The Voice of Cyberยฎ

KBKAST
Episode 158: Alton Johnson
First Aired: February 01, 2023

ALTON JOHNSON
Founder & Principal Security Consultant

Alton Johnson is the Founder and Principal Security Consultant for Vonahi Security. Prior to Vonahi Security, Alton worked at several large and small cybersecurity consulting firms as a Principal Security Consultant. Throughout his professional career, he has performed hundreds of security assessments for organizations ranging from small businesses to Fortune 10. He is proficient in performing both traditional security assessments, such as network, physical, and application penetration testing, as well as advanced security assessments, such as red team engagements.

 

With over a decade of experience as a security consultant and over 10 industry-related certifications, Alton has helped hundreds of organizations requiring unique, modern-day approaches to solve todayโ€™s most complex security challenges.ย 

As the Founder of Vonahi Security, Alton regularly conducts research to identify ways to help organizations combat ever-changing cyber threats through efficient, automated, cost-effective, and non-traditional security assessments.

 

Notable Accomplishments

Alton has developed several penetration testing tools and scripts that are used widely within the information security industry. Alton also developed and published several open-source tools to platforms such as GitHub, Metasploit Framework, as well as Kali Linux (formerly known as Backtrack Linux), all of which are the most recognized and used tools and operating systems within the information security consulting industry.

 

The penetration testing tools that were developed by Alton were written in multiple scripting languages, which provides him the ability to quickly and efficiently develop exploits and scripts that can be used for network traffic analysis, protocol/service fuzzing, exploitation, and quick completion of extremely time-consuming network-related tasks.

 

Certifications & Training

Alton successfully obtained some of the industryโ€™s most challenging and respected security certifications, including Offensive Security Certified Expert (OSCE), Offensive Security Certified Professional (OSCP), as well as eLearnSecurityโ€™s Certified Professional Penetration Tester (eCPPT). He also regularly attends information security conferences and has spoken at DerbyCon, Podcasts, and local community events.

 

Areas of Expertise

Cybersecurity, automated penetration testing, vulnerability research, exploit development, coding, cryptography, malware, phishing, social engineering, and technology innovation.

 

Non-Hacking Hobbies

Aside from cybersecurity, Alton is also a car enthusiast. He enjoys modifying and racing his car on the tracks. Heโ€™s also into photography, especially automotive photography, and shooting pool as often as possible.

 

Connect with Alton

Email: alton@vonahi.io

Website: www.altonj.ioย 

Linkedin: https://www.linkedin.com/in/altonjx/

Twitter: https://twitter.com/altonjx

Help Us Improve

Please take two minutes to write a quick and honest review on your perception of KBKast, and what value it brings to you professionally. The button below will open a new tab, and allow you to add your thoughts to either (or both!) of the two podcast review aggregators, Apple Podcasts or Podchaser.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Introduction (00:28)
You are listening to KBkast, the Cyber Security podcast for all executives cutting through the jargon and hype to understand the landscape where risk and technology meet. Now, here’s your host. Karissa Breen.

Karissa (00:42)
Joining me today is Alton Johnson, founder of Vonahi security. And today we’re discussing automated Pen testing. Alton, thanks for joining. It’s great to chat to you again. Now we will be linking the interview that we did on the Challenger interview with the Decipher Cyber Guide. So we’ll be linking that in the show notes if people want to have look at a little bit more fidelity about what you guys do, but then also a little bit more information about automated Pen testing if they haven’t thought that they’ve gotten up from this episode today.

Alton Johnson (01:12)
Sweet. I appreciate you for having me. I’m looking forward to it.

Karissa (01:15)
Now, I want to start with we’ve spoken at length about automated Pen testing. Again, we’re going to link it in the show notes, but for the purpose of this channel, I want to talk to you about what is automated pen testing because I think that people still get confused about what this is.

Alton Johnson (01:34)
Yeah, absolutely. Automated every Pen testing is definitely something that in the market is a little bit confusing, right, because there’s a lot of companies that will say they do automated penetration testing and then when you peel back the layers, it’s really just a vulnerability scan. So that’s kind of one of the things that we’re dealing with in the market today. And I think that will eventually change, but there’s a transition period that will take a while. But to kind of elaborate a little bit further into what that is. So automated network penetration testing is basically automating what a hacker would do if they were to compromise your environment and to take a little bit step back. When we talk about vulnerability assessments, everyone’s familiar with what a vulnerability assessment is, right? You have your popular products like Nessus, Wallace, Rapid Seven, et cetera, right? And those vulnerability scanners are typically designed to find surface level vulnerabilities. So for example, they’ll look at a house, they’ll go up and twist the doorknob and see if the door is unlocked. And if the doorknob is unlocked, that would be a vulnerability. Hey, your door knob is unlocked and here are the things that could possibly happen if somebody was to walk through the door.

