. So we're assuming you have something to protect, and you're getting these security assessments done. And the real problem that I see, I mean, one of the motivations to want to write a book was because I saw this rampant problem all over the place, which is that the way that we talk about security testing, and by "we" I'm talking about collectively the security community, but also those who engage with the security community, who hire security professionals to do security testing, we talk about it in very imprecise ways. And it winds up leading to some really bad outcomes. So what do most people want when they're hiring security testing? Well, there are different motivations for why someone would go hire one. But they're usually something like, well, I need to prove it to someone else, and I need to actually secure the thing. So those are, sometimes, hopefully, it's both; sometimes it's just one, like, I need to prove this, I don't care what it is, I need to prove it to someone else that I did a security test. But in the case of, you know, the more progressive companies, definitely, they're actually trying to improve the security of the system. They're not just going through the motions. But the problem is, the way we talk about security testing is we use terms incorrectly all the time. So people often will ask for penetration testing. That's sort of the term that's become the catch-all. But penetration testing is a very specific type of thing. But complicating that problem, they're asking for penetration testing, and they're usually sold something else. Like if you Google that term right now, almost all the results you're gonna get, not all of them, but at least three quarters of them, are something else; they're going to be vulnerability scanning, they're not penetration testing. But then what makes it even more complicated is that what people actually need usually isn't actually penetration testing at all. What they usually need is what's called vulnerability assessments. And I can definitely, I've, of course, I've got metaphors, I can explain the difference between these three types. But the point that I want to leave on answering your question here is that those are three really different things. They entail different investments of time, and money, and person power, and they deliver different things. So when people are asking for something, they're getting something else, and yet they actually needed a third thing altogether, have we actually achieved the mission? Right? Have we actually accomplished what we set out to accomplish? And that is a really big problem.
Dr. Dave Chatterjee:
There are a few things that you've mentioned more than once now, and I believe it's worth reiterating, re-emphasizing, and that is, an organization needs to know, or needs to have a good understanding of, what it wants to secure, and what are the tools, the methodologies, the techniques that are out there. Now, one is not expecting an organization, especially smaller, resource-constrained organizations, to have the kinds of expertise to make those calls, but they need to reach out and get help. Again, you know, trying to follow your example of using a metaphor: it's like when you go to a doctor, or you're thinking of going to a doctor because you feel there is an issue. And so you're doing your best due diligence possible, doing your searches, you know, talking to people, getting advice. So you have a planning process in place. And it's important. Why is it important? Because it's your health. And I like to use the health metaphor, because when it comes to security, security is the health of the organization. I believe that we are not far from where we'll be ranking organizations on their security health rating. So therefore, developing an understanding of what the security needs are, and who is the right person who can provide the help, or who are the right people who can deliver the goods, is absolutely mission critical. So therefore, your points are very well made: recognize what kind of help you need from a security standpoint, and that will immediately help align what you get by way of security mechanisms with your overall organizational goals and strategies. So I just wanted to re-emphasize that. Is there anything else you'd like to add to that?
Ted Harrington:
Well, just that the doctor-patient metaphor for security is so good. And there are so many aspects of that relationship that we can, you know, tie back to security, and I'm just deciding whether or not to go down all those different rabbit holes right now. But I'll definitely tie back to one or more of them as we go. But, um, if we want to use the doctor metaphor in the context of the question that you're asking about, like, how do we make sure we're getting the right thing? I think that's actually, maybe that's a good metaphor for us to use, because it's like when people go into the doctor's office, and they're like, oh, I checked on WebMD, my, you know, my symptoms or whatever. And so they've self-diagnosed, so they go into the doctor, and they're like, I need a, I don't know, insert jargon technical term right now. And the doctor is like, we'll get to that in a minute. Let me instead evaluate your symptoms, see where we're at, and I'll tell you, then, you know, what we need. But the problem that happens in security would be like, so doctors, I guess I don't know what I'm about to say for 100% certain, because I am not a doctor. But my understanding is that in medicine, a procedure has a name, and that's a universally understood procedure. The problem with what's happening with security, so let's say I don't know what the technical term would be, let's just say it's called knee replacement. You know, someone goes in, and they're like, I think I might, you know, my knee's bothering me, I need some help with my knee. And then a doctor is like, you need a knee replacement. The problem in security would be like, when one doctor says knee replacement, he means I'm going to replace your knee, another doctor means I'm going to give you orange juice, and a third doctor means I'm going to give you a physical, and you're like, these are all using the same term to describe really, really different things. And the patient doesn't know any better, because the patient's going to the expert. That's why this is a real problem. Like if you went to the doctor, and three different doctors said the same term, but they meant three different things, you probably wouldn't go to the doctor anymore. And that's why this is such a significant problem.
