Podcast - Penetration Testing with Krissy Safi

Identity at the Center is a weekly podcast all about identity security in the context of identity and access management (IAM). With a combined 30+ years of IAM experience, hosts Jim McDonald and Jeff Steadman bring you conversations with news, topics, and guests from the identity management industry.

Do you know who has access to what?

Protiviti Podcast Transcript
Male
You’re listening to the Identity at the Center podcast. This is a show that talks about identity and access management and making sure you know who has access to what. Let’s get started.
Jeff
Welcome to the Identity at the Center podcast. I’m Jeff, and that’s Jim. We have a very interesting topic that I find of great interest. I’m probably going to be peppering our guest with a whole bunch of questions and nagging her with a bunch of stuff. We want to start to try to introduce some other information security concepts, and things that we think are interesting but still relate to the identity management space, and one of those is penetration testing. This is something that comes up as we’re having conversations with CISOs and CIOs, and it’s something that comes up quite a bit as far as being able to identify weaknesses within the organization. To help us with that conversation, I want to introduce folks to Krissy Safi. She’s the managing director and global practice leader for attack and penetration testing at Protiviti. We’re very fortunate to have her here. Thank you so much, Krissy, for joining us.
Krissy
Thank you so much for having me. I’m excited to be here.
Jeff
I’m going to pepper you with a whole bunch of nerd questions at some point —
Krissy
Do it.
Jeff
— but before we get into that space, one of our questions that we always like to ask folks is, typically, how did you get into IAM? Now, in your case, we’re probably talking more about information security and, specifically, pen testing, or penetration testing. Maybe you can walk us through how you got into infosec, and then, specifically, on the pen-testing side. Is it something that chose you, or did you choose it?
Krissy

The long story short is, infosec chose me. It happened by accident. I was in college. I went to the University of Colorado at Boulder, and I was supposed to be a biology major. I’d gotten into my junior year at the university, studying biology, and my biology lab professor noticed that I was better at fixing the lab computers than doing the actual science experiments, and so he suggested that I might want to reevaluate my career path.

He wasn’t wrong. I struggled with chemistry and biology, so I switched my degree over to information systems, and I was concerned that it was going to take me six years to do my undergrad, but I got a call shortly after I changed my degree and put my résumé up on the university’s tracking system. I got a call from IBM about an internship opportunity doing workstation security auditing at a major site in Boulder. I took advantage of that opportunity, and they promised that if I just got my undergrad degree in anything, they would hire me onto the security team, and, as a pen tester, I had, during my internship, transitioned over to the pen-testing team. I completed my degree in Italian, and IBM hired me, and that’s where I got my start.

Since then, I’ve had a lot of different positions in the infosec world. In fact, there was a short time in my career that I was working with Tivoli Identity Manager and Tivoli Access Manager, if you know those tools. I was in the offering management side, building services around how to deploy and operationalize those tools. That was a while back. Then, I’ve had various positions since then. I had a short stint with the U.S. government doing embassy infrastructure security, and I most recently joined Protiviti in early 2020 as a managing director — the practice leader for our attack and pen practice. It’s been a really great career, and I couldn’t be happier about accidentally falling into this world. It’s so fun. It’s so interesting every day.

Jim

I think that’s what a lot of us find: You’re in college for communications or, in my case, political science — in your case, Italian — and then what you find is, “Wow, I’d be a lot more employable in computers,” whatever area of computers that happens to be, but security is such a great place, as we found. Now, Jeff mentioned that we obviously focus on identity and access management with this podcast, and what we thought was, “Look, our listenership is the IAM practitioner,” which can mean a lot of things, but folks who focus on identity and access management.

All of our listeners may have a different understanding of what penetration testing is, so let’s start there. What is penetration testing, and then transition into, specific to IAM, are there any differences in terms of how you do penetration testing for IAM systems versus other systems, or, if you can provide that tie-in from penetration testing — what is it?

Krissy

I love talking about what pen testing is, and how does identity and access play into that. They’re so related, and let me explain why. First of all, pen testing: The more generic term for what we do is offensive security or security testing, and there are different types. You might do scanning on one particular target, versus full manual pen testing on another target, so it really depends on things like what does that asset or that target have from a data perspective, and what could the impact be if that system was breached? So, we look at a risk-based model when determining what type of security testing to do on a given asset or a target.