Alton Johnson (02:41)
So that’s basically what a vulnerability assessment is, right? But a penetration test on the other hand, basically opens up the door to see what’s inside. It actually walks inside of the house and starts going through all of the closets and the drawers and stuff like that to find the sensitive data. And so when it comes to penetration testing, the ultimate goal of a penetration test is to demonstrate impact, is to basically educate the organisation that, hey, not only do your vulnerabilities exist, but if an attacker was to get access to your environment, these are the things that could possibly happen. These are the possible things. Here’s your Social Security numbers, here’s your passwords for all of your employees. And when it comes to automating that process, we’re basically taking that exact same logic and turning it into code, right? So I’ve been Pen testing for over ten years and I love coding. And one day I just decided to combine the two. And so as a penetration tester, I was constantly flying on site, talking to customers every single day, basically trying to penetrate their network and find as much sensitive data as I possibly could.

Alton Johnson (03:43)
And so from an automation perspective, we’re basically trying to do that exact same process. So the exact same things that I would typically do manually are the exact things that we went back to the back end and started coding. Okay? As a penetration tester whose goal is to find sensitive data, what is the first step? And we’ve basically taken that entire process and turn it into code. And obviously, when it comes to penetration testing, there’s a lot of differences as you get further into the network. Like, you may compromise a set of credentials that to get sensitive data on this customer’s network, you may use those credentials differently than you would on another customer’s network. And so we’ve taken that logic and those decision making processes and turned it into code. So we’re essentially automating that entire flow of the penetration test.

Karissa (04:31)
Okay, a couple of things that are coming from my mind as you’re speaking. Are people out there selling vulnerability scanning but claiming it is an automated Pen test? And if so, why? And are these people being questioned?

Alton Johnson (04:46)
Yeah, so unfortunately there are like the bad guys out there when it comes to this as well, in my opinion. I do think it’s associated to two things, right. I think from a marketing perspective it hits home a little bit more, hey, we’re doing penetration testing and in reality is just a vulnerability assessment. So I think some companies are using it as a marketing opportunity. You also have some other companies who are genuinely confused. I hate to say that because they’re like legit companies that are confused with the difference between a Pen test and a vulnerability assessment. And I think because of that, companies like ours, who will be popping up more in the future, as we mentioned, automated penetration testing, we’re going to have to basically explain and clarify that this is truly penetration testing and not vulnerability assessments, because that’s what a lot of people are used to hearing. And even prior to Vonnehigh, when I was a penetration tester, I used to think the same thing. I heard a company is claiming to automate penetration testing to some extent, and when you put back the layers, it’s just a vulnerability assessment. Or you talk to a client who say they’ve been doing penetration testing for years, and you look at the reports and they’re just vulnerability assessments.

Alton Johnson (05:49)
Right. So there’s a lot of that confusion in the market. And I do think that over time, we’ll finally get to a point to where it makes sense. But I think we’re kind of in a transition period because automated Pen testing wasn’t something that a lot of companies were truly doing. So there’s this huge prospective mindset of automated Pen testing isn’t really possible because no one has really truly seen an actual automated pen testing company.

Karissa (06:14)
When you say we’re in this transition period, what do you mean by that?

Alton Johnson (06:18)
Yeah, it’s kind of like AI, right? Like, you mentioned AI several years ago, and people just kind of like, whatever. It’s just another buzzword in the world, right? No one cares. And then over time, as we start to see more and more products and technology that incorporate AI, people are finally starting to believe that. You still have a lot of people who don’t believe it, but I think we’re finally starting to see, like, real world things that are being controlled automatically cars, planes, et cetera. And so I think when it comes to, like, penetration testing, it’s kind of a very similar, like situation. Right. Automated Pen testing is something today that people don’t think it’s really possible. But I think in five and six, five to six years, when there’s a lot of companies that are actually truly automating it, and there’s going to be some confusion, but I think more and more people will start to believe that it truly is possible.

Karissa (07:06)
Okay, so one of the things that’s really interesting that you’re saying is the things that you were doing manually historically is now automated. Can you sort of list out what the things that you were doing manually, which is now automated?