Dr. Dave Chatterjee:
Yep, very cool. You know, I authored a book, which was published by SAGE last year, Cybersecurity Readiness: A Holistic and High-Performance Approach. In that book, I presented a framework; it's called the Commitment, Preparedness and Discipline framework, and it is associated with 17 cybersecurity readiness success factors. And I'm not going to go down that list, but I wanted your thoughts on some of them, which I have found to be very important for an organization to secure themselves or get the resources they need to secure themselves. And one of those success factors happens to be hands-on top management. And it's a challenge out there, in terms of how to get top management attention, how to get top management actively engaged in cybersecurity planning, execution, monitoring. Just curious, because you're in the field, and you and your company are engaging with numerous organizations: what are you seeing out there, in terms of top management commitment to information security?
Ted Harrington:
Well, it's definitely becoming more and more of a priority for executive leadership. I think you probably could have any number of security professionals on here to answer that question, and they would probably all say some version of the same thing, right, which is like, security is a business problem, not a technical problem. We need to speak in the language of leaders, which is, you know, in terms of numbers and outcomes, and all that stuff. And we need to make sure that we, you know, don't make it technical and all that. So I would say all those things, too. But instead, what I want to share is something that I see the most progressive organizations doing, the ones who are getting it right. And they're currently in the minority. If we think about, you know, a bell curve, they're on the early adopter side. And my hope is that eventually we're going to get the whole world thinking this way. And the way is this one: most people think about security as avoiding a bad thing, right, let's not get hacked. That is, in fact, a good way to think about security. But it's incomplete. We also need to think about not just how do we avoid a bad thing, but how do we get a good thing? So not just how do we not get hacked, but how do we gain an advantage? And one of the things that is very, very obvious to me, as I look at the companies really across industries, across sectors, the ones who do two things, first, actually secure their systems, and then secondly, in an authentic and credible way, prove it, they gain this incredible competitive advantage over their competitors. So if that's a company, they're competing the way a company will, you know, for customers and market share. But there are other ways you can compete, too, whether that's maybe you're a nonprofit, and you need donors, maybe you're a government, and you need your political influence, or whatever. People and companies and organizations, they want to do business with organizations that are secure; they want that. Trust is the foundation of it. So if they trust someone, they're going to want to work with them, or at least if they don't trust them, they're going to be hesitant to work with them. And so this is one of the things that I see executives at the more progressive organizations capturing. They see it, they look at it, and they're like, if we only think of security as avoiding a bad thing, what we're going to do is we're going to make some risk-based decisions about, look, this is just a tax on the business. How do we reduce the tax to the right amount that's not so low that we expose ourselves to huge risk, but we're not overspending? That's the way most people actually think about security, when it's the idea of avoiding a bad thing. But now when you change the frame, and you say, well, how do we get a good thing? How do we get this competitive advantage? Now you're looking at it as an investment. And you're saying it's no longer a cost center to reduce; it's an advantage to optimize. How do we spend in a way that helps us beat the competition? How do we move faster? How do we get more enterprises using us than someone else? And I found that to be the thing that really gets leaders excited, because it's no longer this, like, this is annoying, I don't want to talk about this, make this problem go away. That's the way most people think about security. Now it is, oh, wait a minute, there is an untapped opportunity to gain a competitive edge. No one else is doing it, or not enough people are doing it. Talk to me about that. That's what progressive organizations are doing right now.
