About this Episode:
Are you using Infection Monkey? In this episode, Pluralsight author and security expert Maril Vernon share insights from her Infection Monkey course. Discover uses of Infection Monkey to test for later movement and network segments against known MITRE tactics. Listen up to learn how this cool tool can identify your companies vulnerable network paths and how to protect yourself proactively.
TestGuild Security Testing Exclusive Sponsor
Micro Focus Fortify is the recognized market leader in application security and is the most comprehensive and scalable application security solution that works with your current development tools and processes. Try it today
About Maril Vernon
Maril also known as “SheWhoHacks,” is an IT security expert specializing in pentesting who has helped people start new careers in cybersecurity from a long tenure in a non-technical industry. After entering cybersecurity for the National Guard in 2018, in just over 1 year Maril has achieved 7 certifications in pentesting and security in unprecedented time including: Metasploit Pro Certified Specialist, AppSpider Pro Certified Specialist, AWS Cloud Certified Practitioner, Atomic Purple Teaming, and Security+. Maril’s expertise will be featured as a contributing editor of the CIS AWS Foundation Benchmark v1.3 and CSFI. Closing the gap between enterprise risk and IT security, Maril discovered a need for a new kind of expert who could speak to non-technical audiences. Drawing on her multiple degrees from UCSD and other universities, and a family of technical engineers and developers, Maril is uniquely qualified to demystify the terminology, testing, compliance, and tools of cybersecurity.
Connect with Maril Vernon
-
- Website: www.pluralsight.com/authors/maril-vernon
- Twitter: @shewhohacks
- LinkedIn: /marilvernon/
Full Transcript Maril Vernon
Joe [00:02:11] Hey Maril! Welcome to the Guild.
Maril [00:02:14] Hey Joe, how are you?
Joe [00:02:16] Awesome, awesome. Great to finally speak with you. I think you're the perfect guest for this episode of the show because I think a lot of our audience are newbies and it seems like you have a special knack to actually break down security in a way that I think other people can easily understand. I'm really excited to dive into it. Before we get into it is there anything in your bio that you want the Guild to know more about?
Maril [00:02:34] No, although I do need to update it. Thanks for bringing that to my attention because now I have about nine or 10 certifications. So Aviatrix Multi-Cloud certified and I picked up a few more along the way. So it's been a busy first year and infosec, but tons of good things happening all the time.
Joe [00:02:50] Awesome. So that actually leads to my first question. What's the deal with certificates? Do you think it actually helps people with security? Do you just love learning? Like, why so many certificates?
Maril [00:02:58] So I access them on the soapboxes stand on the most. I think that a lot of people don't understand certifications and the practical application they have to the jobs that people are going to do every day. So I'm not a big advocate of having a ton of them despite that I have so many. And I think that the big ones that people like certain jobs are known for, like my job and Pen Testing, you know, people want a CEH. They want an OSTP and they don't actually know what that means because they want like web application Pen Tester. And I'm like neither of those certifications suppress web application Pen Testing. So I do think the certifications are good to have for foundational knowledge and giving you contextual understanding to understand higher echelons of more complex ideals and methodologies. But I don't think you need a ton of them under the sun. I think actually nowadays a lot more someone's accomplishments and skills experience speaks louder than the certifications do. But in security, unfortunately, certifications can be the gatekeeper sometimes. H.R. won't even move your application on unless you have their bar entry certification, which is usually a sec plus. So…
Joe [00:04:00] Awesome. So once again, that's my next question. If someone's getting into Pen Testing, or they are trying to move over from a different field, is there one certification you think you definitely should get certifications, definitely worth the time and effort because it gives you X amount of benefit?
