Episode 24
Thinking Like A Hacker
Using compelling stories and metaphors, Ted Harrington, author of Hackable: How To Do Application Security Right, and Executive Partner at Independent Security Evaluators, explains the process of hacking and the importance of being able to think like a hacker. He encourages leaders to get excited about information security investments and look for ways of gaining a competitive edge from those investments.
To access and download the entire podcast summary with discussion highlights --
https://www.dchatte.com/episode-24-thinking-like-a-hacker/
Connect with Host Dr. Dave Chatterjee and Subscribe to the Podcast
Please subscribe to the podcast so you don't miss any new episodes! And please leave the show a rating if you like what you hear. New episodes release every two weeks.
Connect with Dr. Chatterjee on these platforms:
LinkedIn: https://www.linkedin.com/in/dchatte/
Website: https://dchatte.com/
Cybersecurity Readiness Book: https://www.amazon.com/Cybersecurity-Readiness-Holistic-High-Performance-Approach/dp/1071837338
Transcript
Introducer:Welcome to the Cybersecurity Readiness Podcast
Introducer:Series with Dr. Dave Chatterjee. Dr. Chatterjee is the author of
Introducer:Cybersecurity Readiness: A Holistic and High-Performance
Introducer:Approach. He has been studying cybersecurity for over a decade,
Introducer:authored and edited scholarly papers, delivered talks,
Introducer:conducted webinars, consulted with companies, and served on a
Introducer:cybersecurity SWAT team with Chief Information Security
Introducer:Officers. Dr. Chatterjee is an Associate Professor of
Introducer:Management Information Systems at the Terry College of
Introducer:Business, the University of Georgia, and Visiting Professor
Introducer:at Duke University's Pratt School of Engineering.
Dr. Dave Chatterjee:Hello, everyone, I'm delighted to
Dr. Dave Chatterjee:welcome you to this episode of the Cybersecurity Readiness
Dr. Dave Chatterjee:Podcast Series. Today, I have the pleasure of talking with Ted
Dr. Dave Chatterjee:Harrington, Executive Partner at Independent Security Evaluators
Dr. Dave Chatterjee:and he's also the author of Hackable: How To Do Application
Dr. Dave Chatterjee:Security Right. His company, made up of ethical hackers was
Dr. Dave Chatterjee:born out of the Ph.D. program at the Johns Hopkins University.
Dr. Dave Chatterjee:They have been doing security assessments and security
Dr. Dave Chatterjee:consulting for a long time for both large enterprises and
Dr. Dave Chatterjee:funded startups and everyone in between. Since 2005, they have
Dr. Dave Chatterjee:been hired by hundreds of companies, and they have helped
Dr. Dave Chatterjee:discover tens of thousands of security vulnerabilities. Their
Dr. Dave Chatterjee:work has appeared in The New York Times, Wall Street Journal,
Dr. Dave Chatterjee:Washington Post, USA Today, Financial Times, Wired, and CBS
Dr. Dave Chatterjee:News on Assignment. Hey, Ted, welcome.
Ted Harrington:Thanks for having me. Excited to be here.
Dr. Dave Chatterjee:So let's talk about hacking. For the
Dr. Dave Chatterjee:benefit of the listeners, provide an overview of hacking
Dr. Dave Chatterjee:like hacking 101, what is it? What are the many consequences?
Ted Harrington:Sure, so I like this question a lot, because the
Ted Harrington:concept of hacking and the concept of hackers is pretty
Ted Harrington:misunderstood. So maybe we start there, like what is what is
Ted Harrington:hacking? What is a hacker and a lot of times people talk about
Ted Harrington:this idea, you know, hackers as if they're bad, right? That the
Ted Harrington:hackers are malicious, or associated with wrongdoing or
Ted Harrington:evil or whatever. And that's only partly true, because that's
Ted Harrington:a certain that is certainly a type of hacker. But hackers, the
Ted Harrington:term hacker is neutral. It's neither good nor bad. It's a
Ted Harrington:hacker is someone who is a problem solver. They're
Ted Harrington:creative. They're someone who looks at the way a system works
Ted Harrington:and says, you know, can it behave differently than what was
Ted Harrington:intended to do? Can I create something. So that's really what
Ted Harrington:hackers are, and then the fork in the road comes to motivation,
Ted Harrington:right? So if someone is doing this, because they want to
Ted Harrington:obtain some sort of personal gain, they want to harm others.
Ted Harrington:That's what attackers would be certainly. But the other forks
Ted Harrington:of the road are ethical hackers, people who do the same things
Ted Harrington:use the same tools, the same techniques, still want to find
Ted Harrington:those issues with how a system works. But they do it because
Ted Harrington:they want to fix the system, they want to make it better,
Ted Harrington:they want to improve it. And that's the corner of the world
Ted Harrington:that I come from, that our people all come from. And both
Ted Harrington:are hackers. So really fundamentally, that's what
Ted Harrington:hacking is hacking is looking at something and saying, you know,
Ted Harrington:can it be differently, and there's this classic TV series
Ted Harrington:called MacGyver that, you know, maybe younger generations might
Ted Harrington:not be familiar with. I've never even actually really seen
Ted Harrington:MacGyver myself. But I'm very familiar with the concept of
Ted Harrington:MacGyver. And he's, you know, this dude, who would just he
Ted Harrington:create things out of, he'd take things that were supposed to do
Ted Harrington:one thing and make it do something else. Like if there
Ted Harrington:was one episode where he, I think he needed to start a car
Ted Harrington:or something and he took a paperclip, which the purpose of
Ted Harrington:a paperclip is to clip together paper. And he used this to like
Ted Harrington:somehow, you know, ignite the engine in a vehicle. That's a
Ted Harrington:hacker that's someone who says, you know, things supposed to
Ted Harrington:work in a certain way, can I make it behave differently, and
Ted Harrington:then motivation determines whether that's a good thing or a
Ted Harrington:bad thing.
Dr. Dave Chatterjee:That's interesting. That's an
Dr. Dave Chatterjee:interesting way of looking at hacking. I never thought about
Dr. Dave Chatterjee:it as hackers as problem solvers. But I see from where
Dr. Dave Chatterjee:you're coming. With the growing expansion of attack surfaces and
Dr. Dave Chatterjee:evolution of attack vectors. It's hard for organizations to
Dr. Dave Chatterjee:keep up with the latest hacking methods and techniques. And
Dr. Dave Chatterjee:that's why companies often hire organizations that are made up
Dr. Dave Chatterjee:of ethical hackers to help them stay on top of information
Dr. Dave Chatterjee:security management to the extent possible. So shed some
Dr. Dave Chatterjee:light on why hackers might be interested in breaching systems
Dr. Dave Chatterjee:of certain types of organizations over others, if
Dr. Dave Chatterjee:that's the case, that may not be the case. And related to that,
Dr. Dave Chatterjee:are any organization types more vulnerable than others?
