Pete Herzog

From Wikipedia, the free encyclopedia

Pete Herzog (born October 5, 1970) is a security analyst and tactician, presenter and keynote speaker, article and book author, creator of and researcher for the Open Source Security Testing Methodology Manual (OSSTMM), and co-founder of ISECOM, an open, non-profit security research organization.[1] He was recognized in 2007 by InfoWorld for the OSSTMM and again in 2013 for Hacker Highschool. He taught Business Security in the ESADE MBA program and Information Security in the La Salle URL Masters program, both in Barcelona, Spain.

Herzog was born in Brooklyn, NY, USA. He graduated from Queensbury High School in Queensbury, NY, in 1988 and earned a bachelor's degree from Utica College of Syracuse University in 1993. He currently resides near Barcelona, Spain.

In 2001, Herzog created the Open Source Security Testing Methodology Manual (OSSTMM) and provided it for free to the public. It was the first security testing methodology ever published.

In 2002, Herzog co-founded the non-profit research organization, the Institute for Security and Open Methodologies (ISECOM) with Marta Barceló to support the further development of the OSSTMM and launch more projects.

In 2003, he founded Hacker Highschool, creating 12 lessons with volunteers and providing them for free to the public. It was the first cybersafety and cybersecurity awareness and training material published that was written specifically for teens. He was part of the team that rewrote the lessons and republished them in 2014 with updated information.

In 2008, the third edition of Hacking Exposed Linux was published. The book is attributed to ISECOM, with Herzog named as Project Leader. He wrote the first three chapters, which deal specifically with using the OSSTMM to test Linux security, and integrated the OSSTMM into other chapters.

Several interviews with him describe his background:

"Without admitting to the 'bad stuff' let's say I started in physical security. At age 16 I hung out with the store detectives where I worked. By 18, I was kind of an authority at my university on identification fraud even working to teach local businesses on how to know a real I.D. from a fake. That summer I was hired to do "beer stings" to test store clerks to see how far I could push them to sell me beer illegally but stopped after a couple months because I never had the heart to fire those who failed (I only gave stern warnings). By my last year in University, I worked in the computer lab battling disk viruses and breaking copy protection for professors who wanted to "try" unlicensed software. At the same time, I was paying for school by working sting jobs for a couple chains to catch embezzlement as well as point out other security lapses. Unfortunately, I stepped away from security after college for a few years while chasing dreams and some bad ideas too. Although security was often part of my various jobs, I didn't consider it as a profession until IBM Germany tapped me to be on their ethical hacking team. So I left my cushy software-testing job at Intel to be a full-time hacker. The rest is all security after that."[2]

Later, in an interview with LearnSecurityOnline, he expands on the "bad stuff" he refers to:

"My experience begins with work in physical and human security doing undercover sting operations and clean-up work (we also called it "fire and hire" but also "hack and slash" when there was a real mess) which supported my want of that expensive computer equipment in the 90s. But I always had my own sense of fairness. This frustrated my employers because I wouldn't always turn in the guilty if I thought they didn't deserve punishment. For me it was always about what was fair and I still do not equate the law with justice. So like most anyone who began their history in security with the start of the Internet, we were travelers and spelunkers across this new channel and only later called hackers or crackers when the few bad apples made the news. But back then most of us were curious and not malicious. Personally, I did no harm. But then again I respect what other people have and their privacy. They don't build fences for people like me."[3]

In an October 2015 article for Opensource.com, Herzog explains why he worked with open source and why he created the Open Methodology License:

"Later we learned that a methodology couldn't be copyrighted as it was legally considered a trade secret. All I was doing was copyrighting the written words, but not protecting the method. What we needed was an open trade secret, which didn't exist. So I talked to lawyers. I spent a weekend creating the Open Methodology License (OML), which originally borrowed heavily from the GPL with the only purpose of labeling something as a Trade Secret with the owner being everyone. An open trade secret. Go figure. That let us keep the methodology open and free while restricting forks and rewrites of the document as a standard that industries could uphold for regulatory requirements."[4]

In 2016, Herzog co-created the Open Source Cybersecurity Playbook in collaboration with Barkly Protects, Inc., a well-designed, easy-to-understand how-to manual intended to help small and medium-sized companies build better security.

In 2017, ISECOM released three classroom textbooks and one children's book, "How the Hacker Stole Christmas", all designed by artist Marta Barceló and illustrated by Herzog's then 13-year-old daughter and his friend Carmen Sullo.

IBM has partnered with ISECOM to use Hacker Highschool to increase the number of skilled cybersecurity workers worldwide.[5]

Videos and Podcasts with Herzog:
2017 La Salle Breakfast presentation on Situational Security Awareness
2017 Troopers Heidelberg presentation on Using Intent for Authentication
2017 RSA Conference San Francisco presentation on Teen Online Addiction
2016 RSA Conference San Francisco presentation on Hacking as a Learning Tool
2016 Veracode PSA on Why Security Breaches Still Happen
2016 Veracode PSA on Starting an Application Security Program
2016 Veracode PSA on The Importance of Application Security
2015 RVAsec presentation on Hacking the Stock Market
2014 RVAsec presentation on Security Awareness
2010 SecTor Canada presentation on Trust
2010 #days Switzerland on Security Research and Philosophy
2010 Eurotrash Security Podcast Interview
2010 CyberPatriot Interview
2009 BlackHat Amsterdam Interview
2008 Swiss Symposium about OSSTMM
2007 FOSDEM presentation on Security Testing
2003 Hacker Highschool Teacher class

Popular Articles by Herzog:
2016 Article on Application Security from a Consultant's Perspective
2015 Article Showing the Detail of Effort That Goes into Making and Maintaining Security