Breaking and Entering: The Fascinating Life of a Professional Pen Tester

Episode Notes

Transcript

Digital Detectives

Breaking and Entering: The Fascinating Life of a Professional Pen Tester

02/26/2018

[Music]

Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.

[Music]

Sharon D. Nelson: Welcome to the 100^th edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics cybersecurity and information technology firm in Fairfax, Virginia.

John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, “Breaking and Entering: The Fascinating Life of a Professional Pen Tester.”

Sharon D. Nelson: Before we get started, I would like to thank our sponsor. We would like to thank our sponsor PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.

John W. Simek: Our guest today on the 100^th edition of this podcast is our friend and colleague Sherri Davidoff.  Sherri is a cybersecurity expert, author, speaker and CEO of both LMG Security and BrightWise, Inc. As a recognized expert in digital forensics and cybersecurity, Sherri has authored courses for Black Hat and the SANS Institute. She has conducted cybersecurity training for many notable organizations, including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more.

Sherri is a faculty member at the Pacific Coast Banking School, where she teaches cybersecurity classes. She is a frequent contributor of education articles and webinars, and occasionally serves as a cybersecurity expert on television.

Sherri is a GIAC-Certified Forensic Examiner and a penetration tester, a GPEN, and holds her degree in Computer Science and Electrical Engineering from MIT. And finally, her new book, “Data Breaches,” is going to be released in the spring of 2019.

We are glad to have you with us today Sherri.

Sherri Davidoff: Well, thank you so John and Sharon. It is a real honor to be here for your 100^th episode. I think this is a huge milestone for you guys and as I was mentioning earlier today, I took the time to listen to, I went back and I listened to your very first podcast that you ever did. I don’t know if you guys remember it, it was back in 2010, so there’s a while ago. And it was called, “A Look at Data Breaches”, which I think of course is a perfect topic, since I love data breaches, and some of the things I thought were great about it.

First of all, it was really thorough. You mentioned the Anthem breach, and I was like the Anthem breach, wasn’t that 2015 and it turned out that there was another Anthem breach before the big Anthem breach that we knew about. So the history just keeps repeating itself.

And you also mentioned at the time top reasons for breaches were unencrypted data like lost laptops, key loggers and spyware, SQL Injection, default credentials. So I’m just curious to get your take looking back, first did you ever expect to be doing this nine years later, and then second, have we learned anything in these nine years? How has the industry changed?

Sharon D. Nelson: Look at how she has turned the table. She’s doing the interview.

John W. Simek: I thought that yeah, yeah, I know, I know.

Sharon D. Nelson: Well, well –

John W. Simek: Well Sherri is pretty smart.

Sherri Davidoff: I will do the work.

Sharon D. Nelson: I will tell you what? I’ll take the answer to number one. I had hoped that we would be doing cybersecurity because as I was turning the ship, the corporate ship in that direction, I thought I saw an opening that probably was not only here to stay, but as we all know, there is no unemployment in cybersecurity. It’s a zero unemployment rate and I kind of saw that coming.

So I’m not surprised that we’re still doing cybersecurity. You want to answer the second part of the question, John?

John W. Simek: Well, yeah counsel, can you repeat the question, no, I am just kidding.

All right, I’ll get off the witness stand now. Have we improved any? Probably a little bit. I think we’re much more aware, at least that’s what my feeling is, but we’re still seeing the same basic rudimentary problems. The tactics are a little bit different, the phishing and all that stuff, and we’ve seen variations of those, but I think the base problems though, I think generally they are still around and thank you for reminding us about that episode Sherri. I thought my memory was going but this is coming back now.

Sherri Davidoff: Yeah. I mean it’s amazing how unencrypted passwords are still a problem today. I feel like we’ve made some progress with the unencrypted devices though, I mean what do you guys think?

John W. Simek: Yeah, yes.

Sharon D. Nelson: Yes.

John W. Simek: For sure.

Sharon D. Nelson: A large bit of progress, but there’s still work to be done, especially in the solo, small firm market, that’s for sure.