Maril [00:04:14] Yes. So even for someone who's worked as an IT for a long, long time or who's been a developer for a long, long time, I recommend Sec Plus because, you know, up until now, you haven't been a security professional. You've been a development professional or a sysadmin or some other type of professional. But security hasn't always been an aspect of what you're thinking of. And there is a security aspect that plays in most business operations. So it really helps to put yourself in a security mindset and thinking of just the aspects of what you might be doing that do apply to information sec. So Sec Plus is great. It's a managerial level cert, so it's a great overview. You're going to get a very wide but shallow breadth of knowledge so you're going to drink from a fire hose a little bit if you're new. But you can understand everything in Sec Plus and take that forward with you. Everything else is going to make a lot more sense.
Joe [00:04:57] Great. So since you have taken so many certs as well, any tips you have for people to prepare for them to pass them? Any hacks you've learned to learn, ramp up quickly?
Maril [00:05:07] I actually used to call myself a process hacker. Before it was a real one, like really going to taking something and breaking it down and making it happen faster or better or easier. And I do tell people I'm more of a professional student than I am a professional Pen Tester. But I would just say honestly, some of my tips are to like look to the back of the book and memorize the glossary first, because the more familiar you are with the terms that are being used throughout the book, the less you're going to have to refresh yourself on what something means as they're trying to explain more about it. Additionally, it would be to get yourself in context. So don't be exposed to DLP for the first time when the Sec Plus book is talking about it. Understand how a DLP, what it is, how it fits into a corporate enterprise like security program. So understanding security programs in general and like structure and the various components to a defense in depth set up, all those things will really behoove you as you learn about how to make them more secure.
Joe [00:05:59] Nice. And as I mentioned in your bio, you have a knack for helping people that may not be in security or non-technical industries make a transformation over to this career. What kind of transferable skills you think folks have that make them or would make them a good fit for cybersecurity, security type role at an organization.
Maril [00:06:17] Oh gosh, sorry. There are tons honestly. So people who have been technicians their entire careers don't have a ton of soft skills and they don't like the soft skill things. So a few of the things that stood out to my first hiring boss that as the reason she hired me into infosec despite that, I told her I had so little technical knowledge that I didn't even know what an IP address was. But I love learning. I learn quickly. I retain information really well. I'm great with attention to detail. I'm really good at documentation and policies. And I'm also really, really good at speaking to multiple people because I came from customer service and marketing so I can take a concept and translate it for any audience and make sure that anyone understands what I'm talking about. And those are all things that technical people inherently lack and they don't want to work on their public speaking. They don't want to speak in the meeting. So if you can immediately understand even what your team is doing and relate it to the other business managers on behalf of your team, you're going to play an integral part in what they do. And they're going to have to involve you in all their projects so that you can understand that you can be the face man to them. That's a sweet spot to be in because now you're walking around as the go-to face expert for all these security projects and all these things that are happening within the company that senior management really cares about. So there are tons of applicable skills that people from finance or sales or marketing or APAR can absolutely bring with them into information security.
Joe [00:07:38] So I guess then what got you into security? It seems like you'll be able to learn anything. So why put all your efforts into learning cybersecurity?
Maril [00:07:45] Because I was hitting a knowledge stealing with pretty much every new industry I tried. I tried a number of them and I would come in, learn it quickly, master it because I'm really good at learning. And then I would get bored and I said, you know, I really need something where it's I never going to know it all. I will never sit back and do like, “Well I'm done now.'” I'm the epitome of the master of cybersecurity knowledge. Everything's always changing. New things are evolving. New things are being combined in different ways. There's so much to learn. It's ever-evolving. It's so challenging. The second I get better, the enemy gets better and then I have to get better to out better them. And it just keeps going like that. And it's just it's super engaging material. It's material that my brain really loves. I retain it really well without really trying. So that tells you that you're in a good niche spot for your skills. So that was what really attracted me to security from the beginning.
Joe [00:08:34] Absolutely. And I love learning as well. I'm always on Pluralsight looking for new courses on new things and I actually stumbled across yours. Never heard of it before. So I'm excited to learn more about what…you actually have a class called Lateral Movement with Infection Monkey. So I guess at a high level, what's lateral movement, and then what's Infection Monkey? Can we break that down a little bit? What that's all about?
