Using compelling stories and metaphors, Ted Harrington, author of Hackable: How To Do Application Security Right, and Executive Partner at Independent Security Evaluators, explains the process of hacking and the importance of being able to think like a hacker. He encourages leaders to get excited about information security investments and look for ways of gaining a competitive edge from those investments.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-24-thinking-like-a-hacker/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Welcome to the Cybersecurity Readiness Podcast
Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
A Holistic and High-Performance
Approach. He has been studying cybersecurity for over a decade,
authored and edited scholarly papers, delivered talks,
conducted webinars, consulted with companies, and served on a
cybersecurity SWAT team with Chief Information Security
Officers. Dr. Chatterjee is an Associate Professor of
Management Information Systems at the Terry College of
Business, the University of Georgia, and Visiting Professor
at Duke University's Pratt School of Engineering.
Hello, everyone, I'm delighted to
welcome you to this episode of the Cybersecurity Readiness
Podcast Series. Today, I have the pleasure of talking with Ted
Harrington, Executive Partner at Independent Security Evaluators
and he's also the author of Hackable: How To Do Application
Security Right. His company, made up of ethical hackers, was
born out of the Ph.D. program at Johns Hopkins University.
They have been doing security assessments and security
consulting for a long time for both large enterprises and
funded startups and everyone in between. Since 2005, they have
been hired by hundreds of companies, and they have helped
discover tens of thousands of security vulnerabilities. Their
work has appeared in The New York Times, Wall Street Journal,
Washington Post, USA Today, Financial Times, Wired, and CBS
News on Assignment. Hey, Ted, welcome.
Thanks for having me. Excited to be here.
So let's talk about hacking. For the
benefit of the listeners, provide an overview of hacking
like hacking 101, what is it? What are the many consequences?
Sure, so I like this question a lot, because the
concept of hacking and the concept of hackers is pretty
misunderstood. So maybe we start there, like what is what is
hacking? What is a hacker and a lot of times people talk about
this idea, you know, hackers as if they're bad, right? That the
hackers are malicious, or associated with wrongdoing or
evil or whatever. And that's only partly true, because that's
a certain that is certainly a type of hacker. But hackers, the
term hacker is neutral. It's neither good nor bad. It's a
hacker is someone who is a problem solver. They're
creative. They're someone who looks at the way a system works
and says, you know, can it behave differently than what was
intended to do? Can I create something. So that's really what
hackers are, and then the fork in the road comes to motivation,
right? So if someone is doing this, because they want to
obtain some sort of personal gain, they want to harm others.
That's what attackers would be certainly. But the other forks
of the road are ethical hackers, people who do the same things
use the same tools, the same techniques, still want to find
those issues with how a system works. But they do it because
they want to fix the system, they want to make it better,
they want to improve it. And that's the corner of the world
that I come from, that our people all come from. And both
are hackers. So really fundamentally, that's what
hacking is hacking is looking at something and saying, you know,
can it be differently, and there's this classic TV series
called MacGyver that, you know, maybe younger generations might
not be familiar with. I've never even actually really seen
MacGyver myself. But I'm very familiar with the concept of
MacGyver. And he's, you know, this dude, who would just he
create things out of, he'd take things that were supposed to do
one thing and make it do something else. Like if there
was one episode where he, I think he needed to start a car
or something and he took a paperclip, which the purpose of
a paperclip is to clip together paper. And he used this to like
somehow, you know, ignite the engine in a vehicle. That's a
hacker that's someone who says, you know, things supposed to
work in a certain way, can I make it behave differently, and
then motivation determines whether that's a good thing or a
bad thing.
That's interesting. That's an
interesting way of looking at hacking. I never thought about
it as hackers as problem solvers. But I see from where
you're coming. With the growing expansion of attack surfaces and
evolution of attack vectors. It's hard for organizations to
keep up with the latest hacking methods and techniques. And
that's why companies often hire organizations that are made up
of ethical hackers to help them stay on top of information
security management to the extent possible. So shed some
light on why hackers might be interested in breaching systems
of certain types of organizations over others, if
that's the case, that may not be the case. And related to that,
are any organization types more vulnerable than others?
Yeah, let's tackle those separately, because they
are two slightly different questions. But they can be
conflated. So why would an attacker attack a specific
organization? I think this is a wonderful question. And it goes
to the heart of one of the very common misunderstandings that
people have about attackers. Most people think that this idea
of we've already broken down that there's, you know, hackers
can be good, or hackers can be bad. But even amongst the bad
hackers, they're not all the same thing. But we often talk
about them as if they're all the same thing. And that's actually
not true. So different attacker groups, they're motivated to
achieve different outcomes. So the most common one, almost
everybody talks about hackers as being profit motivated. And that
is indeed a very compelling motivation for many types of
attackers. I mean, basically, anyone who engages in ransomware
profit is the motive. Almost everyone, there's, there's cases
where maybe you use that to hide your other motive, but so
someone who wants to make money that's like organized crime as
an example, they are attacking because they want to make money.
