Carving Your Own Cybersecurity Path: Growth Beyond Your First Job

Listen to learn how introspection and communication can make you a better technology professional.

PCI Community Meeting North America Special Podcast Recording:

SecurityMetrics Podcast | 78


Cybersecurity professionals come from all walks of life, and true professionals find ways to improve their skill sets at each step of the journey.

Pentester and Security Consultant Joseph Pierini (CISSP, CISA, PCIP) sat down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) at PCI Community Meeting North America to discuss:

  • His unique entry into cybersecurity
  • How he continually found non-traditional ways to forge forward in his career
  • How introspection and communication make him a better technology professional

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Carving Your Own Cybersecurity Path: Growth Beyond Your First Job

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts at SecurityMetrics coming to you from the PCI North America Community Meeting. And today, I'm very excited to talk to Joe Pierini, industry veteran.


I'm excited to talk to Joe because he's got a lot of experience both in getting into computers and into security and then PCI. You have such a breadth of knowledge. I thought there would be a lot of interest from our listeners in just hearing kind of about your journey, how you got into this, what you do now.


Take it away, Joe.


Thank you for the kind introduction. It's wonderful. I've loved SecurityMetrics for years. I mean, we were always competitors, yes, but we were also colleagues.


And we worked together. I've worked with Chad. I've worked with Gary. I've worked with the team for many years.


So I really appreciate the chance to be on here.


Oh, it's absolutely delightful to get to talk to you. And Gary was insistent that I have a conversation with you because, like you said, the experience and the longevity of the relationship. And I think that's one of the things I like the best about SecurityMetrics is, yes, we can have competitors, but I often have competitors on to talk about their solutions even on this podcast, which is kind of unique. And I really appreciate SecurityMetrics for letting me do that.


Yeah. That is cool. Because I think if we can come together and share some of the different ideas we have, specifically around PCI for example, then we carry the same message. We're not confusing the customers.


Exactly.


We can also work as a team to make it stronger and better and maybe some testing techniques that you're using are more effective for segmentation or for identity and authentication, whatever the case may be. But if we can share that, we can also produce consistent reports that make it easier for customers to be able to contrast and compare and talk to each other.


Right.


So, yeah, I think coming together as a team is important.


And I would love to talk about how you worked with Chad and SecurityMetrics to develop some of the penetration testing guidance for PCI. But first Mhmm. Your entry to computers and to security and to PCI is very compelling.


Maybe just tell me a story.


Yeah. It's been an interesting journey. So I didn't start my career as a computer guy or more in security. I was an optician. So I made the eyeglasses that you and I are wearing. That was my day job, and I would go in and cut lenses, and I used computers to calculate the curvatures of the lenses, and we had an old 8088 that we were getting rid of and I said, could I get it? So I got it, and I spent the weekend trying to get it online. My father had given me an old US Robotics 300 baud modem.


Mhmm. God. Good day.


Yeah. Oh, God.


The aluminum thing that was also, you know, a Ding.


Ding.


Home defensive weapon. And I spent the day trying to get it on, getting it plugged in. I'm trying to jam things.


I'm running down to Radio Shack, which was still a thing Yeah.


To get adapters to try and fit it into the back for my cables. And I spent it and I discovered after all this time and effort that I had effectively connected the US Robotics to the printer port.


Oh, perfect.


Yeah. And that's what it took to get me hooked. I'm like, okay. So what's the difference between and I went down this hardware path.


Yes. How does this work?


How does this work? This is amazing. And then, you know, I picked up an old hard drive at a garage sale. Mhmm. Twenty megabytes, thought I'd never fill it. Yeah.


And put that in and picked went from It was massive.


Yeah. I went from a CGA to an EGA monitor and then a VGA card.


And one of my patients at the optical office that I was working at gave me an 8088-to-286 overdrive chip. So you would plug it into the board. You plug the chip on and then you would hit the turbo button. It was the only reason that the turbo button really existed, and I had a 286. So the thing that is pretty consistent in my journey is I've always not had a lot of money to get there. So while my colleagues were all going out and getting Microsoft certified, I couldn't afford those. So what I did was I started a nonprofit in Napa called the Recycled PCs Program.


Oh, wow.


And we would collect used equipment from businesses Okay. Two generations out.


Mhmm.


And then they had given me a classroom Mhmm. And we set up a lab and I would train adults in the evening, upgrade and repair the IBM compatible.


Oh, fascinating.


And I got access to more equipment than I would ever know. And it reinforced it because I had to then teach somebody else.


Mhmm. Yes.


There is nothing that helps you learn something Exactly.


Like teaching it. That's amazing.


I remember the first class I had, I went thirty minutes, dismissed everyone, lay on the floor on my back and thought, what the hell am I doing? I don't know. They don't. Imposter syndrome from day one.


Yeah. Massive decompress and wrestle with that ego a little bit.