Dr. Dave Chatterjee:
Brilliant, absolutely brilliant. I love the way you put it. One has to look at information security capability as a distinctive competency. And focusing on developing the competency, using that competency or leveraging that competency to achieve a competitive edge is the way to go. The moment you are thinking of security as, ah, that's one more thing we have to do, we don't have a choice, that really doesn't cut it. Rather, taking a very optimistic approach, and saying, yes, this is a problem. This is a constant issue that we have to deal with. So let's see if we can convert the so-called problem into an opportunity and be the best we can be in managing this risk. I love that kind of a mindset, that kind of approach. And I'm sure people who are listening are making note of it. I'm sure many, many organizations, many senior executives approach it that way. So, Ted, a couple of months ago, probably in a podcast session, a renowned cybersecurity expert lamented that companies keep making the same mistakes over and over again. So I asked him, I said, what kind of mistakes are they making over and over again? And he talked about vulnerability management, patch management. And, you know, you being in the business, leading a team of ethical hackers, I'm sure you see that a lot. What are your thoughts about what is so difficult or challenging about patch management, vulnerability management, that, to use his words again, companies keep making the same mistakes?
Ted Harrington:
Well, I definitely agree with the problem that companies continue making the same mistakes over and over again. I would not limit it just to this particular issue of patch management. I'm a little befuddled myself as to why patch management continues to be such an issue. And that's not to diminish how hard it is. It's hard. Patch management is difficult. For me personally, like, if my job was to be in charge of patch management, I'd be terrible at it. Because what patch management requires are the kinds of things that, like, your brain is wired in a certain way to excel at. I think the kind of person who's really good at, like, maybe accounting, the kind of person who wants to make sure that the numbers perfectly zero out and everything's, like, exactly in order the way that it should be. Patch management is kind of like that too, like you have that absolute overriding drive for perfection. But you take that and you combine it with the fact that patches sometimes break systems, and breaking systems gets in the way of operational uptime, and operational uptime, in a lot of situations, is non-negotiable, or operational downtime is not allowable. So there are all these complexities to it. But really, I think that what's happening, if we go broader than just patch management, and we say, well, why do we keep making the same problem, like, making the same mistakes over and over and over again? I think it's because we don't necessarily truly understand the problem, and we don't truly understand the solution. And the "we" I'm describing here is the people who have the problem, and certain corners of the security community who are willing to present the incorrect solution. We talked about penetration testing before. And that's a great example of where, you know, there are people willing to sell companies a penetration test that isn't a penetration test; they're willing to do that. Now, maybe they don't know that there's a difference. That's negligent. Or they do know there's a difference, and they're misrepresenting it anyway. That's irresponsible. So whichever it is, it's not good. But the problem is, that's a two-sided problem, right? The companies who are building things, like we talked about before, they're not there every moment of every day working on how do you break things; they're looking to their expert partners to help them, and the expert partner isn't actually presenting the appropriate solution. Those two issues combined become this, like, kind of catastrophic problem.
Dr. Dave Chatterjee:
Yep. True. So here come my final two questions. First one is, what lessons do organizations refuse to learn? Have you come across anything like that? Do you have any thoughts on that? And I don't mean to stump you. So feel free to say, what's the next one? And I'm happy to throw out the next one.
Ted Harrington:
No, I like that question, actually, a lot. The way I would answer that, though, is I don't think you could say there's a universal, there's not like one lesson that everybody refuses to learn. But within every organization, there is at least one lesson that everybody in that organization refuses to learn. The one that, as an example, saddens me, actually, I was gonna say it irritates me or angers me, I was like, what's the right word for this? But I think it saddens me, is the way that sometimes politics work in large enterprises. I've seen it happen time and time again, where, you know, one executive will build a program in a certain way. And that program is succeeding in some way. And then, you know, that executive either gets promoted or gets poached to go somewhere else. And then the next executive comes in, and the way that new executive is going to, quote unquote, create their own thing, right, is going to create their opportunity to get promoted, or get poached to go somewhere else. They need to do something unique. They can't just do what's already been done. And so what do they have to do? They have to look at this program that's already been built, and say, we're gonna do it totally differently, because I know a better way. But if it's already working, why are you tearing it down? And that is actually a pretty significant problem in corporate America today, that sort of political need, which, I actually have no problem with someone needing to say, I need to make my mark on this organization so that I can make more money and provide more for my family. And like, what's wrong with that? That's amazing. But unfortunately, the way that it typically has to play out is by dismantling some other thing that already worked. And so now you have, it's kind of amazing when you see large enterprises, how inefficient they can be. Because every few years, as there's this turnover in, you know, executive positions, you're kind of starting things all over again. And I mean, how many people listening right now work in a large enterprise and go through a reorganization, like, every three or four years? You're like, I'll just wait this out, because by the time it actually is implemented, there's going to be a reorg, you know.
