When Do The Ends Justify The Means?

Since my last story, I find myself puzzled by the inaction of an industry that characterizes trust, ethics, and morals as the foundation on which its entire profession stands and is built. Bold statements such as “Integrity is a fundamental standard in ethical cyber security”, “Cyber ethics encapsulates common courtesy, trust, and legal considerations”, “Cybersecurity is guided by ethical principles and values, such as confidentiality, integrity, availability, non-maleficence, beneficence, justice, and respect for autonomy. These principles and values help define what is right and wrong in cybersecurity, and what are the duties and obligations of cybersecurity professionals.” and “Act honorably, honestly, justly, responsibly, and legally” are found across a multitude of blogs and websites.

There is more than sufficient evidence out there, provided there is a proper venue for victims to share it in a manner that protects the many victims, including those who have attempted to come forward in good faith. These individuals, while not perfect by any means, have shared their concerns privately to protect the reputation of an industry and to solve a common problem.

A reader recently forwarded vBTruth an email, sent in January 2024 by ISSA-LA President Richard Greenberg, asking the reader for a character reference. We were able to authenticate the email as legitimate.

I am being targeted by a misinformation campaign by a few unethical people. I would be most appreciative if you could write a character reference for me, mentioning the work that I have done for ISSA-LA and your speaking engagements with us. I have been building the programs, including personally inviting speakers, for the annual ISSA-LA Security Summits, Women in Security Forums, and CISO Forums. I created and chaired the CISO Forums and Women in Security Forums.

Please feel free to reach out if you need more information or have any questions.

This email sent by the ISSA-LA President raises several questions including:

  1. How many individuals has the ISSA-LA President sent this email to?
  2. How many victims has the ISSA-LA President mischaracterized, and flat out lied about, by labeling them “unethical” as part of this email campaign?
  3. How many victims have had their reputations tarnished and possibly destroyed when individuals reached out to the ISSA-LA President for “more information” or because they “have questions”?
  4. How many individuals have written character references and possibly have inadvertently tarnished their reputations personally and professionally?

Since vBTruth first published our original piece, we have been working tirelessly behind the scenes on fact checking and finding credible sources of information. Under California’s Public Records Act, we requested that the City of Santa Monica produce documents. The City of Santa Monica oversees the Annenberg Beach House and its associated operations.

Over the last several months, we have been slowly combing through the 2000+ pages produced by the City of Santa Monica. We still expect additional documents to come in the weeks ahead. Among the documents produced were several invoices and permits.

On several occasions, we observed ISSA-LA’s name co-existing with Layer 8 Masters and/or Planet Cyber across multiple documents. We also observed Layer 8 using ISSA-LA’s resources such as the Post Office Box across multiple documents.

Our public records request review has raised numerous questions, including:

  • Is there confusion between ISSA-LA and these for-profit conference events?
  • How severe is brand confusion between ISSA-LA and the private for-profit conference company?
  • Did the ISSA-LA President and Vice-President receive non-profit discounts for their for-profit conference, potentially defrauding taxpayers?
  • Are potential attendees being diverted to a private, for-profit conference?
  • Are potential revenue sources from attendees, and from sponsors being redirected away from ISSA-LA members and into the pockets of the ISSA-LA President and Vice-President?
  • In the process of searching for sponsors, is the ISSA-LA President and Vice-President having first pick at sponsors for their conference and leaving scraps for ISSA-LA?
  • What ISSA-LA resources are the ISSA-LA President and ISSA-LA Vice-President using beyond the Post Office Box? Did the ISSA-LA board know and/or approve the usage of the ISSA-LA Post Office Box?
  • Are the ISSA-LA President and Vice-President using ISSA-LA members’ money to fund and pay for their personal, private, for-profit conference? Are they treating ISSA-LA like their own private bank?

vBTruth spoke to one nonprofit attorney about accessing financial records and minutes. Members of a non-profit association have rights to inspect financial records and minutes. Under California Law, a member can inspect:

  • Articles, bylaws, and all amendments to articles and bylaws (5160, 7160)
  • Adequate and correct books and records of account (6320(a)(1), 8320(a)(1))
  • Minutes of all board, committee and member meetings (6320(a)(2), 8320(a)(2))
  • Member lists (6320(a)(3), 8320(a)(3))

At least one individual, who we understand is still an ISSA-LA member, has publicly stated that they demanded to inspect financial records and minutes on November 19, 2023. As of December 5, 2023, they had not received access to any financial records or minutes.

By this individual’s account, ten business days passed and no financial records or minutes were provided by ISSA-LA. Why would ISSA-LA not simply open the financial books and minutes? Do they have something to hide? All of these questions are significant, especially if the ISSA-LA President and Vice-President are using ISSA-LA as their own private bank.

All of these questions are sufficient to wonder whether any character references written on behalf of the ISSA-LA President are worth the paper they are printed on.

Since no financial records were permitted to be inspected, it raises questions such as “Are there financial irregularities?” The lack of transparency creates the perception that the ‘books were cooked’ because the default position was to hide. Invoices and permits produced by the City of Santa Monica suggest this could be happening given the co-mingling of the brands. Plus, these invoices are no small dollar amounts. We are talking about potentially tens of thousands of dollars per event.

