Monday, June 27, 2016

Pete Herzog: "Firewalls, anti-virus and security campaigns don't work"

Pete Herzog. Co-creator of the Open Source Security Testing Methodology Manual.

Pete Herzog is the co-founder of ISECOM, along with his wife, Marta Barceló, and co-creator of the renowned Open Source Security Testing Methodology Manual, with 6 million downloads annually. The quality and quantity of their projects say a lot about this real hacker who lives in Catalonia. He currently teaches classes online and in the past has taught at La Salle University's Master's in Cybersecurity as well as Business Information Security for the MBA program at ESADE.

- Why are you in cybersecurity?

- I'm a hacker so most of my time is spent researching why things work the way they do and how to take control of them. My focus changes and broadens constantly as I hit areas which can't be answered yet and I need to either dig deeper or find an alternative solution. It leads into interesting areas that affect security such as developing an unbiased measurement of trust and now how to determine intent.

This leads to ISECOM research being consistently about 12 years ahead of the security industry. For example, in 2002 we designed a SIEM which used behavioral use cases and both passive and active vulnerability detection. We built a prototype with La Salle University in Barcelona in 2004. We called it Consensus. It was every bit as sophisticated as the SIEM of today.

Mostly though I like the fact finding part of research and how hacking has no scope. In science, a fact is found through the scientific method of test and observation. In hacking, it's almost the same except that the tests are not limited to the object of study and also include anything around it that is connected to it. It lets you find many alternatives to accomplish the same task and gives you a greater awareness of the interconnectedness of things.

- Would you recommend us some magazines or websites?

- No. Can't think of anything specific. I really read anything and everything.

- Why did you create OSSTMM?

- OSSTMM is a free methodology for making good security decisions. It outlines multiple types of controls that can be used for various types of operations. That means choice. That means having the security decisions that are right for your organization, your operations, and your threats. So you do business the way you want to and use the OSSTMM to find the right controls to protect it without restricting it.

It was the first penetration testing methodology ever made and it has transformed over the years as we learned more about how to make better security tests. It's mostly used in organizations that either need to really be secure or where traditional security solutions can't work. For example, you can't put a firewall on a stock exchange or anything to slow trading, yet it needs to be secure from hackers. So the OSSTMM can be used for that.

We created the OSSTMM to ensure better security tests through an open standard that anyone buying a penetration test or vulnerability test can ask for. And better security tests means better security.

- OSSTMM and most security documentation you've created is open source. What is the value of open source in cybersecurity?

- There is information that needs to be free and open so anyone can expand on it to improve life for everyone. This is most obvious in legal and medical research, both what works and what doesn't. You can't grow as a civilization unless that information is free and open. Unfortunately, the world doesn't work that way.

There's only protection for people who build things and not for completed ideas, like a methodology or a process, which is only protected if designated as a trade secret. However as a trade secret you can't share it without losing that protection and others can take that method or process and commercialize it without even acknowledging your research or contribution. That's messed up. So much of humanity's knowledge in science, medicine, and even security is lost if it can't be commercialized.

For our works we created the OML, the Open Methodology License, which is essentially an open Trade Secret where instead of the secret being limited to a company, it's limited to everyone. This is to assure anyone using the OML can publish better methods and processes while still protecting the integrity of what we've created. It also lets us earn an income off of our research with training, certification, and knowledge tools while still publishing the research as free and open so others can learn from it and expand on it.

- You work with governments and corporations to help them get better cybersecurity. What is the current situation in terms of high-level security?

- I do take time away from research to do a few contracts a year. Mostly the situation out there is bad but only because people don't know why their security products aren't working and not because they don't care. Security is complicated, the industry provides many products that are called different things yet mostly do the same, and there's a bizarre focus on being faster to fix holes than the criminals attacking them despite the fact that we can't know all the holes. This leaves many security decision makers lost in conflicting advice. But I learned that once people are shown how to analyze their own security they figure out quickly what needs to change to make and maintain security in their infrastructures.

- Cyberwar is hype but... do armies know what they are doing?

- Cyberwar used as an offensive tactic is prevalent and successful. Never before has the world had such an easy time attacking a people's intimate thoughts on such a massive scale. Never before has it been possible to directly affect the economy of an enemy nation from so far away. Cyberwar, like hacking, has no scope. Therefore the defenses against it require government to be more centralized and less open, which is the opposite of what makes good government. So it requires a new paradigm in security thinking: firewalls, anti-virus, and security awareness campaigns won't work. I think it could be done but not with the commercial solutions and risk mentality towards security that are used today.