And then just picked up and started, and from there, I was able to move from optical into computers.


But I still didn't go immediately into becoming a network engineer or sysadmin. Uh-huh. I went into sales for a value added reseller.


Oh, interesting. Okay.


And one of the computer guys there taught me networking and operating systems Okay. And more and more and more. And I leveraged that to get a real sysadmin job, continue to do sysadmin work.


I was working at an e commerce developer Mhmm.


In Petaluma, California.


Uh-huh.


And my systems were getting hacked into. And I didn't know. We wouldn't know until all of a sudden we'd have no disk space because they were knocking over the SMTP service, putting in an FTP server, and then using it for zero-day warez.


Oh, wow.


So it wasn't malware or anything. It was just books and movies and music and nothing in a language typically that I understood.


Mhmm.


So it wasn't of value to me, but it caught my attention. How are they doing this?


What are we not doing?


Mhmm. And I had no idea how to get trained. So I like many, I went out and got my CISSP.


Mhmm. Which does nothing to help people out.


Gonna make you a hacker. It is not. Gonna put you into penetration testing. Nope. It will I mean, if we're honest, what it's gonna do is it's gonna level the playing field if you're up against another candidate with one.


But as far as it being practical for Yes.


Hacking, not so much.


Let's be honest. People ask me all the time, should I get my CISSP? And I say, what's the job that you're going for? What does it say in the job description?


Get that. Because, like you said, it levels the playing field. Maybe it shows that you know how to take a test. But if you want to know how to do things, what you're describing is amazing because what you're doing is starting with where you are and then, how do I either solve a problem or get to a next step where I want to be.


Mhmm. And so many people, I mean, you probably have the same experience. How do I get into computers? How do I get into security?


How do I get into PCI? Well, I don't know. Where are you now? Start there.


Exactly. Look around with what you've got and figure out how you can use it to your benefit. Yeah.


Once I got the CISSP, I took my resume. I sent it to a company called Hacker Safe, which was an old company that did a little banner at the bottom of shopping carts to say that they were hacker safe. They were tested every day, and it was kind of a controversial service on the Internet. Some people liked us. Some people absolutely hated us. But I sent it to them and said, ask your hackers what I need to add to my resume to get into pen testing.


Okay.


And they said, tell you what, why don't you come work for us and we'll have them teach you. Wow. So I came over there, worked there. And that was my introduction to both web application penetration testing, network penetration testing, and also PCI, because Hacker Safe was also an approved scanning vendor, or an ASV.


Oh, okay. Uh-huh.


So that was my introduction to the standard.


Mhmm.


And I would go to this community meeting and sit behind the booth and talk to people about our service and begin to understand more and more about PCI and, you know, what role could I play in it. And I was only in Requirement 11 at that point, but it was still exposure, and I could start to learn from other people more and more how to interpret the standard.


And eventually, someone offered me a role as a QSA Oh, okay. Company called PSC.


Mhmm.


And I started and I discovered quite rapidly I hate being an auditor.


If you don't like it, you shouldn't do it. It's for me That's my rule.


Because I was a sysadmin. For me, it was eight hours a day of people lying to me because I know you're not doing the things that you say you're doing because I've been there. I know you don't have the time. I know you don't have the resources.


You know? So people were blowing smoke up my tuckus, and I had a chance.


The manager of the optical or, excuse me, the pen testing lab Uh-huh.


At PSC decided he wanted to try a more athletic career in, I think it was, kiteboarding.


That seems like a departure.


It was. But he was always really excited at it, and we're like, great. What are we gonna do about the lab? And I threw my hand up and said, let me give it a shot.


Okay. And from there, I just still didn't know what I was doing. Mhmm. But I hired people that did, and they were able to share with me.


And we created a program that would allow us to work within the PCI requirements, do penetration testing, really focused on the regulatory regimes, and allowed us to take companies that were not anywhere near compliant and provide them with at least some controls and some tools so that they can understand it. And then we'd teach them how to test themselves, so that when we left, because the value of the pen test is very... it's got a short lifespan.


It's very point in time.


Point in time. And if you only do it once a year, not very useful. So we would leave with them different ways that they could do some continuous testing.


Interesting.


That way, you know, because I didn't wanna hide all of our secrets. Our pen test reports were written with the exact syntax. The rule was you had to put the syntax in such that even a junior Windows administrator could reproduce the vulnerability. Yeah. Because if you can't show them how it's done, at the time, there was a lot of it's just because you guys are special. It's your magic boxes. It wasn't. We had to show them that it was something that they could do too, because once you remove the mystery and myth around the vulnerability, then it becomes real, and it becomes real to you.


So that education piece was really important to Always has been.


Giving them a way to to remediate that vulnerability.


Yeah. I think the best pen testers are more educators.


Yeah.


