On Episode 61 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about whether cybersecurity is getting better or worse.

Show Notes

The Netragard Website

Get in Touch With Netragard

Find Netragard on Facebook

Find Adriel Desautels on Twitter

Find Adriel Desautels on LinkedIn

Find Netragard on Twitter

Follow Adriel Desautels’ Blog on Netragard

Netragard in the News

“Is Your Data Safe From Hackers?”

“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor

“Cars: The Next Hacking Frontier?”

“How to Find a Genuine Penetration Testing Firm”

“What Is Penetration Testing? Here’s the Right Definition”

“Is Your Data Safe From Hackers?”

“How To Hack A Company With A Trojan Mouse”

“Don’t Become a Target”

Bitdefender’s Website Where You Can Buy Bitdefender, recommended by Adriel Desautels

The Hands Off! Mac Update Download recommended by Adriel Desautels can be found here

VMware Fusion, also recommended by Adriel Desautels, can be found here

Download for Little Snitch

“Honeypots: The Sweet Spot in Network Security” – An article about Honeypots

The Frank Abagnale movie, “Catch Me If You Can”

Link to SaviorLabs’ Free Assessment


CVE: Common Vulnerability Enumeration
The Watering Hole
You Can’t Detect What You Don’t Know To Look For
Programs and Operating Systems Adriel Uses
Dealing With Data
Is Computer Security Getting Better or Worse?
What is a Honey Pot?
Internet Security: Ten Years From Now
There’s No Excuse
Data With a Long Lifetime
Why Europe is Doing Credit Right
What To Do If You Have Been Compromised
How to Tell If Penetration Services are Genuine

Cybersecurity: For Better or For Worse?

CVE: Common Vulnerability Enumeration

Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard.

So now I recently read about a CVE. And just for our audience, CVE stands for…

Adriel: It’s the Common Vulnerability Enumeration, I think it is.

Paul: Something like that. So it was a vulnerability that if you browse to a certain website, to a website with a certain browser, and it loads an ad, your machine is infected. Can you explain? How does that work? And we’ll go through this probably…we’ll unwrap the onion a couple of times on this. How does that work? So I use Chrome and obviously, we think it’s secure today, but six weeks ago, we thought the same thing. And they fixed things in the past six weeks. So what happens? I go to a website. It opens up a news site. What happens? Tell me.

Adriel: So, this goes back into the helper application world. So, let’s use Flash as an example. Flash is a great example because Flash is always being exploited. In fact, our own company is notorious for having sold a Flash exploit. It made the news a while ago. But, Flash is used a lot for ads or videos or things like that on news websites or other websites, or at least it used to be. It’s a way of almost playing movies. Or playing ads and things like that.

Well, you can take Flash and you can embed specialized payloads into Flash. And then the Flash players themselves were vulnerable to these payloads. And when they would load the payload, the payload would exploit a vulnerability in the player, and then give whoever an attacker was — or whatever the end thing was — full access to your system. So in the case of malware, when the system is exploited, rather than give command and control of your compare system to some third party, the malware would be uploaded into the system, and it would do whatever it was going to do. So if it was ransomware, it would encrypt your system. Then maybe propagate it upwards, other directions. So really it’s taking advantage of helper applications.

Any time you browse the web, your browser is the main application that sometimes contains its own vulnerabilities that can be exploited. There are lots of other helper applications that come in. There’s different movie players, there are different content renderers. There are all kinds of things you can plug into a web browser or that you can use in a browser and any one of those things does have vulnerabilities and can be exploited.

So when you browse websites, when you look at anything online, you’re effectively trusting that source to have content that’s safe.

Paul: Okay, but now aren’t you also trusting their ad networks?

Adriel: You are trusting their ad networks, but more importantly, you’re trusting them. The ad networks are less likely… Well, they’re less likely to cause problems for you, than the systems themselves, usually.

Paul: Really?