But then you've got groups that are more interested in
notoriety, right. So maybe it's someone who just they want to
prove they can do it, or they want to go to brag about it, or
they want to, yeah, they just want the notoriety associated
with it. That's a different motivation from someone who may
be like anonymous, the hacker collective that fits in the
group of what are called hacktivists, which they attack
organizations in order to make a statement. And then there's
nation states that attack organizations in order to pursue
their geopolitical objectives. And so when we think about
different attackers having different motivations that comes
into play, in terms of how we now think about how we defend,
because we think about, well, what are we trying to protect,
and is what we have something that an attacker could pursue
their specific motivation for. So they want to feel like a lot
of companies, they'll say, Well, I don't have anything valuable,
I don't protect any valuable data. So no one's going to
attack me because I don't have valuable data and no one's gonna
make money off of attacking me. And hopefully, what I just
illustrated makes it clear that that's actually not the case.
You know, you might not have valuable data, but maybe you
have, maybe your organization can be swept up in a botnet.
Your computational power can be used in a broader DDoS type
attack. Maybe your organization has some sort of influential
information on maybe population trends or things that are
happening on a national level that another nation might want
to understand. So we have to understand the attacker, why
they're motivated in order to help ourselves think about what
do we need? Why would someone attack us?
Very true, very true. We hear this phrase
'thinking like a hacker' a lot. The ability to think like a
hacker is considered a best practice in cybersecurity
governance. I'd like to probe a little deeper into it. Can you
shed some light on that?
Yeah, I'm, I'm definitely one of those people
who's out there banging this drum. I say this to anyone who
will listen that Yeah, to defend against an attacker, we need to
think like an attacker. Um, and this this idea of more
generally, you know, think like a hacker, whether that's a you
know, good type of hacker or a bad type of hacker. This is
absolutely mission critical for organizations to be able to
secure their what it is, whatever it is, they're trying
to protect the most, they really need to think like, someone who
would attack a system. And that's not very easy actually to
do. And most people aren't wired that way. I often think of this,
like the movie, The Matrix. Maybe this is a little bit of a
spoiler, but the movie has been out for, like 25 years. So if
you haven't seen it yet, that's on you. And then I'm spoiling
it. You know, you find out partway through this movie, that
you know, everyone who's living normal life, like we live normal
life, you know, here on Earth, all of a sudden, you're actually
in a simulation. And when you unplug from the matrix, you
realize you're, you're now living reality, but the reality
is really ugly. You're in this like post apocalyptic world and
it's like everything cold your food is basically like eating
dust. It's, it's a terrible life, but you have freedom. And
I often think of that's what it's like, once you can think
like a hacker is like once you unplug from the matrix, and you
see kind of all the darkness in the world. Hold, there's no
going back. And so it's not for everybody, not everybody should
not think that everybody doesn't have the capability to see the
world that way. And most people probably don't want to see the
world that way. But those of us who are engaged in this as a
profession, or even as a hobby, this is the way that we see it.
And the reason that this is important is, I guess, think of
it like, what's any metaphor, I don't know, think of a sports
metaphor, right? If you're, if you're playing against an
opponent coming up this weekend, how are they going to think
about their plan to try to win the game against you, right, you
have to put yourself in the shoes of your opponent, in order
to be able to understand how will you like what's, what's the
lens through which they see you, and how will you be attacked.
And that's why this idea of thinking like a hacker is
really, really important. Because, again, to use a sports
metaphor, like when when we think as defenders, that sort of
like someone who's, you know, playing basketball, and they're,
they're playing defense on their heels, right. And so anyone
who's played really any ball sports, any team sports knows
that if your weight is on your heels, it's really, really hard
to react to the ball coming at you. And so the advice is, you
always have to be on your toes, you have to be leaning forward,
not leaning backwards. And so when we think like defenders,
we're leaning backwards, we're sort of like waiting for the
world to come to us. But that makes it really hard to react.
Instead, we should be leaning forward, we should be on our
toes. And we should be thinking like, Hey, we're actually on the
offense, not on the defense. And that's what think like a hacker
helps you do.