Ted Harrington:Yeah, let's tackle those separately, because they
Ted Harrington:are two slightly different questions. But that can be
Ted Harrington:conflated. So why would an attacker attack a specific
Ted Harrington:organization? I think this is a wonderful question. And it goes
Ted Harrington:to the heart of one of the very common misunderstandings that
Ted Harrington:people have about attackers. Most people think that this idea
Ted Harrington:of we've already broken down that there's, you know, hackers
Ted Harrington:can be good, or hackers can be bad. But even amongst the bad
Ted Harrington:hackers, they're not all the same thing. But we often talk
Ted Harrington:about them as if they're all the same thing. And that's actually
Ted Harrington:not true. So different attacker groups, they're motivated to
Ted Harrington:achieve different outcomes. So the most common one, almost
Ted Harrington:everybody talks about hackers as being profit motivated. And that
Ted Harrington:is indeed a very compelling motivation for many types of
Ted Harrington:attackers. I mean, basically, anyone who engages in ransomware
Ted Harrington:profit is the motive. Almost everyone, there's, there's cases
Ted Harrington:where maybe you use that to hide your other motive, but so
Ted Harrington:someone who wants to make money that's like organized crime as
Ted Harrington:an example, they are attacking because they want to make money.
Ted Harrington:But then you've got groups that are more interested in
Ted Harrington:notoriety, right. So maybe it's someone who just they want to
Ted Harrington:prove they can do it, or they want to go to brag about it, or
Ted Harrington:they want to, yeah, they just want the notoriety associated
Ted Harrington:with it. That's a different motivation from someone who may
Ted Harrington:be like Anonymous, the hacker collective that fits in the
Ted Harrington:group of what are called hacktivists, which they attack
Ted Harrington:organizations in order to make a statement. And then there's
Ted Harrington:nation states that attack organizations in order to pursue
Ted Harrington:their geopolitical objectives. And so when we think about
Ted Harrington:different attackers having different motivations that comes
Ted Harrington:into play, in terms of how we now think about how we defend,
Ted Harrington:because we think about, well, what are we trying to protect,
Ted Harrington:and is what we have something that an attacker could pursue
Ted Harrington:their specific motivation for. So they want to feel like a lot
Ted Harrington:of companies, they'll say, Well, I don't have anything valuable,
Ted Harrington:I don't protect any valuable data. So no one's going to
Ted Harrington:attack me because I don't have valuable data and no one's gonna
Ted Harrington:make money off of attacking me. And hopefully, what I just
Ted Harrington:illustrated makes it clear that that's actually not the case.
Ted Harrington:You know, you might not have valuable data, but maybe you
Ted Harrington:have, maybe your organization can be swept up in a botnet.
Ted Harrington:Your computational power can be used in a broader DDoS type
Ted Harrington:attack. Maybe your organization has some sort of influential
Ted Harrington:information on maybe population trends or things that are
Ted Harrington:happening on a national level that another nation might want
Ted Harrington:to understand. So we have to understand the attacker, why
Ted Harrington:they're motivated in order to help ourselves think about what
Ted Harrington:do we need? Why would someone attack us?
Dr. Dave Chatterjee:Very true, very true. We hear this phrase
Dr. Dave Chatterjee:'thinking like a hacker' a lot. The ability to think like a
Dr. Dave Chatterjee:hacker is considered a best practice in cybersecurity
Dr. Dave Chatterjee:governance. I'd like to probe a little deeper into it. Can you
Dr. Dave Chatterjee:shed some light on that?
Ted Harrington:Yeah, I'm, I'm definitely one of those people
Ted Harrington:who's out there banging this drum. I say this to anyone who
Ted Harrington:will listen that Yeah, to defend against an attacker, we need to
Ted Harrington:think like an attacker. Um, and this this idea of more
Ted Harrington:generally, you know, think like a hacker, whether that's a you
Ted Harrington:know, good type of hacker or a bad type of hacker. This is
Ted Harrington:absolutely mission critical for organizations to be able to
Ted Harrington:secure their what it is, whatever it is, they're trying
Ted Harrington:to protect the most, they really need to think like, someone who
Ted Harrington:would attack a system. And that's not very easy actually to
Ted Harrington:do. And most people aren't wired that way. I often think of this,
Ted Harrington:like the movie, The Matrix. Maybe this is a little bit of a
Ted Harrington:spoiler, but the movie has been out for, like 25 years. So if
Ted Harrington:you haven't seen it yet, that's on you. And then I'm spoiling
Ted Harrington:it. You know, you find out partway through this movie, that
Ted Harrington:you know, everyone who's living normal life, like we live normal
Ted Harrington:life, you know, here on Earth, all of a sudden, you're actually
Ted Harrington:in a simulation. And when you unplug from the matrix, you
Ted Harrington:realize you're, you're now living reality, but the reality
Ted Harrington:is really ugly. You're in this like post apocalyptic world and
Ted Harrington:it's like everything cold your food is basically like eating
Ted Harrington:dust. It's, it's a terrible life, but you have freedom. And
Ted Harrington:I often think of that's what it's like, once you can think
Ted Harrington:like a hacker is like once you unplug from the matrix, and you
Ted Harrington:see kind of all the darkness in the world. Hold, there's no
Ted Harrington:going back. And so it's not for everybody, not everybody should
Ted Harrington:not think that everybody doesn't have the capability to see the
Ted Harrington:world that way. And most people probably don't want to see the
Ted Harrington:world that way. But those of us who are engaged in this as a
Ted Harrington:profession, or even as a hobby, this is the way that we see it.
Ted Harrington:And the reason that this is important is, I guess, think of
Ted Harrington:it like, what's any metaphor, I don't know, think of a sports
Ted Harrington:metaphor, right? If you're, if you're playing against an
Ted Harrington:opponent coming up this weekend, how are they going to think
Ted Harrington:about their plan to try to win the game against you, right, you
Ted Harrington:have to put yourself in the shoes of your opponent, in order
Ted Harrington:to be able to understand how will you like what's, what's the
Ted Harrington:lens through which they see you, and how will you be attacked.
Ted Harrington:And that's why this idea of thinking like a hacker is
Ted Harrington:really, really important. Because, again, to use a sports
Ted Harrington:metaphor, like when when we think as defenders, that sort of
Ted Harrington:like someone who's, you know, playing basketball, and they're,
Ted Harrington:they're playing defense on their heels, right. And so anyone
Ted Harrington:who's played really any ball sports, any team sports knows
Ted Harrington:that if your weight is on your heels, it's really, really hard
Ted Harrington:to react to the ball coming at you. And so the advice is, you
Ted Harrington:always have to be on your toes, you have to be leaning forward,
Ted Harrington:not leaning backwards. And so when we think like defenders,
Ted Harrington:we're leaning backwards, we're sort of like waiting for the
Ted Harrington:world to come to us. But that makes it really hard to react.
Ted Harrington:Instead, we should be leaning forward, we should be on our
Ted Harrington:toes. And we should be thinking like, Hey, we're actually on the
Ted Harrington:offense, not on the defense. And that's what think like a hacker
Ted Harrington:helps you do.