The Watering Hole

Adriel: Yeah, I think so. I mean, from a theoretical perspective, I suppose anything could be a problem. But, I mean, if you look at…Are you familiar with the term watering hole?

Paul: Not from a computer point of view. I mean, from a wild gazelle point of view, yes.

Adriel: Yeah. Right. Exactly. So, in a safari, you have a watering hole. The animals, they all go to get their water, and they drink from this watering hole. And it’s the one place where the lion won’t eat the gazelle, and all these things are great and happy.

Now imagine some guy comes by with a bio agent that’s designed to wipe out these animals, and he puts it into the water hole. And these animals drink, and then they go back to their herd. And unbeknownst to them, spread this infection and then all of a sudden, their prides and their herds and all that just drop dead. That’s because of a poisoned watering hole.

So a watering hole attack is when you take a website, a common website or a news location or an ad network or anything like that, and you infect it with malware. The people who go and visit that website are then compromised or infected by the malware that exists in that website. If the malware is designed, as we would be at Netragard, if it’s designed properly, then what will end up happening is when that person takes their infected computer to another network, it will notify the controller, the person in charge, whoever deployed the malware, that they’re on a new network, and it will give them access to that network too.

So just like the infected animals that spread their infection to the rest of the herd, the infected computer will spread their infection to the rest of the computers in the network that it connects to. So it’s a watering hole.

This attack has been around… Boy, this type of attack has been around, since probably 2000, 2003, just never really heard about it until, I think it was called the Aurora incident, the Aurora something. It was when Google was targeted by the Chinese with a watering hole attack. And since then watering hole attacks have been happening. I can’t remember any off the top of my head or recall any on the top of my head that were as large-scale as that. That was just one example. I mean, there are, of course, you know… We have the ransomware attacks today that are happening. Bad Rabbit or whatever that was. They’re continuously going. But I don’t remember anything quite the scale of what was going on with Google, only because Google, of course, is massive.

Paul: They are a big target.

Adriel: Yeah. And so they have a lot of viewers. The bigger the watering hole, the more people that feed from it, the greater the impact.

You Can’t Detect What You Don’t Know To Look For

Paul: So now if I’m just a general citizen sitting at my computer, why is it that Google doesn’t catch the fact that their site is infected or CNN or whatever? How come they’re not smarter than me?

Adriel: Yeah. You can’t detect what you don’t know to look for. A weird example. Imagine we somehow encounter extraterrestrials and they come in. “We come in peace.” Shoot to kill. They think they’re friendly. We think they’re friendly. Everything is going great. Meanwhile, they’re offloading masses of weapons, and we don’t recognize the weapons as weapons because we have no idea what they are. Right? And they begin to attack us with these weapons, but they’re not like anything we’ve ever seen before. So we have no idea we’re being attacked. And then all of sudden, people just start dropping dead, and it takes us a while to begin to realize, we’ve been attacked.

Hackers are the aliens. We build weapons that nobody else has seen before. And we attack people in ways that they absolutely don’t expect and in ways that the security industry doesn’t expect. We come up with new things. And so you really can’t defend against the unknown, which kind of goes full circle, and that’s why this whole “I protect you against zero-day things” is ridiculous because zero days are unknown vulnerabilities you can’t defend.

Paul: So it’s all marketing is what you’re saying is…

Adriel: Exactly. That’s exactly right.

Programs and Operating Systems Adriel Uses

Paul: Now what kind of computer do you use? Do you use a PC with Windows or Mac or what?

Adriel: I use a Mac. But within the Mac, I use a hypervisor and I run about four or five different operating systems within that. So I use the virtual machines. Within containers is my real machines.

Paul: Which hypervisor do you use?

Adriel: Right now it’s VMware Fusion.

Paul: Okay. So you’re using VMware Fusion which allows you to run virtual machines, as they’re generally called. Are those sacrificial virtual machines, or are they secure?