Now, when we talk about pen testing, and we’re talking with our clients about pen testing, it’s important to understand that that is a manual security test, so it’s not scanning. It’s not running scanners — things like that. It really is a manual approach, and it can be done against anything: applications, networks, mobile devices, IoT devices, pretty much anything. It could be anything out there that, especially, is connected in some way, that could have value to a criminal. Then, in some cases, there is an element of social engineering as well to our pen-testing engagement — think things like spear phishing: putting together ruses that’ll get somebody to click on a particular link and hand over credentials. That’s how we look at pen testing and what it is.

Now, from a process perspective and tools and techniques, something that’s really important to recognize is that, yes, there are methodologies out there, whether it’s PTES or the MITRE ATT&CK Framework — a lot of firms follow those kinds of methodologies — but pen testing is more of an art than a science. It’s not a paint-by-numbers kind of process. It’s really about the mind-set of the person — of the tester — and how does their brain work? Are they inventive? Are they curious? Are they always wanting to solve problems? Do they really want to know how something really works? Then, flip it and say, “How did the designer not intend for this thing to work?” and then poke at that. Our ultimate goal as hackers and as pen testers is, we want to identify and report on security vulnerabilities so that the organization can fix those before a criminal finds them and uses them for personal gain.

Jeff

I’m fascinated already. I want to dig into this a little bit. You mentioned a few different things — the first one being that this is more of an art than a science. The way that I took that is, trying to combine the exploits that you know with thorough knowledge of systems to, again, get to a result that the designer of the system did not intend. Would that be accurate?

Krissy

Yes, that’s accurate. The reason I said at the beginning that there is a big identity and access part is that most of the breaches are related to the compromise of credentials, stolen passwords, things like that, so there is a very big component there. Since that is where most breaches are starting from, or that’s how they occur, it is naturally one of the first things pen testers seek out, because that’s what criminals would do.

I can dive into that a little bit more: It’s easier to go undetected as a hacker if you can use a legitimate username and password to gain access. You might ask, “How does one go about even getting access to a legitimate username and password if we’re not talking about some kind of insider-threat situation?” We’re really talking about an outside criminal. There are a few different ways that that can be accomplished, and I’m going to keep it simple, because if we get down too much into the technical rabbit hole, I’d probably get tripped up here, too, but some of the most basic ways are through brute force — password guessing.

What’s crazy is that this is still an issue: We do a lot of what we call open source intelligence gathering. We look at publicly available information about people, and we try to guess their passwords, because people are still using passwords like summer2020, or one of the most common passwords right now is coronavirus2021, or coronavirus2020, or something with what’s happening in our world — even election-related words, things like that, so we’re often able to brute-force people’s passwords just by understanding the person, what they are posting out there on social media or maybe even on LinkedIn, and then getting in that way.

Another way that is crazy is the spear phishing — social engineering: How can we trick users into handing over their usernames and passwords? One of the coolest ways that I’ve seen recently is with the move to being remote: If you think about the real estate world or the building industry, sellers, salespeople, are hungry to sell properties, to sell houses, to sell new builds, whatever, and so a lot of these sites now have ways that you can interact with the sales folks, or the agents, via chat.

We have been able to exploit that and get these folks, the agents, to install things on their system, things like key loggers, so that we can capture their usernames and passwords — it’s really fascinating — or upload other kinds of malware that let us have a foothold and pivot to other parts of their environment. That, then, really gets back to user awareness training, but we are very focused on creating the best ruses that we can get out there that are so convincing, and humans are very nice, and if you can tap into that thing that they want, whether it’s to help or to buy something or sell something, we’ve been very successful.

Jim
It sounds to me like the ideal person for this role is someone who has the ability to think like a criminal but, at the same time, has the moral fortitude that they’re not a criminal.
Krissy
Exactly. You’re exactly right. I mean, attacker mind-set is something you hear often when talking to people in my industry, or when I’m looking to hire people: How does their brain work, and what are their intentions?
Jeff
How does someone get into penetration testing? Is this something that requires a lot of background in the different skills? Is it the mind-set more so than the skills, or maybe it’s a little bit of both?
Krissy

Yes, it’s a little bit of both, and I would say it’s even more the mind-set. Back when I was in college, there were no cyber security courses or things like that. There were some SANS courses and some certifications and things like that, but you couldn’t really get a college degree or a certificate in this, and so, back then, it was about networking. It was about going to conferences, doing these online courses and things like that.