Dr. Dave Chatterjee:And so, you know, as you said, that you
Dr. Dave Chatterjee:don't expect everyone to think like a hacker. Now, maybe the
Dr. Dave Chatterjee:cybersecurity professionals in the organization, who are paid
Dr. Dave Chatterjee:to, you know, be proactive, make recommendations on how to secure
Dr. Dave Chatterjee:the organization, from new attack types, maybe they are the
Dr. Dave Chatterjee:ones who should be thinking like a hacker. But I'm just curious
Dr. Dave Chatterjee:to know, your thoughts and perspectives on the other group,
Dr. Dave Chatterjee:the folks who generally get compromised, they are not very
Dr. Dave Chatterjee:security savvy, they learn as best they can, what they're told
Dr. Dave Chatterjee:by the organization. For those folks, obviously, they are not
Dr. Dave Chatterjee:the type that you'd recommend, think like a hacker. But what
Dr. Dave Chatterjee:advice do you have for them?
Ted Harrington:Yeah, so as you can, as you're gonna see,
Ted Harrington:throughout the crowd, I'm big on metaphors. So let's, let's use
Ted Harrington:the metaphor of someone who builds skyscrapers, right? So
Ted Harrington:that particular type of contractor that takes a specific
Ted Harrington:skill set, developed over a long period of time, you know, how to
Ted Harrington:build a skyscraper. Now, if someone comes to you and says,
Ted Harrington:Hey, we've got this other skyscraper over here, and we
Ted Harrington:need to demo it, we need to demolish it. You know how these
Ted Harrington:things, you build these things all day? Can you demolish this
Ted Harrington:one? They'd be like, maybe like, I guess I know the fundamentals
Ted Harrington:of how it's built. But like, that's not what I do. That's not
Ted Harrington:my profession. That's not my chosen craft. So what do they
Ted Harrington:do? They say, Well, why don't we get a demo expert in here to do
Ted Harrington:the demo, and I'll work with them. And I'll say, you know,
Ted Harrington:we'll, we'll talk through the mechanics of this building. And,
Ted Harrington:and that's how we'll have a successful demolition. But
Ted Harrington:they're two completely different crafts. So the first piece of
Ted Harrington:advice is, you need to work with somebody, like you're the
Ted Harrington:builder, you need to work with a breaker, right? So companies who
Ted Harrington:are out there building, whatever system that you're building, you
Ted Harrington:definitely want to work with ethical hackers, because they
Ted Harrington:help you because they bring that expertise, that, as you
Ted Harrington:correctly noted, isn't necessarily the core part of
Ted Harrington:what it is that you're doing. It's similar to like any
Ted Harrington:expertise that you would partner with externally, so companies
Ted Harrington:all the time will partner with, you know, outside counsel,
Ted Harrington:outside accountants outside, you know, pick your expertise,
Ted Harrington:they'll, they'll say, Hey, you're gonna come and sort of be
Ted Harrington:the surgical strike that does this specific thing that we
Ted Harrington:don't actually fully staffing out. So that's the first thing
Ted Harrington:is, you know, work with outside organizations. Second thing is
Ted Harrington:to, even though that that's what has to happen is you have to
Ted Harrington:work with outside organizations who specialize in this thing.
Ted Harrington:You want to also make sure that you understand the principles.
Ted Harrington:So if we use that, the skyscraper metaphor, the guy who
Ted Harrington:or the guy or the gal who builds a skyscraper should also know
Ted Harrington:where the weaknesses are and know and know how it might
Ted Harrington:crumble if it's not built correctly. Now, that doesn't
Ted Harrington:mean they're gonna go out and do demo, but they're going to know
Ted Harrington:like, Hey, this is a, you know, this type of joint stresses in a
Ted Harrington:in a bad way, we should make sure we don't use that type of
Ted Harrington:joint. And I'm way oversimplifying the practice of
Ted Harrington:building a skyscraper for sure. But you know, it's for
Ted Harrington:illustrative purposes. And so that's the second piece of
Ted Harrington:advice is make sure you understand the principles so
Ted Harrington:your work with someone else, but still, you have to make sure
Ted Harrington:that they understand the principles yourself. And then
Ted Harrington:the third is this. It's abstract, but it's keep asking
Ted Harrington:these questions, right? It's your whatever it is that you do
Ted Harrington:in any profession, your core expertise, you're going to, you
Ted Harrington:know, that's where the focus of your develop effort developing
Ted Harrington:yourself is going to be. But there's always going to be these
Ted Harrington:things on the periphery that like, oh, I should probably know
Ted Harrington:about that. But maybe I'm not the expert in that. But by
Ted Harrington:asking the questions of what do I need to know about x? So the
Ted Harrington:person who's listening to this right now, who builds systems
Ted Harrington:and says, What do I need to know about security? That question is
Ted Harrington:so important, it's so powerful, because just by asking it, it
Ted Harrington:leads you to the type of growth that is necessary, in order to
Ted Harrington:make sure you understand the principles even though the, the
Ted Harrington:entity or the person who's going to be responsible for this is
Ted Harrington:going to be someone else, you can't completely delegate it to
Ted Harrington:someone else.
Dr. Dave Chatterjee:I agree. I wholeheartedly agree. In fact,
Dr. Dave Chatterjee:as you were talking, a thought came to mind. I wish you know,
Dr. Dave Chatterjee:that. There are more demonstrations, visual
Dr. Dave Chatterjee:demonstrations, graphical illustrations, and various forms
Dr. Dave Chatterjee:of presentations made available to the masses, where people get
Dr. Dave Chatterjee:to see how hackers think, how hackers act. And I realized that
Dr. Dave Chatterjee:can get very technical, but that's where the skill lies. Can
Dr. Dave Chatterjee:we present the technical stuff in a non technical way you, you
Dr. Dave Chatterjee:use metaphors and you, you know, kind of talked about several
Dr. Dave Chatterjee:movies. So maybe we need more media help here to popularize
Dr. Dave Chatterjee:thinking like a hacker. So everyone on the street literally
Dr. Dave Chatterjee:has some sense of what these guys are up to how they are
Dr. Dave Chatterjee:thinking how they try to attack, not to suggest that this would
Dr. Dave Chatterjee:make everyone an expert, but at least it whets the appetite, it
Dr. Dave Chatterjee:gives them a basic understanding. And that would
Dr. Dave Chatterjee:help the organization to mobilize support from from all
Dr. Dave Chatterjee:parts of the organization. Thoughts, reactions?