Alton Johnson (07:18)
Yeah, absolutely. So, for example, when it comes to the penetration test methodology, you would typically start off with host discovery, right? You’re basically trying to figure out what systems are active. You do your port scans, your service version scans. You start to figure out what’s on the network, and then from there, you start to enumerate those services in those systems to figure out, okay, what can I assess without having any kind of information? Like, what are some of the low hanging fruit? And then you start to kind of pivot over into exploitation. Right. You’ve already identified what your exploit attack paths are, what your attack records are, and then you start to exploit those systems. And then once you get a foothold within the environment with limited credentials, then you start to pivot from there and you start to crack hashes enumerate, shares, databases, things like that. You try to find your way to the highest level of privileges, which is typically like domain or enterprise admin. And then from there you’re looking for sensitive data. And so that exact methodology that I used to do manually, we’ve automated, for example, things like cracking password hashes, right?

Alton Johnson (08:13)
Typically cybersecurity companies that have a group of pen testers, they share a password cracking server. And there’s the inconvenience of pen testers having to wait for the other pen testers to finish their session before they can finally use the server. And that’s an inconvenience, right? It’s pretty inefficient. And in some cases, if you haven’t done an assessment that required cracking hashes, you may even forget which server you need to get access to in order to crack those hashes. And it’s just a huge process of trying to figure that out. Sending out emails to your pen testers saying, hey, I’m using the cracking server, things like that. So all of those headaches that I used to deal with as a pen tester, even in that scenario, we’ve automated that. So there is no more guessing, right? That’s 100% automated. We don’t ever have to touch a cracking server ever again. And those are some of the techniques that we’ve been able to incorporate.

Karissa (09:04)
So one thing that’s interesting, I do a lot of talks about universities here in Australia and the question that always comes up is like pen testing. So I think that maybe there’s a skewed view in the market that as you’re sort of talking about and as I know from our previous chats, pen testing in the traditional sense is like kind of out the door. So what sort of advice would you have perhaps to people who are looking to get into the pen testing field now? Because I’ve often even referenced you guys and talks to say, hey, you should be looking at what these guys are doing. Like it’s not just how it used to be in terms of a traditional Pen tester because this is something they often get asked about. And so I sort of want to maybe pull the veil back a little bit and hear your thoughts on it because it’s your space and you’re the expert in it. Because I think that perhaps people are still maybe unsure that this is the way the market is moving in terms of automated Pen testing.

Alton Johnson (09:55)
Yeah. So just to clarify, right, so we’re basically talking about, like, how someone would want to get into pen testing. Like a student, for example. I think today, right. I would definitely still pursue your certifications and your courses, and there’s a lot of opinions about certifications and stuff like that. But the real value here is the content that you’re consuming, right? Like you may throw some certifications and people may go, oh yeah, whatever, no one cares about that. But when you actually enrol into those courses, like your OSCP, your Elearn, security certifications, things like that, there’s a lot of great content in those courses. Regardless of what people think about the certifications, there’s a lot of great knowledge that you can obtain from those courses. And I think that’s really something I will still put a lot of emphasis in as far as, like, studying. Of course, one of the biggest things too nowadays is really security research is an ability to demonstrate that you can use kali, you can run the tools, you understand the penetration test methodology. And for me personally, I really, truly feel like a lot of the courses that I’ve taken really kind of helped me expedite my learning and my career path just because I was able to consume so much knowledge and apply it on the job.

Alton Johnson (11:02)
And that made me pretty skilled pretty quickly.

Karissa (11:05)
Yeah, no, thanks for clarifying that. I think it’s just getting that awareness around where the market is moving sort of long term. So when you said before out in like five to six years, things will be different and you sort of discussed this transition period, what do you sort of see in the next five to six years? Will we even have traditional Pen testers at all? Or what are we looking at here?

Alton Johnson (11:27)
Yeah, absolutely. So there’s still a lot of security services that could be offered manually, right? Like web application penetration testing are very popular requests when it comes to penetration testing. And of course, stock two requires a penetration test and there’s going to be companies that will probably get into automating application testing. It’s a lot more dynamic than network testing. Just as a person who has been a part of the automated network penetration testing and developing, that even the things that I think are pretty close to extremely complicated. I still believe that those things are going to be automated. But in five to six years, I do think that there’s going to be a lot of Pen testers who will probably focus a little bit more like application testing, red team engagements, things like that. And also to coding too. Right, because as we start to see more and more automated security services which are developed by Pence and developers, I think that will probably increase the demand for coding. Right, because people who code really drive these automated platforms that you get pushed out today. So I think we’ll see a pretty interesting shift to coding with Pen testers as well.

Alton Johnson (12:35)
It’ll be more important along the way on their journey.

Karissa (12:40)
You sort of touched on at the start of the interview the difference between traditional Pen test and automated Pen test. But you did sort of mention as well that people do get confused what are typically sort of the areas, or is it the language that people get confused on in terms of how they determine the difference. Is there anything specific that comes to mind that you’ve sort of seen in your experience, perhaps people not quite understanding the difference?

