{"id":92450,"date":"2023-06-08T08:15:00","date_gmt":"2023-06-08T08:15:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/?p=92450"},"modified":"2023-06-08T08:15:00","modified_gmt":"2023-06-08T08:15:00","slug":"bishop-foxs-vinnie-liu-talks-offensive-security-skills","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=92450","title":{"rendered":"Bishop Fox\u2019s Vinnie Liu talks offensive security skills"},"content":{"rendered":"<p>Conventional security, which is sometimes referred to as \u201cdefensive security\u201d, focuses on reactive measures, such as fixing known system vulnerabilities. <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/offensive-security\">Offensive security<\/a>, on the other hand, is a proactive approach to protecting against cyber attacks.<\/p>\n<p>Offensive security is far more than just another word for <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/penetration-testing\">penetration testing<\/a> (also known as pen testing). Penetration testing is a cyber security technique to identify, test and highlight vulnerabilities in an organisation\u2019s <a href=\"https:\/\/www.techtarget.com\/searchsecurity\/definition\/security-posture\">security posture<\/a>. Offensive security incorporates penetration testing, together with other forms of security testing, to fully assess and review a system\u2019s security profile. 
In many ways, offensive security could be considered akin to a live-fire exercise used by the military to test their defences.<\/p>\n<section class=\"section main-article-chapter\" data-menu-title=\"A proactive approach to security\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>A proactive approach to security<\/h3>\n<p>\u201cOffensive security is the all-encompassing term for a broad range of activities,\u201d explains Vinnie Liu, CEO and co-founder of <a href=\"https:\/\/bishopfox.com\/\">Bishop Fox<\/a>, an offensive security specialist that launched its UK operations earlier in 2023.<\/p>\n<p>\u201cIt\u2019s the emulation of adversaries in various ways. It\u2019s penetration testing, both internally and externally. It\u2019s application testing and the discovery of vulnerabilities. It\u2019s the exploitation of those vulnerabilities in the real world, as well as the ecosystem around the identification and exploitation of vulnerabilities across the entire technology stack,\u201d he says.<\/p>\n<p>The proactive nature of offensive security results in a more robust security posture, as the defensive measures will have already had their resilience tested, and the majority of exploits will have been detected and mitigated. Although offensive security may not necessarily prevent attacks, as nothing can be 100% secure, it will enable a thorough trial and testing period in advance.<\/p>\n<p>Even though human-based elements may remain the most vulnerable exploit (through social engineering), offensive security enables organisations to detect system-based vulnerabilities that could be exploited. 
These can be broadly defined into the following five categories:<\/p>\n<ol class=\"default-list\">\n<li>Credential management \u2013 poor password management remains a common flaw, despite well-publicised warnings about this issue.<\/li>\n<li>Custom code or application-level vulnerabilities \u2013 insecure code that enables the system to be exploited.<\/li>\n<li>Misconfiguration of systems \u2013 this can be as simple as not activating a security feature or a system not being appropriately configured for maximum effectiveness.<\/li>\n<li>Missing patches \u2013 poor patch management is another common issue.<\/li>\n<li>Sensitive information disclosure \u2013 when a system discloses too much information about itself, which a malicious actor could leverage and exploit.<\/li>\n<\/ol>\n<p>It is often a combination of these five categories that can lead to a high-risk vulnerability. A single medium-risk vulnerability may be a cause for concern, but might not require urgent attention. It is more likely that multiple medium-risk issues could result in a compromise, as they could be linked together and leveraged to acquire access.<\/p>\n<p>\u201cPeople refer to it as attack chaining \u2013 linking together these various vulnerabilities that may not seem like a critical risk, but when combined with others create pretty devastating results,\u201d explains Liu.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"A multi-skilled discipline\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>A multi-skilled discipline<\/h3>\n<p>The multi-faceted nature of offensive security requires a diverse skillset. Offensive security testing is more complex than simply stress-testing a system, as it requires inventiveness and creativity on the part of the analysts.<\/p>\n<p>\u201cThere\u2019s an aspect of it which is similar to safecracking. 