Ted Harrington:Yeah, well, let me try to illustrate with maybe
Ted Harrington:a metaphor that most people can relate to. Most people don't
Ted Harrington:like waiting in line. Right? I think that's just, even though
Ted Harrington:everyone does wait in line, like people literally spend money and
Ted Harrington:vacation time to go to places like Disneyland, because they
Ted Harrington:want to wait in line all day. So they can, you know, wait in line
Ted Harrington:for an hour to take a three minute ride. Not for me, but
Ted Harrington:hey, you know, whatever floats your boat, but I think but, but
Ted Harrington:most people, even though they wait in those lines, they pay to
Ted Harrington:wait in those lines, they take time off their job to wait in
Ted Harrington:those lines, people would still say they don't like waiting in
Ted Harrington:the line. I think that's sort of a universal human condition. No
Ted Harrington:one, no one is enjoying the line. So let me tell you about a
Ted Harrington:story that I had involving a line and this is this story
Ted Harrington:actually is a form of social engineering. But the components
Ted Harrington:to it describe exactly the process that an attacker would
Ted Harrington:go through. So if we can imagine a bar, and the bar is going to
Ted Harrington:be you know, a bar, like a nightclub. This bar represents
Ted Harrington:our, it represents a, a system that someone is building. So I
Ted Harrington:this was a few years ago, I wound up going to this, this
Ted Harrington:bar, and I was meeting up with some friends. And I can't
Ted Harrington:remember why I needed to go to this specific bar. But I mean,
Ted Harrington:it was like someone's birthday, but I had to go to this. It
Ted Harrington:wasn't like, we'll just go to another bar, and there was this
Ted Harrington:huge line. And then when you you get through this whole long line
Ted Harrington:takes a half an hour or whatever, then you pay a cover
Ted Harrington:charge to get in. And I didn't want anything to do with either
Ted Harrington:of those. I was like I don't want to wait in line and then
Ted Harrington:pay you know, whatever. 20 bucks just just for the right to now
Ted Harrington:go in and I'll spend more money. So I did what you know, really
Ted Harrington:any hacker minded person does the first thing I did was I
Ted Harrington:assessed the system I looked at how does the system work? Okay,
Ted Harrington:well, there's a line that gets you in and, and then you pay a
Ted Harrington:cover when you're in and that grants you access. But I noticed
Ted Harrington:there's also this other area for a VIP entrance. And that VIP
Ted Harrington:entrance, you can only there's no line, there's no cover, but
Ted Harrington:you can only go in if you're on the list. So that's the second
Ted Harrington:thing I did was I said alright, well, how could the challenge
Ted Harrington:question was how can I make them believe I'm on the list? I'm not
Ted Harrington:on the list, but how can I make them believe it? So that's the
Ted Harrington:second thing that attackers will do, though. They'll essentially
Ted Harrington:set out a challenge statement for themselves. Like what's the
Ted Harrington:goal? What am I trying to do? And in this case, I was trying
Ted Harrington:to get the privileges of someone on the VIP list when I didn't
Ted Harrington:have those privileges. That's called privilege escalation. So
Ted Harrington:then the next thing I did was what any attacker does. I, I probed
Ted Harrington:some I established some assumptions about how the system
Ted Harrington:worked. And my assumption was, if I can produce the name of
Ted Harrington:someone on that list, they will assume I'm on the list. So that
Ted Harrington:was my goal, I needed to produce a name on the list. I did not
Ted Harrington:know any names. So here's what I did. So I walk right up to the
Ted Harrington:VIP hostess, and I say, Hi, I'm on the list. Now, again, I just
Ted Harrington:told you I'm not I'm not listed. She doesn't know this, but I'm
Ted Harrington:not on the list. So I said, Hi, I'm on the list. So when she
Ted Harrington:asks me what my name is, telling her my name wasn't going to
Ted Harrington:help, because I'm not on the list. And guessing is like,
Ted Harrington:what's the chances? I guess somebody's name, right? Like,
Ted Harrington:it's so like, why even bother? So I'm not gonna guess. So
Ted Harrington:instead, I issue what's called a specially crafted input. Now,
Ted Harrington:this is when an attacker is probing a system to see how it's
Ted Harrington:going to react. And in this case, a specially crafted input
Ted Harrington:was I said, Well, I'm with the group, I made an assumption that
Ted Harrington:the there was going to be a group, and the group would be on
Ted Harrington:the VIP list. And so when she said which group again, I
Ted Harrington:didn't, you know, same problems, I didn't know the names of any
Ted Harrington:group guessing wasn't going to help. So again, I asked, I
Ted Harrington:issued another specially crafted input, and I said, I'm with the
Ted Harrington:big group. And I was making an assumption that that would be
Ted Harrington:something that would be on the list, there would be one group
Ted Harrington:larger than others. And with that, she looks down at her
Ted Harrington:clipboard, she flips a couple pages, and she says, Oh, the
Ted Harrington:Smith party. And I said, Yes, I am with the Smith party. And
Ted Harrington:with that, I had achieved the goal, I associated myself with a
Ted Harrington:name on the list, she opens the velvet rope, escorts us past
Ted Harrington:the line and past the cover charge. And, you know, I went
Ted Harrington:into the bar, I should say, as a sidebar, I am an ethical hacker.
Ted Harrington:So even though I did not pay the cover charge, I'm more than made
Ted Harrington:up for it with over tipping my bar staff, everyone, the only
Ted Harrington:person who lost money that night was probably me, like everyone
Ted Harrington:made out. But I didn't have to wait in line, which is what I
Ted Harrington:didn't want to do. But the point of that story, whether you like
Ted Harrington:going to bars or not, or you've never even been to a bar, we've
Ted Harrington:all been in situations we don't like waiting in line. And that
Ted Harrington:story can illustrate in a way that I think everyone can relate
Ted Harrington:to the process that attackers go through.
Dr. Dave Chatterjee:Excellent. That's a very, very interesting
Dr. Dave Chatterjee:and telling story. In fact, that reminds me, this is not so much
Dr. Dave Chatterjee:about how hackers hack, but how to be on your guard to be on
Dr. Dave Chatterjee:your defense. And I wasn't that night, where I went to a
Dr. Dave Chatterjee:restaurant at great city, I won't name it here. And it was a
Dr. Dave Chatterjee:Halloween, I think, and it was a haunted restaurant. So we were
Dr. Dave Chatterjee:having dinner there. And the lights were very dim. And you
Dr. Dave Chatterjee:know, they were trying to create that atmosphere I was in my
Dr. Dave Chatterjee:family. So we had dinner. And then when the waitress came up
Dr. Dave Chatterjee:asking for the credit card, I gave it to her without thinking
Dr. Dave Chatterjee:twice that I should be scanning the card right there. And then I
Dr. Dave Chatterjee:shouldn't be giving it to somebody. And next moment. Well,
Dr. Dave Chatterjee:you know, that night, everything went off. Well, we checked out
Dr. Dave Chatterjee:and we had a good night's rest. Next morning, I was driving my
Dr. Dave Chatterjee:son for his tennis match. And then I got a call. I was not
Dr. Dave Chatterjee:planning to take the call. It was an 800 number call. But then
Dr. Dave Chatterjee:I did. I'm glad I did. It was a Bank of America representative
Dr. Dave Chatterjee:asking where I was the previous night. And then he was able to
Dr. Dave Chatterjee:share some data and facts that told me that my card got hacked.
Dr. Dave Chatterjee:And it was already being used in the state of California. And I
Dr. Dave Chatterjee:was on the eastern part of the country. So I knew that somebody
Dr. Dave Chatterjee:had gotten access to it. So this is an example where even those
Dr. Dave Chatterjee:of us who are conscious about this phenomenon will play a
Dr. Dave Chatterjee:role. Even they can get caught napping and they can get
Dr. Dave Chatterjee:compromised, and which has happened to me not once but
Dr. Dave Chatterjee:several times. And that's all the more I believe the need for
Dr. Dave Chatterjee:reiterating reinforcing some fundamental principles, some
Dr. Dave Chatterjee:guidelines and recommendations. Because I believe that the very
Dr. Dave Chatterjee:best of people have been, can be or will be breached in the
Dr. Dave Chatterjee:future. So that is great. Good discussion on that topic.