Alton Johnson (13:04)
Obviously, penetration test complements a vulnerability assessment, right, because you need to find the vulnerability before you can export it. So even if you’re a Pen tester, sometimes you may be doing a vulnerability analysis manually, so there’s a little bit of a blend with that, but I do think that a lot of it has to do with the scope too, right? I’ve had some customers actually do a Pen test, but no exploitation. That’s not really a Pen test, right? It’s just a vulnerability assessment with a little bit of validation, but it’s not truly trying to penetrate the network and find data. So there’s a lot of conversations around the scope of what a Pen test is versus a vulnerability assessment. But obviously the biggest thing is really like demonstrating impact by actually proving it. And that’s really the biggest question, right? If that assessment is intended to prove the issues, then that’s most likely a penetration test. But if it’s just simply designed to tell you what the vulnerabilities are and not anything beyond that, it’s mostly just a vulnerability assessment. But I do think that there’s just a lot of companies that try to blend them together because unfortunately they’ve been able to make it through by tricking people and not being completely educated themselves.

Alton Johnson (14:08)
And it’s one of those things to where there’s always going to be that batch of bad or misinformed that will be in the mix of everything.

Karissa (14:16)
There’s a couple of questions you said before that depending on the scope, some clients will say, we just want a Pen test for that, like exploitation. Why would someone ask for that, though? Or do you think, again, it comes back to not understanding specifically the value of this.

Alton Johnson (14:31)
So a lot of times it is it departments that have their own intention, like their own motives, right? They don’t want you to get deep and find all of the bad stuff and basically point it out. You have some organisations that are just simply trying to cheque the box, right, so they don’t really want you to go, they just want to do the bare minimum to satisfy that requirement. And I think a lot of times too, companies don’t truly get the information that they need about exploitation, right? When you say exploitation, a lot of companies just assume that that’s the worst thing possible, it’s going to take things offline, it’s going to destroy stuff, it’s going to cause disruption. And that’s usually not the case when it comes to an experienced penetration tester. We know the types of exploits and tools to run that will prevent those types of things from happening. But I think there’s a good mix of a lot of that just basically not understanding what an exploitation looks like and how that impacts the environment, not understanding the value of a penetration test, just simply trying to meet the requirements that they need, whether it’s compliance or insurance, things like that.

Alton Johnson (15:36)
Yeah, I’ve seen that a lot.

Karissa (15:39)
So you mentioned before a great point, by the way, that the It team doesn’t want anyone to look too far because is it this fear of them being exposed? Is it that because then that sounds counterintuitive to doing the test in the first place.

Alton Johnson (15:56)
Yeah, it is definitely very interesting. A lot of political reasons, I’m sure, too. But I’ve seen example an It person on the phone basically saying that they don’t want you to do a pen test, they don’t want you to exploit anything, but they want you to do a pen test. And you try to sit there and justify or explain that that’s not a pen penetration tests, but they need a pen test for a requirement, but they don’t want you to go deep into finding it. And so, like, in one particular case, we were able to finally convince the customer that, hey, we need to do a penetration test. I think you haven’t done one before, or you’ve got a lot of valuable data for an attacker if they were to get access to your environment. And once we started exporting things, I mean, we started seeing everything, reuse passwords, FTP shares on the Internet, containing sensitive data, all kinds of stuff that vulnerability scanners just typically wouldn’t discover. And so that did cause a lot of issues within the organisation. I’ve seen It people get let go and all kinds of stuff because of things that they said that they were securing and they really weren’t.

Alton Johnson (16:52)
But yeah, I think there’s probably just a lot of political reasons for that as well.

Karissa (16:57)
Okay, this is where it gets really interesting. So you just explained this dynamic. You just mentioned that the It guy got let go, for example. So do you think that some people don’t want to do the test because maybe they know there’s issues, they don’t want someone like you to not expose them. It’s not the right word, but illuminate that there’s some serious flaws in their environment. And then as a result, if this gets again illuminated to executive team, this person’s potential jobs, that on the line. So is it more selfishly about protecting their own personal job rather than an organisation?

Alton Johnson (17:32)
I hate to say this, but personally I do believe that’s the case. In that particular scenario I just mentioned, the It guy was just very nonchalant and just really thought that he was doing a good job at protecting things, but didn’t want us to prove otherwise. And I think their boss and stuff like that, we’re really relying on that team to protect the environment. And we just saw a lot of just sensitive stuff. That was really one of the best networks I’ve ever tested as a pen tester. Right there’s just so much stuff just went all around. But yeah, I think it’s really more of a personal reason. Like, I don’t want them to expose how bad I have a job that I’m doing and I got to find them a job, right? So I think that’s a big part of it.