Adriel: One of them secure, but it can still be sacrificed if that makes any sense. I take snapshots regularly. So if I’m doing something, and I think anything bizarre happens, I just revert back to the snapshot that I know was good.

Paul: Okay. So this is a good line of discussion. So you have several VMs and you use those. Now in those VMs, do you have any antivirus, antimalware, any software on them that helps you stay secure?

Adriel: Yeah. Only in one of them, in the Mac VM, within the Mac. On my Mac within a Mac, yeah. I use Bitdefender and Hands Off! I use Bitdefender because it is proven to be one of the most effective pieces of antivirus software out there. When we do our own zero-day development, Bitdefender oftentimes will pick up our exploits or our tools and we’ll be able to say, “Hey, well okay. We have to adjust this because Bitdefender just found it.” Others just don’t seem to do it quite as well.

And then Hands Off! Is sort of like Little Snitch, only it’s a bit more advanced. It’s a bit more advanced than Little Snitch. Hands Off! allows me to control what files are accessed, what ports are being connected to, what hosts are being connected to. So if I decide that I want to browse to XYZ.com, Hands Off! is going to say, “Hey, do you want to allow this connection? Do you want to allow this access to this file?” And I have to explicitly allow everything.

And it’s nice because if I actually brought us to a malicious site and I hit a Flash exploit or whatever it might be, when that exploit begins to work, I will see that my system is trying to access files and do things that it shouldn’t normally do. And I’ll say, “Hey, wait a second. Why are you doing all of this stuff? Something just happened. Let me revert back.” So I can catch it, even if I don’t know exactly what’s going on.

Paul: So it sounds like you have to be a little bit smart.

Adriel: Yeah. You do. You have to be vigilant. Absolutely.

Paul: And know what you’re looking at. So if the ordinary user was faced with Hands Off!, they might not know how to respond.

Adriel: Yeah, it’s not trivial, unfortunately.

Paul: So what are the other operating systems you run in these VMs and, and why?

Adriel: So BSD and Linux., BSD just because I like it. There’s not a lot of people that are targeting BSD. I like the port system a lot. And Linux because Kali is great for penetration testing and doing research, and a lot of tools run on it. I run Ubuntu, but I do that largely for administrative reasons because it has some cool functions and features that will help you manage other servers that are similar or systems that are similar.

Paul: And do you run Windows at all?

Adriel: I don’t. I mean, I do have a Windows VM, but I use that specifically for signing malware. So we have a code signing certificate and we sign all the malware that we push out, which is interesting. So I use Windows specifically for signing malware.

Dealing With Data

Paul: So how do you deal with your data?

Adriel: What kind of data?

Paul: Well, I mean, you’re doing work. You’re a productive member of society. You probably have a bank account. You probably have photos. You have business files, an agreement with a client, a contract here and there, etc. Where are those? Are they on the machine? Are they in a VM? Are they somewhere else? Are they on a flash drive?

Adriel: No. So everything that we have is stored in our data center that is related to the business. And it’s stored in different ways. If something is highly sensitive, it’s stored on an encrypted disk, and it’s also PGP encrypted. And there are only three people that can decrypt those files. If it’s medium sensitivity, then it’s stored in the system with an encrypted file system or it’s stored in a system with an encrypted file system within an encrypted database.

The idea of encryption, though, on end points like that, kind of promotes a false sense of security also. If you were to walk into our data center, and you were to lift one of our machines, the drive would be encrypted, and you wouldn’t know the passphrase to unlock the drive, so of course, it wouldn’t be useful. But if you’re a hacker, and you were to hack one of these systems, the contents are already decrypted because the system is running, and you’re going to gain access to the system and its respective data.

Likewise, encrypted databases, everybody always talks about them. “Oh, let’s use encrypted databases. They’re great.”

