
Security site to bookmark: www.lares.com

An elegant way to sell security

Every now and then we need to slow down our tactical, everyday professional pace and think strategically. For those moments, I propose a visit to lares.com. Lares is a boutique-style security company founded by Chris Nickerson and also staffed by Eric M. Smith. Both are reputable security professionals who have contributed greatly to the security community.

Chris Nickerson hosted the famous and irreverent "Exotic Liability" security podcast. Unfortunately, the most recent available episode dates from 2013. Chris is also a regular presenter at many international security conferences and one of the authors of the Penetration Testing Execution Standard (PTES). The number of followers on his Twitter account confirms his relevance in the community.

Eric M. Smith has also presented at events such as DEF CON 22 in 2014, where he and Josh Perrymon covered the topic of RFID chip security.

Let's go now through some of the sections of the lares.com site:

- "Lares in action" can inspire us to come up with alternatives to the traditional way of creating and selling security services. It contains more than a dozen videos, together with the corresponding slides, from appearances at conferences such as BSides, Troopers and Source Barcelona. The historical and practical approaches they propose for implementing security are worth thinking about.

As an example, there is a slide deck of almost 80 pages on how to increase the value of traditional security testing (both vulnerability management and penetration testing). The deck is not only fun but also innovative: it builds on useful concepts such as insider threat assessment, adversary modeling and the continuous execution of security tests throughout any technological process.


- It is great to see in their services section that, alongside traditional vulnerability assessments and security testing, they also offer business impact analysis as a value-added security deliverable.

- There is a social engineering section, labeled "Layer 8 labs". The name is apt: it treats the human element as an eighth layer sitting on top of the seven layers of the OSI communication model. "Layer 8 labs" provides controlled phishing campaigns to raise security awareness among the employees of companies and organisations.


As a final comment, I would highlight the modern design of the website: it helps underline the valuable security content they provide.

Happy ninja reading!


Adversary modeling

Security site to bookmark: www.pentest-standard.org

These days, leaving a company's payroll to become a freelance information security consultant looks like a plausible option to many IT security professionals. The choice comes either as a deliberate decision or as a last resort before being pushed out of the industry to try their luck in other, more generic, IT areas.

Firms depend heavily on IT, and they increasingly engage security professionals. One of the most commonly requested services is the security analysis of their information systems, also known as a penetration test. Pentest-standard.org is a valuable initiative that gives both security vendors and their customers a common pen-testing language and scope, as explained in its FAQ section.

Key players such as Chris Nickerson, Dave Kennedy, Chris John Riley, Carlos Perez and Wim Remes, among many others, have helped make pentest-standard.org a necessary go-to site for penetration testers. First conceived in 2009 and launched in 2010, the site has had over 1800 content reviews and continues to evolve. Pentest-standard.org uses a handy wiki format and welcomes contributions from the community, either via the corresponding LinkedIn group or via a PDF-based collaboration site powered by Adobe.

I highlight two components of this site:

  • The seven pen-testing execution stages (pre-engagement interactions, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation and reporting): each of them opens with a valuable mind map that could very well serve as the script for a formal pen-testing engagement. Non-technical but pivotal elements, such as scoping and payment terms, are also covered.
  • The technical guidelines: an excellent compilation of links and tools, both free and commercial, for each of the pen-test phases.

Finally, I would like to thank everyone involved in this pen-testing vade mecum and invite the infosec community to contribute. A revealing question: how much of what you can read on pentest-standard.org do you already know?

A version of this post in Spanish is available here.

A nice tool to fly ... and to pen test?

Book Review: Ninja Hacking by Thomas Wilhelm and Jason Andress

Every now and then I share with the readers my views on a specific security-related book. This time the title I scanned through is "Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques". In a nutshell, this is a book for those who would like an introduction to the world of security and insecurity, especially those who also enjoy martial arts. It is not aimed specifically at technical IT security professionals. Here is a biased, telegraphic view:

chapter 1
It starts with the disclaimer that this is not a usual pen-testing book. It draws on ancient feudal Japanese tradition: ninjas and samurai, the documented and undocumented sides of war and military strategy. It notes that the public image of ninjas was negative and that stealthy reconnaissance was a ninja technique. The authors draw a parallel between ninja codes and weapons and unconventional pen testing.

chapter 2
This chapter links pen testing with ninjutsu, mentioning arts such as espionage and unconventional warfare. The authors propose that while white hats follow methodologies to perform pen tests, ninjas take alternative paths. Important detail: ninjas move undetected.

The difference between white-hat and black-hat hacking is the system owner's permission. The book's description of grey-hat hackers is somewhat confusing: they use illegal attack methods without breaking the spirit of the law?

All in all, 17 chapters for readers who want an initial flavour of what insecurity means today. A light appetizer for a non-technical audience before embarking on more robust references.

Ninja "security" turtles?