Take a class with Dr. Herbert Thompson

I recently took a seminar on Product Security led by Dr. Herbert (Hugh) Thompson from Security Innovation. He’s the Chief Security Strategist there, holds his degree in applied mathematics, and has been working in the security sector for a number of years training corporate types about the dangers and how to integrate security into their processes. This is pure üb3rn3rd love here.
What’s interesting is that this is something that I’ve been preaching for years in IT when I had to deal with management types. People have always taken a “defensive” strategy, but planning should start with security in mind, and you should always think like the attacker. Dr. Thompson has this saying: “Think like the abuser, not the user.”
Wow. I remember saying something similar to my manager back in the late 90s. I was showing him how Windows computers could be compromised without detection in our corporate test lab when we were starting to integrate Windows PCs into the corporate network. Back then, we ran pretty much 95% Macs.
What’s more interesting is that anyone who has had the pleasure of working in Linux sees the madness in the server logs. Just hook up a log watcher, lock down some accounts, and watch the logs for attacks. It’s pretty interesting just to analyze how sequential account scripts and password dictionaries are used, and that attackers are always looking towards the big picture. Compromising one account isn’t the key point; it’s compromising multiple accounts. Do you know how many attackers rely on default passwords? Did you even know such a list existed? Real eye-opener for those who have not participated in secure programming. [Note: I was a part of the SRES research group back in the day. SRES stands for Secure Reliable Embedded Systems.]
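Since the paragraph above talks about watching the logs for scripted account sweeps, dictionary runs and default-account guessing, here is a small log watcher that does exactly that over sshd `auth.log` lines. This is an added example for this post, not code from the author, Security Innovation or the SRES group. The log lines are constructed for the demo, the `DEFAULT_ACCOUNTS` set is an illustrative handful of common default usernames rather than a complete default-credential list, and the threshold of three failures is an arbitrary choice you would tune for your own servers.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd lines for the demo (not a real capture).
SAMPLE_AUTH_LOG = """\
Mar  3 02:14:01 web1 sshd[4812]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar  3 02:14:03 web1 sshd[4815]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2
Mar  3 02:14:05 web1 sshd[4818]: Failed password for invalid user oracle from 203.0.113.7 port 51006 ssh2
Mar  3 02:14:07 web1 sshd[4821]: Failed password for root from 203.0.113.7 port 51008 ssh2
Mar  3 02:14:09 web1 sshd[4824]: Failed password for root from 203.0.113.7 port 51010 ssh2
Mar  3 02:14:11 web1 sshd[4827]: Failed password for root from 203.0.113.7 port 51012 ssh2
Mar  3 02:15:40 web1 sshd[4830]: Failed password for invalid user user1 from 198.51.100.23 port 40001 ssh2
Mar  3 02:15:41 web1 sshd[4832]: Failed password for invalid user user2 from 198.51.100.23 port 40002 ssh2
Mar  3 02:15:42 web1 sshd[4834]: Failed password for invalid user user3 from 198.51.100.23 port 40003 ssh2
Mar  3 02:15:43 web1 sshd[4836]: Failed password for invalid user user4 from 198.51.100.23 port 40004 ssh2
Mar  3 02:20:15 web1 sshd[4840]: Failed password for alice from 192.0.2.55 port 60233 ssh2
Mar  3 02:20:31 web1 sshd[4843]: Accepted publickey for alice from 192.0.2.55 port 60234 ssh2
"""

# Matches both "Failed password for invalid user X from IP" and "Failed password for X from IP".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
# Illustrative default/vendor account names attackers try first (assumption, not exhaustive).
DEFAULT_ACCOUNTS = {"root", "admin", "administrator", "test", "guest", "oracle",
                    "pi", "ubuntu", "user", "postgres", "mysql"}
FAILURE_THRESHOLD = 3  # failures from one source before we call it an attack (tunable)


def parse_auth_log(text):
    """One dict per recognised sshd auth line; anything else is skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({"result": m.group("result"), "method": m.group("method"),
                           "invalid_user": m.group("invalid") is not None,
                           "user": m.group("user"), "ip": m.group("ip")})
    return events


def is_sequential(usernames):
    """True when the names are one prefix plus a consecutive counter (user1, user2, ...),
    the signature of a scripted account sweep."""
    parsed = []
    for name in usernames:
        m = re.fullmatch(r"(.*?)(\d+)", name)
        if not m:
            return False
        parsed.append((m.group(1), int(m.group(2))))
    if len(parsed) < FAILURE_THRESHOLD or len({p for p, _ in parsed}) != 1:
        return False
    nums = sorted(n for _, n in parsed)
    return all(b - a == 1 for a, b in zip(nums, nums[1:]))


def summarize_by_source(events):
    """Group failures per source IP and collect the signals classify() needs."""
    per_ip = defaultdict(lambda: {"failures": 0, "accepted": 0,
                                  "users": Counter(), "default_accounts": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        if ev["result"] == "Accepted":
            s["accepted"] += 1
            continue
        s["failures"] += 1
        s["users"][ev["user"]] += 1
        if ev["user"] in DEFAULT_ACCOUNTS:
            s["default_accounts"].add(ev["user"])
    return dict(per_ip)


def classify(summary):
    """Tag one source's behaviour; an empty list means nothing worth alerting on."""
    tags = []
    if summary["failures"] < FAILURE_THRESHOLD:
        return tags
    users = summary["users"]
    if any(n >= FAILURE_THRESHOLD for n in users.values()):
        tags.append("password dictionary")        # many guesses against one account
    if len(users) >= FAILURE_THRESHOLD:           # one guess each against many accounts
        tags.append("sequential account script" if is_sequential(list(users))
                    else "account enumeration")
    if summary["default_accounts"]:
        tags.append("default-account probing")
    return tags


def analyse(text):
    """Parse, summarize and classify: returns {source_ip: [tags]}."""
    return {ip: classify(s) for ip, s in summarize_by_source(parse_auth_log(text)).items()}


if __name__ == "__main__":
    for ip, tags in analyse(SAMPLE_AUTH_LOG).items():
        print(f"{ip:16} {', '.join(tags) or 'no alert'}")
```

Run against the sample, the first source gets tagged for walking a password list against root and for probing default accounts, the second is flagged as a sequential sweep of user1 through user4, and alice's single typo followed by a successful key login stays below the threshold. In practice you would feed this from `tail -F /var/log/auth.log` (or journald) and hand the offending addresses to a firewall rule, which is what tools like fail2ban automate.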
Product-security-wise, this requires everything from planning for security, to the services for when you disclose bugs in the system, to fixes/patches, to a way for third-party researchers to actually get in contact with you about issues they have discovered in your product. Marketing, sales, and even human resources have to participate in security, since securing a product requires full corporate participation. And just FYI, the concept of security by obscurity is out the window.
Anyone who has had the pleasure of taking a course with or interacting with Hugh Thompson will come out of it seeing a lot of what security researchers have been looking at for years. It’s funny how this is some of the same stuff I was teaching some high school students a couple of years ago: read Bugtraq, keep up with information. It’s amazing how much we rely upon products that have little security, purely because security teams do not understand the concept of looking at it from an offensive perspective to actually create the defensive plan. Biggest take from all of this?
Security is not a team or a product. It’s a process.
I urge anyone who is looking to help nail down the costs of product security and other security concerns to sign up for any keynotes or seminars given by Dr. Thompson. Not only will it be very amusing, since he’s a great speaker, but you’ll learn some things that you never knew about security.