These days, we’re seeing much more availability of different degrees or programs where you can go to an educational institution, if you will, and learn, but when I’m looking for people, if it’s the younger generation just getting started, I look for passion. How passionate are they about this industry? What have they done on their own time? Do they have a GitHub where they have some open source information, open source tools, out there? Have they been to DEF CON? Things like that. There are a ton of free online resources. One of my favorites is HackerHighschool.org. OWASP has a lot of different training and actual exercises that you can go through to look at web app vulnerabilities.

For me, if it’s someone who has come along, or someone who’s just interested in getting started, really, it’s about that passion. That’s what I look for, and those are some of the resources that they could start to use to get up to speed and really learn and see if this is something that might be interesting to them, and then, the technical stuff can come later. It’s definitely important, but if you don’t have the right mind-set, and the right passion and that curiosity going into it, I don’t think you can be as successful.

Jeff

I think that natural curiosity probably lends itself well to this type of role. You mentioned a few different resources that you’re familiar with. One of mine is, I like Reddit, and there is a subreddit called “How to Hack.” I’m not exactly sure what they’re talking about sometimes, but I find it extremely valuable to peruse the different topics and educate myself as much as I want to be at this point on some of the different paths that people are taking, so that’s probably another good resource, if folks are interested out there. Check out the “How to Hack” subreddit. I like that one. There’s a lot of good stuff, and there are even tutorials on how to exploit certain things, and, obviously, they should be done where you have permission to do so, so that you don’t get into trouble or anything like that, but that is definitely something, because I find it can be difficult to keep up with the space and all the different things that are at risk, or could be at risk, from different systems.

It seems like there are some zero-day exploits happening on a weekly, if not daily, basis, and you’re probably a lot closer to it than I would be, but what are some of the techniques that you use to stay sharp in this space and to be able to apply what you know with that curiosity mind-set of how to break it?

Krissy

It is challenging to stay ahead of things in this space. What I’ve done with my organization is, I have leaders in the different areas, and their job is to stay focused on what the latest and greatest things are. For example, I have a person who is our head of application security, a person who is head of network pen testing, someone who is the head of red teaming, someone who is the head of social engineering, and that’s their job — to really stay informed: what’s going on, what’s the latest, are there vulnerabilities out there? I also have a tools team that weaponizes vulnerabilities that we can use on our engagements, and we are starting to put out more thought leadership.

When I started here at Protiviti, it was a really solid business. It’s a great business — 15-plus years of doing pen testing — but Protiviti wanted to take it to the next level, and so I came in. One of the focuses is on that external promotion and making sure people know what it is that we are doing out there, and that they’ve heard of Protiviti and our thought leadership. I focused people in these key areas so they can stay up on the latest and greatest in that particular area. Then, we have a lot of internal sharing of information. We do a lot of lunch-and-learns. We do a lot of webinars, things like that, so we’re sharing information across our team, as well as across the different verticals and into the broader security and privacy. People are very interested, just like you said, Jeff, in pen testing, or what it is we’re doing, so we never have a shortage of audience members for our topics.

Jim

This is a really interesting conversation, because my mind-set, or my understanding of penetration testing, was that a lot more of it was automated, and I was thinking of scanning, just calling that penetration testing.

I’m going to combine a couple of questions here. One is, when should organizations be doing penetration testing? It seems like there’s a value to doing 365 days a year at some level, or do you see this as “Hey, a new system is rolling out. That’s a good time to do penetration testing”?

Then, back to what I was thinking about with that scanning or the automated penetration testing was, “All right. I’m going to roll out a new system. I’m going to hit that system to look for known vulnerabilities, and I’m going to come up with a spreadsheet of ‘Here are 150 vulnerabilities I found,’” and you’ve got some associated framework to classify what was found, anywhere from low to high and critical, and that the organization would have some methodology to decide, “All right. All the highs and criticals need to be closed before we’re allowed to go live,” something like that. Is that a similar framework that you use with penetration testing, or is it something different than that?

