Published: 02 Apr 2016
Interview and photograph by Marcus Ranum
What do you do?
I'm assistant vice president for security for a national financial institution. I started to learn pen testing back in 2008. I started to actually work as a pen tester in 2009 and it helped me become a better blue teamer by figuring out how a bad guy would break in.
I was doing that 25 years ago, when I got into physical security. I would do patrols and say, 'Well, a person could get in here. There's a way that a person could do this or that.' Finding the physical security mistakes made me better at figuring out how to secure any area.
Evolution of your skill set and how you came to where you are …
I literally got tired of being shot at. I went into desktop support and I became a supervisor. I realized I sucked at management and then, in 2000, I knew this guy who was responsible for online transactions, and he needed a security administrator. I went 'Hold on … You can do security and computers and nobody shoots at you? Yes!'
This is my passion; it's something I've always loved. When I was 18 doing security, I was doing it not as a career or as a power trip, it was because I liked helping people. I liked being the good guy.
So you see it as being a good guy, yet your perspective is that of the bad guy!
If you do not go into a red team or a pen test with the express and explicit goal of making those people more secure, you're wasting everybody's time. They probably know the flaws that you're finding, and they couldn't get anyone to [fix] them. You're there to assist them in getting those things accomplished. That's your job as a red teamer and/or pen tester. A lot of people's perspective is 'I'm just here to break stuff and write a report about it.' No! As a pen tester, that's the least helpful thing you can do.
I call it a security awareness engagement; I don't call it a red team exercise or a pen test. On the last day of my engagement I spend the whole day getting caught. I act suspicious. I am overt. One time, I actually carried a server out from behind a Teleline, just so I could get caught. I want to give them that 'win' and get their attention.
You can't keep telling employees 'This is what you did wrong!' You have to be able to say, 'These things need to be improved, but this person detected that I was trying to piggyback off them.' That way you give them concrete actions they should keep doing.
When you're doing your work as a pen tester, what do you lean on from your past?
I'm not organized or disciplined at all. One of my key skills as a pen tester is I'm very good at finding where something can break.
When I was little I would actually repurpose my toys. … So I asked for certain kinds of cars that, when you took the wheels off, looked like spaceships and hover cars. And that way I had my spaceships!
Is it the curiosity that drove you?
What I have from my childhood is probably paranoia.
Lord of the Flies could be my family vacation photos. I dropped out of high school, I don't have a college degree, and I'm always the stupidest one in the room. So I'm constantly trying to learn more. The other thing is, when I was young I was always waiting for the other shoe to drop. That still drives me today; I'm always looking for that worst-case scenario. My wife went on a vacation trip with my son and she was out of communication for a day because there was bad cell service -- but I called the state police.
Do you see the branching decision-tree with all the possibilities, or do you just jump to the most likely thing that can go wrong?
One of the weirdest things is that I literally have 25 different trains of thought going on, constantly. Sometimes people think I look distracted, but it's always like that for me. The only time I can narrow it down to one is if I am in a movie in a theater, or if I'm in a first-person shooter.
From where I am sitting right now in this chair I could trace it back to 'I met this person' and then 'I went here' and 'I did this' and I could walk forward down all of the branches that didn't lead me to be in this chair right now talking to you.
I don't sleep much. If I start sleeping too much I wake up in a panic because there are too many things that I need to get done.
Is that why you didn't want to be a manager?
I'm bad at supervising. I'm bad at paperwork. I don't mind helping out and I don't even mind doing all the work, but I don't want to be designated as the guy who's responsible for stuff because then I'll fail.
I'm always brutally honest. Anything that's in my head goes right out my mouth. I feel like with everything I say, I'm a failure and I'm just waiting for people to catch on.
About the author:
Marcus J. Ranum, the chief of security at Tenable Network Security Inc., is a world-renowned expert on security system design and implementation. He is the inventor of the first commercial bastion host firewall.