Why Your Org Needs a Penetration Test Program

This webcast originally aired on February 27, 2025.
Join us for a very special free one-hour Black Hills Information Security webcast with Corey Ham & Kelli Tarala on why your org needs a penetration test program.
GRC is like a reliable steam engine powering smooth operations, while pentesting is like a rebellious punk spirit that challenges weaknesses. When combined, they create steampunk, a perfect blend of structure and innovation, just like Kelli & Corey. This will be an informative session that will answer many questions you have about having a penetration testing program.
Transcript
Jason Blanchard
Hello, everybody, and welcome to today’s Black Hills Information Security webcast. My name is Jason Blanchard. I am the content community director here at Black Hills. And if this is your first webcast with us, thank you so much for joining us. If this is your 50th webcast, thanks so much for joining us. Don’t forget to check in for Hack It.
If you’re watching the recording, you have no idea what that means, and that’s okay. In the future, you can always join us on Discord live during our webcast. We’d love to have you there. There’s a robust community of 50,000 InfoSec professionals that are answering questions at any given time, helping you with your career and making sure that you don’t feel alone in this industry.
Speaking of people who help us answer questions and not feel alone in this industry, we have Corey and Kelli with us today. And so they’re going to come together to talk about why your org needs a penetration test program. And if you’re like, I already think we need a penetration test program, well, then it will reinforce your thoughts.
And if you’re not quite sure if you need a pen test program, then this will be the webcast that gives you the information you need to take to your leadership and say, I just saw this thing. We should probably do this thing. And so they’re getting to do that now.
If you have questions at any time, feel free to ask them inside Discord or in Zoom. And we’ll do the best we can to do Q and A at the end of the webcast, or during the webcast if Corey and Kelli see something interesting that they want to respond to immediately.
And with that, Kelli and Corey, are you ready?
Corey Ham
Ready to go?
Jason Blanchard
All right, I’m going to go backstage, take care of the Hack It stuff, and then get ready to mail out the comic books we just gave away. And with that, thank you so much for joining us and sharing your knowledge today with the community.
Corey Ham
Sure. Thanks, Jason. So Kelli and I met during the news, which is a news podcast we have here at BHIS, if you didn’t know that. And I think the more we talked in person, the more we realized that neither of us really understood each other’s jobs all that well, because I did not have a great understanding of what GRC is.
And I won’t say the same for Kelli, but I think there’s always more to learn about what pen testers actually do, or what they think they do versus what they actually do. So we decided to put this together as kind of a combination of GRC and pen test.
And I think the other thing that we discussed early on was that some organizations are really good at pen testing and using the results and delivering a good outcome from them, and other organizations are not so good.
Obviously sometimes it’s based on maturity or other things, but a lot of the time it doesn’t actually seem to correlate with any other attribute of a business. So we really wanted to kind of level set and set the stage and kind of explain how to do pen testing and how to do it well, I guess.
Is that accurate, Kelli?
Kelli Tarala
Oh, I think you hit the nail on the head there, Corey. One of the things that we really wanted to focus on is working together. We’ve had some really great times on the news, agreed to disagree on some things, and we’re hoping to foster better relationships between pen testers and GRC people by providing a bit more information on what each other does, and also what each other doesn’t do, or perhaps touch on some of those misconceptions.
So thanks for that great introduction, Corey. I appreciate that. So I’m Kelli Tarala. If you don’t know who I am, I do GRC over at Black Hills. Yes, I help Black Hills customers do GRC things that may include policy review, policy analysis, setting up risk management programs, doing assessments, risk assessments, all sorts of fun things.
If you didn’t know, I used to write courseware over at SANS. I contribute to the CIS Controls. And Corey and I were trying to find, again, some common ground. We were talking about pizza. I especially like pepperoni with black olives.
And Corey, I think you’ve got strong feelings on pizza, don’t you?
Corey Ham
I do. Thanks, Kelli. So my background is pen tester. I now actually run the continuous penetration testing product at BHIS. So I’ve kind of evolved into a middle manager. But for 10 years now, I’ve been a pen tester.
That’s been my job title. That was my first job. So I have all the myopic perspectives that a pen tester would have about how things get done, why they get done. So a lot of this discussion will just be me asking dumb questions and Kelli saying, well, actually, no, that isn’t how it works at all.
And yeah, my favorite pizza, I’d put Margherita. I love basil. Keep it simple. Some mozzarella, some cheese, maybe light on the cheese, some red sauce, throw it in, good to go.
Kelli Tarala
Well, I’m hoping that the folks in Discord will also put in their favorite pizza. I see the pineapple issue has come up already. How about we let that one slide for right now?
Corey Ham
Yeah. Share your favorite pizzas. If someone says pineapple and black olives, I’ll be questioning it. But I’ll also be like, let me see your order history. So this slide, and kind of a meme, demonstrates how Kelli and I felt when we started talking about pen testing and GRC and what GRC does, what GRC doesn’t do.
We’re kind of all in the same room and we’re kind of like, wait, what do you do? Why are you yelling at me about vulnerabilities? Why do I have to fix this? And also, we feel like threat actors are in the room with us too, but we don’t really know what they’re doing or what they’re not doing.
Pen testers tend to look at things from an offensive perspective, right? Like, here’s the bad things that could happen to you. And GRC tends to look at things maybe from a defensive perspective. But we kind of, I think, felt like we were just in the standoff of like, okay, GRC, what do you guys do?
Pen test, what do you guys do? So that was kind of our background for how we felt. Let’s get into some misconceptions. So I guess while we’re running through this slide, let’s ask the audience.
So put it in the chat first. Let’s do GRC. So what do you think GRC is? What do you think? Maybe summarize. You don’t have to be super technical about it, but maybe just put a little summary of what you think GRC does.
Kelli Tarala
So, Corey, one of the things I’m going to say but I’m not going to put on the slide is GRC seems to have a lot of women in it. And I was so glad to see Ashley in pre-show banter, because Ashley is one of the few women doing pen testing that I know.
There’s a reason why a lot of women like GRC. I’ll tell you why. The hours are better than pen testing. And if you’re raising a family or trying to raise a husband, it’s a little easier that way.
Corey Ham
That’s funny. Some funny ones that I’ve seen in the Discord: someone put the adults in the security team, or the grown-ups on the security department. I think that’s hilarious and kind of accurate. Right, Kelli?
That’s a little bit close to the truth. Yeah, I mean, people are also putting their pizzas in there. One person said GRC rules, the best job if you don’t want to be on call at 3 a.m. in the morning.
That one’s pretty funny.
Kelli Tarala
Oh, absolutely.
Corey Ham
And matches what you just said. Let’s see there. Any good ones? Marshawn Lynch: I’m just here so I don’t get fired. Security policy and governance. There’s a lot of compliance things. So GRC stands for governance, risk and compliance.
Right. That’s what it actually stands for.
Kelli Tarala
It sure does. And I appreciate our Discord audience. They’re being very kind. But let me say the things that don’t usually get said out loud. GRC people aren’t necessarily the fun ones. They are the rule keepers, the rule enforcers.
Sometimes people come to GRC from accounting or auditing, and they’re very black and white, even more black and white than sometimes pen testers can be. And we’re also sort of seen as an impediment.
Oh, my goodness. I got this project to do and now you want me to respond to an assessment. You want me to update the policies. Sometimes we’re perceived as preventing real work from getting done.
Also, other people see GRC as just a checklist. Oh, my goodness. Insert eye roll here. Get the checklist done and we can get on to doing real work. But we’re going to talk about why GRC really is real work.
But first, let’s talk a little bit about, Corey, some of those misconceptions about pen testing.
