In the latest instalment of our interviews speaking to leaders throughout the world of tech, we’ve welcomed Jeff Baron, cybersecurity professional with Critical Path Security and recent interviewee on NBC News segment 11 Alive.
Tell us about the business you represent, what is their vision & goals?
I represent Critical Path Security and lead the offensive security team. Critical Path Security’s team is dedicated to helping midsize companies increase their awareness around information security issues affecting their business and enhancing their security posture to secure and protect sensitive assets. We help people protect themselves.
What inspires and energises you within your work?
I’m extremely passionate about helping people and solving puzzles. While I enjoy being good at my job, what I like even better is seeing my clients become more and more secure. When I return to a client for a third engagement and they have locked down all the old things it challenges me to find new ways in. Eventually, the client and I get to the point where I am struggling to break in anywhere. It’s a great feeling to see an insecure environment become a fortress.
Can you share a little bit about yourself and how you got into cybersecurity?
Sure. I have a non-traditional path but I don’t think I’m alone in that with this industry. I have had a lifelong interest in computer security. I organized a local 2600 meeting in Roanoke, VA when I was 13. I’ve worked most of my life in IT and software development. I had an indie game development business that failed so I started looking around for new opportunities. I ended up meeting my boss at a local hacker conference.
He was looking to hire people and I was just trying to get some pointers on how to get a job in the business. He told me he’d help me find a job and he did. He hired me as a Security Engineer.
What advice would you give to someone wishing to start their career in cybersecurity?
Have faith in yourself. It’s not magic. This stuff can be learned and you don’t need any special background or permission to learn it. You can learn so much online. I would say the most important advice I would give them is to attend local security conferences and meetups.
This more than anything will accelerate your entry into the field. Meet the people. It will help you understand how the business works. And they might hire you.
Why is penetration testing necessary?
Penetration testing exposes the holes and gaps in an organization’s IT infrastructure. The default configuration of a Windows network is full of problems. I can usually compromise a client’s network on their first engagement in 2 or 3 hours.
The problem is ransomware threat actors have the same skill set I do. They even use a lot of the same tools. So you’re going to get a pen test. It's just a matter of how much you will pay for it.
Additionally, a penetration test is a great tool for IT departments to show the impact of a cybersecurity incident to senior management so they can receive the resources they need to properly protect the organization’s IT environment.
What is the main difference between vulnerability scanning and penetration testing?
A vulnerability scan is just an automated process. It is sometimes a part of a penetration test but it is dramatically less involved. Your vulnerability scan isn’t going to conduct LLMNR poisoning attacks over IPv6 and relay SMB credentials to dump NTLM hashes from a host. It isn’t going to customize and deploy an exploit that will bypass your antivirus.
It won’t escalate privileges on a compromised host and move laterally until the entire network is compromised. It will give you a lot of false positives that need to be tracked down. That said there is a lot of value in a vulnerability scan.
It will point out software that needs patching which is very valuable. It may point out configuration issues. It’s just a very different thing. Orgs need to do both.
What is the primary purpose of penetration testing?
I believe the primary purpose is to demonstrate the very real danger and impact a cybersecurity incident can have on an organization. It creates a better understanding among senior management and IT about what resources and planning are needed to minimize the impact and risk of an incident.
What is the difference between vulnerability assessment and penetration testing?
A vulnerability assessment is just a vulnerability scan with a report that has been written by a human. Penetration testing exposes vulnerabilities but also exploits them. Permissions and policies will be checked and abused. Attack trees are planned and precision strikes are conducted.
How do you do penetration testing with Kali Linux?
With permission and great care. Kali Linux is a great distro. The value comes from all the open-source tools it bundles into one place.
I have my toolset (all open-source) that I usually install on Ubuntu. You don’t have to use Kali to conduct a penetration test but it certainly has the tools necessary to do so.
Which step of penetration testing includes the remediation of the vulnerabilities?
After the report is delivered to a client and the findings have been reviewed we usually set up another meeting to discuss remediation progress. It is up to the client to remedy the vulnerabilities found or accept the risk of having them.
When the client is ready we will check the findings again and deliver a remediation report to the client.
Have you ever used either Kibana or Grafana as part of your work?
Kibana is great for visualizing data. I highly recommend it.
Does your organisation use log and metrics data to improve and secure your systems? How do you find managing logs assists your day to day work?
Yes. You can’t work without logs.
Are there any books, blogs, or other resources that you highly recommend?
There are so many. I love the /r/netsec subreddit. Paul’s Security Weekly podcast. I think your local DEFCON group mailing list is also good. For me, it’s dc404 and dc770. Black Hills Infosec webcasts on YouTube.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
I do have a growing concern about containers and their management. I think cloud environments will suffer the same problems as on-premise environments do currently.