And so, you know, as you said, that you
don't expect everyone to think like a hacker. Now, maybe the
cybersecurity professionals in the organization, who are paid
to, you know, be proactive, make recommendations on how to secure
the organization, from new attack types, maybe they are the
ones who should be thinking like a hacker. But I'm just curious
to know, your thoughts and perspectives on the other group,
the folks who generally get compromised, they are not very
security savvy, they learn as best they can, what they're told
by the organization. For those folks, obviously, they are not
the type that you'd recommend, think like a hacker. But what
advice do you have for them?
Yeah, so as you can, as you're gonna see,
throughout the crowd, I'm big on metaphors. So let's, let's use
the metaphor of someone who builds skyscrapers, right? So
that particular type of contractor that takes a specific
skill set, developed over a long period of time, you know, how to
build a skyscraper. Now, if someone comes to you and says,
Hey, we've got this other skyscraper over here, and we
need to demo it, we need to demolish it. You know how these
things, you build these things all day? Can you demolish this
one? They'd be like, maybe like, I guess I know the fundamentals
of how it's built. But like, that's not what I do. That's not
my profession. That's not my chosen craft. So what do they
do? They say, Well, why don't we get a demo expert in here to do
the demo, and I'll work with them. And I'll say, you know,
we'll, we'll talk through the mechanics of this building. And,
and that's how we'll have a successful demolition. But
they're two completely different crafts. So the first piece of
advice is, you need to work with somebody, like you're the
builder, you need to work with a breaker, right? So companies who
are out there building, whatever system that you're building, you
definitely want to work with ethical hackers, because they
help you because they bring that expertise, that, as you
correctly noted, isn't necessarily the core part of
what it is that you're doing. It's similar to like any
expertise that you would partner with externally, so companies
all the time will partner with, you know, outside counsel,
outside accountants outside, you know, pick your expertise,
they'll, they'll say, Hey, you're gonna come and sort of be
the surgical strike that does this specific thing that we
don't actually fully staff out. So that's the first thing
is, you know, work with outside organizations. Second thing is
to, even though that that's what has to happen is you have to
work with outside organizations who specialize in this thing.
You want to also make sure that you understand the principles.
So if we use that, the skyscraper metaphor, the guy who
or the guy or the gal who builds a skyscraper should also know
where the weaknesses are and know and know how it might
crumble if it's not built correctly. Now, that doesn't
mean they're gonna go out and do demo, but they're going to know
like, Hey, this is a, you know, this type of joint stresses in a
in a bad way, we should make sure we don't use that type of
joint. And I'm way oversimplifying the practice of
building a skyscraper for sure. But you know, it's for
illustrative purposes. And so that's the second piece of
advice is make sure you understand the principles so
you work with someone else, but still, you have to make sure
that you understand the principles yourself. And then
the third is this. It's abstract, but it's keep asking
these questions, right? It's your whatever it is that you do
in any profession, your core expertise, you're going to, you
know, that's where the focus of your develop effort developing
yourself is going to be. But there's always going to be these
things on the periphery that like, oh, I should probably know
about that. But maybe I'm not the expert in that. But by
asking the questions of what do I need to know about x? So the
person who's listening to this right now, who builds systems
and says, What do I need to know about security? That question is
so important, it's so powerful, because just by asking it, it
leads you to the type of growth that is necessary, in order to
make sure you understand the principles even though the, the
entity or the person who's going to be responsible for this is
going to be someone else, you can't completely delegate it to
someone else.
I agree. I wholeheartedly agree. In fact,
as you were talking, a thought came to mind. I wish you know,
that. There are more demonstrations, visual
demonstrations, graphical illustrations, and various forms
of presentations made available to the masses, where people get
to see how hackers think, how hackers act. And I realized that
can get very technical, but that's where the skill lies. Can
we present the technical stuff in a non technical way you, you
use metaphors and you, you know, kind of talked about several
movies. So maybe we need more media help here to popularize
thinking like a hacker. So everyone on the street literally
has some sense of what these guys are up to how they are
thinking how they try to attack, not to suggest that this would
make everyone an expert, but at least it whets the appetite, it
gives them a basic understanding. And that would
help the organization to mobilize support from from all
parts of the organization. Thoughts, reactions?