Dr. Dave Chatterjee:Switching gears a little bit. Let's talk about security
Dr. Dave Chatterjee:assessments. It's reasonable to assume that most organizations
Dr. Dave Chatterjee:are engaging in security assessments. But the more
Dr. Dave Chatterjee:nuanced question is, are they engaging in the right kinds of
Dr. Dave Chatterjee:security assessments with methodologies that best align
Dr. Dave Chatterjee:with their desired outcomes? What are your thoughts?
Ted Harrington:You are preaching to the choir right
Ted Harrington:now? That is that is the question in that matter that
Ted Harrington:absolutely is the question that matters. Wow. So the way you
Ted Harrington:actually framed the question first was, you know, we're
Ted Harrington:assuming that most organizations are getting security
Ted Harrington:assessments. I hope that is true. I guess it should be
Ted Harrington:stated that that's assuming an organization is something worth
Ted Harrington:protecting, that is actually an important item to note. So if
Ted Harrington:you don't have something worth protecting, then like, why would
Ted Harrington:you invest in protecting it doesn't matter. But assuming you
Ted Harrington:do, I mean, someone who's listening to a show like this,
Ted Harrington:you probably do. Right? You wouldn't be investing your time,
Ted Harrington:in listening to Ted ramble into random metaphors, if you didn't
Ted Harrington:have something to protect. So we're assuming you have something to
Ted Harrington:protect, and you're getting these security assessments done. And
Ted Harrington:the real problem that I see, I mean, one of the motivations to
Ted Harrington:want to write a book was because I saw this rampant problem all
Ted Harrington:over the place, which is that the way that we talk about
Ted Harrington:security testing, and by we I'm talking about, collectively, the
Ted Harrington:security community, but also those who engage with security
Ted Harrington:community who hire security professionals to do security
Ted Harrington:testing, we talk about it in very imprecise ways. And it
Ted Harrington:winds up leading to some really bad outcomes. So what most
Ted Harrington:people want when they're hiring security testing? Well, there
Ted Harrington:are different motivations for why someone would go hire one.
Ted Harrington:But they're usually something like, well, I need to prove it
Ted Harrington:to someone else. And I need to actually secure the thing. So
Ted Harrington:those are, sometimes hopefully, it's both sometimes it's just
Ted Harrington:one, like, I need to prove this, I don't care what it is, I need
Ted Harrington:to prove it to someone else that I did a security test. But
Ted Harrington:in the case of, you know, the more progressive companies
Ted Harrington:definitely, they're actually trying to improve the security
Ted Harrington:of the system. They're not just going through the motions. But
Ted Harrington:the problem is, the way we talk about security testing is we use
Ted Harrington:terms incorrectly all the time. So people often will ask for
Ted Harrington:penetration testing. That's sort of the term that's become the
Ted Harrington:catch all. But penetration testing is a very specific type
Ted Harrington:of thing. But complicating that problem, they're asking for
Ted Harrington:penetration testing, they're usually sold something else.
Ted Harrington:Like if you Google that term, right now, almost all the
Ted Harrington:results you're gonna get, not all of them, but at least three
Ted Harrington:quarters of them are something else, they're going to be
Ted Harrington:vulnerability scanning, they're not penetration testing. But
Ted Harrington:then what makes it even more complicated is that what people
Ted Harrington:actually need usually isn't actually penetration testing at
Ted Harrington:all. What they usually need is what's called vulnerability
Ted Harrington:assessments. And of course I've got
Ted Harrington:metaphors; I can explain the difference between these
Ted Harrington:three types. But the point that I want to leave on answering
Ted Harrington:your question here is that those are three really different
Ted Harrington:things. They entail different investments of time, and money
Ted Harrington:and person power, and they deliver different things. So
Ted Harrington:when people are asking for something, they're getting
Ted Harrington:something else, and yet they actually needed a third thing
Ted Harrington:altogether, have we actually achieved the mission? Right?
Ted Harrington:Have we actually accomplished what we set out to accomplish,
Ted Harrington:and that is a really big problem.
Dr. Dave Chatterjee:There are a few things that you've mentioned
Dr. Dave Chatterjee:more than once now, and I believe it, it's worth
Dr. Dave Chatterjee:reiterating, re emphasizing, and that is, an organization needs
Dr. Dave Chatterjee:to know, or needs to have a good understanding of what it wants
Dr. Dave Chatterjee:to secure. And what are the tools, the methodologies, the
Dr. Dave Chatterjee:techniques that are out there? Now, one is not expecting an
Dr. Dave Chatterjee:organization, especially smaller organizations resource
Dr. Dave Chatterjee:constrained to have the kinds of expertise to make those calls,
Dr. Dave Chatterjee:but they need to reach out and get help. Again, you know,
Dr. Dave Chatterjee:trying to follow your example of using a metaphor. It's like,
Dr. Dave Chatterjee:when you go to a doctor, or you're thinking of going
Dr. Dave Chatterjee:to a doctor, because you feel there is an issue. And so you're
Dr. Dave Chatterjee:doing your best due diligence possible, doing your searches,
Dr. Dave Chatterjee:you know, talking to people getting advice. So you have a
Dr. Dave Chatterjee:planning process in place. And it's important, why is it
Dr. Dave Chatterjee:important because it's your health. And I like to use the
Dr. Dave Chatterjee:health metaphor, because when it comes to security,
Dr. Dave Chatterjee:security is the health of the organization. I believe
Dr. Dave Chatterjee:that the day is not far when we'll be ranking organizations
Dr. Dave Chatterjee:on their security health rating. So therefore, developing an
Dr. Dave Chatterjee:understanding of what the security needs are, and who is
Dr. Dave Chatterjee:the right person who can provide the help or who are the right
Dr. Dave Chatterjee:people who can deliver the goods is absolutely mission critical.
Dr. Dave Chatterjee:So therefore, your points are very well made that to recognize
Dr. Dave Chatterjee:what kind of help you need from a security standpoint. And that
Dr. Dave Chatterjee:will immediately help align what you get by way of security
Dr. Dave Chatterjee:mechanisms, along with your overall organizational goals and
Dr. Dave Chatterjee:strategies. So I just wanted to re emphasize there anything else
Dr. Dave Chatterjee:you'd like to add to that?