The fact is there is no misinformation campaign, just individuals trying to raise concerns. In this case, something is clearly rotten because official government records show several significant irregularities that should concern members, leaders, and anyone who is part of this profession. These official government records show that ISSA-LA’s resources are being used. These official government records also show clear brand confusion that makes it challenging for some individuals, companies, organizations, and sponsors to differentiate whether an event is organized by ISSA-LA or is a personal, private, for-profit event.

Psychologist, educator, management consultant and author Saul Gellerman proposed four commonly held rationalizations for unethical behavior:

  • People tell themselves that their behavior is not unethical.
  • People think that their behavior is acceptable because it is in the favor of the business.
  • People think that no one will come to know about their unethical behavior.
  • People think that they will be protected even after doing something unethical.

In this specific instance, the ends do not justify the means. These men are not Robin Hood and his band of merry men.

What troubles this reporter is the lack of response, the lack of any action for over a year, and the rationalization of such behavior.

The essence of ethical integrity lies in consistency across all areas of behavior. Commendable contributions should not serve as a shield for unethical practices nor be viewed to offset misconduct. The true measure of an individual’s ethical stance is reflected not only in their capacity to contribute positively to society but in their adherence to ethical principles in professional and personal dealings.

People who rationalize their participation, attendance, and engagement in any event organized by the ISSA-LA President and ISSA-LA Vice President, while having conscious knowledge of what is happening, are endorsing, encouraging, and excusing this despicable, unethical, immoral, and possibly illegal behavior.

It makes you wonder if the values of trust, ethics, and morals are only upheld by individuals when it is convenient. It speaks volumes about an individual’s character when considering classic sayings such as “Guilt by association” and “Birds of a feather”.

This entire incident shares many similarities and hallmarks with the case of former Adelphia CEO John Rigas. It does not matter what an individual has done in the past or what they can do for you. It matters whether they see the error of their ways and are willing to ask for forgiveness, rectify the situation, and show remorse. I will never advocate for a cancellation; I will advocate for a resolution that hopefully all stakeholders will find acceptable.

In the words of Russian anti-corruption campaigner Alexei Navalny, who reportedly died in a Russian prison yesterday:

“All that is needed for the triumph of evil is for good people to do nothing.”

Alexei Navalny

ISSA-International – Complicit, Complacent, or Cowards?

ISSA-International stood by doing nothing for over six months

There are few things more dangerous than a mixture of power, arrogance, and incompetence.

Bob Herbert, American Journalist

Information Systems Security Association (ISSA) Members are starting to turn on ISSA-International, its Board of Directors, and its Ethics Committee for its inaction and standing by watching as members were forsaken. The charges?

  • Dereliction of duty.
  • Ineffective leadership.
  • Abandoning their responsibilities.
  • Breach of fiduciary responsibility.
  • Absence of due care.
  • No confidence in the leadership.

The list of charges continues to grow as more victims have come forward to share their stories with vBTruth. The most surprising part of these charges – there is extremely strong evidence to suggest these charges have merit.

Several members have told this publication they will not be renewing their membership after their ISSA membership lapses and will not be participating in the association in any capacity. One member has shared they regretted their vote in the recent June 2023 ISSA-International Board election. If given the opportunity, another member would censure the ISSA-International Board and bring before all ISSA members a “motion of no confidence” to remove members of the ISSA-International Board.

From the multiple victims we have interviewed, ISSA-International was aware of these ethical issues for at least half a year. Multiple credible sources have stated that ISSA-International has known about these ethical issues, or was warned about impending ethical issues, for at least a year, if not longer. At least one source has claimed they warned ISSA-International over a year ago of an impending ethics submission related to fraud, corruption, conflicts of interest, and breach of fiduciary responsibility; however, they were unable to provide concrete evidence to support their claim.

One set of documents provided to vBTruth shows that ISSA-International received an incriminating complaint in March 2023 and acknowledged receipt of it, along with the subsequent artifacts supporting the allegation of fraud, corruption, conflicts of interest, and breach of fiduciary responsibility. Several of the same artifacts that were provided to ISSA-International are identical to what was provided in our original article during this investigation.

Multiple victims shared their concerns at the highest levels, including the current ISSA-International President, Shawn P. Murray, and the current ISSA-International Executive Director Marc Thompson. Multiple individuals have alleged they shared concerns as early as March, April or May 2023.

Our Analysis

Our review of all documents made available to us by one victim’s attorney shows that multiple complaints were lodged and then stalled procedurally because the victim’s name must be disclosed to the perpetrator. Consistently, multiple victims raised concerns with the appropriate parties, including the current ISSA-International President and the Ethics Committee, that they fear physical and defamatory retaliation from the current ISSA-LA President Richard Greenberg. ISSA-International’s responses repeat the same theme: the victim must disclose their identity, and thereby become a target of continued malice, slander, and libel.

