Phishing Tests: A Waste of Time?
In the ever-evolving landscape of cybersecurity, one practice has become almost ubiquitous: phishing tests/simulations. Organizations deploy these tests with the intention of fortifying their defenses, but I genuinely feel that constantly bombarding users with phishing simulations is a waste of time. Yes, this view may be seen as controversial, but I wanted to take a moment to explain why I feel phishing tests might not be the panacea they are…
Addressing the Pain Point: Determining Severity for Findings in Consulting Reports
In the consulting world, the one consistent deliverable across all engagement types is the report, which often becomes a focal point for clients. It not only raises awareness of what was found, but many times is also the justification they desperately need to take back to their leadership for additional resources, whether people, processes, and/or technology. Yet, despite the uniformity in deliverable expectations, there’s a significant…
Turning the Page: Why I Chose to Leave Consulting Behind for a More Grounded Future
In this blog post, I want to share with you all the personal and professional journey I’ve been on, leading to my decision to leave the consulting world and return to being an individual contributor with an asset owner/operator. I’ll dive deep into my reasons behind this shift, and I want to apologize upfront for any strong language that might slip through. This topic is close to my heart, and…
Building Trust as a Penetration Tester: The Key to Effective Client Relationships and Impactful Advice
In the world of cybersecurity, the role of a penetration tester is not just about identifying vulnerabilities but also about building a relationship of trust with the client. This trust is essential for the client to take the advice and feedback seriously and act on it. Here’s how to establish and maintain this crucial trust: Establishing Trust: More Than Just Pointing Out Flaws As a penetration tester, the initial interaction…
The Pitfall of Overspecialization in Cybersecurity Job Postings: A Call for Generalist Roles
In the ever-evolving landscape of cybersecurity, the trend in job postings towards hyper-specialization – pigeonholing professionals into narrow fields like vulnerability management, identity & access management, or network security – is not just puzzling but also deeply concerning. This approach, widely adopted across the industry, raises several critical questions that need addressing. Why Aren’t Generalists Celebrated? In a field as dynamic and interconnected as cybersecurity, the value of a generalist…
Living Off the Land: A Dying Breed in Cybersecurity
As technology continues to evolve faster than anyone thought possible, so does the cybersecurity industry. With this growth comes an influx of tools designed to simplify tasks, optimize processes, and promise unbeatable security. But herein lies a danger: an over-reliance on these tools. The “old-school”, ingenious principle known as ‘living off the land’ is, unfortunately, becoming a dying breed in cybersecurity. The Reliance on…
10 Reasons Why Cyber Policy Exclusions Aren’t What You Think
In today’s hyper-connected world, organizations are constantly striving to fortify their cyber defenses. From firewall configuration and network segmentation to intrusion detection systems, there’s a myriad of tools and techniques at our disposal. However, a common practice among many teams is to implement broad exclusions in their security tools, either to reduce false positives or to improve system performance. While the intent is often noble, this approach can unwittingly weaken an…
Pertinent Issues Concerning Penetration Tests and Vulnerability Assessments in OT
Recently, my experiences in the ICS/OT cybersecurity space have compelled me to address a few pertinent issues concerning penetration tests and vulnerability assessments. Through this post, I hope to shed light on some common misconceptions and underscore the genuine value behind these activities. The Frustrations of Premature Penetration Testing It’s not uncommon for organizations to jump onto the penetration testing bandwagon without truly understanding its prerequisites. I have frequently…
Vulnerability Assessment vs. Penetration Test
Vulnerability assessments and penetration tests both provide valuable insight into the vulnerabilities found within an organization and are important proactive measures for reducing the risk of a cyberattack. Because of these similarities, vulnerability assessments are often confused with penetration tests. Although related, the analysis performed in a vulnerability assessment and the simulated attacks of a penetration test are very different. A vulnerability assessment looks at the organization as a whole and identifies attack paths…
OT Penetration Testing: How Often Should You Get A Pentest?
Building a functional OT cybersecurity program is not a sprint, but rather a marathon. It can be challenging, and admittedly daunting, especially when trying to determine the foundation for establishing a mature program. When it comes to OT penetration testing, the best time to conduct one is before a breach occurs. Unfortunately, many organizations don’t receive the resources they need until after they’ve been successfully breached. By acting in this reactive…