Welcome back to Pentester Diaries, a podcast series that aims to take off the hacker hoodie and have a real conversation about this growing profession.
In this episode, Jon Helmus talks with Shashank Dixit, a long-time cybersecurity professional with a love for the offensive side of security. Jon and Shashank will talk about Beyond Security Hygiene, diving into the fundamentals, and more.
Pentester Diaries is multi-formatted, with audio, video, and written versions of the episode below.
Watch the video podcast here:
Prefer to read the episode? Below you can find a transcription of the podcast:
Jon Helmus: [00:19]
Welcome everyone to this week's episode of Pentester Diaries. I'm your host, Jon Helmus, and joining me today is Shashank from the Cobalt Core. Shashank, thanks for being here today.
Shashank Dixit: [00:34]
Thank you, Jon. Happy to connect with you.
Jon Helmus: [00:36]
Awesome. Thank you, sir. Thank you. Today, Shashank and I are going to talk a lot about a fairly hot topic in cybersecurity.
The topic that we are going to be talking about is security hygiene and how do we work beyond security hygiene. Shashank, the listeners know about myself from previous episodes. However, I would love for you to give an introduction about yourself- who you are, your background, what you're currently doing, and your experience here at Cobalt.
Shashank Dixit: [01:23]
Sure. Jon, I am a Security Consultant with Sumeru, that's a company in Bangalore, India and I have close to 13 years of experience in cybersecurity. For the last few years, I had this opportunity to work with Cobalt Core and I'm thoroughly enjoying my time with Cobalt. I love offensive security. My time basically goes in pentesting, Red Teaming, and I'm leading the team of security experts in my current job. It's been an incredibly, beautiful journey with cybersecurity. It's very interesting and every day it's a new challenge. I am really enjoying my time.
Jon Helmus: [02:05]
That's great. I'm glad to hear it. Thirteen years of experience in cybersecurity, that's quite a bit. That's telling me that you've seen cybersecurity grow into a field, essentially because 10 to15 years ago, I would argue that, maybe shorter than that. It wasn't even really a field. We're starting to see cyber degrees. We're starting to see a lot more cyber certifications, a lot more push for cyber in the workforce and anything in between those. I'm just curious, too, about your experience or your thoughts on how you've seen cybersecurity evolve.
Shashank Dixit: [02:48]
When I started back in 2008, it was not a very known thing. People were knowing security, the Vulnerability Assessment and Penetration Testing (VAPT) was still a big thing. But vulnerability assessments and penetration testing were considered to be a luxury, unlike today. At that time, there are less resources online to study or to groom yourself in security and to learn something new.
We started with our Linux box and started scripting there and somehow we learned networking. Even running a virtual machine on your host system was such an eye-opener thing. I remember those days and we had those networking challenges of using a virtual box on a host system and that was such a tough time. Unlike today, we have so many resources, so many training materials online, a lot of blog posts and the overall industry has evolved from the traditional VAPT to now what we say Red Teaming and chat hunting and all those sorts of other resources. Of course, the growth of industry is incredible. I have seen the companies growing from a traditional firewall thing to today with DevOps and DevSecOps, so amazing. It’s incredible to see that. I'm really fortunate to witness that.
Jon Helmus: [04:17]
You're fortunate but the field also needs people like you. The field is also fortunate to have you. I love to always ask that question to everyone who's been in the field for quite some time, because you've seen it grow. You are a substantial pillar in the uprising of cybersecurity. And in this case too, Shashank, with you, it's offensive security. Something that's grown a lot. You're saying, he issues that some will never know about how difficult it used to be to just get a virtual image on VirtualBox and the networking issues that came with that. That's an amazing insight.
With that, something that's come up with the uprising of cyber in the workforce is cyber hygiene and that's what we're going to be talking about today, or security hygiene. We can use those terms synonymously with each other. For this conversation, I'd love for you to talk about what is cybersecurity hygiene and what qualifies as cybersecurity hygiene?
