ISSA International Conference 2012 - Anaheim, CA
As many of you already know, I'm not really the typical definition of a 'hacker' anymore... in the sense that I don't research 0-day attacks, reverse engineer much, or make any public disclosures. I did at one time, but now I'm out "hacking the board room" and working hard to raise the bar collectively on what we see as Information Security in the enterprise. To that end, I thoroughly enjoy conferences and organizations like the ISSA and the ISSA International Conference. This year, the conference was amazing, and if you missed it, I recommend you go through the audio they recorded when it gets posted.
On that note, I finally got Eric Cowperthwaite of Providence Health & Services to sit down with me to record his wisdom and thoughts for a quick micro-cast. This wasn't edited, no pretty intros ... just raw and timely. For those who don't know him, Eric is the definition of the pragmatic CISO ... and he's eerily accurate on all the disruptive predictions he's made over the years, so if his track record continues then enterprise IT employees need to listen to this podcast and take heed NOW.
A massive thank you to Eric, Kate and Stefano for having me again for the 2nd straight year as a Featured Speaker alongside some amazing other folks ... it's humbling to get out here and have to step up my game like this.
Give this a listen, and leave Eric and me some feedback!
Listen to the podcast by CLICKING HERE.
Rafal
Thanks for the "Cards" presentation at #ISSACONF. I've heard of big companies going to a huge level of detail testing DR scenarios, bringing critical servers down and having "dead" people. I have not yet come across a company brave enough to undertake a full-on Red Team attack on a live system.
Good interview with Eric too, I enjoyed his comments. That old bumper sticker "Users are Losers" takes on a whole new meaning when you are in IT.
Nic,
Being the owner of a company (LARES) that does most of our work in Full Scope and "Red Team" testing, I can tell you that there are a number of companies out there that are willing to go through the exercise. Some of them want the testing in that manner so that they can show the catastrophic potential impact of compromise from a motivated attacker, and the others are at a point in the maturity of their program where they are failing to grow and improve through "normal" testing types (app, pentest, phishing, etc.). The biggest thing with full scope testing is being mature enough in your security program that you can actually leverage the results to GROW from the test. Many companies today do not have mature enough programs to do this, and the red teaming tests are not providing the value that a solid test of another type could. The ideal company for Year over Year Red Teaming is one that is "Passing" their assessments and still feeling like they don't have a clear picture of the reality of compromise. In these companies, they already have significant resources dedicated to InfoSec and Security as a whole company-wide and can get you information on any part of the program or its performance at the drop of a dime. These companies usually yield the MOST value from Red Teaming as it tests the program in a "cross training" way. Like any other sport or profession, once you get to the PRO level of the game, your training regimen has to drastically change in order to see any measurable progress in your performance. The more of the exposed attack surface that is considered in scope, the more the company will be testing its defensive strategy BUT will also be testing the effectiveness of their response capability. In this sense, Red Teaming is a BLEND of Offensive Testing and Defensive training. You are correct though, MOST companies out there are NOT ready to conduct full scope testing as they do not have enough confidence in their current program's capabilities.
As they tend to believe, most people don't need to spar with a REAL motivated attacker that has no rules.... because they don't believe they will ever come into contact with that type of adversary. What they DON'T remember is that in today's interconnected business marketplace, all it takes is one good shot and you may never recover. Maturity is a hard thing to measure and understand in security. We have taken the Pass/Fail approach too long and it is an unreasonable method of scoring. At the end of the day, NO ONE *me included* would ever pass. If there is a will there IS a way..... The real question is, "How MUCH will does it take?"
Happy to talk about Red Teaming much more if interested as we have these discussions daily with people looking to try out new testing types and identify if they can actually get value from the exercise.
-Nickerson
Hey, very nice interview. I fully agree with Eric here, especially his theory on the reasons behind #cloud and #byod.
His argument touches the fundamental point, namely that there is a very strong emotional factor behind #cloud and #byod: users^H^H^H^H^Hemployees simply hate their corporate equipment because it is limited and usually bloated, and execs hate IT because they come with problems instead of simply providing solutions (much more often than not).
If you're in #IT or #infosec and your strategy is to demonstrate that #byod or #cloud doesn't make business sense, then you're attacking the problem from the wrong angle. You would be better off focusing on having people enjoy the products & services you provide.
Hey, glad I could provide some interesting thinking on the topic. Planning to expand from this somewhat limited 15 minutes to a full blown presentation. I think IT and InfoSec folks need to hear these very hard truths.