As we wrote earlier, Arlene Yetnikoff wrote on LinkedIn that ISSA-International was not taking anonymous complaints that were detailed and factual because “Several fear, with justification, physical and defamatory reprisals for speaking out.” (emphasis added)

Multiple victims have told this publication that they refused to file ethics complaints, escalate, or raise the matter because they have justified fears of escalating tensions. Several victims expressed deep frustration with ISSA-International’s failure to enable whistleblowers to come forward anonymously or confidentially. To come forward would mean their identity would be known to the ISSA-LA President, thus escalating tensions. These victims were seeking to de-escalate and resolve these pressing ethical issues. Not escalate.

A Series of Unfortunate Missteps and Poor Leadership?

There appear to be several missteps that led to the perfect storm in which grievances exploded into the public spotlight on November 30, 2023 on LinkedIn.

The first misstep appears to be the lack of a whistleblower policy. Since its 2007 tax filing, ISSA-International reported to the IRS on its Form 990s tax filings that they did not have a whistleblower policy. For almost twenty years, ISSA-International decided not to implement a whistleblower policy. A nonprofit organization is not required to establish a whistleblower policy to maintain its tax-exempt status. However, the IRS regards the implementation of such a policy as a sound governance practice. This measure serves to guarantee that the organization’s assets are utilized following its exempt purposes, promoting transparency and responsible management. Organizations such as OWASP have whistleblower policies that enable employees, members, and volunteers to blow the whistle and remain anonymous. Those policies appear to have worked as Richard Greenberg, David Wettenstein, and Haral Tsitsivas are no longer in a leadership capacity at OWASP-LA and OWASP-OC.

The second misstep appears to be a lack of foresight, a lack of emotional intelligence, and a failure to grasp the severity of the situation. Instead of promptly consolidating numerous complaints into a comprehensive investigation, there seems to be a reluctance to address the issue discreetly and privately. The unwillingness to make a one-time exception, allowing whistleblowers to maintain anonymity or confidentiality to expedite ISSA-International’s resolution of the matter, reflects a failure to grasp the severity of the situation. The ongoing approach has continued to escalate the number of casualties each month and threatens to tarnish the brand and reputation of ISSA and its members.

The last major misstep appears to be the lack of wisdom to prepare for this ethical debacle. One individual we interviewed said they warned of an impending ethics complaint. Rather than prepare, the time was squandered. No whistleblower policy was authored. No revised ethics policy was authored. It appeared that the status quo remained. The time appears to have been spent congratulating the ISSA-LA Chapter President for being inducted into the ISSA Hall of Fame and the ISSA-LA Chapter for winning “Chapter of the Year” in August 2023.

It does raise a question: why was the ISSA-LA President awarded Hall of Fame and ISSA-LA awarded Chapter of the Year when there were multiple complaints and allegations of misconduct? Especially when multiple ISSA-International leaders have had conscious knowledge of ongoing fraud and malfeasance since the first half of 2023.

Complicit, Complacent, or Cowards?

Is ISSA-International Complicit, Complacent, Cowards, or all of the above?

Complicit

In our opinion, ISSA-International is complicit.

  • ISSA-International is knowingly putting individuals in harm’s way by requiring disclosure of their identities to a perpetrator.
  • ISSA-International is knowingly letting the number of victims grow, damaging their reputations. Many victims are leaving the Association.
  • ISSA-International’s silence and inaction only serve to enable and endorse the actions of a dictator and his cronies in a banana republic. It has escalated to where the ISSA-LA President is presently in the process of stealing the election.
  • Two of ISSA-International’s Board Members spoke at PlanetCyberSec on December 6, 2022.

Complacent

In our opinion, ISSA-International is complacent.

  • ISSA-International awarded “Chapter of the Year” despite knowing there are outstanding ethical complaints against chapter leadership, specifically the Chapter President and Chapter Vice President.
  • ISSA-International awarded “Hall of Fame” to a leader who has outstanding ethical complaints and clear conflicts of interest.
  • ISSA-International abandoned its fiduciary responsibility to do what is in the best interest of ISSA and its members.
  • ISSA-International has failed to protect the ISSA brand, and its chapters utilizing the ISSA brand, thereby indirectly harming its members.

Cowards

In our opinion, ISSA-International leaders are cowards. Those in positions of authority lack the courage to make hard decisions and act. It was easier to put the burden of responsibility on multiple victims. It was easier to pass the buck.

President Harry S. Truman had a sign on his desk that read “The Buck Stops Here.” Where does the buck stop at ISSA-International and who bears ultimate responsibility for ISSA-International’s lack of leadership and its continued series of failures?

The Current International President.

ISC(2) Board of Directors, General Counsel and Assistant General Counsel refusing to act on Ethics Complaint

Information Systems Security Association (ISSA) is not the only organization failing to act and protect people

Arlene Yetnikoff wrote on LinkedIn that ISSA-International was not taking anonymous complaints that were detailed and factual because “Several fear, with justification, physical and defamatory reprisals for speaking out.” (emphasis added)

On November 12, 2023, we broke the initial story that the current ISSA-LA Chapter President, Richard Greenberg, CISSP, was Accused of Fraud, Malfeasance, and Breach of Fiduciary Responsibility. We also wrote that several organizations were notified of this fraudulent and unethical behavior. Several organizations refused to act on detailed and factual complaints, including the organization International Information System Security Certification Consortium because the submissions were anonymous.