Maril [00:08:53] Absolutely. So lateral movement with Infection Monkey is part of the Red Team Tool series that Pluralsight is doing. There's also Blue Team Tool series. These are short, no more than a half-hour bite-sized little courses on various tools you can incorporate into your arsenal as you're executing more red or blue team operations. So the part that lateral movement plays and we do go over this in the course, we tell you which MITRE tactics it addresses and where it fits into the kill chain in every single Red Team Tools course. So after you gain initial access to a system, which would be your initial compromise, and then you're starting to dump credentials and do network discovery and you're trying to enumerate different shares or users or ports that are open, dump credentials, lateral movement is what gets you from your initially compromised host into other places in the network. So other shares, escalating to other users would be privileged escalation. It's kind of a part of lateral movement that you're like, I want to be on the network server the data like it, but this basic user doesn't have that. So I have to hop to this server where the admin credentials unprotected. I can then escalate to an admin and now as an admin, I can get to the data. So that's kind of the part that lateral movement plays and Infection Monkey is such an effective tool at multiple stages of the kill chain, but especially lateral movement, because a lot of…Something that's very hard to manage from an oversight point of view for IT ops teams is configuration management. It's one of the number one things I have a ton of findings on and pretty much every assessment I do because it's so hard to stand do configuration changes in a standardized fashion. And so you might have left a port open somewhere. And now there's a hole on port 22 to another host. You really don't want to have port 22 open. Something like that. And Infection Monkey because it is not an adversarial emulation tool. It's a real payload (??). It's fully loaded, just like anything that China uses would be. And it goes after your system, except for its only goal is to propagate itself. It's not going to attack your data or encrypt anything, but it'll find the porthole. It'll find the service holes, it'll find the admin hashes, and it'll combine all these things to say, hey, I started off on this basic user endpoint over here and I ended up all the way over here in your data. And it'll show you the path of hosts that it actually took to get there. It will tell you what compromise it used at each step to hop to the next stepping stone. It'll give you a visual layout, so it'll give you actually a live map of all the things it's compromised. It'll compromise something from one host, talk to another host, compromise that thing again to show you these all have a path open. So if you want to walk those parts down, lock SMB down, make sure you're taking away as many steps from that kill chain as possible. I mean, Infection Monkey is just such an effective tool for doing all of that.
Joe [00:11:30] I want to dive a little bit more into it. But first, like I said, I think most of my audience, I could be wrong, mostly beginners. I don't know if we ever define what is MITRE. What is a MITRE attack?
Maril [00:11:38] Okay, so MITRE attack is a framework. And really what it is, is it's a giant repository. It's kind of a library of adversary TTPs, which are tactics, techniques, and protocols. So basically, anything that the enemy is doing to try and accomplish a specific stage of a hack, which is called the kill chain. So the hacking process is called a kill chain. So anything they're using to accomplish initial access so compromise their first host, move laterally in a network, take data and get it out of your system that all is combined into one giant kill chain and all those individual things are TTPs. And so MITRE has basically taken all the TTPs from the public playbooks of the enemies and categorized them so that you can tie the testing and the security controls that you're doing, like the controls you're implementing in the testing you're doing to specific tactics. You can say if they wanted to accomplish this on us, they would have had to use this tool right here and we took away their ability to do that. So now, even if they got this far, they could no longer move forward with this breach because we've removed as many pieces as possible so that they're less likely to be successful. And so MITRE really helps you do that.
Joe [00:12:49] Cool. Now you mentioned kill chain. Once again, I'm a newbie, so let me picture this. You mentioned that Infection Monkey lets you look at different ports and then access all the resources once it's into other resources. So is that the kill chain? Like, eventually you get to the point where you have admin rights and you're able to actually do some damage?