Shashank Dixit: [05:33]
Before that, I think it's important that we understand how different IT setups around an organization and what a hacker's view of an organization is. If you see, there are multiple types of hackers who target a particular organization if they want to hack. The first type is the basic Script Kiddie types, where they just run some tools, some automation, they find some vulnerability, and they get inside. The second type of hackers are a bit more skilled. They know how to basically filter the results and poke into the functionalities and go further down. Then the third type of hackers are really skilled ones, and if they target a particular organization, most of the time, they are going to be getting inside.
When we talk about basic security hygiene, what we are trying to do here is to filter out all those Script Kiddies or the low-level hackers and try to set up a defense that is capable to stop that kind of hacking attempt. When I say that kind of hacking attempt I mean, you should have at least the basic firewall in place. You should have periodic vulnerability assessments. And then for employees, you have some phishing programs going on where you are educating your employees, you have a basic lock monitoring system, or a bare minimum of antivirus running where you can go a little bit further and have compliance like ISO 27001. That set up your basic security hygiene starts with simple networking segmentation.
Building on top of your network segmentation, you set up the firewall. You set up an antivirus solution. You set up a proper log monitoring system and then you have periodic vulnerability assessments. And then you have some sort of security testing happening, at least an automation or you're running a desk tool on your application security. So that at least filters out a lot of those low-hanging fruits or low-hanging vulnerabilities, which can be easily targeted by all the Script Kiddies. That is your basic security hygiene. It is absolutely important to have basic security hygiene, but it is very very important to move beyond that and that's it. Basic security hygiene sets up a baseline for you, but as the organization matures, it's important to step beyond that.
Jon Helmus: [08:10]
A lot of interesting points. Honestly, Shashank, what I'm really hearing is that we need to make sure that we're executing the fundamentals. Is that what I'm hearing?
Shashank Dixit: [08:23]
Executing the fundamentals and making sure your basic security checklist is properly followed. If you're doing that, I think you are doing a good job in security because I see companies really struggle even to achieve that. I would say that's a good start.
Jon Helmus: [08:43]
Why do you think they're overlooking the fundamentals?
Shashank Dixit: [08:48]
There are multiple challenges there. The first challenge is the business requirement. That's where the conflict comes. When the company’s business priorities are different, then there is a security team who is crying for help. Where there is something to be urgently delivered or go live and then there is a security team which wants something to be implemented but there are no budget approvals or there is no sufficient amount of attention from management. That's where things become really problematic. Even to achieve a simple network segmentation, people are really struggling because they need multiple approvals. There is an IT team. There is a security team. There is a conflict going on. There's a dev team. It's a tough job for an organization.
Jon Helmus: [09:39]
I would 100% agree. As someone, too, who's been a pentester doing network segmentation and having to deliver the results of that, and then, also talk about next steps of how to achieve proper network segmentation, it's an interesting problem to have to solve. Definitely, an interesting problem to have to solve.
With all these basics and everything and hopefully listeners are now already starting to get the picture painted in their head about why this is important. But I would love for you to dive into detail about why all this is important? Why is it important that we understand what qualifies a security hygiene and what exactly it is?
Shashank Dixit: [10:32]
Imagine if a hacker wants to target your organization. What is it that he's going to target? He will look into the external periphery of your organization. He'll look into what are the external IPs? What applications have been facing the internet and then try to attack from there? If the hacker is just running a tool and finding all those low-security loopholes, then it's easy for him to exploit something and get inside. That is one way of doing it.
Another way of doing it is to target your employees, maybe some phishing email or maybe some Malware, where a loaded document will land in your inbox. If somebody clicks and if your basics are not in place (like your segmentation is not proper, if your Malware detection is not properly done, your proper antivirus is not there) then that ransomware is going to explode and infect the different systems. That is why it is very important to get the basics right. What I mean by basics is to make sure you're following the right configuration. You are giving at least a minimum privilege to the user, least privilege principle you are following. You are making sure that admin functionality is only limited to certain individuals who actually need it. You are implementing the need-to-know basis and if you are implementing proper due diligence there. So many things you can avoid.