International Information System Security Certification Consortium better known as ISC(2) is the organization behind the industry certification Certified Information Systems Security Professional or CISSP. The CISSP is marketed as “the gold-standard information security certification.”

We at vBTruth interviewed one individual in early November and reviewed months of that individual’s email correspondence begging both ISC(2) and ISSA to act. Despite ISC(2) and ISSA being told in writing that the individual had a “fear of reprisal, retaliation, retribution, duress, intimidation, malice”, the concerns were shut down and caught in procedural technicalities that centered on the need to disclose the victim’s identity to the perpetrator, despite those fears being shared and justified. This article focuses on ISC(2).

Months Long Ordeal

On August 31, 2023, ISC(2)’s Ethics Committee received a whistleblower email sharing concerns about ethics and compliance violations, citing violations of the ethical rule to “act honorably, honestly, justly, responsibly, and legally”. The whistleblower email included a comprehensive, detailed description of the victim’s concerns, including several artifacts such as legal filings and screenshots.

ISC(2) declared in multiple Internal Revenue Service (IRS) Form 990 tax filings that they do have a whistleblower policy. vBTruth was unable to locate such a policy online, and it appears there were similar requests made in the past by other individuals.

On September 5, 2023, Assistant General Counsel Alex Rosenfeld responded to the victim that they must submit a signed, notarized complaint and that they intend to disclose the victim’s identity to the ISSA-LA Chapter President despite being informed of the fear of retaliation. Unusually, Assistant General Counsel Rosenfeld asked for evidence despite previously being provided the evidence in the August 31, 2023 whistleblower email.

On September 6, 2023, the victim responded to Assistant General Counsel Rosenfeld that they were seeking another process because the ISC(2) policies do not protect their identity. They cited the confidentiality language on ISC(2)’s website as not adequately protecting them:

The board and its agents undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of the identity of the complainant will be avoided where possible, upon filing a complaint, the complainant implies consent to disclose (their) identity to the respondent (perpetrator), where the board or its agents deem it necessary for due process. Actions of the board may be published at its discretion. Parties are encouraged to maintain confidentiality and certificate holders are reminded of their obligation to protect the profession.

The victim was unwilling to put their livelihood at risk because the concern of reprisals was too great. They immediately asked for an exception to the policy and asked to remain anonymous.

The emails between the victim and Assistant General Counsel Rosenfeld continued throughout the month of September. It appears Assistant General Counsel Rosenfeld had multiple conversations with members of the ISC(2) Ethics Committee, comprising ISC(2) Board of Directors members Samara Moore, Laurie-Anne Bourdain, Dan Houser, and Edward Farrell.

Starting on September 18, 2023, Samara Moore, Chair of the Ethics Committee at ISC(2), was included in the email conversation by the victim, who was urging and begging ISC(2) to resolve the impasse over the mandated disclosure of their identity.

In an email on September 18, 2023 to both Assistant General Counsel Rosenfeld and Ethics Chairwoman Samara Moore, the victim writes “If ISC(2) accidentally discloses my name or identity against my direct or indirect wishes, it will be very detrimental to my career. I very much doubt ISC(2) will be offering me a six-figure salary and a career at ISC(2) for the remainder of my life.”

On September 26, 2023, the discussion focused on “not disclosing the victim’s identity without their consent”, however, the responses do not appear to allay the concerns of the victim.

On September 27, 2023, Assistant General Counsel Rosenfeld wrote to the victim, “…as previously communicated, we undertake to keep the identity of the complainant and respondent in any complaint confidential from the general public. While disclosure of your identity will be avoided where possible, where/if the Committee deems it necessary for due process, we will reach back out to you for your consent to share your details. If you choose not to allow us to use your name, the committee will determine whether it can proceed with the available information with the necessary redactions.”

When we interviewed the victim and asked why that was not satisfactory, the victim explained that their understanding of ISC(2)’s position was that the Committee would very likely need to disclose their identity as part of due process. They would need the victim’s name and a signed, sworn affidavit. Given the victim’s unwillingness to disclose their identity, the whole endeavor would be a mere exercise in futility. ISC(2) would have the sole power to dictate terms to the victim.

On September 29, 2023, the victim appealed directly to the ISC(2) Board of Directors and requested that they remain an anonymous whistleblower and be granted an exception to the policies at ISC(2). In the email to the Board of Directors, the victim writes:

I continue to express concern that the confidentiality policy and process being proposed is insufficient because the accidental, intentional, or unintentional disclosure of my identity would be detrimental to my career.

The victim also expressed that “The individual I am reporting shall and will view this as a great affront, escalate the situation, retaliate, and seek retribution” and that “Similar individuals who share similar concerns on this CISSP certification holder and ISC(2) member have unanimously agreed that to proceed with a signed affidavit and full disclosure of my identity …would effectively paint a target on me.”

The victim also expressed (emphasis added) that they “have a genuine fear and concern that should my identity be disclosed, there would potentially be a physical confrontation, altercation, and my physical life safety would be placed at risk.”