Sherri Davidoff: I agree.

John W. Simek: But I think to a large degree, it’s the people aren’t any smarter and I say that truthfully, it’s they don’t know that the devices are encrypted. They are automatically happening for them.

(00:05:00)

Sherri Davidoff: Right.

John W. Simek: So –

Sharon D. Nelson: Yeah, it’s not the people that got smarter, it’s the machines.

John W. Simek: Exactly.

Sherri Davidoff: Got you. What’s so funny? I have a quote from you John from 2010 and then, let’s move on. Back in 2010 on your first podcast, you said that security breaches happen not because people aren’t competent, but because they’re not aware. So you’re saying they’re still not aware, we just have better technology.

John W. Simek: Right.

Sharon D. Nelson: Pretty much.

John W. Simek: We need to stop recording ourselves because it ends up coming back to us, Sharon.

Sharon D. Nelson: I’ve more than once had that thought John. Well, Sherri we are so thrilled that you are here for our 100^th podcast, that’s really wonderful. And although everyone in the cybersecurity world probably knows about you, we have a lot of folks who listen to us who probably don’t know you.

So would you tell us a little about yourself and your two companies and the work that you do?

Sherri Davidoff: Absolutely. I am the CEO for two companies; LMG security and BrightWise. LMG is coming into our 10^th year. We do penetration testing, so we break into companies and write reports about it. We do compliance that we help organizations comply with their cybersecurity requirements, whether those are legal or contractual. And if a company gets hacked, we do breach response. We come in, we handle the investigation, we get things cleaned up.

BrightWise, is a cybersecurity training company, so we make cute little animated videos for employee awareness training.

John W. Simek: I love it. I’m going to have to see one of those videos sometimes Sherri.

Sherri Davidoff: Oh yeah, I will send it to you.

John W. Simek: I know you wear this because I shot you an email the same day or at least probably within two hours after seeing you show up on NBC’s Today’s Show, and Sharon was in the back, back in a bedroom and says, you got to see this. Turn on the TV, Sherri is on.

Sharon D. Nelson: He was very excited Sherri.

Sherri Davidoff: Cool.

John W. Simek: So that was great but tell our listeners how that interview came about?

Sherri Davidoff: Sure. Well, I had the good fortune of being involved with the Breaking and Entering by Jeremy N. Smith, and as part of the publicity for that, they did outreach and the Today’s Show became interested in my story and being a woman running a cybersecurity company which you guys are familiar with, and also just my history as a hacker, because I had the good fortune of being here as the industry evolved. I mean cybersecurity was not even a word when I first started in the industry and it’s just been a fascinating ride.

Sharon D. Nelson: Well that interview was really a good, good interview. What are the takeaways from that interview that our listeners might be interested in?

Sherri Davidoff: Sure. I think the big thing was in the interview you could see our team conducting a phishing test and watch how people clicked on those links and fell victim. And in fact the reporter Stephanie Gosk actually did a phone scam herself and was able to trick a receptionist into downloading a file and clicking on it and that’s the kind of thing that could get your entire organization infected with ransomware with a banking Trojan.

So you really can’t be too careful. In that case, the receptionist name was Nancy and so they ended by saying we are all Nancy. It is so easy to click on the wrong link or to accidentally install something that has malicious software in it. So really being aware and raising awareness for everybody is so important.

John W. Simek: Well Sherri, you mentioned the book by Jeremy Smith, Breaking and Entering: The Extraordinary Story of a Hacker Called “Alien”. What part did you play in that book?

Sherri Davidoff: Well secretly, I’m Alien. I am the subject of the book.

Sharon D. Nelson: I don’t think it’s much of a secret to us.

Sherri Davidoff: It’s not anymore, which is a little odd because as a security and privacy professional, it was a big deal to like have my story be told and to feel exposed in some ways, because it’s fairly dramatic in places. But yeah, I was the subject of this book and it was it was a fun experience.