Well, if you hack a system with an encrypted database, the key exists somewhere because the database users, the people that are responsible for using that system, they have to have a way of decrypting the data. Right? And we have yet to find it an instance where we breached a network, counter encrypted the database, and couldn’t find a way to decrypt it. So really, encryption is not going to protect. It’s going to slow things down. The best way to encrypt something and protect is with something like PGP. But again, that’s not trivial. You know, I mean, PGP and managing that kind of…I mean, you lose your keys, you’re screwed.

Paul: Right. What do you do with your photos, your personal stuff?

Adriel: That goes into that Mac VM that I have that’s protected by Little Snitch and Bitdefender. Aand I, I just have those there.

Paul: Do you back them up?

Adriel: Yeah. I back them up.

Paul: How do you do back up?

Adriel: I back them up to the cloud. I dump them to the cloud. The iCloud. You just make sure that nothing is sensitive. That’s all. Nothing is compromising or sensitive.

Paul: Right. Okay.

Adriel: So, yeah. That’s the best way. I mean, anything that could ever be compromising or sensitive or somehow used to harm my family or harm myself, I just don’t put on computers. I try to make sure that that stuff you do stays in memory or is on paper in a vault or it just doesn’t exist.

Paul: Right. Well, it’s interesting. I’ve had, being a computer person, everybody asks you to solve their computer problems, and the number of people I’ve seen become infected, I’m like, “I don’t know. How did you get infected?” And it almost always comes down to they didn’t know what they were doing. They didn’t realize that doing this was going to do this. And, there’s really no way to give them that level of scrutiny that things that you and I might do, certainly you more than I would just say, “Wait a minute. That doesn’t seem right.” And they don’t perceive it. They don’t even see it.

I just saw a good example of the WPA Crack hack where they got in the middle and basically redirected somebody to a non-SSL site and captured their username and password. And that’s a good, for me, that really make it plain that, yeah, we really shouldn’t have any non-SSL sites. And that would have fixed that problem.

Is Computer Security Getting Better or Worse?

Paul: So what is your prognosis? Is computer security getting better, getting worse?

Adriel: No, it’s getting convoluted unnecessarily so, and it’s getting complex. And more and more difficult to understand because of the security market. Good security should follow the KISS rule. Right? Keep It Simple, Stupid.

The reason why our customers keep coming back to us, for example, is because we Keep It Simple, Stupid. We look at very efficient solutions. We don’t focus on bloatware because of security fatigue, which apparently is a new thing that people are talking about. We focus on effectiveness. The solutions that exist today are really pretty. And they look really cool.

And maybe they are catching a really high volume of attacks. The problem is, is they’re also catching a lot of non-attacks. And so somebody sitting down and staring at a screen with stuff scrolling by all the time is going to get worn out pretty quickly. Right? And so the interface of the person or the data that’s presented to the person is ineffective. And so the whole solution becomes ineffective.

Your network intrusion prevention systems, they make a lot of sense. But the part that’s not being considered there is the person that has to sit there and churn through all of that data every single day. You just can’t do it. Right?

So the security industry is chock full of solutions, which you really don’t call solutions. They’re, chock full of distracted new technologies, distracted technologies like this and these technologies are continually being marketed, pushed by other businesses. And in the end, if you follow it at all, it has to do with money. Everybody wants to make their money. The breaches that are happening today are also beneficial to the security industry because these breaches mean people are going to come and look for more technology, more services, more solutions.

In all reality, people don’t need to do a lot to be secure. And in all reality, people should not be focusing on breach prevention. They should be to a degree. But the real thing they should be looking at is preventing a damaging breach. It’s impossible to prevent the breach. Someday, somehow, somebody is going to breach your network. But if you can detect that breach when it happens, before it becomes damaging, you can prevent the damage, and you can prevent yourself from ever making the news. That’s how you protect networks.

What is a Honey Pot?

And the way that you detect a breach, right after it happens, is with things like internal honey pots and solutions that can pick up on lateral movement.