- It seems that current cybersecurity only leads to more chaos... Where are we wrong?

- The general means of approaching security is reactive. Even the "preventive" types of security are reactive because they use blacklists and crowdsourcing to determine what's bad and act on it, or a vulnerability is found and quickly patched before it can be exploited. The penetration tests and vulnerability scans considered the de facto means of testing an organization further enable reactive security. This needs to change. Penetration tests should determine process problems and highlight effective controls. Vulnerability scanners should determine missing or weak security controls and not just list missing patches on applications and services. The fact that they don't is like a doctor who treats the cough without an interest in the disease. There's something really wrong with it.

- You worked recently on securing a stock exchange on Wall Street. Now we see a lot of attacks against banks, the SWIFT system... What's going on?

- It was a great experience because it's a whole different Internet. They have a very clear idea of what they can and can't have for security to maintain the integrity and reputation of a stock trade. But keep in mind, the stock exchange is not a singular thing and it's very insulated against what happens in other financial areas such as SWIFT and banking. In that manner, SWIFT and Banking are just as vulnerable as other businesses on the Internet. Exchanges aren't really on the Internet. They don't really connect the same way. They don't share the same way. Far more common are Exchanges stumbling from programmed thresholds reacting to the manipulation of the masses who buy and sell on the market.

- You're on Wikipedia, where they call you a "neurohacker". What is it?

- Neurohacking is hacking neurons, mainly finding ways to control how people think and feel. It's used in both manipulation techniques that you find in advertising, social groups, and politics as well as in medical research for the treatment of various neurological disorders like depression and aphasia. But you can do so much more, from speeding up the learning of new skills like tennis or math to expanding your creativity. It's a really new area where technology allows us to research and try things that previously only medical labs could.

- Wikipedia also shows you as a social engineer, a very old hacker art now used by criminals.

- People are much more alike than we are different. Most people have the same vulnerabilities which is why the same fraud and manipulation techniques work on nearly everyone and will keep working. So the only changes in Social Engineering you can expect to see is the technology used to frame the attack. There are no patches for people's vulnerabilities. The best we can do is limit the time they are exposed to the attack vectors while they are vulnerable.

- Of all your free projects, I especially like Hacker Highschool, because you not only teach girls and boys how to hack: you teach them how to think as a hacker.

- Hacker Highschool is a project that Marta and I started in 2003, and it was the first ever security awareness training specifically aimed at teenagers. We did a lot of research into how teens think and learn to reach them the best way we could. That way turned out to be teaching them to hack.

Based on the principle that a little knowledge is dangerous, we aim to instruct teens to the point where they know what they don't know. We provide free self-learning lesson books that guide a teenager through the process of actual hacking. Which, if you don't know, is not easy. This isn't them downloading an exploit or running a tool. This is them doing the reconnaissance and analysis before determining the right path and method.

By the time anyone gets to that point they are aware of how security works, how criminal hackers get caught, and how even simple attacks can take a lot of preparation unless you're intending to get caught. We find that this not only makes them capable of analyzing someone's security but also to keep themselves safe and aware. Additionally, if they have any interest in criminal hacking, we would rather have them reading our lessons which try to give them empathy rather than just learning bad techniques from an online chat room.

- A hacker without ethics is a hacker?

- Hacking is a skill anyone can learn. It combines resourcefulness, creativity, and critical thinking with technology. So a person who hacks, ethically or not, is a hacker. Just like a politician who governs, ethically or not, is a politician.

- How do you protect your family and yourself on the Internet?

- We separate all the desktop applications with virtualization technology, as well as the systems and devices through switches and VLANs, in case one gets infected. And we do regular back-ups. On top of that we talk to our kids about cybersafety, but mostly about how to recognize manipulation techniques, which are the main attack vector that they can prevent. It's really hard to completely keep kids offline today because even if you keep them off social networks, their schools and friends, and even local governments, have no problem posting things online about them and tagging them. Today, if a kid does a sport, the sports club puts all their stats online. You can't prevent it today and live a somewhat normal life. So instead you need to keep teaching them how to stay safe.

Mercè Molist