Sharon D. Nelson: Well lawyers tend to be very confused about the lines between things like security, audits, also sometimes called security assessments and pen testing, penetration testing, they don’t get it. It’s not their world and they don’t know what it is they need. Can you help clarify the distinctions between those things for the people who are listening?

Sherri Davidoff: Absolutely. And this is such a great question because sometimes when you hire somebody for a pen test, you might think you’re getting a vulnerability assessment or something different.

So a penetration test is when ethical hackers break into your network and write a report about it and that means that they may go so far as to actually get copies of data that you say is really valuable and show you that they were able to get it. It’s really good for identifying root cause issues like you have issues with patching or you have a lot of exposed interfaces and this is different from say a vulnerability assessment, where someone’s job is to scan your network and give you a comprehensive list of all the vulnerabilities, but not necessarily take it to that next level and break-in.

So penetration testing will illustrate what damage could a hacker cause, what could they steal; whereas vulnerability assessments are really just going to assess your vulnerabilities.

You also see general types of assessments, for example, if you’re regulated under HIPAA or if you need to comply with the NIST cybersecurity framework, you can have assessments of your policies and procedures or if you are compliance with those frameworks.

(00:10:00)

I think it’s also interesting to note that the definition of penetration testing has varied over the years. In fact it’s required by PCI DSS if you are regulated under the payment card industry standards, then you need to get a penetration test and that’s been going on for almost 20 years. But the definition of a penetration test was not clarified until 2015 that’s when they first said here’s what a penetration test is and here’s how it should be conducted. So this has been a big open question in the industry for a long time.

John W. Simek: Great. Well, before we move on to our next segment, let’s take a quick commercial break.

[Music]

Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the US and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.

[Music]

Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today our topic is, “Breaking and Entering: The Fascinating Life of a Professional Pen Tester.” Our guest today is Sherri Davidoff. Sherri is a cybersecurity expert, author, speaker and CEO of both LMG Security and BrightWise, Inc.

John W. Simek: Well Sherri before the break, you were talking about penetration testing and vulnerability assessments and all that but how did you specifically get interested in pen testing and how did you become qualified as a pen tester?

Sherri Davidoff: Well I started off on MIT’s Network Security team 18 years ago and I still remember I saw an advertisement. They were looking for people who wanted to stay up late and eat pizza and watch the network and I was like I’m qualified. I can stay up late, I can eat pizza, and I will figure out this network thing, and that’s what we did. It was part of MIT’s first network security team and like everybody in the industry, I ramped up along with the attackers watching for viruses and malware and shutting down the infected computers, going to find them and that was before again cybersecurity was even a word.

In fact, I was interested enough in cybersecurity that I had to petition to study it as part of my advanced undergraduate project because there wasn’t really a field of study in it at the time. And then from there, I started doing physical penetration testing, so breaking into banks, writing reports about it and from there, it was just a small hop into breaking into networks and along the way I also did a lot of digital forensics.

John W. Simek: So as a follow-on though, I mean you didn’t do Capture the flag with RPI, did you?

Sherri Davidoff: Well I did. You know I think Capture the flags are an interesting topic, I like to say they keep students off the streets, off of the internet because so many students want to play and two decades ago like they just played on the Internet. They would break into websites for fun. So now, it’s really important that we have these security Capture the flag programs where students all over the country compete to break into things but it’s in a safe environment, they’re not real systems.

Sharon D. Nelson: Well I feel funny asking this question because I know your answer and I think it’s pretty funny but the question that we discussed earlier was what percentage of your time is spent doing pen testing and then what does the rest of your professional life look like? So what percentage of your time is spent doing pen testing, Sherri?

Sherri Davidoff: I’m sad to say that these days I think it’s just about zero and it makes me want to cry. Yeah as the CEO, I don’t get to do the fun stuff anymore, that’s not true. I don’t get to do the hands-on pen testing fun stuff as much anymore.

I do get to do things like manage large-scale data breaches, which are really fun so I do get to be involved in the forensic side of things that way. But yeah these days, my job mostly involves designing new services because cybersecurity changes so quickly, being involved with our VIP clients or on these bleeding edge cases where a new data breach has come out and it’s huge and it may be some of our newer regulations are in play.

