You get paid to break into companies' buildings and networks. Why is that level of assessment necessary?
The reason is that everywhere I've worked where I've owned the security program, the biggest problem is getting funding to do it the right way. I've found that the more you show someone and prove that you could do it, they have a total psychosomatic reaction to it. When I can hold their passwords in front of them and I can show them a picture of me in their data center at 2 a.m. when there is nothing on their security cameras, it does the job. It's been functional and worked in the government for a hundred years. For the security guys, you're telling me that you're ready to fight. All right, prove it.
How did you get into the security field? Did you have a physical security or information security background?
It's all an infosec background. My family built wastewater treatment plants, so I got to learn physical security that way. Then I was in the Navy for a brief stint and then went to work for a law firm that defended Big Tobacco, Buick and United Airlines, and we had tons of sensitive data. We had armed guards in front of storage lockers guarding this stuff. And we were transporting data all over the world. Then I went to work at Sprint and built data centers for them and was doing blended threat assessments and all of that. They took it really seriously. I also worked in a big consulting firm and got a whole different view of what compliance means to the Big Four. I learned to speak auditor and learned that consulting companies are the root of all evil. They told me my job was to bill time, not fix problems.
How did the Tiger Team TV show come about?
I have some friends in the movie business who have technical backgrounds, and after about three or four Defcons' worth of telling stories and showing them pictures of me standing on top of missiles or holding anthrax, they said it would be cool to follow me on a job. I told them we'd do it anytime, anywhere.
One of the first episodes had you guys breaking into a car dealer and you ended up driving out with two of their cars. Is that typical of what you do?
Not at all. That's both the smallest and the weirdest job I've done in this field. Most of them are much larger and not as sexy as that one.
With so much code being written overseas now, how real is the threat of industrial espionage if companies don't pay enough attention to the people they're using?
It is extremely real. These are areas these companies spend tons of money on. In the software industry it's a major problem. I know people, and I've been on incident response teams myself, where you end up finding out that the janitor stole the source code. It's getting worse and worse. Some luxury goods companies hire hacking teams to break into the competitors and steal designs for the next season. Look at things like social entrapment. People go after help desk engineers, build a relationship and then start paying them for useless information. Then they start relying on that money, and pretty soon I can make them give me things they aren't supposed to. I've rooted your company and sold that intel for a hundred times what I paid for it. It's a beautiful form of hacking. We see this as a serious threat with U.S. companies who have outsourced their R&D overseas, and then it comes back here to get productized in the States.
How can a normal enterprise protect against that?
They need to be doing more tire-kicking and less assuming. I ran a project at Sprint that was crazy. We did this social engineering training program where we tried to educate the users on some of these tricks people use. Then one week after that we called and tried to social engineer them. The success rate was ungodly. It was crazy. The only thing that let them know how bad it is was the test.
What are the biggest mistakes you see companies making with their information security programs?
Being aware of your business is something I thought was fairly normal, but most of the clients I deal with are shocked by how I look at it. Going through and deciding what's the most critical to stay alive and building your information security program off that is the key, instead of just being PCI compliant. You might be compliant, but if your system is compromised, you're going home without a paycheck. People err on the side of compliance versus security.
So you see companies putting too much emphasis on compliance and not enough on security.
Unequivocally. I was doing an assessment of the parent company of a company that got compromised by a data breach, and I showed them the vulnerabilities and they said, "It's not PCI, we don't care." That's an open door to your data center and they're all, "PCI, PCI." I love showing people I can get close to a resource that's vital to the company, regardless of how close it is. I love showing clients that everything is controlled through Windows. You don't think that's a problem? OK, I'm just going to encrypt everything on your hard drives and not give you the keys. Done.