Micro Focus Fortify is proud to be the exclusive sponsor of the TestGuild Security podcast hosted by Joe Colantonio. This weekly podcast, dropping every Thursday, aims to be 30 minutes or less, and is an interview-style series speaking with some of the top Security Testing experts in the field.
This recent episode of the TestGuild Security Podcast, Cyber Security Tips and Virus Bombs, features Greg Scott. Greg is a cyber-security professional and published author. In his day job, he helps the world’s largest open-source software company support the world’s largest telecom companies. Nights and weekends, he looks for ways to poison truck GPS signals, make cell phone bombs, blow up buildings, and mount cyberattacks to use in his novels. He is the author of Virus Bomb and Bullseye Breach, and in this episode, Greg shares how to pick up security practices by reading novels. Below are highlights from the episode.
Novels as a Medium to Teach Security
“I read my share of how-to books, and I went through the CISSP material. The books are three or four inches thick, and I couldn't stay awake through a lot of it because it was just so dry. What I noticed was the passages that had personal stories, those woke me up. And so, I thought, ‘I'm gonna write myself a how-to book.’ So, I started Bullseye Breach and I thought, ‘Oh, I'm going to start off Bullseye Breach with a story, and I'm gonna make up a fictional world because then, I can control the narrative.’ And pretty soon, the fiction took over. And it occurred to me that if people read the fiction and like it, then they'll want to read the how-to stuff. And there's plenty of good how-to stuff out there.”
“In Bullseye Breach, a fictional retailer in Minneapolis named Bullseye Stores loses 40 million customer credit card numbers to some overseas attackers. These credit card numbers are just flying out of the store every day through intermediate FTP sites and so, a group of creative people in Minneapolis see this stuff going on, and they're fighting bureaucrats who have their heads in the sand, and they come up with a way to fight back that I think real retailers could use. If you could poison that stream of credit card numbers flying out the door to attackers, you screw up the reputations of the attackers who are selling this stuff, and then maybe you disrupt that market. [If people were to read the book] they could learn some techniques and some traditional defense tactics. […] With Virus Bomb, they can learn some things not to do. When you have a computer that's sending traffic to a Tor proxy, to an IP address of a Tor proxy, that ought to raise some eyebrows.”
How to Get People to Care about Security
“Isn't that the million-dollar question? ‘Care and share to be prepared’? You've probably read that model in a million different places. Well, here's my answer to that: I write really, really, really good novels and then market them like crazy to get people to read them. That's my answer. Read them. Read my books. And then that'll help you care because you'll see some of the consequences of what happens when people don't care, and the consequences are really bad. […] Persuading people to care by looking at the consequences. Just go to Google and search for data breach on any given day and read a few of the stories. Those could be you. Those could be your business, your company. And they probably will be sooner or later.”
“There are so many different variations of attacks out there. There is nobody that can keep track of all of it. And we don't have to be sitting ducks for this stuff. There are common sense steps that every individual and every company can take to at least minimize the attack surface and reduce the odds of one of these attacks happening. Keeping your patches up to date is one thing. […] Teach your people about spam and phishing schemes. […] Ransomware is a huge thing these days. Ransomware is when an attacker somehow invades your system, scrambles all your files, and now your files are useless. And so, your only recovery is either pay the ransom or recover from backups. So, if you want to prepare yourself for such an attack, and there are lots of high-profile ones to read about, make sure you have good backups and practice restoring everything from bare metal a few times so that when it happens you're ready and you don't have to spend millions of dollars scrambling.”
How to Secure Software and Hardware
“The bad guys who really, really, really don't want law enforcement to infiltrate them come up with some really, really, really creative ways to secure themselves. And so, learn how they do that stuff and adopt their tactics. Turn the tables on these guys.”
“Believe it or not, it starts with the firewall, […] that appliance is between your private network and the outside world. Everything that comes into your network goes through that firewall. […] Another thing you can do is put good antivirus systems on all your cell phones and desktops, laptops, all your devices. […] Another thing you can do is outbound web filtering. There are appliances out there that track evil websites and websites with objectionable content. […] There's a whole bunch of training you should do, too, because no matter how many tech tools we apply, there is no substitute for good old-fashioned human judgment.”
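Two of Greg's points above describe the same defensive check from different angles: a workstation talking to the IP address of a Tor proxy "ought to raise some eyebrows", and outbound web filtering catches traffic to known evil websites. The following is an added example (not code from the podcast, from Greg Scott, or from Fortify) of what that egress triage looks like when written down: it parses a few constructed firewall log lines, skips internal-to-internal traffic, and raises an alert when the destination is on a constructed list of Tor relay IPs or when the requested host falls under a denylisted domain. The log format, the relay IPs and the domains are all assumptions made for the example; the addresses come from the RFC 5737 documentation ranges, so they are not real relays.

```python
"""Egress log triage: flag outbound connections to a constructed list of
known Tor relay IPs and to denylisted domains.

Everything here (log format, relay IPs, domains, sample lines) is
constructed for the example; a real deployment would pull the relay list
from a threat-intel feed and read logs from the firewall or proxy."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed denylists (RFC 5737 test addresses, RFC 6761 .example names).
TOR_RELAY_IPS = {"198.51.100.7", "203.0.113.42"}
BLOCKED_DOMAINS = {"malware.example", "phish.example"}

# Internal ranges listed explicitly rather than via ip_address().is_private,
# because Python treats the RFC 5737 test ranges as "private" too.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed log line shape: "<ts> src=<ip> dst=<ip> dport=<port> host=<name|->"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Return a dict of fields for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def _is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _domain_blocked(host):
    """True if the host or any parent domain is denylisted (cdn.malware.example)."""
    if host == "-":
        return False
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKED_DOMAINS for i in range(len(labels)))


def check_event(ev):
    """Return an Alert for one parsed event, or None if nothing stands out."""
    if _is_internal(ev["dst"]):
        return None  # not egress traffic
    if ev["dst"] in TOR_RELAY_IPS:
        return Alert(ev["ts"], ev["src"], ev["dst"], "destination is a known Tor relay")
    if _domain_blocked(ev["host"]):
        return Alert(ev["ts"], ev["src"], ev["dst"], f"denylisted domain {ev['host']}")
    return None


def triage(lines):
    """Run every log line through the checks and collect the alerts."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line; a real pipeline would count and report these
        alert = check_event(ev)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample log: one Tor hit, one clean request, one denylisted
# domain, one internal-only flow, one malformed line.
SAMPLE_LOG = [
    "2024-03-01T09:00:01Z src=10.0.0.5 dst=198.51.100.7 dport=9001 host=-",
    "2024-03-01T09:00:02Z src=10.0.0.8 dst=192.0.2.10 dport=443 host=www.example.com",
    "2024-03-01T09:00:03Z src=10.0.0.9 dst=192.0.2.20 dport=80 host=cdn.malware.example",
    "2024-03-01T09:00:04Z src=10.0.0.5 dst=10.0.0.1 dport=53 host=-",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst}: {a.reason}")
```

The parent-domain walk in `_domain_blocked` is what makes a domain denylist useful in practice, since malicious content is usually served from a subdomain rather than the apex; the explicit `INTERNAL_NETS` list is there because a generic "is private" check would also swallow legitimate egress destinations that happen to sit in reserved ranges.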
Training Using Technology and Psychology
“One tactic I've seen that's effective is take people through a scenario. […] I saw one presenter interact with an audience, and he spent so much time showing how identity theft works and how social engineering works and how you can persuade people to do something stupid. And then he turned to an audience member and he said, ‘Here, let me see your purse. I want to look at something.’ And she gave him her purse in front of the whole audience. And so, he started taking stuff out of her purse and he smiled and he said, ‘I got you, didn't I?’ And she said, ‘Yes, you did.’
Security, it's about 50 percent technology and about 50 percent psychology.”
A Word on AI in Security
“Here's the scoop about Artificial Intelligence (AI). I can go buy AI software that does all this pattern detection, and the attackers can also go buy the same AI that knows about my AI that's detecting patterns. And so, they change the pattern. It's a never-ending arms race. […] AI has a long way to go before it's not so easy to fool. It’s a valuable tool, but don't depend on it 100%.”
Listen to Greg Scott’s full interview, Cyber Security Tips and Virus Bombs.
About Micro Focus Fortify
Fortify lets you build secure software fast with an application security platform that automates testing throughout the CI/CD pipeline to enable developers to quickly resolve issues, strengthening their cyber resilience. Fortify static, dynamic, interactive, and runtime security testing technologies are available on premises or as a service, offering organizations the flexibility needed to build an end-to-end software security assurance program.
Have technical questions about Fortify? Visit the Fortify Community. Keep up with the latest Tips & Info about Fortify. We’d love to hear your thoughts on this blog. Comment below. Or go to the Fortify Users Discussion Board to start a conversation.