Corey Ham
Yeah, so we did it for GRC. Let’s do it for pen testers too. So go in the Discord and put what you think a pen tester is. And I hope that people are less nice and we could get some funny laughs.
What do pen testers do?
Kelli Tarala
My fear is pen testers wear the same clothing four or five, seven days in a row.
Corey Ham
Someone said break things for a living. That’s pretty funny. I’m looking through some. There’s some good ones in here. Poke stuff till it breaks. Ensure ink quality. That one’s funny. There’s a guy with a GIF of just testing that pen full on.
Pen testers break my stuff. There’s some funny fake red team person. They’re ultra blue teamers that test the vulnerabilities GRC points out. That one’s good. Yeah, I mean, I guess generate tickets.
Pen testers imagine they are rock stars. That’s pretty funny. People say, even pen testers now are saying, they break things.
Kelli Tarala
So Corey, I remember Chris Traynor mentioning on pre-show banter that his wife says he’s a pen tester and usually eyebrows get raised and they’re not sure if they should ask more questions or just let it go.
Corey Ham
Yeah, I think, I mean, as a 10-year career pen tester, I’ve never told a normal person that I’m a pen tester. I just say I work with computers and I leave it at that. Maybe if they pry, I’ll say, oh, I break into companies and tell them how I did it so they don’t get broken into.
Jason Blanchard
Right.
Corey Ham
But I don’t say pen tester in the wild. Bringing up the word penetration, I think, is just not a great thing for just average people. But yeah, so that’s some fun misconceptions. Let’s go back to the slides.
I think most of what, one slide before, most of what we saw was actually kind of accurate. Right. So find vulnerabilities. But the misconception is pen testers find everything and they can hack anything. Right? So like the perception of a pen tester as a wizard who you give anything in the world and they can break into it, they can hack it.
I mean, we’ll talk about why that isn’t true. But also pen testers are wearing hoodies in dark rooms and partying all the time, chugging Jolt colas or Mountain Dews or Red Bulls or whatever, and just grinding on the keyboard, can’t be brought out in the light.
If we touch grass, we’ll wither and die. Yeah, so I think there’s fun misconceptions on both sides, but let’s kind of clear up the misconceptions and talk about what we actually do, or at least what our goals are, not necessarily day to day.
So what is the goal of GRC, Kelli?
Kelli Tarala
Well, Corey, actually, while we were working on this slide, I was talking about this with CJ at Black Hills. And GRC really is hard to define in one short little sentence.
But let me try and talk through this. Really, there are two main goals of GRC. The first is to establish the foundation for a cybersecurity, privacy or data governance program. To say, we want to do good things.
What are those good things? And how are we going to measure ourselves? So that’s kind of the foundation, and that’s kind of a basis of why we’re talking about why you want to have a pen test program. How does that fit into your GRC foundation?
The other aspect, Corey, of GRC that I like to think of is a guardrail, or guardrails, for the organization. Now I know some people have sort of a not-pleasant experience with the word guardrails.
They’re thinking, oh my goodness, that sounds horrible. But if you think about guardrails when you’re driving in the mountains and you’re driving that Penske truck that you’re really not comfortable with, guardrails show you how to stay on the road, stay away from danger, avoid things that are bad for you in the truck.
So I see guardrails as positive things. So the main goal of GRC is to direct and organize all cybersecurity activities in a cohesive approach.
So we know why we’re doing pen tests, so we know why we’re doing vulnerability management. And also, yeah, to do assessments and keep the policy up to date. So what are the main goals of pen testing?
Corey Ham
So, I mean, unlike GRC, a pen tester’s job, I think, is pretty simple, right? The execution of how it’s done is maybe complex, but the goal of pen testing is to find vulnerabilities, to discover vulnerabilities.
That’s really the one-track mind of a pen tester: I find vulnerabilities. I think the true role of a pen tester is to make those vulnerabilities also digestible and actionable. Right. Like, the difference between a pen tester and a black hat hacker is that pen testers write reports, right?
So at the end of the day, our goal is to find vulnerabilities, but our kind of secret goal is to make those vulnerabilities easy to find, easy to understand, and hopefully easy to fix, or at least awareness of those vulnerabilities exists.
Kelli Tarala
So I’m so glad you said that. It’s not just finding the vulnerabilities, but presenting them in a way that other people can understand them. If it’s a very technical audience, if it’s a less technical audience, maybe business leadership, or even the GRC people who may know three-fourths of what the vulnerability is but may not know the full picture of it. I really appreciate that, Corey.
That was a good explanation there.
Corey Ham
So we’ve been pretty positive so far, but let’s go a little negative. So why should GRC and pen test be friends? Why do we care? We already have a pen testing program, it’s working fine. So let’s just level set industry-wide here.
This is from the Verizon Data Breach Report, which is a report that analyzes thousands and thousands of data breaches that happen throughout the year. It’s happened for many years now. And so it’s kind of an industry standard guide for why do breaches happen, how do they happen?
And this is one statistic from that report. So last year. This is for 2023 or, sorry, 2024. 14% of breaches involve the exploitation of vulnerabilities as an initial access step, which is three times the previous year.
So essentially, from my perspective. Say that again: 14% of breaches involve the exploitation of vulnerabilities as an initial access step, which is 3x last year.
So essentially, from my perspective, if GRC and pen test are doing their jobs right, that statistic should be impossible. Our whole thing is we find vulnerabilities and you work to get them fixed or mitigated or controlled.
So if we’re doing those things properly, there shouldn’t be an increase in the amount of breaches that result from exploitable vulnerabilities. Right. That’s bad.
Kelli Tarala
Corey, I appreciate what you just said. Can you just reiterate that it’s not the 14% we care about, it’s the three-times amount?
Corey Ham
Exactly. You would expect this number to trend down. Right? We have vulnerability management programs, scanners are good, we have continuous scanning, we have all these technical solutions and code audits, and like, tools are better than ever.
You’d think maturity is going up, but it’s not. Or at least not according to the Verizon Data Breach Report, and vulnerabilities are still being exploited. Right. So we do have some kind of examples of why.
So let’s talk about why. So this gets into a little bit of a discussion on correlation versus causation. The Verizon Data Breach Report is purely by the numbers. It’s saying, of the data breaches that we tracked, here are the causes.
So some examples of why this could be. One is remediation. Right? So maybe there is a vulnerability that was discovered. And yeah, people are saying, yes, this is the 2024 report. So this is based on data from 2023, so there is not a 2025 report just yet.
But basically remediation is a component of it. Maybe a pen tester found a vulnerability and it wasn’t remediated in time and then it was exploited. So that’s one possible cause, which I guess, Kelli, GRC plays a role in remediation, right?
Kelli Tarala
Oh, sure does. So, remediation is a big word. Sounds kind of scary. But really, remediation means fixing stuff. It means reducing risk.
And a lot of times we’ll see a vulnerability and there’ll be certain hotheads in the room that say, we need to fix it right now. And then sometimes GRC folks, or even the business unit folks, will say, listen, we need to plan this because it’s our production system.
We need to take it down. We need to understand exactly what the risks are if we apply this fix to the vulnerability. How much revenue are we going to lose if we do bring production systems down?
So what GRC does is it kind of puts a wrapping around doing or fixing that vulnerability and takes into account compliance issues. If you’re in a regulated space, you may not be able to fix that vulnerability within a particular window.
You may have to wait 30 days. You may have to file a report or a request to fix that vulnerability. Second of all, we have a tendency to look at risk. And while those who fix vulnerabilities, usually in the technology team, the security team, the vulnerability management team, understand the bits and the bytes, they may not understand comprehensively the risk that may occur to the business if we do or do not fix that vulnerability.