Ted Harrington:Well, just that the doctor patient metaphor for
Ted Harrington:security is so good. And there's so many aspects of that
Ted Harrington:relationship that we can, you know, tie back to security, and
Ted Harrington:I'm just deciding whether or not to go down all those different
Ted Harrington:rabbit holes right now. But I'll definitely tie back to one or
Ted Harrington:more of them as as we go. But, um, if we want to use the doctor
Ted Harrington:metaphor, and the context of the question that you're asking
Ted Harrington:about, like, how do we make sure we're getting the right thing? I
Ted Harrington:think it's, that's actually, maybe that's a good metaphor for
Ted Harrington:us to use, because it's like when people go into the doctor's
Ted Harrington:office, and they're like, Oh, I checked on WebMD, my, you know,
Ted Harrington:my symptoms or whatever. And so they, they've self diagnosed, so
Ted Harrington:they go into the doctor, and they're like, I need a, I don't
Ted Harrington:know, insert jargon, technical term right now. And the doctor
Ted Harrington:is like, we'll get to that limit. Let me instead, evaluate
Ted Harrington:your symptoms, see where we're at. And I'll tell you, then, you
Ted Harrington:know, what we need. But the problem that happens in security
Ted Harrington:would be like, so doctors, I guess I don't know what I'm
Ted Harrington:about to say for 100% certain, because I am not a doctor. But
Ted Harrington:my understanding is that in medicine, a procedure has a
Ted Harrington:name. And that's a universally understood procedure. The
Ted Harrington:problem with what's happening with security. So let's say I
Ted Harrington:don't know what the technical term would be, let's just say
Ted Harrington:it's called knee replacement. You know, someone goes in, and
Ted Harrington:they're like, I think I might, you know, my knees bother me, I
Ted Harrington:need some help with my knee. And then a doctor is like, you need
Ted Harrington:a knee replacement. The problem in security would be like, when
Ted Harrington:one doctor says knee replacement, he means I'm going
Ted Harrington:to replace your knee, another doctor means I'm going to give
Ted Harrington:you orange juice. And a third doctor means I'm going to give
Ted Harrington:you a physical, and you're like, these are all using the same
Ted Harrington:term to describe really, really different things. And the
Ted Harrington:patient doesn't know any better to like, because the patient's
Ted Harrington:going to the expert. That's why this is a real problem. Like if
Ted Harrington:you went to the doctor, and three different doctors said the
Ted Harrington:same term, but they meant three different things. You probably
Ted Harrington:wouldn't go to the doctor anymore. And that's why it's such
Ted Harrington:a significant problem.
Dr. Dave Chatterjee:Yep, very cool. You know, I, I authored a
Dr. Dave Chatterjee:book, which, which was published by SAGE last year on
Dr. Dave Chatterjee:Cybersecurity Readiness: A Holistic and High-Performance
Dr. Dave Chatterjee:Approach. In that book, I, I presented a framework, it's
Dr. Dave Chatterjee:called the Commitment, Preparedness and Discipline
Dr. Dave Chatterjee:framework that is associated with 17 cybersecurity readiness
Dr. Dave Chatterjee:success factors. And I'm not going to go down that list, but
Dr. Dave Chatterjee:I wanted your thoughts on some of them, which I have found to
Dr. Dave Chatterjee:be very important for an organization to secure
Dr. Dave Chatterjee:themselves or get the resources they need to secure themselves.
Dr. Dave Chatterjee:And one of those success factors happens to be hands-on top
Dr. Dave Chatterjee:management. And it's a challenge out there. In terms of how to
Dr. Dave Chatterjee:get top management attention, how to get top management
Dr. Dave Chatterjee:actively engaged in cybersecurity planning,
Dr. Dave Chatterjee:execution, monitoring. Just curious because you're in the
Dr. Dave Chatterjee:field, and you and your company are engaging
Dr. Dave Chatterjee:with numerous organizations. What are you seeing out there,
Dr. Dave Chatterjee:in terms of top management commitment to information
Dr. Dave Chatterjee:security?
Ted Harrington:Well, it's it's definitely becoming more and
Ted Harrington:more of a priority for executive leadership. I think you probably
Ted Harrington:could have any number of security professionals on here
Ted Harrington:to answer that question that would probably all say, some
Ted Harrington:version of the same thing, right, which is like, security
Ted Harrington:is a business problem, not a technical problem. We need to
Ted Harrington:speak in the language of leaders, which is, you know, in
Ted Harrington:terms of numbers and outcomes, and all that stuff. And we need
Ted Harrington:to make sure that we, you know, don't make it technical and all
Ted Harrington:that. So I would say all those things, too. But instead, what I
Ted Harrington:want to share is something that I see the most progressive
Ted Harrington:organizations doing that are the ones who are getting it right.
Ted Harrington:And they're currently in the minority. They're on if we think
Ted Harrington:about, you know, a bell curve. They're on the early early
Ted Harrington:adopter side. And my hope is that eventually we're going to
Ted Harrington:get the whole world thinking this way. And the way is this
Ted Harrington:one: Most people think about security as avoid a bad thing,
Ted Harrington:right, let's not get hacked. That is, in fact, a good way to
Ted Harrington:think about security. But it's incomplete. We also need to
Ted Harrington:think about not just how do we avoid a bad thing? But how do we
Ted Harrington:get a good thing? So not just how do we not get hacked? But
Ted Harrington:how do we gain an advantage. And one of the things that is very,
Ted Harrington:very obvious to me, as I look at the companies really across
Ted Harrington:industries across sectors, the ones who do two things, first,
Ted Harrington:actually secure their systems. And then secondly, in an
Ted Harrington:authentic and credible way, prove it, they gain this
Ted Harrington:incredible competitive advantage over their competitors. So if
Ted Harrington:that's a company, they're competing the way a company
Ted Harrington:will, you know, for customers and market share. But there's
Ted Harrington:other ways you can compete, too, whether that's maybe you're a
Ted Harrington:nonprofit, and you need donors, maybe you're a government, and
Ted Harrington:you need your political influence, or whatever. People
Ted Harrington:and companies and organizations, they want to do business with
Ted Harrington:organizations that are secure. They want trust; trust is the
Ted Harrington:foundation. So if they trust someone, they're going to want
Ted Harrington:to work with them, or at least if they don't trust them,
Ted Harrington:they're going to be hesitant to work with them. And so this is
Ted Harrington:one of the things that I see executives at the more
Ted Harrington:progressive organizations capturing, they see it, they
Ted Harrington:look at it, and they're like, if we only think of security as
Ted Harrington:avoid a bad thing, what we're going to do is we're going
Ted Harrington:to make some risk based decisions about, look, this is
Ted Harrington:just a tax on the business. How do we reduce the tax to the
Ted Harrington:right amount that's not so low that we expose ourselves to huge
Ted Harrington:risk, but we're not overspending? That's the way
Ted Harrington:most people actually think about security,
Ted Harrington:when it's the idea of avoid a bad thing. But now when you
Ted Harrington:change the frame, and you say, Well, how do we get a good
Ted Harrington:thing? How do we get this competitive advantage? Now
Ted Harrington:you're looking at it as an investment. And you're saying
Ted Harrington:it's no longer a cost center to reduce? It's an advantage to
Ted Harrington:optimize? How do we spend in a way that helps us beat the
Ted Harrington:competition? How do we move faster? How do we get more
Ted Harrington:enterprises using us than someone else? And I found that
Ted Harrington:to be the thing that really gets leaders excited, because it's no
Ted Harrington:longer this, like, this is annoying, I don't want to talk
Ted Harrington:about this, make make this problem go away. That's the way
Ted Harrington:most people think about security. Now it is, oh, wait a
Ted Harrington:minute, there is an untapped opportunity to gain a
Ted Harrington:competitive edge. No one else is doing it or not enough people
Ted Harrington:are doing it. Talk to me about that. That's what progressive
Ted Harrington:organizations are doing right now.