So that’s really fun getting to be on that bleeding edge of the industry and figure out, work with the attorneys and figure out what do we need to do as forensic analysts to support them in making the decisions they need to make do we notify, do we not notify.

John W. Simek: Well as you know Sherri, I’m one of the co-chairs for ABA TECHSHOW this year. So I kind of had a little advance notice of you being on the faculty but — and we’re really delighted that you’re going to be a speaker there this year. But tell us about the session, the security practices that won’t bust your budget that you’re going to be doing with Dave Ries and what you plan to cover and maybe even give a few tips from the session for our listeners.

(00:14:54)

Sherri Davidoff: Yeah I’m very excited to be speaking with Dave who’s a longtime friend and of course, an expert in the industry and we’re going to be talking about cheap security, and I know that sounds like an oxymoron but it’s not. The number one takeaway from our session I’ll give you a heads-up is to delete or reduce your data.

I like to think of data as hazardous material like oil or nuclear waste and you have to keep it carefully controlled if you’re going to hang on to it but if you don’t need it, get rid of it and you don’t see this advertised by security companies as like the number one most important thing because nobody makes money off of you deleting your data but right there that is an inexpensive thing you can do to dramatically reduce your risk of a breach.

Our second takeaway is going to be use strong authentication. And of course, authentication means something different in security than it does in the legal industry. So it means how do you verify someone’s identity?

These days we’ve been seeing all these password breaches coming out. It seems like more and more. At this point, I just feel and I don’t know how you guys feel but hackers are dead to me. I think that — you just have to assume that your password is stolen or that it’s going to be stolen. So use two-factor authentication more than one way of verifying your identity.

John 10 years ago or 9 years ago, in your first podcast, you guys said that you surveyed an audience of attorneys and only 20% of them said they had a pin on their phone. And I feel like that’s changed these days right. I feel like — I mean how do you guys feel? Do most attorneys have pins on their phones these days?

John W. Simek: Generally. Most of them at least, my experience and what I’ve observed they’re doing biometric unlock because they don’t want to type, they don’t want to type anything.

Sharon D. Nelson: They really want instant on and so biometrics is as close to that as you can get.

Sherri Davidoff: Right. Well, and I think that bodes well because we’ve been saying for years that you need to use two-factor authentication but it was so hard and so clunky. You had to have that silly little token, the hardware token with the number that you have to type in and now it’s possible, you have your password that’s one factor and then maybe you get a little pop up on your phone with an authentication app and you just click yes, sign-on or you have a code on your phone. But I think we’re making it easier and easier for people to deploy two-factor authentication which again bodes well for the future.

John W. Simek: For sure.

Sharon D. Nelson: Well we know you’re going to do two sessions at TECHSHOW and we love the very mafia sounding title of your other session which is avoiding — Avoid Swimming with the Phishes with Ian Hu. Can you tell us a little bit about that session and again, if you offer a couple of takeaways that would be great?

Sherri Davidoff: Absolutely. And I like that you referenced mafia because so many phishing attacks are done by organized crime these days and that’s an important takeaway for everybody. This is not 13 year olds in their mom’s basement, this is not kids playing on the Internet. These are organized crime groups and they are using spam, they’re using phishing emails to break into your computer.

For example, we have seen a rash of banking Trojan attacks. This is a type of malicious software. It was originally designed to steal your banking information and there was a big case involving a Toronto law firm where someone was managing a trust account on behalf of a client and the banking Trojan stole the username and password and moved a six-figure sum of money out of the trust account and the bank is not responsible for that, you don’t get that money back.

These days that same software has evolved into a much more sophisticated and evil type of software that will literally just suck up all the files on your computer and start sending them out to the attacker as soon as you click on that attachment and your computer gets infected.

So that’s very scary especially for law firms given the sensitivity of the data that we have and so many different problems start with phishing. It’s not just data breaches, its ransomware cases where your computers and your data can get locked up and held for ransom and then the criminals want you to pay them money to release it. We have a lot of financial fraud cases. Maybe a client says please send money to this third party on our behalf or maybe a vendor tells you hey please pay us, here’s where you wire money.