Yeah, well, let me try to illustrate with maybe
a metaphor that most people can relate to. Most people don't
like waiting in line. Right? I think that's just, even though
everyone does wait in line, like people literally spend money and
vacation time to go to places like Disneyland, because they
want to wait in line all day. So they can, you know, wait in line
for an hour to take a three minute ride. Not for me, but
hey, you know, whatever floats your boat, but I think but, but
most people, even though they wait in those lines, they pay to
wait in those lines, they take time off their job to wait in
those lines, people would still say they don't like waiting in
the line. I think that's sort of a universal human condition. No
one, no one is enjoying the line. So let me tell you about a
story that I had involving a line and this is this story
actually is a form of social engineering. But the components
to it describe exactly the process that an attacker would
go through. So if we can imagine a bar, and the bar is going to
be you know, a bar, like a nightclub. This bar represents
our, it represents a, a system that someone is building. So I
this was a few years ago, I wound up going to this, this
bar, and I was meeting up with some friends. And I can't
remember why I needed to go to this specific bar. But I mean,
it was like someone's birthday, but I had to go to this. It
wasn't like, we'll just go to another bar, and there was this
huge line. And then when you you get through this whole long line
takes a half an hour or whatever, then you pay a cover
charge to get in. And I didn't want anything to do with either
of those. I was like I don't want to wait in line and then
pay you know, whatever. 20 bucks just just for the right to now
go in and I'll spend more money. So I did what you know, really
any hacker minded person does the first thing I did was I
assessed the system I looked at how does the system work? Okay,
well, there's a line that gets you in and, and then you pay a
cover when you're in and that grants you access. But I noticed
there's also this other area for a VIP entrance. And that VIP
entrance, you can only there's no line, there's no cover, but
you can only go in if you're on the list. So that's the second
thing I did was I said alright, well, how could the challenge
question was how can I make them believe I'm on the list? I'm not
on the list, but how can I make them believe it? So that's the
second thing that attackers will do, though. They'll essentially
set out a challenge statement for themselves. Like what's the
goal? What am I trying to do? And in this case, I was trying
to get the privileges of someone on the VIP list when I didn't
have those privileges. That's called privilege escalation. So
then the next thing I did was what any attacker Do I, I probed
some I established some assumptions about how the system
worked. And my assumption was, if I can produce the name of
someone on that list, they will assume I'm on the list. So that
was my goal, I needed to produce a name on the list. I did not
know any names. So here's what I did. So I walk right up to the
VIP hostess, and I say, Hi, I'm on the list. Now, again, I just
told you I'm not I'm not listed. She doesn't know this, but I'm
not on the list. So I said, Hi, I'm on the list. So when she
asks me, What My name is telling her my name wasn't going to
help, because I'm not on the list. And guessing is like,
what's the chances? I guess somebody's name, right? Like,
it's so like, why even bother? So I'm not gonna guess. So
instead, I issue what's called a specially crafted input. Now,
this is when an attacker is probing a system to see how it's
going to react. And in this case, a specially crafted input
was I said, Well, I'm with the group, I made an assumption that
the there was going to be a group, and the group would be on
the VIP list. And so when she said which group again, I
didn't, you know, same problems, I didn't know the names of any
group guessing wasn't going to help. So again, I asked, I
issued another specially crafted input, and I said, I'm with the
big group. And I was making an assumption that that would be
something that would be on the list, there would be one group
larger than others. And with that, she looks down at her
clipboard, she flips a couple pages, and she says, Oh, the
Smith party. And I said, Yes, I am with the Smith party. And
with that, I had achieved the goal, I associated myself with a
name on the list, she opens the velvet rope, escorts us past
the line and past the cover charge. And, you know, I went
into the bar, I should say, as a sidebar, I am an ethical hacker.
So even though I did not pay the cover charge, I'm more than made
up for it with over tipping my bar staff, everyone, the only
person who lost money that night was probably me, like everyone
made out. But I didn't have to wait in line, which is what I
didn't want to do. But the point of that story, whether you like
going to bars or not, or you've never even been to a bar, we've
all been in situations we don't like waiting in line. And that
story can illustrate in a way that I think everyone can relate
to the process that attackers go through.
Excellent. That's a very, very interesting
and telling story. In fact, that reminds me, this is not so much
about how hackers hack, but how to be on your guard to be on
your defense. And I wasn't that night, where I went to a
restaurant in a great city, I won't name it here. And it was a
Halloween, I think, and it was a haunted restaurant. So we were
having dinner there. And the lights were very dim. And you
know, they were trying to create that atmosphere I was in my
family. So we had dinner. And then when the waitress came up
asking for the credit card, I gave it to her without thinking
twice that I should be scanning the card right there. And then I
shouldn't be giving it to somebody. And next moment. Well,
you know, that night, everything went off. Well, we checked out
and we had a good night's rest. Next morning, I was driving my
son for his tennis match. And then I got a call. I was not
planning to take the call. It was an 800 number call. But then
I did. I'm glad I did. It was a Bank of America representative
asking where I was the previous night. And then he was able to
share some data and facts that told me that my card got hacked.