But Corey, let’s get down to brass tacks for a second here. Some vulnerabilities are hard to fix. They are running production systems that feel like they’re being held together by string and tin cans.
Second of all, the vulnerability may be hard to fix because the business unit won’t schedule downtime. Do you see any other reasons why an organization may not fix a vulnerability?
Corey Ham
I mean, I think, like, I guess from my perspective, pen testing’s job in all of this is to report the risk to the GRC team or other people, to basically say, you need to fix this ASAP.
And I think if there’s one thing that pen testing might have failed at when it comes to this, it is that maybe the people who reported these vulnerabilities didn’t do so in a context that made everyone else aware of the fact that they could lead to a data breach.
Right. So I think obviously we’re kind of speculating here about why this number is what it is. But I think from my perspective as a pen tester, it’s our job to encourage remediation, to kind of explain impact at the same time.
So the other reason why this number might have gone up is because of a lack of visibility. So maybe organizations got exploited and had a data breach and they didn’t even know they were vulnerable.
Now there could be multiple reasons for this, but I would argue if they didn’t have a very good pen testing program, they might have just not had a pen test and not known that the vulnerability existed. Or it could go beyond pen testing too.
It could be vulnerability management scanning. If you aren’t doing regular security scanning and pen testing, you wouldn’t even know that you are vulnerable before you ended up with a data breach. Which, we’re speculating here. But I would suspect that in a significant number of cases, organizations were exploited with vulnerabilities they didn’t know even existed.
So I think that’s like, GRC’s job is to say, hey guys, we don’t know, right? Hey, we don’t know what our situation is, what we’re vulnerable to. Is that how it works, Kelli?
Kelli Tarala
Well, Corey, I’m going to piggyback on that a little bit and say there’s a lot of noise, especially when it comes to vulnerability management systems. If I’m looking and I ask for a report, okay, what do we have?
What vulnerabilities are currently being worked on? Which ones have a high, medium or low designation? What’s, perhaps, their risk rating? A lot of organizations have 200 to 300 medium-level vulnerabilities.
And honestly it’s hard for a GRC person to say, well, is 200 vulnerabilities normal? Is that not normal? And sometimes we’re missing the clarity to say this particular vulnerability.
I see people talking about the MOVEit issue. That should be highlighted, it should be put in red, there should be blinking lights around it and say, listen, this is our highest, riskiest vulnerability right now and it needs to be addressed right away.
But sometimes there’s so many vulnerabilities it gets lost in the noise. So how would a pen testing report or person help a GRC person cut through that noise?
Corey Ham
So I think, and we’ll talk more about how to build this program from scratch, but I think we’re talking about visibility. It’s about making sure, as a pen tester, that the customer’s request and their sort of goals with the pen test match up, which we do at Black Hills, right?
If someone says, hey, I want an external pen test and here’s the scope and it’s just one IP, we’re like, are you sure? Are you sure that’s what you want to be the scope? But when it comes to cutting through the noise, as you said, that’s why we have things like severities, that’s why we have risk scores, that’s why we have executive summaries and readouts. I think pen testers tend to do a bad job of saying, oh, this is a critical, this is a high.
I think there’s a lot of highs that, if I were to read a pen test report, I would say that’s not that big of a priority. Right? Like a classic one that we see is there’s exploitable software, supposedly vulnerable, unpatched software.
But if you didn’t exploit it successfully, should I really care? Maybe someone can exploit it. But that’s the pen tester’s job to figure out, is to actually exploit the vulnerability and draw attention to the things that are actually exploitable versus the things that are just, maybe if the wind is 22 miles an hour and Mars is in retrograde, right?
A stack overflow happens, then maybe there could be a denial of service condition. It’s like, okay, well how likely is that actually to happen? That isn’t something that’s necessarily defined well in every pen test report. So I think pen testers can do a good job with that.
Well, oh, sorry, go ahead.
Kelli Tarala
I was just going to say the GRC people, we try to quantify risk. A lot of times we look at a vulnerability and the threat, and we look at, really, what is the likelihood of this happening.
And a lot of times, as much as we try and anticipate the likelihood, it’s really hard to put a number on that. But when I talk with you, I do get a better sense of the likelihood of something bad happening that isn’t necessarily articulated in a report.
So one of the things I would like to see more is, if a GRC person doesn’t necessarily completely understand the report, go ask a pen tester. It’s okay to not have all of the technical chops.
Go ask somebody who does, who can clarify it for you.
Corey Ham
Yes. And pen testers should really be reading their own reports from the perspective of someone like GRC. Not someone who’s non-technical, but someone who might not know. Oh, of course.
Denial of service, totally, makes perfect sense. Like, not everyone might understand the impact of that. Is this one system, is it our data? What’s actually happening with this vulnerability? So yeah, I mean, I think the last scenario, talking about this data, is that there’s also zero days.
Right. So MOVEit is a specific example from 2023 where there was really no way to defend against this. The only ways of defending against this vulnerability were just mitigations, like defense in depth concepts. Right.
Having logs coming out of your appliances, having limited amounts of data. I guess I would say if you have a good data governance program, you were probably impacted less by MOVEit than if you didn’t have a good data governance program.
MOVEit specifically. Let’s dig into this for a second. So MOVEit was a managed file transfer appliance that was publicly exposed. Now essentially, different companies used MOVEit for different purposes. Some companies used it for HR and onboarding to send people documents and things like that.
Other companies use it for customer support. So like, if you’re having an issue with our product, upload your data here and we’ll access it. Some other companies use it for internal data store. Like, oh, I’m sending a file to Kelli. I should use MOVEit.
So the GRC team at each company that had this product should be aware of how does this data, what is the data? How sensitive is it? How long should it be there? Should it be there in perpetuity? What kind of data should be in MOVEit?
Right. So it’s an example of, like, it’s not really like GRC can stop the vulnerability or pen testers can even find it, but if you have a good GRC program, it could potentially limit the impact of a zero day exploit.
Right. So, oh, we have a very limited number of users in MOVEit, we have a very limited amount of data. Is that true, Kelli? Is that a role of GRC as well, to know where that data is and make sure that it isn’t excessive?
Kelli Tarala
Absolutely. I personally have a philosophy that’s quite unpopular with technologists, I’ll freely admit. This is, I like to set expiration dates on service accounts and user accounts. Now, I’ll set it for a year, but a lot of times something like MOVEit.
Is it something we use day in and day out and is it considered a critical service for us, or is it project based? Is it a one-time use? And putting the why on a service or a tool really helps us understand where it’s being used, why it’s being used and how long it should be used.
Does that make sense?
Corey Ham
Yeah, makes perfect sense. A company with 10,000 MOVEit accounts was probably hit a lot harder than a company with three. Right. So let’s go to the next slide. So let’s be a little bit negative in a different way.
So maybe you’re listening to this, thinking, well, vulnerabilities are not really my primary concern. We have a really good maturity. We have a hardened outside with a soft squishy center. Right. Like we are fine. Our vulnerability scans come up clean.
We fix everything within 60 days. Don’t worry about this. Well, there’s another component to this, which is the pen test types you’re using. So this is another statistic. 68% of breaches in 2023 involved a non-malicious human element, like a person falling victim to a social engineering attack or making an error.
So data breaches can result from misconfigurations or social engineering, but there’s human elements to both. Like what? Well, like someone falling victim to a phishing attack, or, on the misconfiguration side,
maybe a human just accidentally sent data to an unintended recipient, or business email compromise probably accounts for a huge chunk of these. But I guess to kind of highlight the impact of this.