Karissa (18:13)
Okay, so from a leadership perspective, how can people handle that? So at the end of the day, we do penetration tests to obviously find the issues in our business so we can then fix them. But maybe you think that from a leadership perspective, if we find something, we’re not going to, like, fire you. So maybe in this particular case no, I don’t know the specifics. I’m just speaking very openly here. Maybe it wasn’t the right decision to fire that guy because now other people are going to be worried, and then as a result of them being worried about their job security, they’re not going to want someone like you in their doors to be like, hey, here’s all these bonds, this is what’s happening. So how do you handle that from a leadership perspective? Because I think that this, to me, sounds like a very vicious circle. So it’s like, oh, I don’t want someone like Von Ohio Security coming in here because potentially my job could be on the line. And then they’re trying to protect themselves. They’re then actually not trying to protect their business as a result of that.

Alton Johnson (19:11)
Yeah, I think as a leader, especially with me and my team, I always want to empower the team. We’re all trying to solve a good problem, and even from the opposite side of an organisation that they’ve got their It security team, I think it’s one of those things to where you want to make sure that everybody feels pretty happy. Right? Because we’re working on the same team right now. We’re not coming into the environment to find the flaws, to basically show how bad everybody’s doing. That’s not the goal. We’re trying to help. We’re trying to find the flaws so that we can point you in the right direction to get those things fixed. And so I really think it’s just a mindset of understanding that because a lot of pensioners have experience where you go on site, you don’t even do anything, and everyone’s blaming you like they hate you. They don’t want you to succeed because they don’t want you to find anything. So I just think we have to shift our mindset to this cyber security company is trying to help me. You want us to find things, right? Because if everything is perfect when it comes to technology, I don’t know, is that really something you want to see?

Alton Johnson (20:11)
Because for me personally, if I was the It person of a big company and there’s a pen tester that came in, he found nothing, that would be a little bit worried, like, man, maybe there’s a lot of stuff that this guy just doesn’t know. You always want to take those reports and just start improving things. So it’s really just a mindset of we’re trying to help and not hurt.

Karissa (20:31)
But do you think some people’s mindset from a Pen tested perspective is, Haha, I found stuff? Do you think there is a little bit of that in there sometimes, though? Like, you’re saying we want to help and I’m definitely not arguing that point, but I do think there are people in there that literally get a kick out of, oh, look how dumb these It guys are.

Alton Johnson (20:49)
Yeah, I do think there is that, right, because there is a lot of excitement when it comes to finding sensitive data. It’s really exciting. Right? But yeah, so I think from the Pen testers perspective, too, we also need to make sure that it’s okay to get excited, but we don’t want to throw it in people’s face. Right? Like we want to say, oh, man, like, I found it. Like, you didn’t think I was going to find it. Like, you can kind of turn it into a little bit of a game and like a little challenge. But it doesn’t have to be like malicious, right? We don’t have to try to go out there and prove to the world how bad this company is or prove to this guy’s boss how bad the environment is. I just want to have a positive attitude to make sure that we’re all on the same page. We’re trying to find the issues and fix them together rather than the cause problems.

Karissa (21:27)
Now, I want to sort of shift gears and speak about value. You mentioned that before, that perhaps if people are just doing a vulnerability assessment, certain things are not going to be picked up. You’re absolutely right. So if you look at a VA, as we know, it will only pick up, like, certain vulnerabilities, if any, opposed to more of a traditional Pen test. But how would a client derive value from an automated Pen test in terms of the report? What type of things are going to be shown?

Alton Johnson (21:55)
Yeah, absolutely. There’s a lot of cool new things about automating a Pen test that we haven’t been able to see before. So, number one, there’s obviously the price point. You don’t have a human that’s sitting behind the keyboard on a Monday morning after a long weekend, like paying that person to do a full blown Pen test. That’s pretty expensive. And we all know, you know, we’ve all seen the very expensive Pen test engagements that seemed like it should have been much cheaper. So there’s really the cost factor, right? That’s one of the big things. The other thing cheaper is obviously this speed. So rather than waiting a long time to get a Pen test done, you can basically just log in, schedule an assessment and get it done. I mean, a traditional way of scheduling a Pen test is just chaotic. I mean, you have to call up a lot of companies, you have to figure out when they’re available, what’s the cost and you have to figure out if the cost is if that makes sense because they can get to you sooner. You got to all these different decisions you have to make to figure out how to get an assessment done and if you need it done pretty soon, that’s going to be pretty tough and obviously towards the end of the year.