Krissy

That is one of my favorite topics — we call it vulnerability management. When you’re getting these hundreds of thousands, or millions, of vulnerabilities and you’re like, “What do I do with all these? How do I even start?” you’ll hear vulnerability management and “What is your vulnerability management program?” things like that. We try to help clients figure out how to prioritize those vulnerabilities. There are a lot of commercial, off-the-shelf products out there to do scanning. We’ll just leave it at scanning for right now, but how do you prioritize those? Some of the things that we integrate into our client scanning results are, is there asset information, do they have a CMDB, can we help them make sure that their CMDB — their asset database — is robust with information on all of their assets, what kind of data lives on them, what kind of criticality are they? Things like that that would be part of the equation, if you will, for figuring out how to prioritize fixing those vulnerabilities.

The next, most important, part is weaponization of vulnerabilities. When you run that scan and you get that big list, which ones are being targeted by criminals? That’s very important. If they’re being targeted, those should probably be moved up on the list. It’s a combination of the weaponization of the vulnerabilities out there by the criminals and the asset criticality, and then we rerank how those things should be addressed.

Now, getting to when would you do pen testing, what are the best practices out there, things like that, generally, when you’re talking about the appsec world, you’ll hear buzzwords like DevSecOps and ShiftLeft, and things like that. It is important that there is a vulnerability testing process throughout the appsec life cycle, and getting those vulnerabilities remediated during the development. It’s a lot less expensive to get vulnerabilities remediated during the development of an application than after it’s been released into production, so we do a lot of work in helping clients set up those kinds of programs — and their continuous development, continuous remediation of the vulnerabilities, things like that.

From a pen-testing perspective, now, there are a lot of drivers for when you might do something like a pen test or the different levels of pen test. Compliance is a huge driver. A lot of regulations out there require that a company do a vulnerability assessment — a scan or some level of pen testing — and it usually dictates the frequency as well. Sometimes, users demand testing, so we do a lot of product testing for third-party security products, and those product companies must show their consumers that their product has been tested, and so we provide that kind of information in support of those clients.

And then, we’re starting to see, finally, a shift from — it’s just like a compliance check-the-box to people who actually care about security, and they don’t want to be a headline on the news. So they want to know, they want to get them fixed, they want real security for their users and for their data. Most interestingly, lately, I have seen a big uptick in M&A driving testing, so a lot of acquisitions are happening out there right now, and companies want to know if they’re inheriting a security mess, if you will — are they inheriting a breach, are they inheriting poor application development practices without security integrated into it or a lack of pen testing or security testing, things like that.

That’s kind of a really fun space for us, because it’s very fast, and we’re trying to identify any material weaknesses that a company might need to know about. We obviously don’t make that determination, but we provide that information to the company that’s doing the acquisition. It’s a pretty fun space. Did I cover all of that, Jim?

Jim
You nailed it. That was very informative, but I just wanted to ask a follow-up. It’s more of a comment than a question: Around that M&A headline news a couple of years ago — a major hospitality chain bought another hospitality chain, and the acquired company was breached, but all you heard about was the acquiring company’s name, because the breach may have happened months down the road after the acquisition. However, it takes several months before you can merge everything together from an IT perspective, so one of the keys is understanding the risk, understanding what the vulnerabilities are and getting ahead of it from that perspective.
Krissy

Yes, exactly, and then, having a process for how you integrate that acquisition into the parent company’s processes. Do they need to be added to the vulnerability management program? What frequency of testing needs to be done? What is already being done? Yes, having that integration process, which we’re seeing — I’m glad you mentioned it — a lot of in combination with this M&A activity, so it’s not only “Am I inheriting poor security practices?” or an existing breach but also “How do I integrate successfully into my existing processes to ensure we don’t end up on the news a year or so later because we didn’t do that effectively?”

Jeff

When you’re going through this process — obviously, we’re interested in the identity side of things — you mentioned a couple of things earlier around social engineering and methods to obtain access to people’s accounts, because it is easier to move around when you’re a known quantity versus this foreign account that just appeared. I’m wondering if you can talk about some of the other identity components that you’ve got some experience with that folks who are listening today should be aware of. And bonus points if you can talk about how a team might go about weaponizing some sort of identity compromise.

Krissy

I don’t know about that last part, Jeff.

Jeff

That’s why I said bonus points.

