Policies That Work (Making IT Real)

We talk a lot about IT, but we don’t talk nearly enough about making IT real.

In particular, I’ve found that there’s a disconnect between IT – security guys in particular – and the people they’re securing. While this applies across the board, it becomes a problem when policies are being created.

One of the keys to effective security is to stop trying to create policies or procedures that aren’t going to work. It’s great on paper to require users to have fourteen character passwords that change every day, only use Internet access for work purposes, turn off their cellphones as they walk in the door, have IT install (and fix) all printer connections, and never connect their iPads to corporate wireless. Unfortunately, these requirements work best on paper, not necessarily in reality. Security policies that users don’t buy into weaken security across the board.

When it comes to wireless in particular, it’s hard to tell users to just give up their need for constant Internet access. So I say: give them a clean, safe avenue to feed their need for unlimited access to the Internet. WiFi is so cheap – Internet connections in general are so cheap – that I suggest having open third-party wireless. It goes out to the Internet, and has no connection to the internal network. You get on the VPN as if you were in Starbucks – it’s just as hostile – and you back that up with policy that says you treat the VPN as if you were in Starbucks. If you find a user bridging the networks, you have appropriate policy enforcements, equivalent to the ones you would apply if you found out that someone was publishing sensitive docs from an open, public network.
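One way to act on the bridging rule above is to look for a host that holds DHCP leases on the open guest Wi-Fi and on the internal network at the same time. The Python below is an added example, not code from the original post or from Pwnie Express; the lease log format, segment names and hostnames are constructed, and matching on the DHCP-supplied hostname is an assumption that gives a lead to investigate, not proof.

```python
# Added example (not from the original post): flag hosts that appear to be
# bridging the open guest Wi-Fi and the internal network, using DHCP lease
# records collected from both segments.  Sample records are constructed.
from datetime import datetime, timedelta

# Constructed sample: "timestamp segment hostname ip" from two DHCP servers.
LEASE_LOG = """\
2016-05-19T09:01:10 guest lt-jsmith 10.200.4.17
2016-05-19T09:02:42 corp  lt-jsmith 10.10.7.88
2016-05-19T09:05:00 guest ipad-amy  10.200.4.31
2016-05-19T13:40:05 corp  lt-kchen  10.10.7.91
2016-05-19T17:12:30 guest lt-kchen  10.200.4.60
"""


def parse_leases(text):
    """Parse the constructed lease format into (timestamp, segment, host, ip)."""
    leases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, segment, host, ip = line.split()
        leases.append((datetime.fromisoformat(ts), segment, host.lower(), ip))
    return leases


def find_bridging_hosts(leases, window=timedelta(hours=1)):
    """Return {hostname: (guest_ip, corp_ip)} for hosts that obtained a lease
    on both segments within `window` of each other.  A laptop's Wi-Fi and
    wired MACs differ, so the join key is the hostname the client reports,
    which is weak evidence: treat a hit as an alert to follow up in person."""
    by_host = {}
    for ts, segment, host, ip in leases:
        by_host.setdefault(host, {}).setdefault(segment, []).append((ts, ip))
    suspects = {}
    for host, segs in by_host.items():
        for gts, gip in segs.get("guest", []):
            for cts, cip in segs.get("corp", []):
                if abs(gts - cts) <= window:
                    suspects[host] = (gip, cip)
    return suspects


if __name__ == "__main__":
    for host, (gip, cip) in find_bridging_hosts(parse_leases(LEASE_LOG)).items():
        print(f"possible bridge: {host} guest={gip} corp={cip}")
```

Only lt-jsmith is flagged: lt-kchen was on the two segments more than three hours apart, which is consistent with a user who simply moved between networks.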

The question, then, is “what does appropriate punishment look like?” Personally, I believe in having effective policies that actually result in real change, and for that I have always found that positive reinforcement works the best. Whether positive or negative, acknowledgement either way is effective and very important. When I do a security awareness engagement (pentest) and I’ve completely destroyed the place, I spend the third day going out of my way to get caught. One time, I walked out with the business processing computer from behind a teller machine. There was a guy who had let me do lots of bad stuff, but this time he caught me. As soon as he caught me, I said “ooh, you caught me.” Basically, I gave him the win! It was a bad situation and we found all these flaws in their security. But these four people were able to find something, and that caught their attention.

We spend too much time in our industry showing people what they did wrong. You can’t find everything that everyone did wrong. But you can show them examples of what to do right. That’s what enforcement policies should be based on – what it looks like to do things right. When I do enforce a punishment, I go to their desk and make that employee stand right behind me and watch while I “check” their computer, even if I already know what was wrong. I make them watch the process. And then I say “you do understand our corporate policies, right?” Usually, if it’s the first time, I won’t necessarily even report it, but I do publicly show him what the right way forward is. I don’t just educate this person – I’m also trying to educate everyone around that guy.

Unfortunately, not many IT departments have a guy like me.

But every IT guy can be a guy like me. Every quarter, a security professional or IT team doing security needs to physically walk through the company’s buildings. Pick a floor, campus, department. Walk through while people are there. Look under keyboards and monitors for passwords. Let them know what you’re doing, and let them know why you’re doing it. Security is everyone’s job: you’re just the one being obvious about it.

$13 Million Investment Will Grow Tech Firm In Burlington

By Steve Zind

May 19, 2016

Vermont Public Radio

A tech firm with roots in Vermont has raised $12.9 million in venture capital that will help create new jobs at its Burlington office.

Pwnie Express started as a one-person business in Central Vermont six years ago. Now there are 40 employees.

While its main office is in Boston, the engineering side of the business is in Burlington.

Pwnie Express makes sophisticated detection systems that companies use to monitor their networks and reduce the risk of breaches, which has become an increasing challenge with the ubiquity of Wi-Fi enabled devices.

A significant part of the problem is employee-owned devices such as cell phones and laptops that access a company’s Wi-Fi network.

“The devices that are coming into businesses today are devices that are owned by the employees, not by the company. So that is creating a security risk for the company,” says Pwnie Express CEO Paul Paget.

Other businesses create additional vulnerabilities. “It’s not just employees bringing in devices, it’s vendors bringing in devices, and they want to service those devices remotely,” Paget says.

Pwnie Express, which takes its name from a hacker term, was started in 2010 by Dave Porcello, a Boston transplant. Porcello worked at a Montpelier insurance company before starting the business in nearby Berlin.

Paget says the company’s tech side has stayed in Vermont for good reason.

“Burlington is a real hotbed for software and security talent. There are people from the early days who are there who are very important to us. The universities are pumping out talent. There are other companies in the area,” he says.

Paget says the hiring market for talent is also much more competitive in Boston. He says the company plans to hire another four or five employees at its Burlington office this year.

(Full Article)

The life of a social engineer: Hacking the human

By Mirko Zorz

May 19, 2016

Help Net Security

A clean-cut guy with rimmed glasses and a warm smile, Jayson E. Street looks nothing like the stereotypical hacker regularly portrayed in movies (i.e. pale, grim and antisocial). But he is one – he just “hacks” humans.

Street is a master of deception: a social engineer, specializing in security awareness and physical compromise engagements. He’s outspoken, friendly, always wearing a smile, and besides working in the field, he’s also the InfoSec Ranger at Pwnie Express, and is well-known for his books and conference talks around the world.

Social engineering skills

Information security professionals generally agree that humans are the weakest security link. Employees need access in order to do their job, and so attackers increasingly target them instead of the network, in order to infiltrate the system…

(Full Article)

Introducing the Pwn Pad 4: the latest Pwnie mobile sensor for wired, wireless and Bluetooth device detection, classification, and penetration testing

We’re excited to announce pre-sale of the Pwn Pad 4, a commercial-grade security tablet designed for remote security assessment. The Pwn Pad 4 combines a portable security detection and pen-testing tool with a powerful enterprise security platform. In addition, even the pentesting abilities have some exciting new features: with Kali Rolling and Blue Hydra (a Pwnie-developed capability), it’s the only pentesting tablet with Bluetooth capabilities that offers energy efficient and conventional Bluetooth detection and fingerprinting.

The Pwn Pad 4 features the following enhanced capabilities:

  • Blue Hydra: An industry first from Pwnie Express, the Pwn Pad 4 now includes Blue Hydra, the first device discovery software capable of detecting low power and classic Bluetooth devices.
  • Portable Pen-Testing Doubling as Threat Detection Sensors: The tablet is completely integrated with Pwnie Express’ Pwn Pulse SaaS platform for real-time wired and wireless, BYOD and IoT threat detection. This allows security professionals to leverage the versatile pen testing capabilities of a portable pad with the centralized visibility and historical records of enterprise data.
  • Kali Linux Rolling Distribution: The tablet comes prepackaged with the latest Kali Rolling edition, which includes an arsenal of tools and scripts for the hands-on, on-the-go cyber security professional.
  • Enhanced Configuration and Setup: The Pwn Pad 4 is more user-friendly than its earlier counterparts, with a consumer-like setup and configuration wizard that allows customers to streamline the initial implementation, upgrading and use of non-Pwnie Android apps.

The Pwn Pad 4 is now available for pre-sale and will be generally available on June 1.  For more information, please visit  or contact sales@pwnieexpress.com or call (855) 793-1337.

Cybersecurity Firm Pwnie Express To Expand in Boston and Burlington

May 16, 2016

By Cathy Resmer

Tech Jam VT

Protecting customer and employee data against cyber attacks is increasingly challenging. That’s bad news for the government and for corporate America, but good news for Boston-based Pwnie Express.

The cybersecurity firm, which also has an office in Burlington, just announced that it’s raised $12.9 million in venture capital. The cash will help the company expand its efforts to help customers prevent hackers from gaining access to sensitive data.

Those customers include companies facing the growing threat of attacks from mobile devices and the expanding Internet of Things — in which sensors and previously offline appliances connect to household and corporate networks.

A growing reliance on workplace “Bring Your Own Device” policies is also cause for concern. “Most organizations are starting to worry about that as a new attack vector,” says Pwnie Express CEO Paul Paget. “If you don’t know what [the devices] are, and they’re connecting to your networks, that creates risk.”

Paget sees opportunity there, particularly among small and mid-size businesses that need help adapting to this rapidly changing environment — perhaps from Pwnie’s new, real-time wireless and wired detection tool, Pwn Pulse. “We think that’s a huge market,” he says. Pwnie’s investors agree — hence the new infusion of funds. In a phone interview, Paget outlined how the investment will help the company grow — in both Boston and Burlington, Vermont…

(Full Article)

Cybersecurity Firm Pwnie Express To Expand in Boston and Burlington

May 16, 2016

By Cathy Resmer

Seven Days Magazine

This story was originally published on the Vermont Tech Jam blog.

Protecting customer and employee data against cyber attacks is increasingly challenging. That’s bad news for the government and for corporate America, but good news for Boston-based Pwnie Express.

The cybersecurity firm, which also has an office in Burlington, just announced that it’s raised $12.9 million in venture capital. The cash will help the company expand its efforts to help customers prevent hackers from gaining access to sensitive data.

Those customers include companies facing the growing threat of attacks from mobile devices and the expanding Internet of Things — in which sensors and previously offline appliances connect to household and corporate networks.

A growing reliance on workplace “Bring Your Own Device” policies is also cause for concern. “Most organizations are starting to worry about that as a new attack vector,” says Pwnie Express CEO Paul Paget. “If you don’t know what [the devices] are, and they’re connecting to your networks, that creates risk.”

(Full Article)

MassMutual Climbs Aboard Pwnie Express

16 May, 2016

By Robert Lavine

Global Corporate Venturing

Cybersecurity software developer Pwnie Express has secured $12.9m in an Ascent Venture Partners-led series B round that included MassMutual Ventures.

US-based cyber threat detection technology developer Pwnie Express has raised $12.9m in a series B round featuring MassMutual Ventures, the corporate venturing subsidiary of insurance group Massachusetts Mutual Life Insurance.

(Full Article)

[Investor Q&A] How Matt Fates of Ascent Venture Partners Supports Boston Enterprise IT

May 16, 2016

By Keith Cline

Venturefizz

It’s perfect timing for Matt Fates’ Investor Q&A on VentureFizz. Just last week, Ascent Venture Partners led a $12.9M Series B round of funding for Pwnie Express in Boston, a leading provider of device threat detection. Matt will be joining Pwnie Express’ Board of Directors.

Fates is a General Partner at the firm and has been investing in Boston startups since 1998. Prior exits include Interactive Supercomputing (acquired by Microsoft), Cymfony (acquired by TNS), Fidelis (acquired by General Dynamics) and others.

Learn more in my Q&A with Fates below.

Keith Cline: Tell us about your background.

Matt Fates: My father was a fighter pilot in the U.S. Navy and I was born at the Navy Hospital in Norfolk, Virginia. My parents said it cost them under $5 in medical bills, and yet at times they still questioned whether it was worth it. I was the kind of kid who did not like to be told what to do. After Dad’s service, we moved to the Boston area until I was 9, then to London, England for five years (a terrific experience), then back to Boston. I have a younger brother who lives in La Jolla, California today. I don’t like to talk about the weather with him…

(Full Article)

How to keep from becoming a safety statistic

by Christopher Elliott

May 15, 2016

USA Today

Summer travelers worry about terrorism and Zika and unrest, but maybe they should look a little closer for the real threat.

Maybe they should look in a mirror.

“Travelers leave their laptop open and unlocked while they go to the bar or bathroom,” says security strategist Ben Johnson. “They read off credit card and passport numbers over the phone, in public.”

A survey by Experian revealed nearly one in five travelers lost sensitive information on the road, and 30% said they experienced identity theft while traveling or know someone who has. It gets worse if you cross a border. International travelers are 1 1/2 times more likely to become victims of identity theft than domestic travelers, a LifeLock study found.

The consequences of their carelessness can be immediate and catastrophic. Travelers are quick to blame everyone but themselves for data loss or ID theft. The app had a security flaw! The Wi-Fi network wasn’t secure! There were strangers overhearing my conversation in the hotel lobby! But this summer, the best way to stay safe lies within.

What to do? Easy. Just observe your fellow travelers and learn from their mistakes.

Johnson, a former NSA employee who co-founded the security consulting firm Carbon Black, has seen travelers carelessly log onto a wireless network that may not have been the hotel’s official one (yes, they let him watch). He’s even seen hotel guests leave electronics, such as laptops and USB keys, in their room, leaving their most sensitive information vulnerable to theft.

Patti Reddi witnessed some pretty outrageous things, too. Like posting a photo of your boarding pass on social media. Duh. “Your boarding pass contains sensitive information like your frequent-flier number, record locator and more,” says Reddi, who writes a travel blog. Plus, there’s no better way of tipping off a thief that you’re not home than with a confirmed boarding pass that says, “I’m away.”

The lack of attention can hurt you. Jaclyn Goldman met a man at a hotel bar who was sobbing uncontrollably. What happened? Goldman, a sales executive, says the man had given two women his last name and room number.

(Full Article)