Maril [00:13:05] Yeah. So the kill chain would be how I want to accomplish the hack. So let's say in order to compromise my first host, I need to phish somebody so that I can get their password. So I would say my initial access is going to be a phish. And once I have been clicked my link and give me their password, then I'm going to see I'm going to run that stat and enumerate domain users and all the shares that person has access to and see where I can go. That's my discovery steps. Now I have initial access and discovery and it kind of keeps going like that all the way down the kill chain through credential access and privilege escalation all the way to exfiltration, which is taking some something of yours and leaving your environment with it so that I have it on my own over here now. That makes up an entire kill chain. And so you kind of pick a methodology for each step that you want to combine specifics to that network. So if I got in and I saw you had SMB open or port 22, which is SSH, I would say, oh, I'm going to pick using SSH with this payload which works over SSH to try and accomplish this so I can make myself an admin, kind of thing from a high level. There are a lot more steps involved, but that's kind of how that would work.
Joe [00:14:13] So if someone didn't know those steps, Infection Munky, does it have like known exploits and known paths that it does, and that's what it does. It automates those types of exploits where it'll walk to what someone would normally do to get to a certain outcome that you're trying to achieve?
Maril [00:14:27] Yes. So versus me having to seal the open ports and seal the user thing, pick and exploit and craft it, Infection Monkey just does all that automatically. It's doing it all the time. So if it's got ten payloads it can use on a certain port, it'll try all ten of them and tell you which ones were successful. And then you can just break that exploit down. You can say, oh, this payload okay, if I simply remove this, that won't work. Done. This one, okay, if I remove this, that won't work. Done. And then you're taking away puzzle pieces for them to play with to try and craft an entire successful hacking process.
Joe [00:15:02] So how come more companies don't use it? Maybe they do use it. It sounds like something you would. It's a quick win almost.
Maril [00:15:08] I don't know why more people aren't using this. I saw this in a demo at a conference, I can't remember what the conference was, but I was like, this is amazing. This is robust. But this is kind of scary. I mean, this is good. Like, if I was my IT op team, I would be running this on myself every week to be like when we change something with this update, did we open a hole somewhere or a path that we didn't intend to? Or are we still just as secure as we were on the last update? You know, like this thing is still effective and it's got so many implications that you can use it to protect yourself against phishing, against lateral movement, against Purple escalation, against past the hash, against exfiltration. So I think more people could be (unintelligible) myself up.
Joe [00:15:50] Is it hard to set up/ Is there overhead with it that maybe people may not use it? Or it's just not well known.
Maril [00:15:57] No, I do walk you through this in my course. It's either very simple open-source download. Guardicore gives it away for free. You can totally see the Python source code running behind it. Or you can subscribe to an AWS instance. That's what I did. I just went into the marketplace. Click, click, click, subscribe, launch, and then you can use it, ready to go.
Joe [00:16:15] So I know a lot of times people when they use tools, can get in trouble. If they turn on the network like Metasploit or something, they're messing around to learn it. It doesn't seem like it does anything malicious, it just walks through and gives you information without actually doing anything bad, right?
Maril [00:16:28] This is the kind of tool that if you were to use it, it's going to send off a bunch of flags and alarms. Hopefully, your IDS or your MSSP is going to be like what is going on over there right now? I do warn people before I set it off. Otherwise, a lot of people get their feathers ruffled. But what you have to keep in mind is even though it's not a malicious payload, it's only goal is to replicate itself. The monkey's an agent, so it'll replicate and then try to move and replicate and try to move. But it's still doing all of that with a real payload. So your antivirus is going to say, I detect this payload, this payload, this payload. Those are bad payloads. And I know that. So it's the kind of thing where you do have to turn your firewall off to download it. And you do want to warn some people or at least tell your boss, maybe you don't want everyone because you want to see how well they do. But at least tell your boss before you do it because it'll set off some flags, ideally.
Joe [00:17:20] Cool. And it sounds like the end result is something very actionable, where if someone sees the report, they know what to do or how to fix it or resolve it.