And and that's not how I started my career. I remember the first couple of times I was like, you guys are so stupid. Look at you. This this and this. And I really wasn't particularly mature in my message.


But over time, I began to recognize that they've got a lot to do. So you can't just come in and say, this is what's broken. Go fix it, and leave. Yeah. I know I can't fix it because that would be an independence problem. But I can show you how and give you as much resources as possible in my reports.


So I think some of the better reports are written in a way that people can follow along with the hack, can see how it was done, and then they can see how it was fixed.


You know, I agree with you. And whenever I deal with my customers with empathy, I think they have a better security stance. We have a better conversation.


In the end, we're all trying to do the same thing. Yeah. And so I love that you developed that perspective and the educational component. It's brilliant.


And that's something that we shared with SecurityMetrics in terms of philosophy. And in 2015, Chad and I and Gary worked on the guidance for penetration testing for the PCI Council.


And it came out in 2015, was updated in 2018, and kind of shows how penetration testing should be done.


Because early on, we were seeing some crazy things. Like vendors were saying, open up a hole in your CDE for us and we'll pen test from there.


Or, you know, give us access to your CDE. We'll get send it boxed and put it in. And that's not how it's done. That's a vulnerability scan. Yeah. We have to do a real pen test. Yes.


So there's some education around the difference between vulnerability scanning, penetration testing And that's a red teaming and all that.


It's a little bit of confusion that exists to this day, but I think it's getting better and better, particularly with the guidance that the council comes out with, and people gain that better understanding. And then you have something written that you can give to a customer and say, look, we're doing it this way because of this, and everybody gets on the same page. Mhmm. Right?


Right. And we were able to point out that it's not just the technology or the servers or the networks that you need to hack. It's also the people.


So they're in scope, the system administrators and everyone within the organization Right.


Because they're part of the processing of credit cards.


Sure.


So it kinda changed the way penetration testing was being handled for PCI, and for the better. And again, this was information that we were sharing with the general community Mhmm.


So that everyone could get on the same page and do the same level of of reporting. And customers wouldn't be confused, and they Yeah. Could compare and contrast.


And while 2015 feels like yesterday to me Yeah. It's not. So are you still doing that same type of work, or where did you go from there?


Well, for a while, I had a a talk that I would give PCI for pen testers. Mhmm. And I would update it with every standard.


Okay.


So when we went from 3 to 3.whatever to Yeah.


I would make changes so that I can continue to educate the community on how you need to be approaching PCI from the penetration testers point of view.


Right.


Because this is your opportunity to validate that the controls that they put in place are effective. You're the only thing.


Absolutely.


I mean, the auditor is gonna look at them. They're gonna look at configuration.


Mhmm.


But when the rubber hits the road, if it keeps you out Yeah.


And you were given the ability to perform an actual test, so they didn't put too many constraints on you. And, you know, that wasn't time boxed to two days.


If you do it right, then you should be able to validate everything else that was done.


There is nothing that I rely on more than a good penetration test. Reading those results, those reports, and discussing them with the people that had the tests done is just essential.


Yeah.


And so for a while, you were doing this speech about penetration testing. You were doing the work. And then where did you go from there?


Well, COVID hit. So I was the head of testing for the US at a company called BSI, who is here at the community meeting.


Oh, terrific.


Great group of guys. Really, but what happened, I remember we were talking about, well, how are we going to handle this? Business is going to slow down until August and then we should probably pick up. It didn't happen that way. So it really impacted a lot of the consulting firms.


Yes.


So when that gig disappeared, there were other opportunities. I kind of bounced around for a little bit. I'm currently a cybersecurity architect for a pest control company out in Atlanta.


Okay.


And the role is consultative and, you know, we're bringing in new technologies. We're looking at new opportunities to, you know, work with our data, reevaluate the cloud, things like that. So I'm there to be able to look at the solutions, determine whether or not they fit with all of our intentions and regulatory regimes, and then make suggestions and so on. I'll also do a little hands-on testing Mhmm. Just to stay current, and who wouldn't want to when you've got a network all over the world.


They're like Sure.


You know, thousands of people, thousands of accounts, several different domains. Yeah. It's a little bit like, you know, a playground for me, but I'm careful.


I'm sure they appreciate that. Yeah.


I want them asking for me to come back.


Yes.


So, well, one of the things I really noticed going from the outside as a consultant to an inside is I would go to a customer and go, look at this.


It's the same findings from last year. They haven't fixed anything.


We would frankly kind of get on our high horse about it thinking, you know, why aren't they taking this more seriously?


You know, yada, yada, yada coming in on the inside. Now I'm beginning to see, wait a second. It's a matter of time and resources.