Alton Johnson (22:50)
So I think speed is another big thing. But one of the other things too, right, is because we’ve automated the process, we’ve been able to incorporate the logic of multiple pen testers. So it’s very consistent, right. Obviously as a human, especially as a Pen tester, we’re very creative, we always trying to find new ways to do certain things. But one of the problems though is that as new vulnerabilities and exploits come out, you kind of have to just memorise what to do when you’re doing your tests, which is not a bad thing, but you can’t memorise everything. So it is very possible that you can get the same person twice, one person this year, the same person next year and get slightly different methodologies because they forgot to do something or they just skip it for whatever reason or anything like that. So there is that consistency as well. And then I think the biggest thing when it comes to automation is really the frequency, right? So you have your once a year pin test engagements and those are good. But I think we’re kind of moving to where we want to get those assessments done more often because there’s more and more breaches happening.

Alton Johnson (23:48)
The impact of those breaches are pretty bad. If you perform a penetration test in January and something crazy comes out in March, if you’re doing a once a year pen test and your vulnerability scanner doesn’t pick up that issue because it’s a surface, it’s a vulnerability that requires post exploitation, you won’t know how that vulnerability impacts your environment until you do your pen test next year in January. So with an automated penetration test, have the ability to schedule recurring, consistent, affordable penetration test engagements to be able to capture those types of issues more frequently as opposed to just that once a year.

Karissa (24:24)
So you said we should be doing testing more often. How often would you say people should be doing it now?

Alton Johnson (24:31)
Yeah, I’ve seen companies that are doing it monthly and obviously that’s a pretty good schedule. But some of those medium to larger sized businesses, they’re probably going to want to do it at least quarterly, I would say, because a lot of times when they’re fixing issues they typically can’t resolve all of the things in just a month, right? Typically it takes a long time to get everybody on the same page and meetings and stuff like that and you may end up doing a Pen test. Once a month and realise that your first two Pen test engagements, every quarter, it looks exactly the same because a lot of the issues haven’t been fixed. So I would say once a quarter would be good. Again, going back to the frequency, there’s different companies that have different challenges, different requirements, different expectations with their security programme, so they have the ability to run that more often if they want to.

Karissa (25:16)
Okay, so thanks for clarifying that. A couple of things as well. Just on the automated side of things, do companies need to then do a VA with an automated Pen test? Is it both or do you not then need it? Will VAS become redundant or do you sort of couple them up as well when you’re doing an automated Pen test?

Alton Johnson (25:36)
Yes, we definitely still perform vulnerability assessments as part of the penetration test. I do think there’s a lot of value in vulnerability assessments, but I do also think that penetration testing can demonstrate additional value that you wouldn’t have even thought of if you’d looked at just the vulnerability assessment results. I do think that vulnerability assessments on a frequent basis, just like they are now, are pretty good. But, yeah, we definitely still perform those as part of our assessments as well.

Karissa (26:01)
So would your process be, okay, we’re going to run a VA, then we’re going to do the automated Pen test, or is that normally how it works? How soon after do you start doing the automated Pen test, for example, at the same time you’re running all of these things?

Alton Johnson (26:19)
Yes. So for us, I want to build assessment. If the partner chooses to run one, it actually feeds into the penetration test. Like any extra data, any extra ports that the vulnerability scanner found, things like that, and of course, vulnerabilities. We do have the capability to run them side by side. So we typically run the vulnerability assessment first and then once that’s completed, it starts to go into the penetration testing part. And that’s just in case there’s any extra value that we can extract from the vulnerability assessment.

Karissa (26:47)
So would you say, Alan, that automated Pen testing may miss things because you just sort of said before that VA sometimes may feed in like additional ports or things that maybe you didn’t know that you could find on the automated Pen test? Or is there a large amount of discrepancy or how does that work?

Alton Johnson (27:03)
It could validate some of the Pen test findings. Right. Or some of the things that the vulnerability assessment find. Sometimes the vulnerability assessment typically find things that as a penetration tester, we’re not necessarily looking for very low level SSL findings. Typically, Pen testers don’t really care about that. Well, people will put that into their reports, but it’s not really writing a lot of value. So there are some things that vulnerability assessments would provide. That a penetration testing process, because we’re not trying to replicate, we’re not trying to do the exact same thing as a vulnerability assessment. We’re trying to focus on the big issues that actually demonstrate impact. So you will see some low and informational level vulnerabilities from a vulnerability assessment that penetration tests wouldn’t necessarily go after because the likelihood of exploiting those things is extremely low. It’s not a common thing, there’s no exploitation available for some of those vulnerabilities, things like that. So there is some value, but I wouldn’t say the penetration test would miss vulnerabilities that could prove to be extremely bad in the event of an attack, if that makes sense.