And it was already being used in the state of California. And I
was on the eastern part of the country. So I knew that somebody
had gotten access to it. So this is an example where even those
of us who are conscious about this phenomenon will play a
role. Even they can get caught napping and they can get
compromised, and which has happened to me not once but
several times. And that's all the more I believe the need for
reiterating reinforcing some fundamental principles, some
guidelines and recommendations. Because I believe that the very
best of people have been, can be or will be breached in the
future. So that is great. Good discussion on that topic.
Switching gears a little bit. Let's talk about security
assessments. It's reasonable to assume that most organizations
are engaging in security assessments. But the more
nuanced question is, are they engaging in the right kinds of
security assessments with methodologies that best align
with their desired outcomes? What are your thoughts?
You are preaching to the choir right
now? That is that is the question in that matter that
absolutely is the question that matters. Wow. So the way you
actually framed the question first was, you know, we're
assuming that most organizations are getting security
assessments. I hope that is true. I guess it should be
stated that that's assuming an organization is something worth
protecting, that is actually an important item to note. So if
you don't have something worth protecting, then like, why would
you invest in protecting it doesn't matter. But assuming you
do, I mean, someone who's listening to a show like this,
you probably do. Right? You wouldn't be investing your time,
in listening to Ted ramble until random metaphors, if you didn't
have something to protect, so we're assuming have something to
protect, you're getting these security assessments done. And
the real problem that I see, I mean, one of the motivations to
want to write a book was because I saw this rampant problem all
over the place, which is that the way that we talk about
security testing, and we I'm talking about collectively, the
security community, but also those who engage with security
community who hire security professionals to do security
testing, we talk about it in very imprecise ways. And it
winds up leading to some really bad outcomes. So what most
people want when they're hiring, security testing? Well, there
are different motivations for why someone would go hire one.
But they're usually something like, well, I need to prove it
to someone else. And I need to actually secure the thing. So
those are, sometimes hopefully, it's both sometimes it's just
one, like, I need to prove this, I don't care what it is, I need
to prove it to someone else that I did a security test. But in
the case of, you know, the more progressive companies
definitely, they're actually trying to improve the security
of the system. They're not just going through the motions. But
the problem is, the way we talk about security testing is we use
terms incorrectly all the time. So people often will ask for
penetration testing. That's sort of the term that's become the
catch all. But penetration testing is a very specific type
of thing. But complicating that problem, they're asking for
penetration testing, they're usually sold something else.
Like if you Google that term, right now, almost all the
results you're gonna get, not all of them, but at least three
quarters of them are something else, they're going to be
vulnerability scanning, they're not penetration testing. But
then what makes it even more complicated is that what people
actually need usually isn't actually penetration testing at
all. What they usually need is what's called vulnerability
assessments. And I can definitely I've, of course, I've
metaphors, I can explain the difference between these these
three types. But the point that I want to leave on answering
your question here is that those are three really different
things. They entail different investments of time, and money
and person power, and they deliver different things. So
when people are asking for something, they're getting
something else, and yet they actually needed a third thing
altogether, have we actually achieved the mission? Right?
Have we actually accomplished what we set out to accomplish,
and that is a really big problem.
There are a few things that you've mentioned
more than once now, and I believe it, it's worth
reiterating, re emphasizing, and that is, an organization needs
to know, or needs to have a good understanding of what it wants
to secure. And what are the tools, the methodologies, the
techniques that are out there? Now, one is not expecting an
organization, especially smaller organizations resource
constrained to have the kinds of expertise to make those calls,
but they need to reach out and get help. Again, you know,
trying to follow your example of using a metaphor. It's like,
when you go to a doctor, and or you're, you're thinking of going
to a doctor, because you feel there is an issue. And so you're
doing your best due diligence possible, doing your searches,
you know, talking to people getting advice. So you have a
planning process in place. And it's important, why is it
important because it's your health. And I like to use the
health metaphor, because when it comes to security, that's the
security is the health of the organization. It is I believe
that there is not far where we'll be ranking organizations
on their security health rating. So therefore, developing an
understanding of what the security needs are, and who is
the right person who can provide the help or who are the right
people who can deliver the goods is absolutely mission critical.
So therefore, your points are very well made that to recognize
what kind of help you need from a security standpoint. And that
will immediately help align what you get by way of security
mechanisms, along with your overall organizational goals and
strategies. So I just wanted to re emphasize there anything else
you'd like to add to that?