If you’re not getting a social engineering or a pen test that has a social engineering component, you might be completely missing this potential chance of a data breach. Right. If I do all the vulnerability scanning in the world and I don’t actually try some social engineering, phishing, all that good stuff, I could be overlooking a huge chunk of my risk exposure.
Kelli Tarala
Corey, may I ask you a question?
Corey Ham
Yes.
Kelli Tarala
Let’s say I’m a GRC person and I know that we’ve got a phishing campaign tool like KnowBe4. Is that social engineering or is that something different? How would I understand the differences between these products?
Corey Ham
I think it is. And I think that’s a key thing that pretty much every organization should have. Right? That’s part of GRC’s job, to go beyond the pen test and also look at general security policies and things. Right. Having a good phishing training program is key.
However, it might not cover all of these scenarios. Right. So understanding a business email compromise is not always going to look like a phishing email training program. Right. There are different levels of training programs.
Some of them are really advanced and can do crazy stuff like use AI to generate an email that works for one specific person. But, as an example, if we’re talking about 2023, that was a year that ransomware threat actors started calling help desks and asking for accounts to be reset.
And that might not be included in your phishing training program. Your help desk policies, procedures, security awareness of the help desk team might be key, but it might not be assessed by your average pen test.
So it’s something that you have to factor in. You have to say, each person at our company has the potential to cause risk to the company. How do we mitigate that risk? Phishing is part of that. Phishing is a big risk.
But if you look at the Verizon Data Breach Report, phishing actually isn’t the primary entry method. It’s valid credentials. Right. So, how did those credentials leak? That’s a whole separate debate.
But basically what I’m saying, the point here, is it’s not just about vulnerabilities. It’s about data breaches happening from all kinds of sources. And your pen test program needs to factor all of those things in.
So let’s stop being negative for a second and let’s go back to, what do I do? Let’s say, Kelli, that I’m now the CISO of an example company, and I don’t know where I’m at.
I don’t know what I should do. How do I go about starting to build a program for pen testing?
Kelli Tarala
Well, you mean, what would I do? Or what everybody else does? Everybody else will just cut the budget and say, eh, don’t need to do it anymore sometimes.
Corey Ham
No, no, no, Kelli, what you’re thinking is they panic in Q4 and say, we haven’t gotten a pen test this year. And then they ask to do a pen test next week when they find out, yeah, yeah, they were looking at the budget.
Kelli Tarala
They see this pen test number. They’re like, wow, these pen tests are expensive. but perhaps they don’t understand why they’re doing it. So let’s dive a little bit into why we do pen tests. Now, I’m sure there’s a lot of amazing pen testers on this webinar.
They know why they’re doing pen testing. But we also have some newer GRC people on the webinar. So, pen tests, we do them for a variety of reasons. sometimes we can say kind of like a pouty child, we do pen tests because we’re told to.
We don’t necessarily want to do them, but there are regulations that say we need to do them. Especially for example, HIPAA requires one pci. Other organizations have pen testing as part of an audit program.
Perhaps you’re at an organization where there’s an internal audit team and they design a series of assessments. Audits and pen testing happens to be one of them. Another reason why an organization may have a, pen test or multiple pen tests is they are trying to improve maturity.
Perhaps there was an incident last year, or perhaps we’ll even use the, the B word, the capital breach word. Or they’re anticipating a new product release. They’re a gaming company. They’re releasing a new edition of the game.
They’re a, a, company that’s sending out a new mobile app. They want to make sure that the vulnerabilities that were in there are addressed, remediated, or they’re aware of what’s in there.
Corey, are there any other reasons why a company may want a pen test?
Corey Ham
I mean, there probably are, but my favorite one of all these is just the companies who are looking to improve maturity. The companies who are, maybe it’s because they got breached and they’re trying not to repeat that. And that’s fine. That’s, that’s actually good.
My personal belief is that the security maturity of a company is not whether they’ve been breached or not, but it’s just how they react. And so companies that react to getting breached by getting a pen test and by expanding their security program and kind of like, improving their maturity.
That’s the way to react, and that’s how you end up not getting breached. It’s unfortunate, but sometimes you live in a world where the, the perspective of the board and executives doesn’t open up until there is an incident like that. And then, oh, now the budget can increase.
Now things can happen. Now things can change. We can turn off this server that I’ve been begging to turn off for five years or whatever. So, I think, yeah, but I guess there’s a bunch of different kinds of pen tests. Right? And I guess, I will cover these.
These are just kind of the, the buckets we use at Black Hills. If you go out in the industry, there are so many other types of pen testing, but these are kind of the most common. So we call them flavors of pen testing.
Right. So network pen test is your typical inside, outside. It incorporates probably a scan and validate component and then basic testing for high impact vulnerabilities. So that’s like your basic pen test, your general pen test.
Then you get into an application pen test. This is maybe in depth, maybe you have credentials, you’re doing more advanced scanning, maybe you’re using code analysis tools, you’re doing more in depth, penetration testing targeting a specific application or specific set of applications.
And usually this also includes all of the components of those applications. Like if it’s a mobile app, there should be an API component. If it’s a, if it’s, if it’s a web app, it might also have a mobile app that goes with it. Right.
So combining those ingredients into one application pen test, is something that a lot of companies do. And then, social engineering pen test, that could be physical, that could be phishing, smishing, any other isshing you can come up with, quiching, I don’t know, that’s, that’s QR code phishing.
I’m just kidding. But then there’s also continuous pen testing which is kind of a new, an evolving thing, which is my personal area of expertise right now. But I think the industry in general is morphing towards a continuous, as a kind of pen test being, a long running pen test that incorporates, creates triage and exploitation of high vulnerabilities and kind of more of a red team rules to engagement.
So obviously there’s a ton more flavors of pen testing. But I guess, Kelly, what as an organization, how do I go about choosing my flavor? Do I just get one of those ice cream cones with like 10 different flavors stacked up and then try to eat them one by one?
How do I. What, types of flavors would an organization typically engage with? Is one good enough?
Kelli Tarala
Oh, goodness, that boy, that’s a loaded question there. But I really do like the idea of a 10 flavored ice cream cone. After this webinar, I’m going down to the ice cream shop. But honestly, the GRC team can really help answer that question.
Corey. A lot of times we look at, okay, we have our systems. We have our vulnerability management system. I would go and look, I mentioned a little earlier, I’ve got 200 mediums. Well, what’s the, the deal there?
How do we, how do we clear them out? Why can’t we get rid of them? Why can’t we address them? Sometimes what pen tests will do is I have to really ask what are we trying to accomplish with the pen test?
The goal is not a pretty little report that sits on my desk and I say, hit the check mark.
Corey Ham
No, Kelly, it’s a blank pen test report. It’s clean.
Kelli Tarala
Does that exist, Corey?
Corey Ham
Yes, it does. But anyway, sorry.
Kelli Tarala
Well, so I would sort of build, if I can use an analogy here, I’m going to build a house. Okay. What do I absolutely have to do? Well, depending on what regulation I’m in or what, standard I’m trying to follow, I’m going to say, yep, I need to have perhaps it’s a network pen test at least annually.
Then I’ll look at what the business goals are or what our strategies are for the year. If we are looking at a product release, if we are trying to get a better rate on our cyber insurance. I noticed in the Discord chat we were talking about, improving our relationship with our cyber insurance carrier.
Perhaps our carrier has asked for a different type of pen test. And while we can joke around and say, I’ve got this 10 flavored ice cream cone. Most organizations just don’t have the budget to do all of the pen tests that they want.
So it really is GRC’s job to be that intermediate between the pen testers and the business executives and say, listen, we can only choose to do so much.