The email was sent to all members of the board; however, based on the emails we reviewed, only ISC(2) Board of Directors members James Packer, Laurie-Anne Bourdain, Dan Houser, Rachel Guinto, Samara Moore, and Guy Ngambeket received it, because several email addresses had to be guessed and there was no list of email addresses published on the ISC(2) website. We observed a series of bounce messages showing that several emails were not delivered. It is reasonable to conclude that six out of twelve Board of Directors members received the appeal asking for board consideration of anonymity and whistleblower status, three of whom sit on the Ethics Committee.

On October 12, 2023, ISC(2) General Counsel Graham Jackson emailed the victim to schedule a call to discuss the nature of their concerns. Based on our conversation with the victim in early November 2023, the victim felt there was some positive progress on their phone conversation of October 21, 2023; however, they still felt they did not have the necessary assurances that their identity would be protected, despite being assured by ISC(2) General Counsel that their identity would not be disclosed without permission.

While the victim respects and understands the procedural hurdles to maintain integrity on the ethics process so that there is not a deluge of false ethical complaints, the victim still felt the hurdles were extremely advantageous to the perpetrator and not balanced.

Our Analysis and Thoughts

When we reviewed months of emails between the victim, the two attorneys, and subsequent conversations that included Ethics Chairwoman Samara Moore, and a direct appeal to the Board of Directors, one quote the victim wrote struck me deeply:

If ISC(2) does not act, chooses not to act, or fails to act, it puts our certifications at risk because the very core tenet of our profession is ethical behavior. To continue to not act means all holders of ISC(2) certifications will face devaluation of the certification because it now raises questions of integrity of all ISC(2) members. ISC(2) can no longer guarantee that its members are ethical.

While it is not mandatory for a nonprofit organization to possess a whistleblower policy to maintain its tax-exempt status, the IRS views the adoption of such a policy as a commendable governance measure. This practice aids in safeguarding the organization’s assets, ensuring their consistent utilization in alignment with its exempt purposes. The whistleblower policy can include volunteers and members.

Despite the Form 990s we reviewed stating there is a whistleblower policy, our impression is that there is no whistleblower policy. The response by ISC(2) is insensitive and callous at best, and seems to set the stage for a physical altercation and harm at worst.

It would seem ISC(2)’s Board of Directors, Assistant General Counsel, and General Counsel are holding steadfast to a process despite claiming to have a whistleblower policy. They seem unwilling to find a reasonable means to protect the victim’s identity while getting to the bottom of fraud, corruption, law-breaking, and clear ethics violations. The General Counsel, the Assistant General Counsel, and members of the Board of Directors seem unwilling to consider, let alone grant, an exception despite being presented with overwhelming evidence. Even without the affidavit, it seems reasonable in this reporter’s eyes that, given so much independently verifiable evidence, the Ethics Committee could move forward to evaluate the matter at hand. The emails we reviewed suggest that both the ISC(2) Ethics Committee and Board of Directors are choosing to ignore the matter on a procedural technicality, insisting that they must know the identity of the victim despite being presented with overwhelming evidence.

The victim is also directly telling ISC(2)’s Board of Directors and General Counsel that they fear being harmed physically and losing their livelihood during tough, challenging economic times should their identity be disclosed. The victim is forced to choose between filing an ethics complaint and keeping their career; filing risks a tarnished reputation, being unemployed and unemployable, and ending up hungry on the streets. Adding insult to injury is the possibility of spending months healing from physical wounds and emotional distress from potential assault and battery.

Any reasonable individual would pick their personal welfare over an ethics complaint because the ethics complaint yields no real tangible benefits, personal or professional.

The CISSP states that the first priority is life safety. Human safety. Life safety takes precedence and priority over all else. That includes written policies.

Perhaps these ISC(2) Board of Directors who hold a CISSP need to be reminded of the importance of life safety?

OWASP-LA withdraws from upcoming ISSA-LA Holiday Party

In an update to our article “Someone Being Naughty before the ISSA-LA Holiday Party?”, we were informed today that the Eventbrite pages for sponsorship and registration for the upcoming ISSA-LA Holiday Party no longer list OWASP-LA as one of the non-profits participating in the upcoming event.

That makes three non-profits who have had their names removed. Interestingly enough, the respective Eventbrite pages for registration and sponsorship still have language stating “four” non-profits are participating.

We will share additional updates as they become available.

Allegations of Election Fraud at Information Systems Security Association Los Angeles

Credible Claims of Election Fraud turn Information Systems Security Association Los Angeles into a Banana Republic

Reporter’s Note: If one had told me I would be doing a story on election fraud and a stolen election, I would have mocked one for suggesting such preposterous ideas. I very likely owe some colleagues in the industry a case or two of merlot and an apology.

On Thursday, November 30, accusations of election irregularities, election interference, and election fraud were made public on LinkedIn, alleging that the election currently in progress at Information Systems Security Association Los Angeles (ISSA-LA) is being stolen.