Maril [00:17:28] Yes, it actually gives you a MITRE report, a security vulnerability report, and a zero-trust report that no matter what you're using, can make remediation based on the information it gives you. And like I said, it gives you a really lovely little live network map. And senior management people love visualizations like that. You give them a network map saying, I started down here on my computer and I made it all the way to the CEO's computer and they go, oh, okay, now we know how bad that is.
Maril [00:17:56] So have you actually use this in your day to day organization where you work or have got good results from it?
Maril [00:18:02] Yep, yep.
Joe [00:18:04] Very cool. So I guess another thing you cover in your course is something called the zero trust model. And once again, I apologize if it's a newbie question, but what is a zero trust model?
Maril [00:18:13] So zero trust is just another alignment framework. It's something you can align your testing program to. So when you start out with a new security program, the thing you're going to be trying to the level you're trying to achieve is basically compliance for some reason or another – PCI compliance, ISO compliance. So you have a governing framework that's actually you can be audited to that thing or has a regulatory body and you're trying to get compliance to those things that you don't get fined. Once you have that, you're operating in a reasonably secure manner. Now you want to take your security outlook to the next level and make sure you're being proactive with it and make sure you're not letting it go stale. That's when you're going to implement things like zero trust or MITRE, which are reference frameworks and not compliance frameworks. There is no MITRE compliant anything. These don't replace ISO or NIST or anything else with MITRE. It's not like that. But you're going to take these other reference frameworks that people have developed and you're going to see if you're security standing up to that. And if not, that'll get a really good roadmap on places where you can improve your security. So zero trust is just one of those that basically says there are no trusted relationships. Like if you have a TLS set up with a vendor, which is like a trusted tunnel at the data transfer layer, then if someone wants to compromise one of your vendors' users, let's say yours are too secure, they compromise your user, your vendors' user. They let themselves inside your tunnel. And now everything is going well because you trust that vendor. You don't check all the request and all those source IP. You say anyone in the tunnel is good to be in the tunnel. Zero trust as you verify every request, every source, every time, no matter what, because we don't trust anybody. So it's not a bad place to be in.
Joe [00:19:55] Nice. Now, are there multiple areas that make up what is a zero-trust framework? Once again, I think this is I pulled this from your course.
Maril [00:20:03] Yes. It's in my course. I kind of go over to a very high level what goes into the zero-trust framework. So it's basically just doing data verification every single time. It's got some pillars that make it up and each pillar breaks down into certain controls. So, like, if you have this, then this pillar is 50 percent good. If you have these four things, this pillar is 50 percent good and you can kind of gauge how well are we doing zero trust. If we want to do zero trust really well, we have to have all these things. So it's a reference framework. It's just how high do you want to build the walls? But eventually when your walls get high enough, then you kind of want to hire someone like me. You want to hire a Pen Testing firm or a Red Team to come in and actually want some catapults at your walls and see if they stand up or if you've missed something. And Infection Monkey is a really great tool for doing that because it's basically harmless and it's free.
Joe [00:20:51] Very cool. So once you have your part from an Infection Monkey is there anything else you do as a Pen Tester? Do you say, oh, wait a minute, now that I know this port is open, I'm going to do this type of attack with another tool?