Well, just that the doctor patient metaphor for
security is so good. And there's so many aspects of that
relationship that we can, you know, tie back to security, and
I'm just deciding whether or not to go down all those different
rabbit holes right now. But I'll definitely tie back to one or
more of them as as we go. But, um, if we want to use the doctor
metaphor, and the context of the question that you're asking
about, like, how do we make sure we're getting the right thing? I
think it's, that's actually, maybe that's a good metaphor for
us to use, because it's like when people go into the doctor's
office, and they're like, Oh, I checked on WebMD, my, you know,
my symptoms or whatever. And so they, they've self diagnosed, so
they go into the doctor, and they're like, I need a, I don't
know, insert jargon, technical term right now. And the doctor
is like, we'll get to that limit. Let me instead, evaluate
your symptoms, see where we're at. And I'll tell you, then, you
know, what we need. But the problem that happens in security
would be like, so doctors, I guess I don't know what I'm
about to say for 100% Certain, because I am not a doctor. But
my understanding is that in medicine, a procedure has a
name. And that's a universally understood procedure. The
problem with what's happening with security. So let's say I
don't know what the technical term would be, let's just say
it's called knee replacement. You know, someone goes in, and
they're like, I think I might, you know, my knees bother me, I
need some help with my knee. And then a doctor is like, you need
a knee replacement. The problem in security would be like, when
one doctor says knee replacement, he means I'm going
to replace your knee, another doctor means I'm going to give
you orange juice. And a third doctor means I'm going to give
you a physical, and you're like, these are all using the same
term to describe really, really different things. And the
patient doesn't know any better to like, because the patient's
going to the expert. That's why this is a real problem. Like if
you went to the doctor, and three different doctors said the
same term, but they meant three different things. You probably
wouldn't go to the doctor anymore. And that's why it is such
a significant problem.
Yep, very cool. You know, I authored a
book, which was published by SAGE last year on
A Holistic and High-Performance
Approach. In that book, I presented a framework, it's
called the Commitment, Preparedness and Discipline
framework that is associated with 17 cybersecurity readiness
success factors. And I'm not going to go down that list, but
I wanted your thoughts on some of them, which I have found to
be very important for an organization to secure
themselves or get the resources they need to secure themselves.
And one of those success factors happens to be hands-on top
management. And it's a challenge out there. In terms of how to
get top management attention, how to get top management
actively engaged in cybersecurity planning,
execution, monitoring. Just curious, because you're in the
field, and you and your company are engaging
with numerous organizations. What are you seeing out there,
in terms of top management commitment to information
security?
Well, it's definitely becoming more and
more of a priority for executive leadership. I think you probably
could have any number of security professionals on here
to answer that question that would probably all say, some
version of the same thing, right, which is like, security
is a business problem, not a technical problem. We need to
speak in the language of leaders, which is, you know, in
terms of numbers and outcomes, and all that stuff. And we need
to make sure that we, you know, don't make it technical and all
that. So I would say all those things, too. But instead, what I
want to share is something that I see the most progressive
organizations doing that are the ones who are getting it right.
And they're currently in the minority. If we think
about, you know, a bell curve, they're on the early
adopter side. And my hope is that eventually we're going to
get the whole world thinking this way. And the way is this
one: Most people think about security as avoid a bad thing,
right, let's not get hacked. That is, in fact, a good way to
think about security. But it's incomplete. We also need to
think about not just how do we avoid a bad thing? But how do we
get a good thing? So not just how do we not get hacked? But
how do we gain an advantage. And one of the things that is very,
very obvious to me, as I look at the companies really across
industries across sectors, the ones who do two things, first,
actually secure their systems. And then secondly, in an
authentic and credible way, prove it, they gain this
incredible competitive advantage over their competitors. So if
that's a company, they're competing the way a company
will, you know, for customers and market share. But there's
other ways you can compete, too, whether that's maybe you're a
nonprofit, and you need donors, maybe you're a government, and
you need your political influence, or whatever. People
and companies and organizations, they want to do business with
organizations that are secure. They want trust; trust is the
foundation of it. So if they trust someone, they're going to want
to work with them, or at least if they don't trust them,
they're going to be hesitant to work with them. And so this is
one of the things that I see executives at the more
progressive organizations capturing, they see it, they
look at it, and they're like, if we only think of security as
avoid a bad thing, what we're going to do is we're going
to make some risk-based decisions about, look, this is
just a tax on the business. How do we reduce the tax to the
right amount that's not so low that we expose ourselves to huge
risk, but we're not overspending? That's the way
most people actually think about security,
when it's the idea of avoid a bad thing. But now when you
change the frame, and you say, Well, how do we get a good
thing? How do we get this competitive advantage? Now
you're looking at it as an investment. And you're saying
it's no longer a cost center to reduce? It's an advantage to
optimize? How do we spend in a way that helps us beat the
competition? How do we move faster? How do we get more
enterprises using us than someone else? And I found that
to be the thing that really gets leaders excited, because it's no
longer this, like, this is annoying, I don't want to talk
about this, make this problem go away. That's the way
most people think about security. Now it is, oh, wait a
minute, there is an untapped opportunity to gain a
competitive edge. No one else is doing it or not enough people
are doing it. Talk to me about that. That's what progressive
organizations are doing right now.