To do that successfully, you have to know how it works, so that you can find how it doesn\u2019t work,\u201d says Liu. \u201cYou\u2019ve got to both quickly understand if something should happen, and then be creative and inventive enough to figure out how it shouldn\u2019t happen, or how you can still get it to do a thing that it was never designed to do in the first place, but not crash and fall over.\u201d<\/p>\n<p>The cyber security sector is struggling to recruit specialists, as there are currently more vacancies than experienced people. This is especially the case for offensive security, due to the diverse skillset required. As such, offensive security firms such as Bishop Fox have an active recruitment policy of always being on the lookout for fresh talent.<\/p>\n<p>\u201cPart of being an offensive security expert is you need to be versed in a broad array of technologies and systems, as you don\u2019t know what you\u2019re going to come up against,\u201d says Liu. \u201cBecause we encounter so many different environments, networks, custom applications and custom targets, you really have to have that versatility and a broad, but also deep, set of knowledge.\u201d<\/p>\n<p>This lack of offensive security talent has been exacerbated by the limited number of academic institutions that have educational programmes designed to teach students how to become offensive security experts. \u201cThere\u2019s plenty where you can learn how to be a network analyst or security operations centre analyst and get your hands around some of those,\u201d says Liu. \u201cThe skillsets and instinct of offensive security are tough to teach in a school environment.\u201d<\/p>\n
<p>Given the limited number of academic or training credentials available for offensive security, talent and reputation for security is often far more important than academic qualifications or certifications. \u201cWhen we look for talent, we don\u2019t care about degrees,\u201d says Liu. \u201cThe most educated and credentialled people in our company are the technical writers, who have degrees from Oxford and Yale, but for our testers it\u2019s all about their skillset and their commitment.\u201d<\/p>\n<p>Vinnie Liu became interested in security during the early days of the internet, dialling into systems and sharing text files. What really piqued his interest was reading technical documentation about how computers operated and how different aspects of telephone systems worked.<\/p>\n<p>Learning about programming and how different operating systems worked was a natural progression for Liu, as well as spending time on internet relay chat (IRC) interacting with peers in those circles. \u201cAs I was graduating from high school, an individual I knew, who I\u2019d known for over four years online, was in the Air Force and working at the <a href=\"https:\/\/www.nsa.gov\/\">National Security Agency<\/a> (NSA), suggested that I get in touch with a couple of people at the NSA,\u201d recalls Liu. 
\u201cThey were running a programme designed around recruiting computer science and math people out of high school, to bring them into the agency if they were gifted and talented programmers.\u201d<\/p>\n<p>Whilst IRC may now be obsolete, programming and mathematics have come to the fore with the prevalence of <a href=\"https:\/\/www.techtarget.com\/whatis\/definition\/STEM-science-technology-engineering-and-mathematics\">science, technology, engineering and maths (STEM)<\/a> teaching in modern education. Organisations can harness the focus on STEM subjects by liaising with educational establishments and engaging with pupils, thereby allowing them to nurture fresh offensive security talent.<\/p>\n<p>This engagement could be in the form of immersion days, where schools arrange for pupils to experience different careers throughout the year, or offering educational challenges with a prize for the winner. In each of these cases, individuals with the appropriate talent will become familiar with the backing organisations and be encouraged to apply for vacancies within the sector.<\/p>\n<p>\u201cThe key thing you\u2019re looking for is talent, but that\u2019s difficult to judge until they\u2019re in,\u201d admits Liu. \u201cA lot of people can talk the talk, but the ability to grow and become more sophisticated to be a true professional takes passion and dedication and a willingness to invest.\u201d<\/p>\n<p>However, the pervasive nature of technology and the growing acceptance for remote working has meant that organisations are no longer as geographically bound as they once were. Recruitment initiatives in the past may have required a relocation budget for potential applicants, but the capacity for working online means that this is no longer the case. 
As such, organisations are now able to search further afield and expand their recruitment campaign beyond the normal boundaries.<\/p>\n<\/section>\n<section class=\"section main-article-chapter\" data-menu-title=\"The future of offensive security\">\n<h3 class=\"section-title\"><i class=\"icon\" data-icon=\"1\"><\/i>The future of offensive security<\/h3>\n<p>With the growing frequency of cyber attacks that have real-world implications, there has been increasing demand to have a robust cyber security posture that can protect user data. There is also the reputational element that needs to be considered, as potential clients and vendors may be disinclined to rely on the services of an organisation that has recently suffered a data breach due to a cyber attack.<\/p>\n<p>\u201cThere\u2019s an embrace of this approach to testing yourself and holding yourself to a higher standard, and allowing that to improve your system,\u201d says Liu. \u201cThere\u2019s a renaissance in offensive security, as companies are looking to be more proactive instead of reactive. People and regulations are starting to push for proactive measures \u2013 instead of getting breached in the first place.\u201d<\/p>\n<p>Given the proactive approach for detecting threats before they are exploited, offensive security remains a powerful tool in an organisation\u2019s security posture. 
However, it is a technique that is experiencing a shortfall in analysts with the required skillsets, due to the lack of formal training or certification. That said, with the appropriate community engagement policy, organisations should be able to attract suitable students with the potential to become offensive security analysts in the future. This approach to easing the skills shortage requires time and commitment.<\/p>\n<p>\u201cThe way vulnerabilities are being exploited today is a global concern,\u201d concludes Liu. \u201cIt isn\u2019t just regional anymore, because of the homogeneity of technical systems. Everyone is impacted by it.\u201d<\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"<p>Conventional security, which is sometimes referred to as \u201cdefensive security\u201d, focuses on reactive measures, such as fixing known system vulnerabilities. Offensive security, on the other hand, is a proactive approach to protecting against cyber attacks. Offensive security is far more than just another word for penetration testing (also known as pen testing). 
Penetration testing is [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":92451,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-92450","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=92450"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/92450\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/92451"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=92450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=92450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=92450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}