Maril [00:21:01] Yes. So a lot of people will take an automated tool like Infection Monkey or Atomic Red Team, and they'll just launch it and get the results and say, well, we're done now. And it's like, well, this is one of the things I explain to people. I don't stop there. Like when I have those results that tell me other things that I can try, other things I can do. And I never give a raw report to anybody because they generally don't know how to read them, and they can be pretty scary. So as a Pen Tester I take all my findings and I give them some organizational context and I put them into a report. So I say we don't have maybe this, but that's actually not bad for us because we have this and this and this to compensate for that. So where is the tool? Might say this is high. For us, this is actually low. We're actually doing a pretty good job here. So I do try to give some context. I do try to give some actionable feedback. Like if you want to make this more secure, you could do this. If this is operating as intended and your risk appetite is pretty good with this operating how it is, then you're fine. You know, it's really important to know that in security we operate as a reporting body. We simply tell you this is how bad this could be. This is how you're operating. We don't tell you you can or cannot do something. You say, if you do that, this is how bad it gets. But if you take our advice, this is how less bad it gets. So a lot of people in security get frustrated because we don't call the shots. We just advise for advisors. But yeah, I absolutely take those results and I would absolutely see you know, is there anything Metasploitable I can do for this? Is there anything Cobalt strike I can do with this? Oh, you have this port open. I already have a payload croucher for that. I was going to send it to your IP address and see if I can get you to click it. And then I'll say it takes your funding a step farther (unintelligible) from. In a perfect hacker world, this might be bad if the hacker could theoretically to. I already did it. I took this thing and I made it happen and it's already happened. And now that takes its likelihood up a notch from possible to already happened once in the last year, which makes its risk rating go up. And risk is a business function. So everything in security translates to business risk.
Joe [00:22:56] So did you give people a heads up before you do an engagement and does that kind of I guess you have to, but does that kind of make it so people can be prepared? And so you're not getting real results?
Maril [00:23:06] Let me tell you, we don't always tell people even when a deal does not often change the result.
Joe [00:23:16] Wow.
Maril [00:23:17] Sadly, there have been times I participated in Cyber Shield 2020 recently, which is a huge Purple Team exercise with the National Guard Bureau as a Red teamer. And so we had a Blue Team and we had our Red Team over here and we were allowed to talk to each other. But we had a Purple Team coordinator who was kind of saying, okay, I don't want your next thing yet. They haven't even found the first thing. Don't start dumping credentials. They can't even tell that you've scanned their network. So it was kind of a live engagement. But eventually, the Blue Team was really not finding anything we were doing. We're seeing the indicators of compromise. So we had to open up our books and say, okay, I'm going to hit enter and launch this payload. You should go over here and see if you can see that. If you can't see that, you can figure something wrong. You know, like I know. I just passwords break you. Can you see it? If you can't see it, that's bad. So we don't always tell people. Sometimes we do give the highest up, a heads up. Like if your chain of command tells you something is going on, it's not actually bad. Don't wake up the CEO. You know, we know our response process is functioning as intended, but, you know, it's not actually bad. However, sometimes we don't. Sometimes we want to see if our MSSP, who is our third-party security provider, is awake and on it. If they're telling us before we tell them that something bad has happened. We want to see if not only our tools like our antivirus but our people process is working. Did you wake up the right people? Did you send an email or did you phone call? Like if this had been an actual breach we need to know that our incident response is functioning as intended. That's part of security. So it really just depends on if we're going to tell someone.
Joe [00:24:47] So since I saw in my podcast, you have people talking about Red Team, Blue Team, do you notice people spend more time on one than the other or is there a breakdown people should be spending the time in? It is mostly just Red Team people are focusing on rather than Blue Team type activities.
Maril [00:25:03] I would say that everyone on a Red Team came from a Blue Team originally. The Red Team never conceptualizes itself. It always comes from a Blue Team because again, you want to build up your defenses and get your walls and your defense pretty good, or the Red Team will come in and just obliterate you. It's like a nonvalue added test. So you want to make sure you've got everyone in a defensive mindset. Every Red Team exercise I do is to improve security. I do it with the goal of improving security, not just to break it really, really well and walk away and say, well, I broke that. That's your must. A lot of Red Teamers don't like that part. They just want to come in and break it and have fun and leave it for the Blue Team. But really, you need to give them something to go off of. So I would say I spend actually maybe 10 to 20 percent of my time in the Red Team world. And everything else I'm doing is a defensive standpoint. It's a lot of advising I.T. ops, putting an improved security spin on all the breaking stuff that I've already done, or it's Purple teaming. It's saying, hey, I am myself using a team server, which is a Red Team tool, and I'm using a monitoring tool, which is a Blue Team tool defense. And I am actively watching to see if I can see my own activity. If I can't even see it then how is my real Blue Team? So I Purple Team myself or red team myself but I do spend a lot of time, like everyone else in my department is Blue, the CISO, the architect, the infosec program manager, security awareness, they're all defensive people. So I. You have to be able to translate what I do into Blue Team or I'm not effective.