Dr. Dave Chatterjee:Brilliant, absolutely brilliant. I love the
Dr. Dave Chatterjee:way you put it. One has to look at information security
Dr. Dave Chatterjee:capability as a distinctive competency. And focusing on
Dr. Dave Chatterjee:developing the competency, using that competency or leveraging
Dr. Dave Chatterjee:that competency to achieve a competitive edge is the way to
Dr. Dave Chatterjee:go. The moment you are thinking of security as "ah, that's one more
Dr. Dave Chatterjee:thing we have to do, we don't have a choice," that really
Dr. Dave Chatterjee:doesn't cut it. Rather, taking a very optimistic approach, and
Dr. Dave Chatterjee:saying, yes, this is a problem. This is a constant
Dr. Dave Chatterjee:issue that we have to deal with. So let's see if we can convert the
Dr. Dave Chatterjee:so called problem into an opportunity and be the best we
Dr. Dave Chatterjee:can be in managing this risk. I love that kind of a mindset,
Dr. Dave Chatterjee:that kind of approach. And I'm sure people who are listening
Dr. Dave Chatterjee:are making note of it. I'm sure many, many organizations, many
Dr. Dave Chatterjee:senior executives approach it that way. So, Ted, a couple of
Dr. Dave Chatterjee:months ago, probably in a podcast session, a renowned
Dr. Dave Chatterjee:cybersecurity expert lamented that companies keep making the
Dr. Dave Chatterjee:same mistakes over and over again. So I asked him, I said,
Dr. Dave Chatterjee:What kind of mistakes are they making over and over again? And
Dr. Dave Chatterjee:he talked about vulnerability management, patch management.
Dr. Dave Chatterjee:And, you know, you being in the business, leading a team of
Dr. Dave Chatterjee:ethical hackers, I'm sure you see that a lot. What are your
Dr. Dave Chatterjee:thoughts about what is so difficult or challenging about
Dr. Dave Chatterjee:patch management, vulnerability management, that to use his
Dr. Dave Chatterjee:words again, that companies keep making the same mistakes?
Ted Harrington:Well, I definitely agree with the
Ted Harrington:problem that companies continue making the same mistakes over
Ted Harrington:and over again, I would not limit it just to this particular
Ted Harrington:issue of patch management. I'm a little befuddled myself as to
Ted Harrington:why patch management continues to be such an issue. And that's
Ted Harrington:not to diminish how hard it is. It's hard. Patch management is
Ted Harrington:difficult. For me personally, like if my job was
Ted Harrington:to be in charge of patch management, I'd be terrible at
Ted Harrington:it. Because what it requires for patch management are the kinds
Ted Harrington:of things that your brain is wired in a certain way
Ted Harrington:to excel at. I think the kind of person who's really good
Ted Harrington:at like, maybe accounting, the kind of person who wants to make
Ted Harrington:sure that the numbers perfectly zero out and everything's like
Ted Harrington:exactly in order the way it should be. Patch management is
Ted Harrington:kinda like that too, like you have that absolute overriding drive
Ted Harrington:for the perfection. But you can take that you combine it with
Ted Harrington:the fact that patches sometimes break systems, and breaking
Ted Harrington:systems gets in the way of operational uptime, and
Ted Harrington:operational uptime, in a lot of situations, is non negotiable, or
Ted Harrington:operational downtime is not allowable. So there's all these
Ted Harrington:complexities to it. But really, I think that what's happening if
Ted Harrington:we go broader than just patch management, and we say, well,
Ted Harrington:why do we keep making the same problem, like making the same
Ted Harrington:mistakes over and over and over again? And I think it's because
Ted Harrington:we don't necessarily truly understand the problem. And we
Ted Harrington:don't truly understand the solution. And the "we" I'm
Ted Harrington:describing here is the people who have the problem, and
Ted Harrington:certain corners of the security community who are willing to
Ted Harrington:present the incorrect solution. We talked about penetration
Ted Harrington:testing before. And that's a great example of where, you
Ted Harrington:know, there are people willing to sell companies a penetration
Ted Harrington:test, that isn't a penetration test, they're willing to do
Ted Harrington:that. Now, maybe they don't know that there's a difference.
Ted Harrington:That's negative, that's negligent. Or they do know
Ted Harrington:there's a difference, and they're misrepresenting it
Ted Harrington:anyway. That's irresponsible. So whichever it is, it's not good.
Ted Harrington:But the problem is, that's a two sided problem, right? That
Ted Harrington:companies who are building things, like we talked about before,
Ted Harrington:they're not there every moment of every day working on how do you
Ted Harrington:break things, they're looking to their expert partners to help
Ted Harrington:them and the expert partner isn't actually presenting the
Ted Harrington:appropriate solution, those two issues combined become this
Ted Harrington:like, kind of catastrophic problem.
Dr. Dave Chatterjee:Yep. True. So here comes my final two
Dr. Dave Chatterjee:questions. First one is, What lessons do organizations refuse
Dr. Dave Chatterjee:to learn? Have you come across anything like that? Do you have
Dr. Dave Chatterjee:any thoughts on that? And I don't mean to stump you. So feel
Dr. Dave Chatterjee:free to say what's the next one? And I'm happy to throw out the
Dr. Dave Chatterjee:next one.
Ted Harrington:No, I like that question. Actually, a lot.
Ted Harrington:The way I would answer that, though, is I don't think
Ted Harrington:you could say there's a universal, there's not like one
Ted Harrington:lesson that everybody refuses to learn. But within every
Ted Harrington:organization, there is at least one lesson that
Ted Harrington:that organization refuses to learn. The one that as an
Ted Harrington:example, that it saddens me actually, I was gonna say it
Ted Harrington:irritates me or angers me. I was like, what's the right word for
Ted Harrington:this? But I think it saddens me is the way that sometimes
Ted Harrington:politics work in large enterprises. I've seen it happen
Ted Harrington:time and time again, where, you know, one executive will build a
Ted Harrington:program in a certain way. And that program is succeeding in
Ted Harrington:some way. And then the next, you know, that executive either gets
Ted Harrington:promoted or gets poached to go somewhere else. And then the
Ted Harrington:next executive comes in, and the way that exec, that new
Ted Harrington:executive is going to quote unquote, create their own thing,
Ted Harrington:right, is going to create their opportunity to get promoted, or
Ted Harrington:get poached to go somewhere else. They need to do something
Ted Harrington:unique. They can't just do what's already been done. And so
Ted Harrington:that, what do they have to do? They have to look at this
Ted Harrington:program that's already been built, and say, we're gonna do
Ted Harrington:it totally differently, because I know a better way. But if it's
Ted Harrington:already working, why are you tearing it down? And that is
Ted Harrington:actually a pretty significant problem in corporate America
Ted Harrington:today, that sort of political need. I
Ted Harrington:actually have no problem with someone needing to say, I need
Ted Harrington:to make my mark on this organization so that I can make
Ted Harrington:more money and provide more for my family. And like, what's
Ted Harrington:wrong with that? That's amazing. But unfortunately, the way that
Ted Harrington:it typically has to play out is by dismantling some other thing
Ted Harrington:that already worked. And so now you have in these, it's kind of
Ted Harrington:amazing when you see large enterprises, how inefficient
Ted Harrington:they can be. Because every few years, as there's this turnover
Ted Harrington:in, you know, executive positions, you're
Ted Harrington:kind of starting things all over again. And I mean, how many
Ted Harrington:people listening right now work in a large enterprise and go
Ted Harrington:through a reorganization? Like every three or four years,
Ted Harrington:you're like, I'll just wait this out, because by the time it
Ted Harrington:actually is implemented, there's going to be a reorg you know.