So what you and I are going to be talking about are some real-life cases. We’re going to show you some videos from our laboratory so you can see these types of scams in action and then we’ll talk about the consequences.

To protect yourself, number one, think before you click. That’s what we always say. Think before you click. Don’t just blindly click on things. If you get a web address, a URL, inspect it carefully, hover your mouse over it and then if you get a payment request, call to confirm the instructions. Please do not just rely on email. It’s so important because so many peoples’ email accounts are getting hacked these days.

Sharon D. Nelson: Good advice for sure, both of those.

Sherri Davidoff: By the way may I mention one more thing. For anyone who’s going to be out at TECHSHOW, we mentioned Jeremy N. Smith in the book Breaking and Entering. Jeremy will be there and so will I and we’re going to be doing a book signing at the TECHSHOW on Friday March 1^st at 9:30 a.m. It’s at the BrightWise Booth. So if you’re there at TECHSHOW, please come by and see us.

John W. Simek: Super. I’ll be there Sherri.

Sherri Davidoff: Oh good.

(00:20:00)

John W. Simek: So finally what do you want to be when you grow up? Now, acting really though –

Sherri Davidoff: I am never going to grow up, John.

John W. Simek: So but are your plans for the future and maybe some things that our listeners should be thinking about as far as the future of cybersecurity especially with regards to privacy and I’m not going to let you leave until you let our listeners know how they’re going to be able to contact you as well.

Sherri Davidoff: Oh great. Thank you. Well, in terms of my future plans, I’m excited to continue growing my two companies and I’m especially excited about these little animated training videos. It’s been really fun to help work on the scripts to get to draw pictures of sharks and talk about cybersecurity. So I hope people will enjoy that.

In terms of the future of cybersecurity, I think where more and more devices of course are becoming networked, we talked about the Internet of Things. You have smart refrigerators and smart cars and smart buildings and maybe they’re a little too smart because with that kind of connectivity comes security issues.

And what we’re seeing is that manufacturers are not necessarily keeping up with the standards and again back to that first podcast you guys did, it’s the same issues over and over again. At LMG, we demonstrated that we could break into a security camera and then use it to install crypto-mining software, so we actually made some money off of our security camera, but we 21:22 a weak password.

I know I made like two cents. Oh well, I am going to get better security camera. But just imagine, criminals are going to be breaking into your heating systems, they’re going to be breaking into your building’s lighting systems, you’re going to wake up one day and find out that oh, your refrigerator doesn’t work or your oven doesn’t work and maybe you have to pay a ransom to turn it back on.

And this is important not just for individuals but also for businesses because I don’t know if you remember when DLA Piper was held for ransom, their email systems were down, their phone systems were down and I was just thinking at least, they could walk into the lobby, at least the building lighting systems are on, at least the heat was on because five years from now, we’re going to see criminals holding us hostage, holding our building systems hostage, holding our physical systems hostage and that’s scary.

Sharon D. Nelson: It really is. I don’t know if you remember or saw this particular story but some folks broke into a casino through an internet-connected aquarium and through that getting in there, they were able to get the casinos list of high rollers with contact information.

Sherri Davidoff: I do remember that, that’s amazing. Like why — it makes you think why is there aquarium on the internet? So then you look at like hospitals and I remember working with hospitals at 10, 15 years ago and sometimes they didn’t even know that a vendor had just plugged something into the network. You can’t always control what vendors are doing so you have to be really careful.

John, you also mentioned the other day the Singapore Airlines case where people realized just this month that there are cameras built into the backs of seats and from a privacy perspective, it’s so creepy to think about what if your airline seat get the virus, are they going to watch you like what if you could imagine if virus is on the airplane and they have a copy of that, I don’t know. It’s a little creepy.

John W. Simek: Well, this morning American Airlines came clean too. They also have some aircraft with cameras in their back seats.