Paul: Well, so explain that to me.

Adriel: So a hacker breaks into a network…

Paul: You mentioned that. And so explain that to me. I’m a small business. I make semiconductors. I’ve got 50 employees. What is an internal honey pot?

Adriel: Well, actually, so we sell these now. It’s something that we’ve started manufacturing and selling and developing — whatever you want to call it — probably about a year ago because of their effectiveness. So what it is, it’s a computer system that does absolutely nothing except to sit there and look like other computer systems. You deploy these fake computer systems in different parts of the network, depending on how threats are likely to enter your network and move through your network. And they’re tempting.

So a hacker breaks into an infrastructure, and a hacker begins to probe the network. The very act of probing the network when it contacts one of these systems, these honey pots, is going to set off an alarm. That honey pot is going to say, “Hey, user Joe just connected to me.” Now there’s absolutely no reason for any legitimate user to ever connect to a honey pot because they do nothing. Right? So any time anybody connects to a honey pot, by default, it’s illegitimate. So there is no false positive. There is no continuous streams of data like you’re going to see with other solutions. A hacker breaks in, hacker probes network, hacker trips two or three of these things. System admin will get an alert within seconds likely of a hacker breaching a network, maybe within minutes of a hacker breaching a network.

If that admin responds to those alarms and in quick time, that admin can likely kick that intruder out of the network before any damage is every caused. They can say, “Hey, my web server just started scanning my network. That should never happen. Let me go and kill the connection, and let me go put up a temporary site, or let me revert to a back to a backup and just see what will happen.” But this was a breach. It was a breach that doesn’t matter because sensitive information was never captured.

Meanwhile, what’s going on is the inverse of this. People are focusing on breaches, and this is why I say the industry is convoluted. People are focusing on breach prevention. We hear this all the time. It’s an impossible task. But they’re not focusing on post-breach detection. And so what ends up happening is they suffer a breach, and the hacker sits there and says, “Okay. Was that detected?” It’s almost never detected. I mean, I can’t think of the last time that we were detected breaking into a network. So hacker says, “Okay. Were we detected? The answer is no. Great. Now let’s just spread like wildfire throughout the network because nobody has any post-breach detection capabilities.” And it’s true.

Paul: Right. I see.

Adriel: So there’s this gap. Mind the gap. There’s a gap that exists, and that’s what we’re exploiting. The security industry as a whole is upside down, and the solutions that it’s providing are also upside down. Rather than providing you with a solution that says, “Hey, you’re being hacked and it’s real. Do something about it,” they’re providing you with solutions that say, a million times a day, “You might be getting hacked here.”

Paul: Right.

Adriel: So, it doesn’t work.

Paul: Fascinating.

Adriel: So is it getting better, is it getting worse? I think the threats are evolving. I think some of the technology is evolving. I think software vendors like Microsoft are definitely evolving. They’re doing a much better job, and they have a part to do with good security. I think a lot of the other software vendors, especially the ones who build the applications that used by Microsoft need to really catch up and start taking security seriously. But I think that rather than being something that could be a fairly simple type of thing, I think it’s become a big convoluted mess. And I think that convoluted mess is making it hard for normal, everyday people to be able to really understand where to go, what to do.

Internet Security: Ten Years From Now

Paul: Sure. So alright. Let’s take the crystal ball out here. Ten years from now, is it going to be better or worse?

Adriel: Oh, boy. I don’t know. If we keep on allowing bureaucrats to dictate the direction of the industry and if we keep on allowing entrepreneurs that are financially motivated rather than technically motivated to dictate the direction, as long it’s being directed by really policies and money, it’s going to continue to get worse.

Paul: So that sounds like it’s going to get worse.

Adriel: Yes, that’s exactly right. And so inevitably, I think that that’s the case.

Paul: Do you think that there’s some period or some event or inflection point that we’ll reach where we just have to do something differently?

Adriel: I think we’ve already passed that point.