So yeah, I wasn't doing them any favors by copping an attitude around it. I needed to look for ways to help them out, improve either the tools that they have, should do remediation, maybe check in with them a little bit more, offer more guidance, do something other than say, okay, there it is. Go away and fix it. Because now I can see how many things they're, you know, the phishing attacks that are coming through and the incidents that have to be done and the changes to the data. We've got new technologies coming out. There are just only so many hours in the day and so many people that do the work. So as pen testers, copping the attitude when we come back because they haven't fixed anything, instead, we need to ask why.


Yes.


Why didn't you get to that?


Exactly.


And then how can I help them so that they can remediate it faster?


Brilliant.


Because at the end of the day, I don't wanna find those things. I want to be able to fix... really, pen testers are trying to put the forensic guys out of business. That should be our jobs.


Absolutely.


You know, so that they're not walking around going, Yeah, I do blue teaming. Not anymore. You wait tables.


But yeah, it's definitely a different perspective being on the inside, and if I ever go back out into consulting, I'm going to keep that with me because that's helpful. That's one of the things when you're starting and you're wanting to go into the business, you need to understand that you do have to have a foundation. I know some people say you can just get right into becoming an auditor, for example.


You just take this course and do this thing and you're going to make six figures as a PCI auditor.


Maybe. But you also are not what value are you bringing?


You don't have any foundation. You don't have any experience, and I know that I've got experience that might be even slightly outdated from my time as a sysadmin, but it still helps me look at what they're doing now with respect to a certain requirement because I have been there and I can look at the larger picture. I think if you're trying to come in as an auditor without any system administration background, without any strong technical background, you're going to struggle.


Yep. Yep.


And you know, it may be okay in, you know, a consulting firm that's nothing more than kids with clipboards going check, check, check, in place, not in place, in not a collaborative environment. It's just that quick, cheap, bottom-of-the-barrel audit. But if you're in more complex environments with customers who really do care about their security, you need to bring your A game. So you should have a foundation in system administration, some understanding of programming, even just one language is helpful. This is also true of becoming a pen tester.


You can't just jump straight from I learned Windows to I'm a hacker.


There are a lot of different things that you kind of need to understand and have in your toolkit so that when you are confronted with the technology that maybe you don't have hands-on experience with Mhmm. You've got nothing to extrapolate from if you don't have the experience behind you.


Right. And it takes longer to try and learn in place, you know. Yeah.


But having some of that background, I think people who choose to gain that information by having different jobs, a lot of times people ask me, well, what's an entry-level career into cybersecurity? And I say IT.


Because, let's say you have a help desk job in a company that allows you to do more than just, you know, reset a password, but you're actually digging into what's going on on the server level. How is the network working? A small organization where you wear a lot of hats gives you a really great, like you said, foundation to be able to build that knowledge and then develop that into a cybersecurity direction.


For example, even if you're on the help desk and all you're doing is resetting passwords, that's still valuable information because now you understand some of the choices people are making when it comes to passwords.


Good point.


How people are losing their passwords. Mhmm.


Maybe you're in charge of also resetting their MFA because they lost their phone or because they clicked on something they shouldn't have.


It's not experience that's worthless to you. Even if you start at the very bottom, begin to pay attention, because everything you're working with is going to be invaluable for you five years down the line. You will know and you will be able to recognize situations and understand solutions much better than the person that didn't have that experience.


And every job I've ever had, if I was willing to do more or learn more or ask more, there was always the opportunity to expand what I could do and what my knowledge base was, beyond just the basics of what I was hired for. And I think that if you have some initiative and some desire, you can probably learn and grow wherever you are.


Oh, absolutely. Absolutely. And many of the larger companies, the company I work for has numerous opportunities for training. If I wanted to go back to college, they would pay for it.


Yeah. And I've also worked at startups where, you know, you're going to wear six or seven different hats. Mhmm. So you're really going to get your fingers in a lot of different things and everybody around you also is like winging it.


Yeah. Trying to figure it out.


Trying to figure it out. We're, as they say, building the plane as we're flying.


So Startups are fun that way.


Startups are fun. You don't get the security that comes from a larger organization. Maybe the benefits aren't as good. So you have choices in terms of where you work and that need to fit your immediate needs and lifestyle and family choices and things like that.


But either path is good. There are opportunities for you in both of them. You just need to look around and see what you can do. What can I do with where I'm at?


Well, this is brilliant. Thank you so much for coming and talking to me. If people wanna connect with you, how do they find you?


I'm Joseph Pierini on LinkedIn. I'm Jay Pierini on Twitter, or X Mhmm. Now. I'm Jay Pierini on Bluesky.


Fantastic.


I might have a Mastodon account that got on the nose how to use Mastodon.


I don't I don't even know if I have one or not. I actually can't remember. Yeah.


So, but I'm definitely available Alright. You know, for questions, and you can go ahead and Well, this was great.


Thank you so much.


Thank you for your time.


I really appreciate it. Alright. Alright. Cheers.


Thanks for watching. To watch more episodes of the SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