Sharon D. Nelson: Seriously? I didn’t know that. Oh my God.

Sherri Davidoff: Oh really?

John W. Simek: Yeah, yeah that hit today. We have way, way too much data.

Sharon D. Nelson: Well you know they are doing it for a reason because nobody simply gives you a free camera so there’s a reason for it.

Sherri Davidoff: Right.

Sharon D. Nelson: But I suspect it’s more about marketing and seeing what we’re paying attention to or selling us stuff and seeing what works and what doesn’t, who knows, stuff like that.

John W. Simek: Targeted ads, those kinds of things, yeah.

Sherri Davidoff: Yeah.

Sharon D. Nelson: Or they think of the sexual — we’ve all heard about the sex at so many thousand feet in the air, so I guess if they capture some of that, they’ve got some great video blackmail.

Sherri Davidoff: Oh sure and people will be doing airplane tinder. Well if you like some other people on the airplane, swipe right if you like them and –

Sharon D. Nelson: What, you know Sherri, if this cybersecurity business doesn’t work out, I think you and I have a good idea for a new enterprise.

Sherri Davidoff: Oh yeah. In all seriousness, no, I mean I wonder are they planning on doing like allowing people to do video chats or I wonder if there’s some legitimate business reason behind this or do you think it was really to spy on people?

Sharon D. Nelson: To just spy or to market, marketing I think is — I mean we are commodities. So I think it’s about marketing and watching what we’re paying attention to. So that would be my first thought. But you know what, whatever they’re doing, it’s evil and that’s what we’ve learned about so many of these things.

Sherri Davidoff: So now Sherri, you’re going to have to carry around a roll of electrical tape in your purse.

Sharon D. Nelson: Yeah, that’s what I am going to do.

Sherri Davidoff: I already do, of course.

Sharon D. Nelson: Yeah of course, John has it in his case too, so we will just cover the camera.

John W. Simek: Well I have duct tape but yeah.

Sharon D. Nelson: Yeah, they’ll probably kick us off the plane for covering the camera.

(00:24:57)

Sherri Davidoff: Right, no kidding. I mean this brings up some other important security issues for attorneys though. I mean first so you can’t — you can’t see where all the cameras are but I worry a lot about when your phone gets infected, we’ve seen malware that will grab the audio from the room for example and send that out.

John W. Simek: Yeah, yeah.

Sherri Davidoff: And I mean do you think that this is a concern for attorneys, like what if we’re sitting there in meetings and one person’s phone has a virus and somebody can get that audio, is there a way we can protect against it?

Sharon D. Nelson: Well we’re trying, but I don’t know that there’s ever really a way. I mean we’ve just heard about that law firm, where was that John in Florida, where they –

John W. Simek: Florida, yeah.

Sharon D. Nelson: Yeah where they had recording devices that were in the law firm and thank God, they found it after less than 24 hours, but that’s a story that’s still developing and I was kind of working on a blog post, but as there have been developments, I’ve gone well I think I’m going to wait another day because we keep finding out more.

So but you know what you didn’t answer Sherri, you didn’t tell us your contact information which is so important.

John W. Simek: Maybe she doesn’t want to be contacted.

Sherri Davidoff: I’m secret. You can follow me on Twitter @SherriDavidoff, you can visit me on the web at lmgsecurity.com or you can just turn on that security camera you control in the airline seat that’s going to be in front of me in another few days.

Sharon D. Nelson: Perfect. I couldn’t do better. Sherri, we really want to thank you being a good friend for being our guest today on our 100th anniversary here of our podcast. This is great to have you. You’re always entertaining, always knowledgeable, just fun to be around and I think our guests probably got that message too.

So thanks for joining us.

Sherri Davidoff: Thanks so much and congratulations on your 100th podcast.

Sharon D. Nelson: Oh thanks so much, and we look forward to seeing you next week at ABA TECHSHOW.

John W. Simek: That does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.

Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology and cybersecurity services at senseient.com.

We will see you next time on Digital Detectives.

[Music]

Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.

[Music]

Continue Reading