Krissy

OK. From an identity perspective and any kind of tips there, what we’re seeing in our pen-testing engagements is, most of the vulnerabilities are around identity and access management issues. I’m sure you’ve got missing software patches and are leveraging those, exploiting those, to gain access and such. But I mentioned one of the first things we start with is, can we get valid credentials? Naturally, then, there are a lot of findings on the identity and access space.

These might sound pretty basic to some of the practitioners who are listening here, but these are some of the basics that are not being done well that allow us to gain access to data, or whatever the objective is that the client has set — things like password strength and rotation of passwords, multifactor authentication, is it implemented or . . .

This is actually an interesting story, too: One company that we were working with recently had multifactor implemented, and it was the type where the person is logging in, and then they get a text or a pop-up from an authenticator on their phone, and they have to click on Agree to allow the access to be given. And we had employees clicking Accept even when they weren’t the ones initiating that request, so it was granting us access to their environment just because they were clicking Accept. So, MFA fail, or what? It was really interesting, and the client was like, “You can’t fix stupid.” I don’t know — am I allowed to say that?

Then, you have the principles of least privilege. We see where companies are not auditing or revalidating the need of that particular account. Maybe somebody moves on to a different position within the company, but the privileges that they had in the previous role are never revoked, so they have more access than they should have, or people leave the organization and that access isn’t revoked — some of the most basic things, we’re still seeing. We’re encouraging, as part of our recommendations or remediation results, to really look back at that IAM strategy, adopting that mind-set of zero trust and things like that.

Jim

We had Dr. Chase Cunningham on a couple of episodes ago, and one of the key points he was making was that the attacks are moving downstream: The high-value targets like government organizations, utilities, financial institutions, they’ve been investing so heavily in information security that it takes a PhD in hacking to attack those companies. So, a lot of the hackers are moving downstream, down a level to other organizations that — there’s still value to be stolen from these organizations, but maybe they don’t have all these great things in place. If you go further down the chain, companies are more underinvested in security and MFA — some of the basic blocking. And those hacks get easier, and while you might not be pulling thousands of credit card numbers, or millions of credit card numbers, for example, you could still get valuable data that can be sold and monetized. Is that what you’re seeing as well?

Krissy

Yes, exactly what we’re seeing. Right on.

Jim

Great, great. Let me shift topics a little bit. One thing that I think everybody who’s listening is probably seeing in their workplace, or with the clients they work with, is, en masse, organizations have been moving services to the cloud. I’m wondering, when an organization is using a cloud-based service like a SaaS service for HR or anything, and you’re looking at your penetration-testing program, are any of the methodologies they use different because of the cloud service versus something that the organization is running themselves?

Krissy

Overall, the methodology is the same. Some of the nuances to testing a SaaS application, or something in the cloud are, historically, you had to go get permission from the third party every single time. But I think AWS and Azure and all of them got annoyed with all of the notifications and requests that someone was going to do a pen test on an application that lived in their environment. But now, it’s understood that that’s going to happen, and you don’t have to get permission every time. But if you are looking at other applications, like an HR tool — like a Workday or something to that effect — we do request that our clients get permission from that third party to conduct that testing. We do not conduct testing on a third-party product without that.

Then, once we’ve got those things settled, one of the next big differentiators is the level of access that we’re granted. When we’re testing a SaaS application, we often don’t get the source code, or pretty much never get the source code. With an on-prem deployment, sometimes we have that access, so the highest role that we have when testing an application in the cloud is like a tenant admin, versus a sysadmin, and then, we also don’t have as much access to the developers in a cloud deployment as we do on an on-prem deployment, so it’s more of a black-box approach. We’ve got to go do a little bit more intelligence gathering and determining what attacks could we throw at this thing than we were used to seeing in the on-prem world.

Jeff

I would imagine that open-source intelligence, or OSINT, as I think it’s typically called, is something that is of great value when you’re trying to approach something where you don’t have a good knowledge of how something works. That’s the way I’m thinking, at least.

Krissy

No, it is exactly right. OSINT is one of the most interesting parts of pen testing, too, and learning what is out there that is publicly available. We also have access to a dark web provider, and so, as part of our reconnaissance that we’re doing in line with OSINT, we’re searching the dark web for information: What kind of compromised credentials are out there that we might be able to leverage? I don’t know if this problem is ever going to go away with people reusing passwords, but this is why it’s so important to not reuse passwords, because it’s possible that that username/password combination has already been compromised and is available on the dark web, and then we can simply lift that out of there and use the same information to gain access to the corporate network.