Brilliant, absolutely brilliant. I love the
way you put it. One has to look at information security
capability as a distinctive competency. And focusing on
developing the competency, using that competency or leveraging
that competency to achieve a competitive edge is the way to
go. The moment you are thinking of security as, ah, that's one more
thing we have to do, we don't have a choice, that really
doesn't cut it. Rather, taking a very optimistic approach, and
saying, yes, this is a problem. This is a constant
issue that we have to deal with. So let's see if we can convert the
so-called problem into an opportunity and be the best we
can be in managing this risk. I love that kind of a mindset,
that kind of approach. And I'm sure people who are listening
are making note of it. I'm sure many, many organizations, many
senior executives approach it that way. So, Ted, a couple of
months ago, probably in a podcast session, a renowned
cybersecurity expert lamented that companies keep making the
same mistakes over and over again. So I asked him, I said,
What kind of mistakes are they making over and over again? And
he talked about vulnerability management, patch management.
And, you know, you being in the business, leading a team of
ethical hackers, I'm sure you see that a lot. What are your
thoughts about what is so difficult or challenging about
patch management, vulnerability management, that to use his
words again, that companies keep making the same mistakes?
Well, I definitely agree with the
problem that companies continue making the same mistakes over
and over again, I would not limit it just to this particular
issue of patch management. I'm a little befuddled myself as to
why patch management continues to be such an issue. And that's
not to diminish how hard it is. It's hard. Patch management is
difficult. For me personally, like if my job was
to be in charge of patch management, I'd be terrible at
it. Because what it requires for patch management are the kinds
of things that, like, your brain is wired in a certain way
to excel at that I think the kind of person who's really good
at like, maybe accounting, the kind of person who wants to make
sure that the numbers perfectly zero out and everything's like
exactly in order the way it should be. Patch management is
kinda like that too, like you have that absolute overriding drive
for the perfection. But you can take that you combine it with
the fact that patches sometimes break systems, and breaking
systems gets in the way of operational uptime, and
operational uptime, in a lot of situations, is non-negotiable, or
operational downtime is not allowable. So there's all these
complexities to it. But really, I think that what's happening if
we go broader than just patch management, and we say, well,
why do we keep making the same
mistakes over and over and over again? And I think it's because
we don't necessarily truly understand the problem. And we
don't truly understand the solution. And the "we" I'm
describing here is the people who have the problem, and
certain corners of the security community who are willing to
present the incorrect solution. We talked about penetration
testing before. And that's a great example of where, you
know, there are people willing to sell companies a penetration
test, that isn't a penetration test, they're willing to do
that. Now, maybe they don't know that there's a difference.
That's negligent. Or they do know
there's a difference, and they're misrepresenting it
anyway. That's irresponsible. So whichever it is, it's not good.
But the problem is, that's a two-sided problem, right? The
companies are building things; like we talked about before,
they're not there every moment of every day working on how do you
break things, they're looking to their expert partners to help
them, and the expert partner isn't actually presenting the
appropriate solution. Those two issues combined become this,
like, kind of catastrophic problem.
Yep. True. So here come my final two
questions. First one is, What lessons do organizations refuse
to learn? Have you come across anything like that? Do you have
any thoughts on that? And I don't mean to stump you. So feel
free to say what's the next one? And I'm happy to throw out the
next one.
No, I like that question, actually, a lot.
The way I would answer that, though, is I don't think
you could say there's a universal, there's not like one
lesson that everybody refuses to learn. But within every
organization, there is at least one lesson that
that organization refuses to learn. The one that, as an
example, saddens me, actually. I was gonna say it
irritates me or angers me. I was like, what's the right word for
this? But I think it saddens me is the way that sometimes
politics work in large enterprises. I've seen it happen
time and time again, where, you know, one executive will build a
program in a certain way. And that program is succeeding in
some way. And then, you know, that executive either gets
promoted or gets poached to go somewhere else. And then the
next executive comes in, and the way that that new
executive is going to quote unquote, create their own thing,
right, is going to create their opportunity to get promoted, or
get poached to go somewhere else. They need to do something
unique. They can't just do what's already been done. And so
that, what do they have to do? They have to look at this
program that's already been built, and say, we're gonna do
it totally differently, because I know a better way. But if it's
already working, why are you tearing it down? And that is
actually a pretty significant problem in corporate America
today, that sort of political need, which I
actually, I have no problem with someone needing to say, I need
to make my mark on this organization so that I can make
more money and provide more for my family. And like, what's
wrong with that? That's amazing. But unfortunately, the way that
it typically has to play out is by dismantling some other thing
that already worked. And so now, it's kind of
amazing when you see large enterprises, how inefficient
they can be. Because every few years, as there's this turnover
in, you know, executive positions, you're
kind of starting things all over again. And I mean, how many
people listening right now work in a large enterprise and go
through a reorganization? Like every three or four years,
you're like, I'll just wait this out, because by the time it
actually is implemented, there's going to be a reorg you know.
