The Security Sentinel (TSS) is a Spanish company dedicated to computer security, a field neglected by many and yet so important. TSS performs security audits for companies, based on ethical hacking or pentesting, and also provides security training courses.
Malware and vulnerabilities are a hot topic on our blog, especially with the latest news about VENOM, Heartbleed, and other security issues affecting GNU/Linux. That is why we have decided to interview Francisco Sanz, the CEO of TSS, who will give us some clues on this interesting topic.
Francisco (FS from now on) is one of the TSS professionals. He studied computer engineering at the Autonomous University of Madrid, later obtained a degree in business management and marketing at ESIC, took the Cisco CCNA, PHP and MySQL programming and ethical hacking courses, and passed the EC-Council CEH certification with a score of 91% out of 100%.
Linux Addicts: GNU/Linux is very important in the field of security. On our blog we have talked about distributions such as Santoku, Kali, BugTraq, Xiaopan, Parrot OS, WiFislax, DEFT, Backbox, IPCop, and others oriented to safe browsing and privacy, such as Tails and Whonix. In your daily routine, which ones do you use?
Francisco Sanz: Depending on the work to be done... for example, in pentesting I use my own distribution (TPS) with the pentesting tools that we use, but based on Debian 7.
LA: Many attack free or open source software, saying it is of poor quality or more insecure. What would you say to these people? Do you think it is easier to attack a GNU/Linux or FreeBSD machine because it is open source than one with Windows because it is proprietary code, or is it the opposite?
FS: The million dollar question. Or the usual question. For me it is not the system, but the person who sets up the system.
Even so, if I have to decide, I would always say LINUX. Why? There are many reasons, but so as not to go on at length I would tell you that its default configuration is more secure than Windows'; you can also make it more secure because you have multiple options; and being free software, you can develop, modify or expand security services.
On the other hand, there are no executables to infect you with Trojans so easily.
Even so, it seems that now Windows is the safest, according to some publications... or maybe the one with the most money... I don't know if I'm making myself clear. In this comparison, they name 119 Linux kernel vulnerabilities... unspecified... however, 248 appear among Windows systems... but specifying a lower amount for each Windows OS... that is... a small set of numbers. A lot of marketing ;)
LA: The Security Sentinel is a partner of the Rapid7 Metasploit project, an open source project, like many others used for pentesting or forensic analysis. It is a good example that makes clear what we mentioned in the previous question. Don't you think?
FS: Well, Metasploit (Rapid7) has spent many years investing time in the development of exploits to damage systems of all kinds.
I think that the possibility of developing, modifying or expanding the objectives of an exploit and being able to use it with a framework like this, without having to pay or wait for new exploits, being open source, makes your work much easier.
Although there is a paid version, with the free one and with programming knowledge in Ruby, Python, Perl... you have a very, very useful co-worker.
I also have to comment that many Metasploit users only use 10 or 20% of its possibilities. In the next Ethical Hacking course that we are developing (CHEE), we have a whole topic on Metasploit, where we will teach how to use the tool to the fullest.
LA: Python is a programming language under another free license (PSFL) and one that is very present in the security sector. Why? What makes it special compared to others?
FS: Python has a very big advantage, and that is its libraries. The use of these and the ease of learning the language help you a lot to build small tools that are very useful when performing a security audit based on pentesting.
You can also connect small Python programs with others such as nmap, Nessus, etc., and this helps you even more to speed up the work of a pentester.
We are giving a course on June 1 for our students, Python for pentesters, because we believe that it is essential for a pentester to use this language.
LA: Lately, some critical vulnerabilities have been detected in open source projects, along with some malware that attacks GNU/Linux systems. Companies that sell closed software, such as Apple and Microsoft, have security auditors who attack their own systems to improve security. Do you think that the open source development community should consider promoting this practice?
FS: Well, do you think there are no auditors for Apache, Debian, Fedora, Ubuntu...? Another matter is whether they are paid what other firms pay, but there are, they exist, because I understand that the large distributions have people working on this. It would be illogical not to have them. I also believe that all this is a bet for the future. The problem is, will Apple or Windows end up being the most powerful open source distributions?
LA: Let's move on to The Security Sentinel's customers. This summer I was chatting with an Oracle engineer and he told me that more and more servers and supercomputers are sold with Linux to the detriment of their own system, Solaris, and that they even use a distribution called Oracle Linux for their work every day. Do you find more and more companies that use Linux, or do they still depend a lot on Windows?
FS: In this aspect, you find everything.
My clients now use more Linux for servers than Windows, but user computers are still 90% Windows, and a very high percentage still use XP!!!
LA: Some governments or companies are migrating to Linux distributions because of the possibilities and advantages it brings. Some are lured by security. Would you encourage companies and organizations to make this change? Does TSS advise free projects for any of the security solutions that you implement?
FS: We advise depending on the needs of each client. I would like people to get more involved with Linux, but sometimes a brand name weighs a lot.
Even so, whenever we can, we advise Linux servers for their robustness, flexibility and security.
LA: Many users or companies do not pay attention to security. To what extent is this bad practice, and what advice would you give them? Tell us about a serious case that can be shared and that you have observed during your experience, to raise awareness among the public.
FS: A lot of them? Almost nobody. The first thing I would advise them would be to give a small awareness course on basic computer security rules.
Even in the Tax Agency I have found users with the post-it with their password on the monitor!
But it was incredible to see in person, during a small presentation of our company to a potential client, which is also a company that trades securities on the stock market (brokers), the director of operations shouting from his office to the IT guy: "WHAT IS MY B...A PASSWORD??!!"
Even after seeing this, the potential client did not hire us... May God catch them confessed!
LA: You also teach courses on hacking and security now. You took the EC-Council CEH (Council Ethical Hacking) exam yourself, and with a pretty good score. There is a saying that "the best defense is a good offense"; I say this in reference to the previous question. Would you encourage users to take this type of course?
FS: I would encourage them not to focus on "titulitis" (collecting certificates) but instead on taking courses to learn. We focus our courses on practice, because I did not like this course that you name, since I studied it on my own, and also without practice. It's just a title. However, our students are "crushed" doing practical exercises. But they tell you...
An athlete must train every day. So must we.
LA: Many believe that a hacker is a bad person. Even the RAE defines a hacker as a computer pirate who uses his knowledge to do bad things. It is sad to hear this, because it has even forced terms like "ethical hacking" to be coined so that people do not think of a cybercriminal. Eric Raymond defends the term "hacker" with its original definition and advocates using "cracker" to refer to the "bad guys." But in the face of the Hollywood propaganda machine, which has also created a bad reputation with a multitude of movies and series about hackers, what can be done... What do you think as a security expert?
FS: I consider the word hacker as a computer specialist who sometimes obsessively investigates until he finds his answer. But from there to crime ...
Of course there are hackers who are criminals, as there may be firefighters who are also criminals. But just as it is not generalized in the second case, why do it in the first?
In short, I think that the RAE shows great ignorance when it comes to defining the word hacker as computer pirate. The Hollywood thing is better not to mention...
I hope you liked this first interview of the series we have launched with important figures on the national and international scene...
2 comments
A very interesting interview, keep it up linuxadictos.com
I want to join this organization, please. If you want to take me on, my number is 7351979719. I live in Morelos. I know what it is and I really want to join.