Jeff

I’ve seen a lot of products recently tout their ability to have access to compromised passwords, and that is part of the product — that they can either flag the user or prompt them to change their password, or whatever it may be, which can be irritating for that user, but, I’m sorry: Your email address and that password, apparently, are already out there for sale, and they’re probably dirt cheap, because these things are sold en masse, right?

Krissy

That’s right.

Jeff

I have to imagine that the entire pen-testing community has some level of competition around it. How competitive is it? Compared with other organizations, is there a cool factor for being able to break something or to discover something? How does your team approach that?

Krissy

Totally. I like to say we’re the coolest team out there. There is a coolness factor, and hackers want to feel this sense of belonging to a cool group of people — smart people — the ability to have time to do research and do cool things like that.

That was also one of the reasons that I was brought in — to build that culture. I was born in this culture. I didn’t tell you guys at the beginning, but I actually grew up a hacker, trying to circumvent all of my parents’ rules, because I thought they were dumb, so I get it, and that’s one of the things I’m working on here: How do we make sure we have that sense of belonging and the coolness factor? Do we get some of our own special colors or something like that, because it’s a very competitive market. It’s also a fairly commoditized market, so, Protiviti is not looking to be the cheapest provider out there. Instead, we’re looking at how we differentiate ourselves from our competitors. What is the different value that we’re bringing to the table that our competitors aren’t, and a large part of that is our people — what is the investment that we can provide for our people?

As I mentioned, research time, thought leadership, and are they interested in writing blogs, speaking at conferences? How can I provide the resources to them so that they have the job satisfaction and excitement of working here, where they can really thrive? I’m a big proponent of diversity, equity and inclusion within my team, as well as the greater Protiviti, and driving that and making sure that we have good representation and there are opportunities for everybody to do the things that they want to do within my practice.

Jeff

It sounds an awful lot like the Jedi: You’ve got the light side, you’ve got the dark side and then you’ve got the gray Jedis, who are somewhere in the middle. You have to have a good moral compass to not stray too far away from the light side, and I could certainly see some things skirting around the edges a little bit, but you probably don’t want to go down that way.

I know I want to leave some time here to talk a little bit about Identiverse and something that our friends at the Identity Defined Security Alliance are working on, but a stupid-question alert coming your way, Krissy: What’s the best hacker movie, and why? Let me press this: And why is it The Matrix?

Krissy

Oh, man. I actually don’t watch movies. They put me right to sleep.

Jeff

How about Mr. Robot?

Krissy

Not a good question for me. Oh, I like Mr. Robot. I do watch TV shows, and Mr. Robot is good. Yes, it’s a good one.

Jeff

My understanding is, a lot of the hacks in that show are based on real methods.

Krissy

Yes.

Jeff

It’s obviously stylized a little bit for Hollywood, but there is some sense of realism in that space — is that right?

Krissy

Yes, I’d say there is a bit, and I also like how it is based on current events to some degree, and that you can see how things that are happening in our world can be used in a malicious way.

Jeff

Right on. So, let’s talk about Identiverse first. We teased it a little bit at the top of the show. Identiverse 2021, the registration is open. I do feel like this is typically the best identity conference, at least in the United States, that happens on a yearly basis. I’ve been to the last several — the last, at least, five or six in a row, obviously, before last year took place. Krissy, I think you’ll be happy to know, or maybe interested to know, that it is taking place in Denver this year — Denver, Colorado, which is your neck of the woods, or somewhere around that area. They have a couple of options this year. They have an online version that will run, I think, for a couple of weeks, and then they have an in-person version that’s running in Denver. We were talking before we hit the Record button here about travel. I love travel, and I would normally be all over this, but I am not so sure I’m ready for in-person quite yet. What do you guys think? Krissy, maybe we start with you.

Krissy

I am anxious to get out there again as well, but, yes, it will depend on where we are at with the vaccine and things like that. TBD, but some of the movement in the vaccine space has been pretty positive, so we’ll see.

Jeff

Yes, I’m totally ready depending on the vaccinations and how that all works. Jim, what do you think?

