Henry Dalziel | Pentesting Tools | January 31, 2017
We had the honor of interviewing Ron Gula from Tenable Networks and are delighted to share this with our community. For those that don’t know, Ron is a legend in the Cyber Business Scene: I’ll let a recent interview with Paul Asadoorian do a better job than I’d ever do (see the bottom of this post for the video) – there’s also a very good overview of Ron here.
Tenable Network Security create network security monitoring tools, which watches your network for vulnerabilities, threats, compromised systems, ‘odd-traffic’ and issues that could be affecting your security compliance. Tenable is most well known for, and virtually synonymous with Nessus: a leading vulnerability scanning platform. Nessus is perhaps one of the best known hacking tools out there and one which has been on our Top Ten Hacking Tools List for several years now.
Nessus was freely available as an open source platform (and still is in a limited format), but in 2005 Tenable Network decided to change the license in order to better develop and support the vulnerability scanner. Any Penetration Tester or Ethical Hacker worth their salt will know exactly how to use Nessus, indeed many Pentesters mention Nessus in our ever-green interview post here.
How did you get your get your break in Cyber Security? Was it an accident or was it by design?
I have always been a UFO fan and did a lot of online research in the early and mid 90s. During that time, many of the same places that hosted UFO and conspiracy content also hosted Phrack, L0pht and other similar computer security content. I was very hooked on learning about this information and also devoured the basics of networking and security theory. My big, big, big break came when I got stationed at NSA through the US Air Force in a group that did network security assessments. I was able to learn even more about auditing networks for security weaknesses there doing this full time.
We have a lot of interest from students with regards to being proficient with pentesting tools and frameworks such as Metasploit and Nessus. Would you agree that mastering these tools is vital when pursuing a technical career in Cyber Security?
Those tools didn’t exist when I started out. The Nessus and Metasploit tools of the next ten years haven’t been written yet. We don’t know what the next wave of security auditing will bring. Is it car hacking, IOT, mining data off of social media, mining data off of underground networks, mobile vulnerabilities, etc? I love tools because they can automate tedious tasks. What I love more is teaching students about security basics, security design and applying these to new types of business and privacy problems for the next generation of solutions we are using.
How do you see the industry evolving in the medium to long term?
Everything is getting better the more we pull people outside of the problem. For example, pentesters and malicious APT writers regularly break into businesses running their own Exchange email solution, their own anti-Spam system, their own patching, their own sandboxes, their own SIM, .etc but wouldn’t be able to use that same attack path against a small business that had moved their email to Office365. The cloud offers lots of efficiencies in IT and security that small or big business can’t ever get really good at. Targets are getting harder and harder to exploit. One of the big reasons people are turing to hacking IOT is its basically unhardened Unix. Doing exploits on Windows 10 or OS X takes real expertise and attacks are becoming a lot less common. Most of the major breaches we see against healthcare systems and government systems is exploiting legacy tech like Win7, old Linux, unmatched Cisco routers, .etc. Web applications are getting much better as well. The use of secure libraries, infrastructures like Amazon and secure coding practices (SecDevOps) are making new web applications much easier to maintain and defend than what we were using in years past.
So because of this, the future looks very cloudy. Our industry will transform to being one of auditors where people set business goals for their network to match the risk appetite of what they are doing versus today’s approach of assuming a breach and throwing lots of defensive tech on the network.
What advice would you give to your younger self?
Startup Security Weekly #23 – Ron Gula, Gula Tech Adventures