Dr. Dave Chatterjee:Yep. So let me give you my answer to the
Dr. Dave Chatterjee:question I posed to you. So, you know, two things happen, as you're
Dr. Dave Chatterjee:probably aware, it is the medium sized organizations that
Dr. Dave Chatterjee:generally capitulate after a major cyber attack, they go out
Dr. Dave Chatterjee:of business, there is data to support that. 60 to 70% of
Dr. Dave Chatterjee:small and medium sized enterprises cease to exist,
Dr. Dave Chatterjee:which is a very rough consequence, probably the most
Dr. Dave Chatterjee:severe consequence. But then there are large organizations.
Dr. Dave Chatterjee:And again, I won't take any names here, who, for lack of a
Dr. Dave Chatterjee:better word, made some very reckless mistakes that
Dr. Dave Chatterjee:border on gross negligence, and breaches have happened. There
Dr. Dave Chatterjee:were severe consequences. But they get bailed out for a
Dr. Dave Chatterjee:variety of reasons. And that's where my concern lies. Not that
Dr. Dave Chatterjee:we're going to solve this problem here, and neither am I
Dr. Dave Chatterjee:trying for you to suggest what the solution should be. But
Dr. Dave Chatterjee:that's where my concern is that when these organizations get
Dr. Dave Chatterjee:bailed out, do they learn the lessons, or do
Dr. Dave Chatterjee:they make the necessary changes? And these are not symbolic
Dr. Dave Chatterjee:things that you put out there to impress the media and impress
Dr. Dave Chatterjee:your investors. But it goes deeper into their processes into
Dr. Dave Chatterjee:how security is approached by the organization, whether
Dr. Dave Chatterjee:security is built into their organizational culture. In my
Dr. Dave Chatterjee:book, I talk about creating and sustaining a high-performance
Dr. Dave Chatterjee:information security culture, it's hard to do. But it is
Dr. Dave Chatterjee:definitely something that organizations should, should
Dr. Dave Chatterjee:strive towards. So that's from where I was coming, when I asked
Dr. Dave Chatterjee:you that question.
Ted Harrington:It's hard to say without being on the inside of
Ted Harrington:every organization, right, whether they've learned their
Ted Harrington:lesson or not, but you see plenty of cool success stories,
Ted Harrington:you know, in the aftermath of major breaches, including the
Ted Harrington:industry around whoever the victim was, you know, the movie
Ted Harrington:business is a great example. Sony, you know, went through
Ted Harrington:that, really, very publicly. You know, that was a real bummer,
Ted Harrington:that breach, for everyone, not just the people at Sony,
Ted Harrington:but the people who work with Sony in the movie business;
Ted Harrington:it's kind of a small world, everyone kind of knows everyone.
Ted Harrington:And, you know, a lot of hearts went out for
Ted Harrington:that. That was a really tough time for a lot of people. But
Ted Harrington:it's really cool to see in the aftermath, how the security
Ted Harrington:programs at different studios, got more funding got more
Ted Harrington:people, they got more sophisticated. And that's a cool
Ted Harrington:aftermath. I mean, yeah, you don't want a company to go
Ted Harrington:through what Sony went through. That's, that's terrible. But if
Ted Harrington:it has to happen, then let's make sure that there's some really
Ted Harrington:positive result. And that's, that's definitely what's been
Ted Harrington:happening. So that was pretty cool. That was pretty cool to
Ted Harrington:see that.
Dr. Dave Chatterjee:That's great to hear. I'm glad you
Dr. Dave Chatterjee:shared that with us. There are I'm sure many, many positive
Dr. Dave Chatterjee:stories of recovery, and, you know, coming back revitalized
Dr. Dave Chatterjee:and in ways that have made the organization better. So that's
Dr. Dave Chatterjee:good to hear. Hey, as much as I would like to keep talking with
Dr. Dave Chatterjee:you, I've been enjoying this, you know, we are getting to the
Dr. Dave Chatterjee:end of our time here. So let's try to wrap things up with you
Dr. Dave Chatterjee:sharing any final takeaways for the audience. Any final thoughts
Dr. Dave Chatterjee:for the audience?
Ted Harrington:Yeah, I mean, I definitely always like to end on
Ted Harrington:a high note. And I feel like the story I just told was, was a
Ted Harrington:high note. So there we go, you already have your high note. You
Ted Harrington:know, we're seeing industries react really well in the
Ted Harrington:aftermath of, of breaches. But I think that I would just leave
Ted Harrington:people with this fact that the security community is a
Ted Harrington:passionate one that really is trying to improve things every
Ted Harrington:day. Ethical hackers included amongst that, and that, to me is
Ted Harrington:really exciting to live in it and to see it and to those of
Ted Harrington:you who maybe are wanting to join security, or maybe you are
Ted Harrington:not in security, but you work with security companies, just
Ted Harrington:know that there's a really passionate group, let's move
Ted Harrington:forward. And yeah, I mean, that just we can end on that note,
Ted Harrington:and if anyone wants to know anything more about, you know,
Ted Harrington:if any of the ideas we talked about you wanted to ask me
Ted Harrington:about, personally, you want to follow me on social media, you
Ted Harrington:want to know more about my book, you you want help with your
Ted Harrington:security testing program. Just hit me up, I'm easy to find at
Ted Harrington:Ted harrington.com. And everything you could need to
Ted Harrington:know is right there.
Dr. Dave Chatterjee:Fantastic, Ted, thank you again for your
Dr. Dave Chatterjee:time. It's been a pleasure.
Ted Harrington:Thank you for having me.
Dr. Dave Chatterjee:A special thanks to Ted Harrington for his
Dr. Dave Chatterjee:time and insights. If you like what you heard, please leave the
Dr. Dave Chatterjee:podcast a rating and share it with your network. Also,
Dr. Dave Chatterjee:subscribe to the show, so you don't miss any new episodes.
Dr. Dave Chatterjee:Thank you for listening, and I'll see you in the next
Dr. Dave Chatterjee:episode.
Introducer:The information contained in this podcast is for
Introducer:general guidance only. The discussants assume no
Introducer:responsibility or liability for any errors or omissions in the
Introducer:content of this podcast. The information contained in this
Introducer:podcast is provided on an as-is basis with no guarantee of
Introducer:completeness, accuracy, usefulness, or timeliness. The
Introducer:opinions and recommendations expressed in this podcast are
Introducer:those of the discussants and not of any organization.