If a ransomware payload gets executed on somebody's system, it is going to not only infect the system, but it will also scan through and infect the other notes there. If your basic networking is not done properly, it is going to be a chain reaction from there. That is why I'm stressing on this baseline security part a lot because everything starts from there and then you develop further.
Jon Helmus: [12:33]
Before we dive a little further into that, to highlight the severity of just overlooking the fundamentals. These essential controls that we have to put in place to ensure that we prevent some type of severe cyber attack. You mentioned the word ransomware, right? If you propose that to an organization saying, "Hey, we need to put these controls in place, otherwise, this is the severity and the impact of what can happen."
Have you described ransomware to an organization before, like using that as an example of what could happen? And if you have, I’m curious of what the take away from that was, based on that organization's perception of what the impact of ransomware would have by overlooking the fundamentals?
Shashank Dixit: [13:37]
In my job, multiple times I come across these kinds of fruitful discussions with multiple CISOs or multiple security teams, where I need to put my foot forward and explain to them that this is very basic stuff. For example, a simple incident management process. Imagine if an employee gets a suspicious email, then there should be a proper way where he can communicate, where he can actually tell and then there's at least a simple process set where some steps can be taken. Sometimes I usually explain to them, if one laptop gets compromised and it enters in your corporate network or your internal network then you are definitely giving easy access to the attacker sitting outside and controlling that laptop. Then from there, it's very easy to propagate. But, you can make it tough by some layers of security there.
What do I mean by layers of security? There is an antivirus running on your system and then a good go for them could be an EDPR solution. There could be a DLP solution. And then followed by another network left over, there's some monitoring happening, then definitely at least you can flex some of the events so there's some suspicion. And then from there, it is important that it shouldn't just stop there. It is important to educate the team. At least start educating them on security, a basic education to your IT team or dev team, the people who are writing the code, at least they understand that the basic inline SQL queries are deadly or it’s a crime. That kind of education is very important. I try to educate people in that way. Also, it is important to give the impression that security starts with something very simple so let's not think about it. It's a very complicated thing. Let's simplify it. That is what my intention is when I talk to people about security hygiene and going beyond it. That's how I try to talk about it and convince them.
Jon Helmus: [15:52]
Wonderful. Those are a lot of good points. Please let me know if you agree or if you don't, but the big thing is fundamentals and applying security in depth at the fundamental level. Beyond the fundamentals, we've been talking about the fundamentals for a while. For organizations that have the fundamentals down, they're doing all the right things. That doesn't mean that they're good to go. There are still other things to look beyond. What does it mean to look beyond the fundamentals? Why is that important? And more importantly, how do we do this?
Shashank Dixit: [16:32]
Let's come back to the organization and the setup around it. There is an external parameter, internal network, employees. And then there are gateways and there are firewalls. Now my question is, does your organization’s IT stop there? No. Organization IT also includes some of the shadow inventory. What is the shadow inventory? Something that you don't know which is part of your network. Today, you see subdomain takeover is such a big thing today in bug bounties. People start with something and then they forget about it. That's where all these mistakes happen where there is some DNS record already existing. They forgot about a subdomain and then there is a security guy who is able to find it. These are small things but have a huge impact.
What about third parties? What about the third party you are talking to or third-party integrations or those third-party APIs that are part of your core application? If they get hacked, then it is going to impact you. That could be an easy channel for them to just come inside. What about the data of your employees that have already been leaked over the internet and darknet? Somebody can pull that information, use those credentials against your organization, and then it's easy to access. Or maybe a developer who has committed a code on GitHub, that has all the reports and secrets lying there, just by mistake or unawareness.