Yep. So let me give you my answer to the
question I posed to you. So, you know, two things happen, as you're
probably aware: it is the medium-sized organizations that
generally capitulate after a major cyber attack, they go out
of business, there is data to support that. 60 to 70% of
small and medium-sized enterprises cease to exist,
which is a very rough consequence, probably the most
severe consequence. But then there are large organizations.
And again, I won't take any names here, who, for lack of a
better word, made some very reckless mistakes that
border on gross negligence, and breaches have happened. There
were severe consequences. But they get bailed out for a
variety of reasons. And that's where my concern lies. Not that
we're going to solve this problem here, and neither am I
trying for you to suggest what the solution should be. But
that's where my concern is that when these organizations get
bailed out, do they learn the lessons, or do
they make the necessary changes? And these are not symbolic
things that you put out there to impress the media and impress
your investors. But it goes deeper into their processes into
how security is approached by the organization, whether
security is built into their organizational culture. In my
book, I talk about creating and sustaining a high-performance
information security culture, it's hard to do. But it is
definitely something that organizations should
strive towards. So that's from where I was coming, when I asked
you that question.
It's hard to say without being on the inside of
every organization, right, whether they've learned their
lesson or not, but you see plenty of cool success stories,
you know, in the aftermath of major breaches, including the
industry around whoever the victim was, you know, the movie
business is a great example. Sony, you know, went through
that really very publicly. You know, that was a real bummer,
that breach, for everyone, not just the people at Sony,
but the people who work with Sony in the movie business;
it's kind of a small world, everyone kind of knows everyone.
And, you know, a lot of hearts went out for
that. That was a really tough time for a lot of people. But
it's really cool to see in the aftermath how the security
programs at different studios got more funding, got more
people, they got more sophisticated. And that's a cool
aftermath. I mean, yeah, you don't want a company to go
through what Sony went through. That's terrible. But if
it has to happen, then let's make sure that there's some really
positive result. And that's definitely what's been
happening. So that was pretty cool to
see.
That's great to hear. I'm glad you
shared that with us. There are, I'm sure, many, many positive
stories of recovery, and, you know, coming back revitalized
and in ways that have made the organization better. So that's
good to hear. Hey, as much as I would like to keep talking with
you, I've been enjoying this, you know, we are getting to the
end of our time here. So let's try to wrap things up with you
sharing any final takeaways for the audience. Any final thoughts
for the audience?
Yeah, I mean, I definitely always like to end on
a high note. And I feel like the story I just told was a
high note. So there we go, you already have your high note. You
know, we're seeing industries react really well in the
aftermath of breaches. But I think that I would just leave
people with this fact that the security community is a
passionate one that really is trying to improve things every
day. Ethical hackers included amongst that, and that, to me, is
really exciting to live in and to see. And to those of
you who maybe are wanting to join security, or maybe you are
not in security, but you work with security companies, just
know that there's a really passionate group, let's move
forward. And yeah, I mean, we can end on that note,
and if anyone wants to know anything more about, you know,
if any of the ideas we talked about you wanted to ask me
about, personally, you want to follow me on social media, you
want to know more about my book, you you want help with your
security testing program. Just hit me up, I'm easy to find at
Ted harrington.com. And everything you could need to
know is right there.
Fantastic Ted, thank you again for your
time. It's been a pleasure.
Thank you for having me.
A special thanks to Ted Harrington for his
time and insights. If you like what you heard, please leave the
podcast a rating and share it with your network. Also,
subscribe to the show, so you don't miss any new episodes.
Thank you for listening, and I'll see you in the next
episode.
The information contained in this podcast is for
general guidance only. The discussants assume no
responsibility or liability for any errors or omissions in the
content of this podcast. The information contained in this
podcast is provided on an as-is basis with no guarantee of
completeness, accuracy, usefulness, or timeliness. The
opinions and recommendations expressed in this podcast are
those of the discussants and not of any organization.