We only have so much budget. I think our biggest risks are here. I don’t think they’re there. Or I think our number one goal is to improve our maturity by addressing these 200 plus medium vulnerabilities that are sitting in our vulnerability management system because we’re tired of looking at them.
So how often to pen test is really, it’s really a personal type question, Corey. And it depends on the organization and it depends on their strategic goals. But I’d love to hear your thoughts on that too.
Corey Ham
I mean, I think you nailed it. I guess the only thing that I would factor, the only other thing that I would bring up, which is actually kind of a GRC topic, but I think needs to get brought into the pen testing discussion more is the concept of like your business impact.
Right. So we were talking at, Wild West Hackin’ Fest the concept of a BIA or a business impact assessment going through. I’ve, I’ve started asking my clients this. I ask, do you know what your highest impact assets are?
Right. So maybe you have, let’s say, like in Kelly’s previous example, you’re a software company that releases a video game. How do you monetize that video game? If you monetize that video game on a subscription type basis or a microtransaction basis, this, and your website that sells those microtransactions is down, you’re not making any money.
If you, if you monetize that game based on, initial sales and you don’t have any kind of monetization built into the game itself, maybe you just care that people buy the game, that it works in the first month, and then you can deprioritize it. Obviously, this is.
It depends on the business. But you have to, I would say you have to center your pen testing objectives around your highest impact assets. If you have some application that is your money maker, if you’re a retail site and, let’s say you’re Amazon, if Amazon.com
goes down, how many dollars per second do you think they lose? It’s got to be in the millions. Right. So I’m pretty sure that they’re very focused around pen testing that application, making sure it’s secure, making sure there’s no API issues.
The other thing with GRC that’s interesting is not just centering your pen testing around your business, critical things, but also centering your, I guess I would call them, ancillary security, things like availability, disaster recovery.
Right. Like you have to put the GRC people in a position to protect those assets and to know what they are and to protect them and also to pen test them.
Kelli Tarala
Right, exactly. And, and I’m just going to add to what you’re saying there. Pen testing is protecting the assets. Because if we don’t understand what those assets are and what vulnerabilities they hold, how can we possibly protect them?
Corey Ham
Right, Right. So if I’m the CISO of a company and I know this web application is our crown jewel, I need to get a pen test of it right now. Right. Like that is a. So, yeah, we’ll kind of, pass through the, how often. I think we kind of covered that.
Basically, make this decision. I think annual is kind of the standard. I will say I’m obviously biased and think that continuous is its own beast. And I recommend it because, hypothetically, let’s say you got a pen test, and then the next month there’s a vulnerability released.
You’re not going to know about that until next year. Right. So that’s a problem. Or, next. The month after your pen test, an, admin changes the configuration. And so now that you’re in a different state, something becomes vulnerable. Right, right.
But I think annual is kind of the standard. I would say quarterly. You do see it, but I feel like it’s pretty rare. I think a company, at least from my perspective, Kelly, an annual pen test is the gold standard. Is that. Do you think that’s true, or do you see companies doing a lot of monthly, quarterly type stuff?
Kelli Tarala
Annual is usually what I see. But, Corey, I really want to hit the last point on this slide, because it’s sort of a pet peeve of mine and it might be a pet peeve of yours as well. Well, pen test reports that sit on somebody’s desk or they get thrown on a SharePoint server and nothing ever happens afterwards.
Have you heard of that ever happening at an organization?
Corey Ham
Yes. So this is from my perspective as a pen tester. This is my worst nightmare. The. My least favorite pen test is one where I come in and I do the pen test and I read the previous pen test report that the customer that we did for the customer or that they provided to me, and I just check the boxes.
Right. We talked about GRC being checkboxes. Pen testers could be checkboxes too. If the organization doesn’t fix anything, all you do is just check the list of things the previous pen tester found, and that offers no impact.
And there’s also just such a depressing atmosphere of knowing we’re going to publish this report. They’re not going to do anything about it. It we’re going to come in next year, we’re going to do the same pen test again. And then it’s just going to get looped again and again and, forever.
Which is where I feel like GRC should kind of jump in to help fix that problem. Right. Isn’t that kind of the role is like consume the report, turn it into action? Right. Isn’t that part of the goal of GRC?
Kelli Tarala
I’m sorry, Corey. You want me to fix your problems? I don’t think we have enough time in the webinar for that.
Corey Ham
Well, I’m a pen tester so all I do is point out problems and then say bye bye.
Kelli Tarala
Well, let’s talk about that. One of the things we’ve been talking about is there’s this chasm between GRC people and pen testers. Sometimes, believe it or not, we don’t even know that a pen test has been done.
Kelli Tarala
Sometimes a security manager will purchase, a pen test, get the results and they sit on that person’s desk or vice versa. Sometimes GRC has a pen test and the results aren’t communicated to the security team or the technology team.
Even before you get a pen test internally decide an organization, what are you going to do with the results? First of all, one of the things I like to do is I like to get multiple people to read the pen test report.
I of course will read it, but there will be some technical aspects that honestly are above my understanding. I’m going to send it to the cloud architect or I’m going to send it to the network architect or who, whomever who can perhaps explain it a little bit better to me.
I’m going to send it over to legal and they’re going to look through it through their lens. I’m also going to, perhaps if I’ve got an internal audit team, I may send it to them. Now I understand, what I just said may raise some red flags with people thinking, oh my goodness, don’t share the pen test report.
Well, we’re sharing the pen test report with people who are going to do something about it or who have insights that will help propel the organization’s maturity forward. But Corey, who do you think also should be, given the results of a pen test?
Corey Ham
So I, I want to call out an interesting point from LinkedIn made by Nikoma McIntyre, who says, I would argue that for a realistic exercise you shouldn’t know that a pen test is happening, but you should know the conclusions.
So this I think is an interesting angle because from my perspective, GRC isn’t actually the ones defending against vulnerability. That would be blue team, right? That’s the security team. So I would argue if there’s someone at the organization who should be informed, it’s GRC because they aren’t actually the ones who would be defending anyway.
So maybe GRC knows, maybe the blue team doesn’t know. Right? I agree with the logic of not necessarily informing the SOC or the, MSSP or whoever it is who’s defending the organization. Making sure you can detect penetration testing activity in your environment is great.
But also having GRC involved, they’re kind of a neutral third party in this. Right? From their perspective, they aren’t really on the pen tester side or the blue teamer side. They’re just there to try to drive home results. They’re not saying, oh, we need to detect this pen test at all costs so we’re going to get fired.
And they’re also not saying, well, we need to find all their vulnerabilities or we’re not going to get fired. So I think it’s ideal to have them involved as kind of a neutral third party and then handle the report afterwards.
Kelli Tarala
I’m going to build on what you’re saying there. I think we all are defenders, especially if you’re on this webinar. But there are defenders who look more long term. They look at strategy, risk management.
Those are your GRC people. There are defenders who are short term, who roll up their sleeves and fix stuff. They’ve got more of a short term focus. So it really depends on where you are in the process.
Wouldn’t you agree?
Corey Ham
Yes. And people, there’s also been some really good feedback in the Discord of people saying, well, it depends on the kind of pen test. That’s absolutely true. Right. Like you wouldn’t be. Although, I guess even in something like a mobile app pen test, it would be good to monitor your logs and see, okay, our application is experiencing a, really high load.
What is the cause of this? Is it the pen test? Yeah. So, step into kind of like using your pen test program. So we’re already kind of starting this process.
But there’s a couple things here. Right. So when you’re reading a pen test report, let’s say this is the first step. You’ve gotten this awesome pen test from Black Hills Information Security shout out. And now you’re going to, what do you do with that report?