Jim

I feel like June is pretty far out. That’s three and one-half months, at least. I think we’re going to be much further along, and I’m starting to see people becoming more confident. I’m ready, man. I think I said it. I want to jump on a plane and just fly to another city and go to a hotel and work from the hotel or something, because I’m getting sick of my own four walls. I’m in favor of in-person at this point, but I hear where you guys are coming from, and the thing that I’d be worried about the most is if the local authorities decide, “Oh, you can’t have the conference now.”

We’ve got to keep an eye on that whether something like that happens, because that’s what happened a lot last year. There were conferences that folks were afraid to cancel — not just conferences, but all kinds of events. They were afraid to cancel, and then would cancel as it got closer, or postponed, and, essentially, nothing happened last year. My summary is, June 21 through June 23, which is when it’s scheduled, is three and one-half months plus from the recording of this podcast, so I feel like we’re going to be a lot further along by then.

Jeff

You take the optimistic view. I didn’t even think about that concept where you book, you get there and then things get locked down. That hasn’t even crossed my mind, so that will be interesting to see how it works out. I hope things are a lot better than now, but it is rather bold, and, hopefully, it pays off. We’ve got a lot of friends in the Identiverse space. It is a fantastic conference, so even if you can’t make it there in person, or you’re not comfortable, definitely check out the online components, because it’s the who’s who and the what’s what for the Identity space, for sure. You can visit Identiverse.com for that, and we’ll have links to that in our show notes.

The other thing I want to bring up is something very cool, and that’s what our friends over at the Identity Defined Security Alliance are doing. They have essentially proclaimed the second Tuesday of April to be Identity Management Day, so that’s going to be April 13, and they want to drive awareness around the benefits of proper IAM and help extol the virtues and highlight some of the folks that are out there. They’ve got a whole thing planned where they’re going to take nominations for Evangelist of the Year, Organizations of the Year — you can nominate people, you can nominate organizations and you can nominate podcast hosts, whomever you like for different things from that perspective. We’re looking forward to celebrating that with that group. They’ve got nominations open for the 23rd, and you can head over to IDSAlliance.org for more information on that. Jim, any thoughts on Identity Management Day? Are you going to get a cake?

Jim

I don’t know if I’m going to get a cake, but I did nominate you, Jeff, and I encourage anybody who likes their IAM podcast with a side of sci-fi movie recommendations and references — they should get out there and nominate Jeff as Evangelist of the Year. What do you say?

Jeff

Well, I’m in favor of that, but this is a team effort, so, of course, I nominated you as part of that because turnabout is fair play, and, right now, we’re shamelessly pandering for votes. Krissy, what do you think about Identity Management Day? Is that something that we can set up a best IAM breach/penetration test, something along those lines, to talk about methods for that?

Krissy

Yes. That can be fun. I’m only coming if there’s cake, though.

Jeff

I think that can be arranged. There are ways to shift that sort of stuff around.

Krissy

Perfect. We need a Pen-Testing Day. We need to work on that one next.

Jeff

I’m surprised that there isn’t one. There’s a day for everything, and if you read my LinkedIn posts, I usually will scour the web looking for interesting things. I’ll take credit for National — I don’t know if it’s Global — we’ll just call it Global Identity Management Day, because I had mentioned five or six episodes ago that there should be a day that is dedicated to IAM.

Check out Identiverse, check out IDSA. Krissy, thank you so much for joining us. Are there any last words of wisdom that you want to throw out there for people who maybe are interested in pen testing — where can they get started? We’ll have a link to you on LinkedIn, if you’re cool with that, and people can reach out to ask a few questions, that sort of thing.

Krissy

Yes, absolutely. I’m always happy to connect with folks on LinkedIn, so, definitely send me a message there, and check out the free resources. It’s only a Google search away. I mentioned a few here — HackerHighschool.org and OWASP are great places to get started.

Thank you for having me, and I’m always interested in making people aware that you can be a hacker and get paid — it’s so cool. Thank you.

Jeff

That’s a pretty good spot to leave it. Krissy, I appreciate your time. Jim, as always, I appreciate your time as well. With that, we’re going to go ahead and leave it for this week, and we’ll talk with you on the next one. Thanks for listening.

Male

Thanks for listening to the Identity at the Center podcast. If you like what you heard, don’t forget to subscribe, and visit us on the web at IdentityattheCenter.com.