Paul: Okay. That’s fair.

Adriel: Yeah, there’s no reason why businesses should be suffering breaches.

There’s No Excuse

Adriel: Yeah, there’s no reason why businesses should be suffering breaches the way they have, the Equifax breach in my opinion along with Target, and the multiple breaches of Sony and Hanaford and Ashley Madison, these stand out because these were the ones that were particularly silly. And these breaches shouldn’t have happened. Knowing what I know about how these businesses operate, the reasons why these breaches most likely happened is that either the CEO or some senior level executive didn’t do their job properly and didn’t pay attention to what they were supposed to be paying attention to or didn’t give security people enough of a budget or there was a political reason. Or they believed that they were doing their job properly and they were listening to the advice of bonified experts when in fact they were just being fed Coolaid and they were given a false sense of security.

Paul: So with the Exquifax – ill say it – it was just industrial strength stupidity on their part. It wasn’t clever. They drove with their door open and their seatbelt off.

Adriel: Yeah, with a big neon sign that said, “Hey come take it.” Yeah that’s exactly right.

Paul: It’s almost like manslaughter if not murder. Its manslaughter.

So just briefly talk about the Equifax thing. A lot of people don’t understand what actually happened. I’m not really concerned with the details of the technical of thing.

Data With a Long Lifetime

So I recently attended a conference by Frank Abagnale. I don’t know if you know who he is? “Catch Me If You Can?” There was a movie about him. And he works for the FBI. And when he was arrested, he was in prison and the FBI came to him and said if you work for the rest of your prison term for us we’ll let you get out of prison and he’s been working with them now for 45 years. He made the point, the distinction that is obvious again, when I say it, that what hackers are interested in, is data that has a long lifetime. Your name, your address, your eye color, your social security number. He said credit cards are great for people to steal, there’s zero liability for users. So he made the example, for my kids, I had them get a credit card when they went off to college, and I said to them I’ll pay it off every month, don’t spend – you can spend what you want to spend, but I’m actually going to be paying for things through that. So, when they got out of college they had a great credit rating. His point, was he said there’s no risk with a credit card, if someone steals it, they give you a new one. But with your social security number, they don’t give you a new one and Equifax lost 150 million people’s social security numbers.

Adriel: Exactly.

Paul: And it’s not just a number like I could say 1,2,3,4,5,6,7,8,9, that’s a social security number of someone but that’s not the point. The point is that they, Equifax wrote it down on a piece of paper and said, “Oh this is Bob Smith and he lives at 123 Main Street and oh by the way he has this car and this house.” I don’t see a way to recover from that.

Adriel: You can’t. There’s no way. And it’s not the kind of thing where we’re going to begin seeing the impact of it until several years go by. But if you think about the information that Equifax has, how many banks and how many healthcare providers and how many wealth management firms use that exact same information to authenticate you and forget your password.

Paul: Right. What was the first car you owned and of the five addresses which one have you lived at.

Why Europe is Doing Credit Right

Adriel: Right and this information, I’d be surprised, if it wasn’t at some point used for some major heists. You can clean people out with this information if you do it carefully and thoughtfully and spend some time doing it. Of course, you have social security fraud and all kinds of other things that could be happening in the future. People die and you take their identities. The scale of what this could do is significant and what is almost laughable, and really ridiculous about the whole thing is that you look at Europe and they don’t have a credit bureau. Europeans have credit cards but they don’t have credit bureaus like Equifax. They don’t need this person’s place, this business, to maintain all this history. They have different ways of doing things. I know this because my business partner came over here from Europe, bought a house here not too long ago with his wife and all that. The whole process, you don’t have any credit yet I can still do all this stuff in Europe. Why do I need to have this thing called credit over here? So it’s interesting.

Paul: Interesting. Given all of this data is out there and all these financing companies have to continue to do business, doesn’t it almost become their problem now? Because how are they going to, they can’t just say well we’re not going to lend to you because your identity was released on the internet? Well if they stop lending to everyone they stop making money.