Karissa (28:00)
Okay, so if you run the VA first or vulnerability assessment and then you run your automated Pen test, do you ever need to then get sort of someone manually in for the last 10% or is that rare?

Alton Johnson (28:13)
So for us, basically the penetration test is 100% automated and completed. However, we do have a QA process where we have a human. The goal for us in that QA process is really to drive new development ideas, right? So if there’s a new exploit that just came out and we want to get it incorporated, we may want to see at the end of the Pen test like what would be the best way to incorporate that into the process. And obviously we don’t automate application testing, but we are building out modules and exploits for application vulnerabilities that we could feed into the network penetration testing platform just to kind of contribute to stuff like username enumeration and stuff like that from printers and address books and stuff like that. But yeah, so we do have a QA process that essentially looks for new opportunities to automate new things based on the results of that Pen test.

Karissa (29:00)
Okay, so where do you see the most value in an automated Pen test? But is it geared more towards SMBs or enterprises or both?

Alton Johnson (29:13)
I would say both. For us, we’re really focused on the SMB market because they don’t have many good options to do a Pen test. It’s just too expensive. We work with a lot of MSPs to essentially let them offer penetration testing using our platform. But however, we do have some direct businesses that are really large that I’ve worked with in the past who have came over to Vona High Security to take advantage of the automated platform. But I would say for us, we’re primarily focused on SMB market, but there is definitely a lot of value that larger businesses could extract from it as well.

Karissa (29:43)
So would you say that you just mentioned before, great point, SMB is maybe too expensive to do a full blown traditional Pen test. So would you say that in the past that people have forgone doing these activities, it’s way too expensive?

Alton Johnson (29:56)
Oh, absolutely. Most of our partners have never been able to offer Pen testing in the past to their customers and that exact scenario, right? They wanted to do Pen testing in the past, but they just haven’t found a solution to be able to do that at an affordable price. Either they’ve had a few customers that could afford it, had to make some sacrifices, or they just haven’t done it because they just couldn’t find an option that’s the market that we’re after is basically helping out those SMBs and those MSPs.

Karissa (30:24)
So in terms of insights, have you ever sort of had anyone come back and say, because obviously it’s a better price point for me, I actually found out a lot of things about my organisation and my environment that I didn’t know I had. And then as a result, they’ve taken the most proactive steps to make sure that they’ve got this resiliency now within their business. So do you think that people have come back and said, because of what you guys have offered has really helped them in their security journey, so to speak?

Alton Johnson (30:52)
Yeah, absolutely. I think for a lot of our partners, they obviously do their best to try to implement security and stuff like that. But I think when they do their first proof of concept and they see the value, like all of the things that they thought they were securing or they had some misconfigurations, I definitely think that they understand the value of a penetration test, especially an automated one at that point. Right. Because we all do our best, but we never know truly how good it is until someone else comes in to find the flaws. Right. I definitely think that we have a good bit of those scenarios.

Karissa (31:25)
So, quick question. When companies have traditionally outsourced pen testing or traditional pen testing, they don’t always necessarily go the same pen testing house. They’ll change it because people have different theories, different strategies. How does that work with automated pen testing, then? Or is it what you said before around incorporating some of the logic then? So you’re getting more of a well rounded approach?

Alton Johnson (31:46)
Exactly. The thing that I love the most about our product is that the pen test is automated and so we spend a lot of our time on the R and D side right, security research, talking to all the pen testers, figuring out what everybody else is doing, new tools. We’re part of reddit the next community and so we are basically on the side of what’s new, what’s coming out, and as we see other pen testers, or we get feedback from other pen testers, who we work with, because we work with a few cyber security companies as well. And any suggestions and feedback and thoughts from other pen testers, I don’t know, maybe it’s a personal thing, but I love collaborating with other pen testers on what they’re doing that we’re not, or what their strategy is in different scenarios. And we can incorporate all of that into the platform, which is really cool.

Karissa (32:29)
So I’d like to zoom out now and let’s talk about the industry now, I’ve sold pen testing in the past. I’ve also worked on the client side in a client in their pen testing team. So many people out there in Australia, in the United States or wherever you are, they’re still selling expensive traditional pen testing. So where do you sort of see this heading?

Alton Johnson (32:54)
Yeah, I think we’ll probably start to see partners using automation, right, to become more competitive because obviously there’s a lot of MSPs and then there’s a lot of MSPs that are trying to convert to an MSP. They’re trying to get into security. I think they’re going to eventually start incorporating some automation and bringing down their prices, which will hopefully drive people to do more continuous testing as opposed to.

