How often do you Google yourself? Never? (Congrats! You’re in Mother Teresa territory.) Every ten minutes? (Sad. You’re on par with President You-Know-Who.) We know that search tools feed narcissism, but hackers have also discovered their potential to locate vulnerabilities in websites: a search engine has already indexed the exposed files, directory listings, and misconfigured pages of a target, so a well-crafted query finds them without sending a single packet to the site. The Google Hacking Diggity Project, for example, offers free downloads of tools that build and run such queries to find exploitable holes in public-facing systems.
The motivation is simple: If you don’t find the problems on your site, then someone else will. Enterprise security teams thus use these tools to search on their company’s domain names and related keywords and find relevant exposures before an attacker does. (And yes, narcissists can do this using their names.) A popular book on the topic, Google Hacking for Penetration Testers by Johnny Long, Bill Gardner, and Justin Brown, came out a few years ago. I thought it was a great read.
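To make the workflow concrete, here is a small added example (my own illustration, not code from Bishop Fox or the Diggity project). It generates search-operator queries from a list of company domains and keywords, then filters the resulting URLs back down to hosts that are genuinely in scope. The query templates, the domain `example.com`, and the sample result URLs are all constructed for illustration; the one practitioner caveat it demonstrates is that scoping results by a naive substring match on the domain name would accept look-alike hosts such as `notexample.com` or `example.com.attacker.net`, so the check compares DNS labels instead.

```python
"""
Build Google-hacking ("dork") queries scoped to an organisation's domains,
then triage search results so only hosts that really belong to the
organisation are kept.

Added example for illustration; not a Bishop Fox or Diggity tool. The query
templates, target domain and result URLs below are constructed sample data.
"""
from urllib.parse import urlsplit

# Generic search-operator patterns; {domain} is filled in for each target
# domain. These are illustrative, not taken from any particular tool.
DORK_TEMPLATES = [
    'site:{domain} filetype:sql',          # exposed database dumps
    'site:{domain} ext:log',               # log files left web-readable
    'site:{domain} inurl:.git/config',     # leaked source-control metadata
    'site:{domain} intitle:"index of"',    # directory listings
    'site:{domain} inurl:phpinfo.php',     # server configuration disclosure
]


def build_dorks(domains, keywords=(), templates=DORK_TEMPLATES):
    """Return one query per (template, domain) pair, then one quoted keyword
    search per (keyword, domain) pair, in that order."""
    queries = []
    for domain in domains:
        for tmpl in templates:
            queries.append(tmpl.format(domain=domain))
        for kw in keywords:
            queries.append(f'site:{domain} "{kw}"')
    return queries


def in_scope(url, domains):
    """True if the URL's host is one of the target domains or a subdomain
    of one. Comparing whole DNS labels (host == d, or host ends with '.' + d)
    rejects 'notexample.com' and 'example.com.attacker.net', which a plain
    substring test would wrongly accept."""
    host = urlsplit(url).hostname  # already lower-cased by urlsplit
    if host is None:
        return False
    host = host.rstrip('.')        # tolerate a trailing dot (FQDN form)
    for d in domains:
        d = d.lower().rstrip('.')
        if host == d or host.endswith('.' + d):
            return True
    return False


def triage(urls, domains):
    """Split search results into (in_scope_hits, out_of_scope_noise)."""
    hits, noise = [], []
    for u in urls:
        (hits if in_scope(u, domains) else noise).append(u)
    return hits, noise


# Constructed sample data: one target domain and a handful of "results".
SAMPLE_DOMAINS = ['example.com']
SAMPLE_RESULTS = [
    'https://www.example.com/backup/db.sql',
    'https://dev.example.com/.git/config',
    'https://notexample.com/dump.sql',             # substring false positive
    'https://example.com.attacker.net/login',      # look-alike host
    'https://EXAMPLE.COM./index.html',             # upper case, trailing dot
    'ftp://files.example.com/logs/app.log',
]

if __name__ == '__main__':
    for q in build_dorks(SAMPLE_DOMAINS, keywords=['internal use only']):
        print(q)
    hits, noise = triage(SAMPLE_RESULTS, SAMPLE_DOMAINS)
    print('in scope:    ', hits)
    print('out of scope:', noise)
```

Running the script prints the six generated queries for `example.com` and then sorts the constructed results into four in-scope hits and two out-of-scope look-alikes. In practice the queries would be submitted through a search API with rate limiting, and the in-scope hits handed to an analyst; the point of the example is the query construction and the scoping check, not the submission.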
Anyway, all this talk of search and vulnerabilities came to mind last week during a stimulating technical discussion I had with industry veteran Vincent Liu, who serves as CEO of Arizona-based Bishop Fox. The company provides expert offensive cyber security consulting and testing services, which I will address below, and produces popular industry tools, including the Diggity suite.
“We're proud of our technical expertise,” Liu explained. “We have some of the best engineers, software developers, and, of course, hackers – all dedicated to providing tailored offensive services for our clients. Our engagements run the gamut, from cloud deployment reviews to application assessments, red teaming to third-party assessments. If you want to know your vulnerabilities, we’ll show you, no matter the industry, no matter the business.”
I asked about the services offered and Liu went through an impressive assortment of areas, including application security, network security, infrastructure security, architecture security, cloud security, and on and on. Pen testing is a special area of expertise, with support for both internal and external probing, expert red teaming, social engineering, and review of products and source code.
Since the value proposition for Bishop Fox is intertwined with the capability of its team, I asked Liu how he recruits and retains staff. “It’s important to maintain a supportive culture – and ours is often referenced as a hacker culture,” he replied. “We understand the unique needs of our cyber security experts and we offer generous training budgets so that our consultants can continue their education and participate in security research.”
After my discussion with Liu, I spent time watching videos from Bishop Fox team members, and I must say – the place looks like a supportive, highly technical culture. That balance is not an easy one to strike. But Liu and his team have had some time to fine-tune the approach: Bishop Fox has been in business for an astounding 14 years. Not too many cyber security firms, especially ones providing professional services, can boast that much mileage.
I get asked every day if I know someone good at assessment, pen testing, red teaming, and the like. And yes – there are many options, which, of course, creates business risk for any security consulting firm. But I can enthusiastically recommend Vincent Liu and his team for these types of offensive services. In fact, my money is on the Bishop Fox team and its impressive hacker culture to keep improving for at least another fourteen years.
After you speak with the Bishop Fox team, as always, please let us know what you learned.