Arlene Yetnikoff, a former ISSA-LA Advisory Board Member, wrote an open letter urging people to “ask questions as to how this happened and the reasons why.” Karen Worstell, author, a current ISSA fellow, the former ISSA-Puget Sound Chapter President and founder of the ISSA-Rainier Chapter, backed Arlene’s concerns of election irregularities in LinkedIn comments, stating that several “qualified nominees” she submitted did not appear on the ISSA-LA ballot. In a now deleted comment, Karen Worstell hinted that an ethics complaint was in motion; however, there is no definitive proof that an ethics complaint was filed, what the contents of the ethics complaint were, or when it was submitted.

Rafal Los commented that, “Given what I’ve personally witnessed in my many trips out to LA, I’m not surprised it’s come to that. When professional organizations become more about personal gain and money to be made, it’s a recipe for this exact outcome.”

Our Analysis

When the news first broke, our initial review of the claim was that this was highly irregular, suspicious, and could possibly be false. A copy of the ballot was posted on Friday, December 1 by Joshua Chin, potentially validating the claims of election irregularities. No one from vBTruth saw the actual election ballot; however, all indications suggest the ballot is legitimate.

We reviewed a copy of the ballot posted on LinkedIn, and there is only one candidate listed in each category, except for one category: Education Director. There is no option to write in any candidate in any category.

Over two days, additional information surfaced, including that the platform being used was Election Runner, which has support for write-in candidates.

Karen Worstell has gone on the record on LinkedIn stating that the bylaws “are not being followed” and the “election is engineered”. Potentially two or more candidates running for the 2024 board who appear on the ballot have not attended six chapter meetings, board meetings, or conferences organized by ISSA-LA; however, there is no definitive evidence.

Among the “qualified nominees” that were properly nominated by Karen Worstell are former board members and former advisory board members of ISSA-LA. They were all blocked from running and appearing on the ballot. One qualified individual was nominated to be President of ISSA-LA, according to Joshua Chin via Karen Worstell through LinkedIn comments. This would seem to indicate that the election is engineered for the current President to maintain his presidential powers.

Even giving the current ISSA-LA President the benefit of the doubt and taking actions at face value, there is still evidence that the ISSA-LA President is abusing and clinging to power. The ballot has not one, but two empty positions: the Education Director and the Executive Director. The Executive Director position does not even appear on the election ballot. Neither position allows one to write in a candidate.

The inability to write in a candidate for two clearly vacant positions, or to write in alternative candidates elsewhere, deprives ISSA-LA members of their due process in voting for and selecting their board members. After the election closes, who gets to fill those vacant spots? Per the ISSA-LA bylaws – the current President.

Where is ISSA-International in this process? At least one board member, David Vaughn, was tagged in the comments of Arlene Yetnikoff’s post; however, ISSA-International is strangely silent in this process – which could be interpreted as a strong endorsement of the current ISSA-LA board’s actions. The lack of any action in this continuing saga, in this reporter’s opinion, could indicate that ISSA-International has abandoned its responsibilities and could be in breach of its fiduciary responsibilities.

Let us call a spade a spade. The entire ISSA-LA election process is fraught with irregularities and potentially has several ineligible candidates. The ballot is set up in a manner to enable the current President to win and maintain his power.

The ISSA-LA chapter is a banana republic – run by a dictator and his cronies.

Someone Being Naughty before the ISSA-LA Holiday Party?

This story is part two of a months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement and sharing these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.

…We have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it.

― Shannon Brewster, ISC2 LA President

As part of our ongoing, months-long investigation into accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility at ISSA-LA, vBTruth recently observed an upcoming joint holiday party on Eventbrite, allegedly hosted by ISSA-LA, Women’s Society of Cyberjutsu, Open Worldwide Application Security Project (OWASP), Association of Information Technology Professionals – Los Angeles (AITP-LA), the Southern California (SoCal) Chapter of the Cloud Security Alliance and ISC2 Los Angeles.

vBTruth reached out to a few of these organizations to confirm their participation and attempted to obtain copies of any agreements.

More than one organization was surprised that they were included in the holiday party because they did not give consent. Even more surprising was the fact that their respective organizations were featured as one of “six” non-profits hosting the holiday party – on both the ticket sales page and the separate sponsorship sales page. Both ISC2 LA and Cloud Security Alliance stated that the use of their names was unauthorized.

“ISC2 LA leadership had some informal discussions over email with ISSA-LA’s board regarding a joint holiday party. They reached out a few weeks ago and invited us to participate but we had not made a final decision. We were waiting on a written proposal and an agreement that disclosed the expected costs and responsibilities.

Given that nothing has been finalized, we have not given approval to include our name in the Eventbrite invitation and I was surprised to see it in the (Eventbrite)… I wasn’t even aware tickets were already on sale for it,” Shannon Brewster, ISC2 LA President, wrote to vBTruth.

An anonymous source familiar with the matter at Cloud Security Alliance told vBTruth that “they never agreed to participate at the holiday party and were extremely disappointed in the attempt to obligate the SoCal chapter in(to) participating and the unnecessary deception to the (security) community at large.”