Right, so you already mentioned maybe handoff, but before you even hand it off, what do you do? You.
Kelli Tarala
Well, what does remediation look like? One of the things, obviously we want to fix things as fast as possible and as cleanly as possible. But that’s not the real world. By defining remediation, we talked.
I’ve seen this pop up in the discord conversations prioritizing systems, system criticality. Corey, you mentioned a business impact analysis. Going and looking at that remediation isn’t necessarily.
I’m going to go out and fix everything I possibly can this Friday night because, I don’t have anything going on this Friday. It’s about scheduling, prioritizing what systems get fixed based on their risk level, how it impacts the organization.
And also one of the things is setting deadlines. I see vulnerabilities sitting on vulnerability management reports for months and quite honestly, it ticks me off. And it’s not because people aren’t trying hard enough.
A lot of times they’re just not communicating there’s a vulnerability that requires another update or the .NET framework to be updated before that vulnerability can be fixed. A lot of times we just don’t document interdependencies, but also set deadlines.
I’ve had this conversation in other webinars. Set a deadline, even if the deadline has to move, at least you’ve got a target. And that all of that is wrapped around remediation.
Not just testing in a test environment, not just seeing if you’re going to break things, but actually looking at the process as a whole. So after we’ve defined remediation, Corey, what happens next?
Corey Ham
Well, so I was actually going to even tack on to that because. So one of the things I’ve heard you bring up so many times is like documented exceptions, right? Like this is a, I feel like it’s a GRC catchphrase of like document your exceptions.
If that vulnerability is going to sit around in the queue for six months or a year or five years, whatever it is, maybe there’s a reason for that. Maybe, maybe that’s okay, right? Maybe the vulnerability is low impact and it’s in an, it’s in a system that is also low impact and it’s low likelihood and it’s on an air gap network or whatever, whatever justification you want to apply.
But whatever that is, document that exception, say this CVE on this host, we’re not going to fix within six months because blah, blah, blah, whatever the justification is, even if it’s because the business team can’t fix it, that’s fine, Right?
But. Or maybe it’s not. But the point is documenting if things are going to exist outside of your remediation that you set, you should document, what that impact of that is and how that is. Right, right.
But yeah, I mean, talking about handoff, like, as a pen tester, I genuinely hope that my report gets handed to as many people as possible in as many different formats as possible. Not necessarily like the general public, obviously, but at inside a company.
One of my favorite things is getting an email from a random sysadmin at a company that says, hey, I’m reading your pen test report and I’m trying to fix this. And I have a question about exactly what you mean by PowerShell version 2 is enabled or whatever the vulnerability is.
Right. My favorite thing to do is engage with customers, explain the impact of vulnerabilities, help them actually fix it, and then next year or next month or next day, when I retest it, it’s fixed. That’s the best feeling in the world.
That’s the dopamine that a pen tester gets beyond just getting DA or whatever. Because honestly, after pen testing for a few years, you start to move on from, from hacking, giving you the dopamine and you move more towards actually fixing things gives you the dopamine because you realize really your role is to keep companies from getting hacked, not to actually hack them.
So that’s kind of from my perspective. My favorite thing about being a pen tester is seeing organizations improve their security posture. And that does require a handoff. So, we kind of already implied it a lot. But as a pen tester, I have no idea who, who’s going to fix this stuff.
That’s GRC’s job to go and take a vulnerability, figure out who owns the application, who owns the system, and also hand it off to them and provide guidance on how fast they need to fix it, how what the impact could be.
And one of the things you mentioned, I thought that was really interesting is what are actually the risks of fixing it are, is there a scenario where fixing a pen test finding also includes an element of risk not from the vulnerability, but from the system itself going down or something like that?
Kelli Tarala
Exactly. And the, sometimes the word handoff, I kind of see this picture in my head of just kind of shoving it over to somebody else. But I really liked what you said, that while there is an official handoff, you’re still involved, you’re still having conversations with sysadmins, you’re still partnering with them.
And I really want to emphasize that, that, pen testers aren’t, they come in, they go out, you never talk to them again. They really are part of the team and there’s so much knowledge there that there’s more knowledge than what’s represented in the report.
And by keeping that relationship warm with your pen test company or with your actual pen tester, it allows you to really focus on that last box on the slide. And that’s confirming results.
One of the things I didn’t realize until I started at Black Hills is retesting as part of pen testing. Corey, can you talk a little bit about that?
Corey Ham
Yeah. So I mean as I mentioned, I want that dopamine hit. And how do I get it? I get it from doing the retest and seeing that things have actually been fixed. Right. Documenting, have, being able to provide the customer a list of, those checkboxes of here’s eight vulnerabilities we identified.
All eight are fixed. We’ll see you next year. And this pen test just got a lot harder by the way. The organizations that are the hardest for us to test are the ones who keep getting pen tests and keep fixing everything in those pen tests and you end up running out of vulnerabilities.
From a penetration testing perspective, you have to get really creative with these organizations and say okay, well that’s fixed. Maybe there’s a way around that. Is the fix a band aid? Is it a true fix? Right. That’s easy.
But when we get into, I mean this is going to get technical for a second. If we get into things like SCCM or AD CS, which are two internal Windows services that are notoriously riddled with holes and very difficult to fully secure, honestly, I’ve gotten to the point where we just start recommending customers not use SCCM if possible.
Right. Because Microsoft doesn’t want you to use it, but that transition process of, of first of all securing the vulnerabilities in SCCM that we identified during the pen test. Second of all, talking about moving away from it to something like Intune, that’s potentially a years long project.
You can’t just immediately CCM is dead, a month later. I think this is the world that pen testers live in. It’s like, well, why don’t you guys just disable SCCM, just turn it off. It’s like, well okay, that’s a very myopic. You can’t.
No, that’s not how it works. But yeah, like from my perspective the retesting is so important and fully, trying. I guess next year maybe we’ll try to exploit a different avenue. But for now let’s make sure that at the.
And and I want to call out remediation and retesting is important but one of the things that’s an undertone in all of pen testing is detection. So like maybe you can’t fix it.
Maybe SCCM is a two year long project to fix. Can you detect exploitation of it? Can you? It’s kind of a nice little stop gap between fix. So like, we can’t fix it, but how about you retest it and we can detect it?
And if we can say, oh, we caught you, that’s still better than not doing anything. Right? So I guess we’re kind of running short on time. I did want to leave some time for questions. Let’s run through our conclusions and let’s get into some questions.
Kelli Tarala
Okay, Corey, our first one, I, I think we’ve hammered this point home. GRC and pen testing teams are better together. Shared knowledge really works us towards, a better maturity for the organization.
How about the second one?
Corey Ham
So, as we said, penetration testing programs help define what type of pen test is needed at what time.
Jason Blanchard
Time.
Corey Ham
Right. So it’s a huge world of flavors out there. You can’t carry around that ice cream cone with 10 ice creams. You have, you have to, figure out what you actually need. What flavors are you actually going to buy?
Kelli Tarala
Okay. And Corey, you want to tackle this one too?
Corey Ham
Sure. So, we just spent 20 minutes talking about it, so it shouldn’t surprise anyone, but pen testing programs are iterative processes. Right? You have to adapt these processes over time to the needs of the business. Maybe you discover a vulnerability in something that you never tested.
Well, then you need to change your program to test that vulnerability. Maybe you had some problems with the pen test. Maybe it broke some stuff. Well, you need to change your program to try to mitigate those risks. Or maybe hire a different pen testing firm, depending on the scenario.
But like, that program has to change over time. So I guess that pretty much that’s our final conclusion. Let’s get into some questions. And thank you everyone in advance for attending. Let’s see. Questions.