Dr. Dave Chatterjee:
Yep. So let me give you my answer to the question I posed to you. So, you know, two things happen. As you're probably aware, it is the medium-sized organizations that generally capitulate after a major cyber attack; they go out of business. There is data to support that: 60 to 70% of small and medium-sized enterprises cease to exist, which is a very rough consequence, probably the most severe consequence. But then there are large organizations, and again, I won't take any names here, who, for lack of a better word, made some very reckless mistakes that border on gross negligence, and a breach has happened. There were severe consequences. But they get bailed out for a variety of reasons. And that's where my concern lies. Not that we're going to solve this problem here, and neither am I trying to get you to suggest what the solution should be. But that's where my concern is: when these organizations get bailed out, do they learn the lessons, or do they make the necessary changes? And these are not symbolic things that you put out there to impress the media and impress your investors. But it goes deeper, into their processes, into how security is approached by the organization, whether security is built into their organizational culture. In my book, I talk about creating and sustaining a high-performance information security culture. It's hard to do. But it is definitely something that organizations should strive towards. So that's from where I was coming, when I asked you that question.
Ted Harrington:
It's hard to say, without being on the inside of every organization, right, whether they've learned their lesson or not. But you see plenty of cool success stories, you know, in the aftermath of major breaches, including in the industry around whoever the victim was. You know, the movie business is a great example. Sony, you know, went through that really very publicly. You know, that was a real bummer, that breach, for everyone, not just the people at Sony, but the people who work with Sony. The movie business is kind of a small world; everyone kind of knows everyone. And, you know, a lot of hearts went out for that. That was a really tough time for a lot of people. But it's really cool to see, in the aftermath, how the security programs at different studios got more funding, got more people, they got more sophisticated. And that's a cool aftermath. I mean, yeah, you don't want a company to go through what Sony went through. That's terrible. But if it has to happen, then let's make sure that there's some really positive result. And that's definitely what's been happening. So that was pretty cool. That was pretty cool to see that.
Dr. Dave Chatterjee:
That's great to hear. I'm glad you shared that with us. There are, I'm sure, many, many positive stories of recovery, and, you know, coming back revitalized, and in ways that have made the organization better. So that's good to hear. Hey, as much as I would like to keep talking with you, I've been enjoying this, you know, we are getting to the end of our time here. So let's try to wrap things up with you sharing any final takeaways for the audience. Any final thoughts for the audience?
Ted Harrington:
Yeah, I mean, I definitely always like to end on a high note. And I feel like the story I just told was a high note. So there we go, you already have your high note. You know, we're seeing industries react really well in the aftermath of breaches. But I think that I would just leave people with this fact: that the security community is a passionate one that really is trying to improve things every day. Ethical hackers included amongst that, and that, to me, is really exciting to live in it and to see it. And to those of you who maybe are wanting to join security, or maybe you are not in security, but you work with security companies, just know that there's a really passionate group. Let's move forward. And yeah, I mean, we can end on that note. And if anyone wants to know anything more about, you know, any of the ideas we talked about, you wanted to ask me about, personally, you want to follow me on social media, you want to know more about my book, you want help with your security testing program, just hit me up. I'm easy to find at tedharrington.com, and everything you could need to know is right there.
Dr. Dave Chatterjee:
Fantastic, Ted, thank you again for your time. It's been a pleasure.
Ted Harrington:
Thank you for having me.
Dr. Dave Chatterjee:
A special thanks to Ted Harrington for his time and insights. If you like what you heard, please leave the podcast a rating and share it with your network. Also, subscribe to the show, so you don't miss any new episodes. Thank you for listening, and I'll see you in the next episode.
Introducer:
The information contained in this podcast is for general guidance only. The discussants assume no responsibility or liability for any errors or omissions in the content of this podcast. The information contained in this podcast is provided on an as-is basis with no guarantee of completeness, accuracy, usefulness, or timeliness. The opinions and recommendations expressed in this podcast are those of the discussants and not of any organization.