Both Cloud Security Alliance and ISC2 LA have issued demands to have their names removed from any promotional material or website stating their participation in the holiday party. Both have stated they will not be participating in this year’s holiday party. At one point, the sponsorship Eventbrite page listed five non-profit organizations. It was further updated to remove ISC2 LA.

Both Eventbrite pages have been updated since the demands were made by Cloud Security Alliance and ISC2 LA.

Another recent significant update was the keynote speaker at the holiday party. On November 2, 2023, the website featured Bryan Hurd, Chief of Office, Aon Cyber Solutions (Stroz Friedberg). By November 10, Bryan Hurd had been removed from the website and replaced with Demetrios Lazarikos (Laz).

The question we have not been able to answer is: “Why was Bryan Hurd replaced one month before the holiday party?” The only two logical conclusions were:

  • Schedule Conflicts
  • Unauthorized Use of Name/Attempt to Obligate

An analysis of both possibilities leads us at vBTruth to believe that it was an attempt to obligate Mr. Hurd as the keynote speaker of the holiday party without his consent.

First, we have not one, but two attempts in a single event to obligate, maybe force, two independent organizations to participate in the ISSA-LA holiday party. Both organizations have issued statements to vBTruth, stating they never agreed to participate.

Next, we can assume it was not a ‘mistake’ per se, but intentional. Two Eventbrite webpages listed all organizations allegedly hosting the holiday party, by name and with an exact count of the organizations participating. To list and name a number of organizations, including two organizations who did not agree to participate, on two different Eventbrite webpages, each with a precise count of participating non-profit organizations, one must conclude that this was intentional.

Lastly, keynote speakers are typically booked months in advance. To cancel at the last minute usually means a change of schedule, or something personal is occurring. It is highly unlikely a schedule conflict occurred to force Mr. Hurd to withdraw, because it is a holiday party, holiday parties usually have large turnouts, and a keynote speaker would set the necessary time aside and block their calendar.

That leaves the last option: Unauthorized use of name and attempt to obligate. There are already two documented instances in this one event to obligate two other organizations. It is certainly not unreasonable to assume that more attempts occurred without the general public’s knowledge.

“There’s an old saying in Tennessee — I know it’s in Texas, probably in Tennessee — that says, fool me once, shame on — shame on you. Fool me — you can’t get fooled again.”

― President George W. Bush, 43rd President of the United States of America

Regardless of what happened with Mr. Hurd, it does not change the fact that ISSA-LA falsely published two organizations’ participation and tried to potentially strong-arm and obligate their entire organizations and their respective leaders. Marketing this event to both potential attendees and sponsors as having the participation of organizations who did not agree to participate is duplicitous, dishonest and fraudulent behavior.

Those reasons alone put ISSA-LA and its leaders on the naughty list and rightfully earn all of them lumps of coal this holiday season.

ISSA-LA Chapter President Accused of Fraud, Malfeasance and Breach of Fiduciary Responsibility

This story is part one of a months-long investigation conducted by vBTruth. During the investigation into the accusations of fraud, malfeasance, conflicts of interest, and breach of fiduciary responsibility, we at vBTruth ultimately felt this story warranted coming out of retirement and sharing these individuals’ combined stories. vBTruth is continuing its investigation and will report subsequent updates as new evidence is uncovered.

Sunlight is the best disinfectant. This mantra of transparency remains true today. After several months of attempting to resolve concerns of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance behind closed doors with no resolution, individuals are finally coming forward and shining a light.

Multiple individuals, including several current and past members of the ISSA-LA Chapter, have accused the current sitting ISSA-LA Chapter President and now former OWASP-LA Chapter President Richard Greenberg and the current sitting ISSA-LA Chapter Vice President and now former OWASP-LA Chapter Vice President David Wettenstein of fraud, conflicts of interest, self-dealing, breach of fiduciary responsibility and malfeasance. The accusations of malfeasance and breach of fiduciary responsibility are starting to extend to the current sitting ISSA-LA chapter board for turning a blind eye to conflicts of interest by the current Chapter President and Vice President, failure to enforce the bylaws of the chapter, and failure to remove the Chapter President and Vice President. The number of individuals making accusations appears to be growing larger and louder by the day. The number of victims continues to grow with each passing moment, and the number of casualties in this journey towards finding a resolution continues to rise.

On March 25, 2021, ISSA-LA Chapter President Richard Greenberg filed articles of organization with the Wyoming Secretary of State’s office, forming a new limited liability company: Layer 8 Masters. Legal business filings were obtained from both the Wyoming Secretary of State’s Office and California Secretary of State’s Office. Listed in these business filings were Richard Greenberg, Haral Tsitsivas, David Wettenstein, and Alexander Braehler – members of the limited liability company. The purpose of the business is to host cyber security educational events under the brand “Planet Cyber Sec Conference”.

Since September 2021, Planet Cyber Sec has held 11 cyber security conferences throughout Southern California, including CIO/CISO Forums, AppSec SoCal, and other security conferences and events.

ISSA-LA, a 501(c)(3) nonprofit charity, is operated by a volunteer group of individuals who make up the leadership and board of ISSA-LA. These same volunteers have a primary place of employment from which they derive the income they live on.