Jason Blanchard
Hello.
Kelli Tarala
Hello.
Corey Ham
Hello. Hello.
Jason Blanchard
Well done, team.
Deb Wigley
I said talk about butter together.
Jason Blanchard
I know.
Corey Ham
Well done, guys.
Jason Blanchard
Peanut butter and chocolate. I won’t, I won’t. I don’t, I don’t want to think who.
Corey Ham
Peanut butter and chocolate.
Deb Wigley
Is it jelly or butter? Bananas, even.
Jason Blanchard
Peanut butter and chocolate.
Corey Ham
So, yeah. If you have any questions, please submit them in Discord. Or I guess you can also use the Zoom webinar thing. So one question from anonymous attendee. My favorite attendee is, what do you recommend for security teams whose legal departments are forcing them to put their pen test reports under attorney client privilege?
So I guess I would say that’s fine. Put it under attorney client privilege. We could get into a super long discussion about whether that actually does anything. But I mean, as a pen tester, I don’t have a problem with it.
Right. Like, it can be under attorney client privilege and it can still be shared with, GRC and everyone else. Right. That’s, that’s fine. I don’t think it’ll. Yeah.
Kelli Tarala
What, what a client. Client attorney privilege means is if there is an eDiscovery request, it’s protected. It doesn’t necessarily mean nobody gets to read the report.
And I think there’s some misconceptions about. So, thank you Anonymous for that question. Really appreciate it.
Corey Ham
Yeah, so do it if you want to do it, but still share that pen test report out internally and let people access it and fix things.
Jason Blanchard
So we’re going to wrap up because we’re at the end of time, but we’ll stick around for a couple more questions. So just for, officially, Corey, if you could wrap up everything you just talked about, one final thought, what would it be?
Corey Ham
Get a pen test, use the results. Okay.
Jason Blanchard
And Kelly, if you could wrap up everything you just talked about in one final thought, what would it be?
Corey Ham
Love.
Kelli Tarala
Feel the love. GRC and pen test are better together.
Jason Blanchard
Okay. So speaking of which, if you ever need a pen test or GRC or continuous pen testing or Active SOC or all the other things that we offer at Black Hills Information Security, where to find us. As you can tell, we didn’t really.
We’re not selling you something. We’re just saying here’s the things we’ve learned and here’s how you can apply it. This is how we introduce ourselves to people. And so if you were here for the very first time, please come back. And if you’ve been here for 50 times, which some of you have, we actually keep track.
Thank you again. All right, so we’re gonna do the. All right, so the webcast is over. We’re in post show banter, doing good. All right, so I saw this question and I, this for you, Corey, but I mean, Kelly, you can always jump in.
How does the continuous pen test program compare against bug bounty programs? Apart from. You are sure of the scheduled dedicated time frame for the assessment?
Corey Ham
Yeah, so I would say they can be. In addition to. I think, I would say maturity wise, a truly mature organization should have a bug bounty program and should still be getting pen testing. I think it’s like more eyes on the same, network or more people looking at the same thing is good, good.
Maybe bug bounty finds something that pen testers don’t. Maybe pen testers find something that bug bounty don’t doesn’t. I don’t think they are really mutually exclusive. I, I also don’t think you should expect a bug bounty to go as in depth as a pen test.
As an example, assume compromise. It’s a key part of any pen testing program is having a exploited user in your network simulated and see what kind of access someone who has credentials or a VPN or whatever would have have.
I don’t know of any organization that’s handing those out to the public. So bug bounty is kind of in addition to a pen test and kind of does, has different goals and different perspectives. Also, one little final thing is that for continuous pen testing you don’t necessarily know the dedicated time frame for the assessment and that’s part of the benefit.
How we do continuous pen testing is it’s a year long contract. We might warn customers if we’re doing high impact stuff like social engineering, we’re not gonna, they’re not gonna know every dedicated scan test. We’re not gonna, that’s not gonna be something we tell.
So that is similar to a bug bounty program. But yeah.
Deb Wigley
Thank you. I have another question for both of you. It’s actually a very good question. I think, I think so. Kelly, you talked about sharing the love and working together and better together. Here we have a good relationship between GRC and pen testers.
Not all organizations around the world are like that. So how do you recommend opening up feedback between the pen test teams and the GRC teams so that they can work closely and more effectively together?
Corey Ham
I’ll let Kelly take that one first.
Kelli Tarala
Well, I would recommend the next pen test that’s done, sit down and say, okay, everybody read it. We’re going to get together, have some pizza, have some beers and say okay, hey pen testers, how do you read the report?
What do you look for? Do you skim it? Are there keywords you’re looking for? And then okay, GRC folks, same thing. What are you, what, what were your hopes for this report? What were you expecting to see?
What keywords do you look for? And then what are you going to do next? And kind of workshop going through a pen test report together? One thing that I’m working at is if I don’t understand something, I’m a proud woman sometimes and I don’t want to ask people or tell them I don’t understand something.
I’m coming to terms with that. And I’ve. Corey. Some things I’m like, I don’t really understand how this works. Leave the ego out of it. And, and if you don’t understand something on the pen test report, go ask the person who wrote it.
Corey, what are your thoughts?
Corey Ham
I mean, that. That’s super accurate. The other thing I would say is if there’s one thing I can pretty much guarantee about every security team, it’s that they’re understaffed, and that they’re struggling to make ends meet.
Right. And so what I would say is, is if GRC approaches the security team saying, I want to help you fix this. I want to help you drive this change. I want to take things off your plate. Oh, are you tracking remediation for 200 vulnerabilities?
Let me help. Let me help prioritize. Let me help go to the business. I think that. How could you possibly turn that down? Right? Like, if nothing else, approaching things from that perspective of like, I’m here to help, which ideally everyone would take to.
But I think as a security team member, you might be like, who are these GRC people? But once they say I’m here to help, you’re like, oh, great. Here you go. Here’s 200 Jira tickets. Good luck. Right? Like, perfect. It’s perfect.
Jason Blanchard
Hey, Kelly, do you recommend personal pan pizzas or like, just a big pizza for everybody?
Kelli Tarala
It really depends if you like cold pizza in the morning. Because if you do go with the bigger size, but if you’re trying to watch your girlish figure, Jason, you may want to go with the smaller size.
Jason Blanchard
Oh, stop it. I have a quick thing for everyone in the audience. If you’re currently job hunting and you’re here today because you’re skilling up or you’re getting ready to transition into cybersecurity, and you are currently looking for a job.
We are not offering one, but we are offering help. So type in the word hunter into the chat in Discord. Hunter in the word discord. And we’ll give you the role that unlocks the message board that has where people are posting jobs.
And if you have a job to offer to somebody, you can type the word poster into the chat and we’ll get you the role so that you can post jobs in the message boards. There’s 50,000 infosec professionals on the BHIS Discord server, 2,000 of them are active at any given time. And so this is a great place to find a job and also a place to find people to come work for your team. All right, back to Deb. And if you have any questions for anybody.
Deb Wigley
Did not see any come in. Have you guys been looking at the Zoom or.
Corey Ham
No, I looked at the Zoom. I don’t think there’s any other ones in there that we didn’t answer. Perfect.
Kelli Tarala
There’s a question. I think it’s a technical question about SCCM and MECM. Of course, now I can’t find it.
Jason Blanchard
Let’s see, that one.
Corey Ham
I think it’s MCM, Microsoft Configure or Customer Engagement or. Wait, what?
Deb Wigley
It’s MECM.
Corey Ham
MEC.
Kelli Tarala
I don’t know what that is.