Adriel: Yeah, well honestly, I think we should follow suit with what most of Europe is doing. Getting rid of these credit agencies and I think we should go into a more modernized way of tracking and verifying credit. From the little that I understand, I believe that what happens that if you take a credit card in Europe and if you don’t pay off that card there’s a way of communicating to other credit card companies, without a credit score, that there’s this debt that exists. The level of information that Equifax has is too much. They have way too much information.

Paul: It’s criminal, t seems like! It’s centralized.

Adriel: Yeah and they don’t need that level of information to know that you are a good buyer and really, they don’t need to know that Paul or Adriel – They don’t need to know their name, they just need to know credit card score and some kind of unique identifier. That’s all they need yet, because they are using this antiquated system and because they are collecting information and because they make most of their money by reselling our information without us really being aware if it to god knows who, they have that and they’ve put us all at risk! And now here they are. So yeah, those companies should be done away with and that we should have a more modernized way of doing this.

What To Do If You Have Been Compromised

Paul: Do you have any suggestions somebody who was potentially compromised? What should they do?

Adriel: Freeze your credit. Call Equifax, call Trans Union, call Experian, and pay the 15 dollars or whatever it is to freeze it. And quite frankly, Equifax should be doing that for free. They shouldn’t be charging you to freeze your credit, but do that. Because if you freeze your credit it will at least help to prevent people from taking loans out and things out in your name because it won’t be possible to pull your credit history. Doesn’t mean your safe though because people can still use that information to access resources that belong to you, financial things like wealth management, retirement funds, whatever, you can still use that and if you get in, there’s no reason why you can transfer out and steal money that way. It’s unfortunate.

How to Tell If Penetration Services are Genuine

Paul: So things are worse. We’ve passed the inflection point. Things are not necessarily getting any better. We still want to use the internet. Be careful of what you share because it could be used against you. Boy it sounds like, it doesn’t sound too positive here. I guess one of the things is through your services companies can be a lot more secure. So that’s a positive thing.

Adriel: It is but you have to be careful even with that. When you purchase penetration services, you have to make sure that you’re purchasing genuine services that produce a realistic level of threat and not services that give you a squirt gun test. The analogy is that penetration tests are the equivalent of testing body armor with a squirt gun. And there are ways to do it and we actually published a white paper that was published on Forbes, that was picked up by Forbes, and the article was “This Year Why Not Take Data Security Seriously” and if you google that, you’ll find a white paper that we published and it really gives you non biased key points on how to identify a genuine penetration testing, and how to differentiate between the people that are going to be selling snake oil. One of the most important differentiators there is that the snake oil vendors will sell based on the number of IP address or the number of web applications that you have. It’s called count-based pricing. And if you have ten Ips, like I said initially, and you bill five hundred dollars per IP address, that’s all great and good, you’re going to have a five hundred dollar price tag but what happens if zero of those IPs are providing any services. You just spent five grand on zero seconds worth of work.

Paul: Right.

Adriel: Likewise, what happens if each one is offering 40 man hours worth of service. Well no pent tester is going to be working for 12 dollars and 50 cents an hour so any vendor that uses count-based pricing as part of their pricing methodology, you can rest assured that youre going to be getting that squirt gun test. There’s a lot you can do and it’s a lot of stuff you have to cut through to understand before you can get to the good stuff.

Closing Words

Paul: Is there anything you’d like to cover that we haven’t talked about?

Adriel: No, I think this was pretty thorough. There’s a lot of stuff!

Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. You’re based in Boston right?

Adreil: Yes.

Paul: But I know you work internationally and are pretty well known. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links that will be in our shownotes, that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and of course a link to Netragard as well, and ways to contact Adriel.

So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.

Adriel: My pleasure, any time.

Paul: Thank you Adriel.