Overall threat modeling consists of multiple things, not only your IP addresses and applications and employees. It also includes what is there on the internet, what is the data that is already outside. When I say go beyond security hygiene, I mean that you have to take care of all these. You have to make sure that you're very much aware of what it is that is already leaked over the internet about your organization. What are those credentials of your employees who are already there and haven’t changed their password yet? Or is your developer or some third-party vendor leaking something over the internet? All these things together make something beyond security hygiene and that's where the world is moving today. As we see, there are attacks that are evolving all of the time. A few years back, nobody was talking about subdomain takeover. But today if you see, it's a major attack vector. Things are evolving, attacks are evolving, and it's critcal that the security of organizations also evolve.
Jon Helmus: [19:28]
As things are evolving in technology so are the threat vectors and the attack vectors. A lot of this relates to the growth of pentesting as a process. It's growing. It's not this hacker-esque kind of thing anymore. It's becoming more of a formal process that businesses can execute. And also, on the pentesting side, it's essentially pentesters having to keep up with all of this new technology, all this new information, and evolve from that. With that being said, I would love to know your perspective, your input on all of this stuff that we just talked about—how does this relate to pentesting and pentesters overall?
Shashank Dixit: [20:23]
Pentesting is something I always say is inevitable. Organizations cannot avoid conducting a pentest for themselves. From a pentester's perspective, it is very important that we support and really add value to the organization’s security. It shouldn't be an exercise of just doing some scanning and doing some checks here and there and just presenting a report. It is important that we really add value. When I say really add value means what? When you connect to the internal team of an organization. When those findings are being taken to the closure. When there are vulnerabilities found, then it is important that pentesters support the internal teams of organizations to take it to closure. That's where the real value happens. That's where the organization really gets something out of it.
As a pentester, it is also important to go beyond the basic fundamentals that are there. It's important that you get used to all these new attacks because if you see, the whole attack paradigm has shifted over the years. Look at the OWASP Top 10 you saw a few years back. Now today, the list is very different. Now people are talking about deserialization, XML external entity (XXE)—there is something new every day.
It is important that as a pentester, you make sure that you are very much aware of what attack vectors are being exploited in the wild. At the same time, your skills should be sharp enough to be able to find those vulnerabilities in target systems and that's where you are going to help. This is how you really add value to pentesters, pentesting teams, and the customers. It is important that you become aware of the new attack vectors, practice that, and replicate these findings in your pentesting engagements.
Jon Helmus: [22:20]
To feed off of how it helps pentesters and pentesting and the evolution of it constantly changing, how does pentesting help build security hygiene and beyond in an organization?
Shashank Dixit: [22:42]
One thing pentesting does very well is executing a thorough assessment of your current status. It's a very good way of performing a technical gap assessment, where you see your applications running, and while they may have multiple APIs, there are pentesters who find issues in their testing.
That gives a very good idea for anyone who is looking to understand where pentesting is heading, and understand the trends of vulnerabilities. Various mistakes are happening from my end or from my dev team or my Ops team. When we are seeing a trend there, then it is easy for them to go and attend to the root cause of it.
It's important to analyze those results in a deep way and look into the root causes from where those vulnerabilities have been originating. And also, look into a holistic solution, not only just a quick patch-up or workaround for it. It's important that it has to be approached holistically.
Pentesting, is inevitable, and it really plays a really important role. Important that periodically you go for a pentest, make sure your critical assets are being assessed by a good skill team. A skilled team is very important there. It shouldn't be just a check on your pentest checklist, because of the compliance requirements. It's important that you're really challenging yourself, at the same time, you're not afraid of getting exposed.
Be open to get exposed, and work closely with the pentesting team to actually help them to find more vulnerabilities. Help them, try to work closely, define your scopes properly, make sure you're covering your scopes properly, and make it a success story. It's important that if more vulnerabilities are found, it is good for you, understand that. People are afraid of getting exposed. It's good that more vulnerabilities are being found so that you can go back, revisit, fix those root causes and then come back stronger. It's a continuous process. It's an evolving process and important that you come again and then get yourself evaluated.
Jon Helmus: [25:22]
It's a process that we all have to move forward with. Some keywords that you had mentioned made me think, this is just an organic process that we all have to naturally go through but we all have to be together to push it forward. Myself, I'm a big firm believer in the direction pentesting is going. It's inevitable. You have to do it. But it's not here to only show you your vulnerabilities. It's here to show you how to be better than you were before the pentest team or the pentesting engagement started. It's all about how we make you better than you were before. Did you want to say something?