Joe [00:26:25] So obviously Infection Monkey should be in everyone's toolkit. Are there any other tools you use as a go-to Pen Tester that you like that maybe doesn't have enough love out there that people should know more about?
Maril [00:26:35] Well a lot of them are pretty straightforward. Burp is something that I use a lot and everyone uses Metasploit, who doesn't? However, some of the ones that I really love that I don't think get enough attention are Atomic Red Team. Our Red Canary, shout out to them. Amazing tool you've got out there, guys. Another one is Silent Trinity. Silent Trinity is great. If you're not familiar with Cobalt Strike, Cobalt Strike is a team server type setup. So you basically host your own server that you're compromising systems and you're getting sessions to all your compromised hosts and you can see them and interact with them and send more stuff at them in cycle. Silent Trinity is kind of a boiled down barebones version of that. It's very cool. Yeah, I like a lot of automated testing tools. I actually don't use a lot of Kali. People are going to hate me for saying that. I don't drive my Kali machine a lot. I don't really need to. I kind of pick out the bits and pieces that I like. I have an end and map script that I run that gives me some text outputs and that tells me my users, my shares, my open ports, and I go from there. So I don't really use a ton of Kali, but I do use a ton of the other open-source automated Red teaming tools. I think they're really effective because when you get to my point, you want to do targeted testing. You don't want to keep throwing the kitchen sink at it and having all those results to go through. And, you know, if we're improving everything at once, we're improving nothing. So let's pick one. We're going to improve our initial access vectors. We're going to take care of…as much of that as we can. Keep moving on. We're going to address as much lateral movement vectors as we can. When that's reasonably secure, we'll move on. So I really want to boil down and laser focus my testing to specific TTPs and not just keep throwing the whole tool at it. It's not effective.
Joe [00:28:11] Okay Maril, before we go is in one piece of actionable advice you can give to someone to help them with their security testing efforts? And what's the best way to find or contact you?
[00:28:19] The best way to fight or contact me is probably going to be on LinkedIn. I spend a lot of time in Discord now but LinkedIn DMs got pretty overwhelming when I got to about 40 of them, so. Well, it's happy to answer questions. I have a team of experts that I work with very closely, colleagues of mine. We're all over at the Discord server so I'll try and get you on a Discord. Pick an alignment framework on top of your compliance framework. Whatever you do that don't have to not be fined by the government do that. But pick a compliance framework, because it will get you all speaking the same language. Business risk and internal audit and senior management and IT ops, those are all people that get different reports of mine. One is highly technical, one is strictly an overview. One is strictly the business impact. And none of these people have the same job function and speak the same language. So when you use something like MITRE or zero trust, people are using the same terminology. They're referencing the same thing across their report. It's not, well we call your thing this and you call our thing that. And now things don't make sense. Standardization is one of the keys to security. So standardize as much as possible. Document everything, document, document, document. However, you spend up an EC2 instance. However, you want the canned responses to phishing tests to go. Document everything because documentation saves lives and then pick up a reference framework and get everyone using it. Get everyone thinking on the same page. So even when they're speaking their own language, you have something common to go back to.
Rate and Review TestGuild Security Podcast
Thanks again for listening to the show. If it has helped you in any way, shape or form, please share it using the social media buttons you see on the page. Additionally, reviews for the podcast on iTunes are extremely helpful and greatly appreciated! They do matter in the rankings of the show and I read each and every one of them.