Deb Wigley
Microsoft Endpoint Configuration Manager.
Jason Blanchard
Whoa.
Deb Wigley
That was not from up here, guys.
Corey Ham
Whoa. Are you a hack?
Deb Wigley
Wow.
Kelli Tarala
That was. Thank you. Thank you very much. Script kitty 24.
Deb Wigley
Thank you. It was not me again.
Kelli Tarala
And Kitty the turkey.
Corey Ham
Yeah, I mean, I guess what I would say is I, I’ll be perfectly honest and say that I have failed to keep track of all the Microsoft acronyms in this case. I don’t know how SCCM and MCM are different or if they’re the same.
I guess I haven’t heard a ton of talk and discussion around MECM, but a lot of talk around SCCM. I don’t know what the differences are. I know that most companies are moving to Intune instead of MECM, but I don’t know.
Jason Blanchard
Azure of you to say. I’ll sit on it. I was just waiting for you to finish.
Corey Ham
All right.
Deb Wigley
That was more funny than your. Your funny joke.
Jason Blanchard
Well, let’s see. Thank you, everyone who was a Kickstarter backer. Thank you so much for tuning in to the webcast today. Thank you. For those of you coming to join us in Deadwood, South Dakota in October, the tickets are available. And we’re also coming to D.C. in July. We’re still figuring out the details. And you’re like, D.C. in July? What are you going to do? Well, we’ll probably go do some tourist.
Corey Ham
see some sights, sweat.
Deb Wigley
Can we talk about it publicly?
Jason Blanchard
I don’t think so. Not until we have a date. And a location.
Deb Wigley
And a location. All right, well, maybe they can help us.
Jason Blanchard
Yeah. Do of a. A location in Washington, D.C. where we can, Now we’re going to talk about around. Around. Around Washington D.C. where you can hold two classrooms of about 100 students per classroom.
Corey Ham
Yeah, and massive spoilers.
Deb Wigley
Yeah, yeah, we’re. We’re bringing training.
Corey Ham
There’s a thing called the National Mall. I think you can do some shopping there outside.
Jason Blanchard
Oh, what if we did the training outside on the National Mall?
Deb Wigley
At the mall? Like, at the, like.
Jason Blanchard
Guys, it is so hot out here. It is stupid.
Deb Wigley
We can rent tents.
Corey Ham
The AV people just left the chat. They’re like, we can’t. No, we’re out.
Deb Wigley
No, definitely not. The Washington Hilton, where Shmoo was. No, you’re right, Thatcher. It’s not going to be there. We have checked with local universities. We’re waiting to hear back, but if anyone has any contacts with the D.C./Baltimore area.
Jason Blanchard
And we’re looking for low cost.
Corey Ham
Because there’s a reason there’s some alleyways you can just post open.
Deb Wigley
Oh, we could do in my backyard.
Jason Blanchard
Yeah, you do have enough room in your backyard.
Corey Ham
Barbecue problem solved.
Jason Blanchard
Got some. We got some hot dogs on the grill. Come on in for some training.
Kelli Tarala
Hey, I got one last question for Mr. Ham. There’s a few questions in Discord about pen test job openings. Are pen testers going to lose their job to AI? Is it a cool field to go in? What are your thoughts?
Corey Ham
I mean, I feel like I’m a grizzled old man at this point, and I don’t know much about how to get into pen testing. So I won’t offer specific advice on a pathway you could follow. I will say that learning the technical elements in pen testing has never been easier.
There’s so many resources out there, like Hack The Box, TryHackMe, OSCP labs, all that stuff. There’s tons of open information out there. So the technical side, I think, is easy. The business side, or like, getting the actual job, I think is probably pretty tough right now.
I would basically say, try to use some of the words that we use during this presentation. Anyone can go out in the world and find some wizard hacker that will hide in a corner and take down a bunch of apps. That’s not hard to find.
What is hard to find is someone who can contextualize that in the perspective of the business, who can drive value, who can actually communicate. One of the biggest things at BHIS that we’re harping on this year is communication with our clients.
So we’re not looking for God tier hackers. We’re looking for God tier communicators, people who can actually go out and talk to customers and drive change. Because 80 million critical findings later is not necessarily a way to improve security.
And also, it’s hard to be on a team with someone who only comes out for zero days. Right? Like, so I think just try to be good at communicating. I mean, these are, like, really tried and true things. As far as will AI take our jobs, I think the only people whose jobs are at risk here are people who are unwilling to use AI to help them with their job.
We’ve seen it time and time again. We talked about it last week on the news and of China. ChatGPT has evidence that China is building security tools with ChatGPT. Right. So am I.
So is everyone else. If you need shiv code, it’s really quick at writing shiv code. It’s really. I mean, it is the fastest way to get a proof of concept up and running. It’ll fix your code. I mean, if you’re not using AI, you’re missing out.
It’s great for writing phishing emails. If you compromise an environment that uses Copilot, and your account has Copilot licensing, it will just tell you where all the bodies are buried in SharePoint. So that’s nice. So, yeah, just use AI and you’re good.
Don’t worry about losing your job to it. Every automated AI pen testing application I’ve seen is hot garbage. So until I see one that’s actually good, I’ll let everyone know. But for now, our jobs are safe.
Jason Blanchard
Hey, Deb, we need to name a character in the comic book. Shiv code. Code.
Corey Ham
It only has to work once. That’s the joke, right?
Jason Blanchard
All right, everybody, thank you so much for your time today. Anything we’re missing? Anything? Deb, what are your final thoughts today?
Deb Wigley
My final thoughts? Yeah, now my brain just went completely blank. Again, just thank you guys for spending time with us. We know that there’s a lot of noise out there, and we like being more of it, I guess, sometimes. And we’re grateful that you sometimes like to listen to it.
So, we would just be talking to ourselves if you guys didn’t show up. So thank you for that. And, yeah, the comic’s gonna be awesome. So my final thoughts are, check out Record Publishing. It’s gonna be in all the local comic shops around the world.
Jason Blanchard
Around the world.
Kelli Tarala
Bananas.
Jason Blanchard
It’s a real comic book.
Kelli Tarala
It’s a real comic book.
Jason Blanchard
I also put in the Discord chat, if you haven’t gotten the free survival guide and the Darknet Diaries comic, we’ll mail it to you for free if you’re in the United States. If you’re not in the United States, then you can always get the online version.
Deb Wigley
All right, Jason, final thoughts for you.
Jason Blanchard
Final thoughts are,
Deb Wigley
Did you go blank?
Jason Blanchard
Oh, no. You spend two. You spend two years working on a project, and you get to the end of it, and now we’re in that spot where we just want to know what you think.
Deb Wigley
Yeah.
Jason Blanchard
If you’re a Kickstarter backer, if you got the comics, and if you’re not a Kickstarter backer, you’ll be able to get in comic book stores starting in next. But we just want to know, like, we’re putting everything that we honor and love about this industry into it, so that way we can spark some conversations about what our world’s going to look like 30 years from now.
Corey Ham
Yeah.
Jason Blanchard
Because if you don’t start thinking about what the world looks like 30 years from now, then you, like, if you start thinking about what it looks like 30 years from now, you start making differences and changes today so that you get to that place. And, if you’re not thinking about it, then, yeah, you start.
Like, Kelly, like you said, GRC takes that strategic long view. And so there are some people who deal with just today, but there’s a lot of us that need to think about what the strategy of the next 30, 40, 50, 60 years looks like in our world and our.
In our industry. And we’re hoping this comic starts people thinking down that path of, what does this look like 30 years from now? Instead of just what does it look like in quarter four? All right.
And that’s it. Ryan, kill it with fire.