Karissa (33:15)
Once a year, if you look at it, depends on the price. Some people are charging, like 2000, 3000 I’ve seen in the past, per day for a Pen tester on site. What are your thoughts on that? Are people just sort of price gouging now? That’s a lot, right? And so if you’re doing something for two weeks or you get something for a month, that’s quite an expensive test. So what are your thoughts on that? Do you think people sort of don’t want their clients to potentially listen to this interview? Because they’re going to be like, oh, wow, potentially my business is going to go down the drain again. Does it come back to the selfish piece of it? Because that old saying, don’t fix what’s not broken type of thing. If people are paying for it, why change it?

Alton Johnson (33:58)
Yeah, I think that’s a very interesting question. We work with some cyber security companies that actually have pen testers on their team, right? And I think they’re on the side of, hey, I know that automated pen testing is eventually going to get to a point to where we’re going to probably have to revamp our team and stuff like that, but I think for those partners on our side, they’re basically using their resources to now focus on other things, right? Application testing, red team assessments. Like they have the bandwidth now to offer other services within our organisation as opposed to having all of these people just simply focus on network penetration testing. Again, it’s going to be the cyber security companies that don’t care about automation, they don’t really want to adapt to new technology, they don’t want to deal with that and there’s definitely going to be a lot of those out there.

Karissa (34:46)
So do you think that, again, people are selfishly looking out for themselves rather than the clients?

Alton Johnson (34:53)
I do, I absolutely do.

Karissa (34:56)
Why do you think that’s the case, though?

Alton Johnson (34:58)
It’s one of those things where they’re just trying to capitalise on this moment for as long as they could, right before automation really kind of picks up and starts to kind of eat into that market. But it’s one of those things where they don’t want to lower the prices, they just want to keep raising them up. So it definitely sucks, but we’re hoping to help hopefully change that. So it’s just going to be a matter of time.

Karissa (35:21)
So you’re laughing as I say this, am I right in asking? I’m just being neutral. I’m just asking you the questions. I’m just curious to know that do you think, though, that people are really just again focused on the money that they make from pen testing?

Alton Johnson (35:37)
I do. I absolutely do. There’s been cases too, where we’ve offered pen testing for a really low price and we have actually seen that a case or two of someone actually still charging the price that they charge last year, the previous year. So they’re getting a pen test, they’re using the platform to basically make more money. Right. They’re not lowering the price for what they’re offering. But as far as the freezes, I don’t know. I do wish to stop, but I think there’s going to be those people out there.

Karissa (36:11)
So for someone listening that’s about to engage some pen testing out to do a physical, traditional Pen test, what sort of advice would you have for someone?

Alton Johnson (36:21)
Yeah, I would definitely ask about the processes and the justification for the cost. Right. In my opinion, there’s a lot of inefficient things that customers are paying for, right? Like reporting there’s Pen testers that are hacking networks in 2022 and having to spend 1220 plus hours writing reports. It’s not something that I guess the customer could change. But just out of curiosity, like, what’s going on behind the scenes, like dropping the price so high. But on the other side, I would definitely look into automated Pen testing. I mean, it’s something that today may not seem like a big deal because things are working the way they are in the traditional world, but it’s something to kind of get ahead of. Right. You can do an automated Pen test compared to your last Pen test engagement, understand. Is it truly automating? It what’s the value that I’m getting from the automation side of it. And I would definitely just give it a shot and see what you come up with.

Karissa (37:14)
So Alton, I really appreciate your insights and your thoughts today and your honesty in terms of any sort of closing comments or final thoughts. Is there anything you’d like to leave our audience with today?

Alton Johnson (37:24)
I think the only thing is when it comes to automated Pen testing versus vulnerability assessments for any customers or any companies that are actually offering or say that they’re offering automated Pen testing, I would definitely try to do a proof of concept and look for the impact in those results. Don’t just look for the vulnerabilities, hey, I’m vulnerable to XYZ, but look for that impact. See if the report is actually taking the vulnerability and trying to export it. And if it did exploit it, how far did it get? Right? Because I think that’s something that over time. Like I said, it’s going to be something that requires there’s going to be a huge shift in educating people on penetration testing and vulnerability assessments. But as far as trying to just determine if you’re doing a penetration test on vulnerability assessment, I would definitely just be on the lookout for that impact, because that’s really the biggest component of the penetration test is demonstrating that impact. So I would be on the lookout for it.

Karissa (38:18)
Well, thanks, Ellen. Thanks for sharing your thoughts and your insights and your time today. Thanks for coming on the show.

Alton Johnson (38:23)
Absolutely. I appreciate it as well.

Karissa (38:25)
Thanks for tuning in. We hope that you found today’s episode useful and you took away a few key points. Don’t forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security, search and recruitment solutions. Visit Mercksec to connect today. If you’d like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KBI Media, the voice of Cyber.

Share This