Security is a farce because “security” is neither the objective nor a value in itself. And in any case, it’s not a game you can “win.”

Any non-trivial organization has unknowns: unknown assets, unknown weaknesses, unknown adversaries, unknown changes. Beyond that, mistakes happen, and sometimes exploits happen long before patches. That’s life. Compromise is inevitable. So if you define any compromise as “losing,” then you’ve doomed yourself to loss by definition, you’re a bad defender, and you should find a different line of work.

The harsh reality is that s*%t happens, and sometimes the bad guy “wins.” That’s to be expected. But not-so-secretly, your compliance program has known this for a long time (that there will always be risk), which is why you don’t lose your…

This is part three of a series on hacker logic — weaponizing a vulnerability. Check out parts one (doing reconnaissance) and two (figuring out what asset to exploit) to catch up.

Just as water flows to the lowest point, hackers are usually looking to take the path of least resistance. They want to be able to break into a system as quietly and with as little effort as possible — and with the fewest exploits. Once an attacker finds a tempting asset on your attack surface to exploit, they will typically deploy a few different tricks and techniques to find…

Every company is subject to the same reality: Compromise is inevitable

The security industry is reverberating with news of the FireEye breach and the announcement that the U.S. Treasury Department, DHS and potentially several other government agencies, were hacked due (in part, at least) to a supply chain attack on SolarWinds.

These breaches are reminders that nobody is immune to risk or being hacked. I’ve no doubt that both FireEye and SolarWinds take security very seriously, but every company is subject to the same reality: Compromise is inevitable.

The way I judge these events is not by whether someone is hacked, but by how much effort the adversary needed to expend…

The cloud has changed everything. Companies may have a similar number of devices to what they had before, but defending them has become a different mental game altogether. It used to be that no matter what happened, you’d always be able to unplug your fiber from the wall and your whole system would be disconnected from the internet, but not any longer now that it’s in the cloud. Variable location has added complexity and made boundaries less clear. The transition to remote operations has made the need to isolate faulty assets that much more pressing, as anything could be connected…

Software developers favor agility over sticking to a fixed roadmap in response to a dynamic and ever-changing technological landscape. It’s time security learned the same lesson.

The first principle for security (and more specifically attack surface management) should be this: You don’t know (and probably never will know) your whole inventory. And if your business is critically dependent upon knowing everything, your business is probably going to get hurt.

Forward progress in cybersecurity requires that we question assumptions that we view as fundamental. First among these: the idea that we can know everything (about anything) and that we’re building security…

Attackers have a checklist for evaluating a new target, and pro-tip: it doesn’t only have to do with the highest severity vulnerabilities

This is part two of a series on hacker logic — deciding what to exploit. If you’re interested in how a hacker does recon on a company, particularly through social engineering, read part one on reconnaissance.

Even medium-sized companies these days do so much diversified work in the cloud that their attack surface is absolutely massive, making it nearly impossible for them to know where to focus their time or energy. But the good news is that adversaries don’t have time to look at every asset in depth either — the number of assets can often run in the tens…

Doing surveillance on organizations takes time and persistence, but isn’t overly sophisticated. Tools that make things more usable, make you more of a target, and organizations have to make this risk trade-off daily.

As someone regularly hired to hack Fortune 500 companies, I’ve gone up against many different types of organizations — some are adept at stopping me from achieving my objective, others leave the door wide open. What I’ve found is that the most challenging organizations to break into are the ones anticipating my every move. They have experience protecting what matters most.

This blog post series is designed…

Security is not a problem to be solved, it’s a practice to be performed. It’s a chess match against a hacker, and a stalemate is your objective.

Hackers always start from the assumption that they can break in — it is a question of how, not if. Most defenders (aka blue teamers) believe they can design something to be secure. But hackers know nothing is ever completely secure.

So if the defender and the hacker play by a different set of universal, immutable laws, how can the defender prevail?

The only common ground is a monetary one. Dollars. Cash. How…