Shashank Dixit: [26:18]
It's an evolving process. Everybody will see it’s worth the time and you will see. If you do the process properly if you actually implement your pentesting program, then you connect your teams properly and create a good bond between the pentesters and your teams, then you will see a real value-added. Because when you can share your scope thoroughly then pentesters can go and pull those functionalities properly, find those juicy vulnerabilities, and will help you over time. It should be done in a holistic way.
Jon Helmus: [27:02]
As you're telling us a bunch of things that we can do right on the pentesting and the organizational side, I would love for you to share some more targeted insight to pentesters and what advice can you give to pentesters about security hygiene as they moved forward in their pentesting careers?
Shashank Dixit: [27:30]
For the pentesters, if you come across testing a particular application or a network belonging to an organization that has just started at a basic network hygiene level, then make sure your results really make an impact or a strong case for that organization to grow further. It is important that your results are effective enough for the security team of that organization to really make a strong case to further strengthen their organization’s security.
Your security vulnerability should translate to some actionable items for the dev team or the network team, because those security vulnerabilities are something, which is like a direct result, where a hacker can actually use them against any organization. It's important that your pentest report should talk about the real value add or something which is actionable or something which is an initiative addressing that you are attending to the root cause of those vulnerabilities. That's where you are really adding value.
At the same time, the organization, which just had the basic level of security hygiene, you might end up finding so many vulnerabilities and that could be a kick for you. Just understand that the organization may be starting its first pentest program. It's important to be patient with them. It is important to be supportive in that case. Make sure that your results lay out some really good initiatives in that area to strengthen the security.
Jon Helmus: [29:25]
We're coming close to time here, Shashank. Thanks again for taking the time to be here. Moving forward before we close out, based on all the stuff that we just talked about, to the listeners, what are three key takeaways that you would want to give back to conclude this talk that we had? What are the three key takeaways that you would advise the listeners and the audience?
Shashank Dixit: [30:30]
The first takeaway I would say is to make sure the basics are done right. That's where I'm saying basic security hygiene is a must. Make sure you have done your baseline security implementations properly. It starts with as simple as a network segmentation to least privilege to putting up a firewall. But understand that is not at all enough. It is just the beginning.
The second key takeaway is, as the attacks are evolving, it is very important that you move beyond it and look towards a holistic picture of the overall setup, and make sure your defenses are erected accordingly. Make sure you implement a good pentest and have a skilled team around you and have the proper budgeting for this. Also, make sure you have enough defenses and have stock running. It is also important to have proper implementations of EDPRs or multiple layers of security in place so that you can build a strong defense against skilled hackers.
The third key takeaway, I would say is Pentest as a Service. With a platform such as Cobalt, is an amazing place where the collaboration between the pentesters and the security teams is happening smoothly and that's where people are able to effectively collaborate, where findings are being translated to actionable items and then there is a back and forth communication which has been enabled by the platform. That is amazing to see how much value-added is bringing to the organizations. These are some of the things I would like the listeners today to take with them.
Jon Helmus: [31:49]
Definitely, I think the big thing that we've been mentioning here is that it’s important to use pentesting as a way to move forward in assessing your organization, because it all goes back to where - it's not about showing you your vulnerabilities. It's about moving you past your vulnerabilities and growing from your vulnerabilities and becoming more competitive, better, and whatever it is that fits your organization’s end goals. I love all that.
That wraps it up for our conversation. Shashank, thanks again sir for taking the time out of your day to be here, really enjoyed the conversation.
For all those listening, I would like to thank our guest Shashank for taking the time to be with us today. Thank you again, sir. And for all the listeners, my name is Jon Helmus and this is Pentester Diaries and we'll see you on the next episode.
Shashank Dixit: [34:46]
Thank you, Jon, for this opportunity.