While it is not unethical to hold a primary place of employment and serve concurrently on a 501(c)(3) nonprofit board, nor is it unethical to directly compete against the nonprofit, it is questionable to start a brand new business that competes in the same industry, the same vertical, the same geographic area, and the same space (security conferences), that offers nearly identical services, and from which both the for-profit company and the nonprofit obtain the vast majority of their income – while both the for-profit organization and the nonprofit organization are concurrently led by the same sitting leaders.

It is clearly unethical, and a clear conflict of interest, to be using ISSA-LA members’ money and ISSA-LA’s non-profit resources, and to be profiting from their position as leaders in the non-profit, for a for-profit organization, especially one directly owned by the ISSA-LA Chapter President and Chapter Vice President. The Chapter President and Chapter Vice President have been using members’ money and member-owned resources, have a conflict of interest, and are potentially profiting from sponsorships and revenue from ticket sales at their for-profit enterprise while potentially leaving ISSA-LA members holding the bill on indirect expenses. Multiple individuals have raised these concerns privately and quietly, often having lengthy conversations and sharing their concerns.

Multiple newsletters sent by ISSA-LA share a consistent repeating theme of offering an ISSA-LA member discount to attend Planet Cyber Sec events. Each email lacks any notification or disclosure to anyone reading the newsletter that the current Chapter President and Vice President are owners of Planet Cyber Sec and have an equity and financial stake in the success of Planet Cyber Sec. Effectively, given the lack of transparency and how each email is phrased, any reasonable individual could perceive and interpret “Planet Cyber Sec” as an ISSA-LA organized event. vBTruth was able to obtain copies of the newsletters and verify their authenticity.

One individual interviewed by vBTruth, on condition of anonymity because this individual had concerns about a recurrence of being harassed, defamed, and slandered by the Chapter President, witnessed firsthand the brand confusion, promoting, and selling of Planet Cyber Sec at other local events. Representatives from ISSA-LA gave away tickets, pitching it as “ISSA-LA is giving away two tickets to Planet Cyber Sec”. There was no disclosure to potential speakers and potential sponsors that Planet Cyber Sec is directly owned by the ISSA-LA Chapter President and Vice President.

The list of concerns continues, ranging over inappropriate use of chapter resources such as mailing lists, chapter intellectual property, and multiple social media accounts across multiple platforms owned by ISSA-LA. vBTruth has independently verified that select social media accounts owned by ISSA-LA do indeed promote Planet Cyber Sec. In all instances, there are no disclosures that the Chapter President or Vice President are owners of Planet Cyber Sec.

This individual further alleges there was never any chapter board approval given to Planet Cyber Sec or its owners to promote Planet Cyber Sec, to use chapter social media, or to use other chapter assets in the manner they were used for Planet Cyber Sec. The same individual alleged that Richard Greenberg sent Planet Cyber Sec information across multiple marketing channels – all done without permission and a vote by the chapter board, effectively bypassing chapter board approval not once, but multiple times.

One individual vBTruth interviewed, on condition of anonymity because they feared retaliation and physical harm from the Chapter President, stated they had serious misgivings and concerns not just over the use of chapter resources, but over chapter members’ money. According to the individual, the Chapter President spent members’ money on himself on lavish, all-expense-paid trips to RSA Conference in San Francisco, CA, and BlackHat USA in Las Vegas, NV. These trips were completely paid for by ISSA-LA members. These trips are not cheap. Hotels can easily run over a thousand dollars a night during RSA Conference and BlackHat USA, according to this individual. These board-approved trips were intended to raise the profile of ISSA-LA and build relationships with potential speakers and sponsors.

However, this individual alleged that the Chapter President was nowhere to be found during RSA Conference and BlackHat USA. This individual never ran into the Chapter President at the RSA Conference or BlackHat USA exhibit halls. Several other individuals with ties to the Chapter President never encountered the Chapter President on the exhibit hall floor. vBTruth was unable to verify the claim; however, the individual was able to provide multiple receipts and credit card bills showing their presence at RSA Conference and BlackHat USA. vBTruth was also able to find photos on social media indicative of and aligning with what this individual alleges, including one photo where the Planet Cyber Sec logo is clearly visible on a polo shirt worn by the ISSA-LA Chapter President while traveling on ISSA-LA members’ money.

At the same time, there were serious questions whether the time and money spent on these trips or the utilization of LinkedIn was for the Chapter President’s personal gain, his personal business, or for the Chapter. As one individual pointed out, “It is very hard to distinguish whether Richard was doing things to build his business or for ISSA-LA as they are all comingled together.” This pattern of using chapter-funded resources for personal gain extends to LinkedIn as well, as ISSA-LA is paying for the Chapter President’s LinkedIn Premium account.

The concerns of unethical behavior, using members’ money, using chapter resources, creating brand confusion, self-dealing, and the lack of transparency and reasonable disclosure have created various degrees of confusion. It is believed that more than one exhibitor thought they were sponsoring and giving money to ISSA-LA and not Richard’s Planet Cyber Sec. There has been at least one accusation that the President and Vice President were redirecting and diverting potential sponsors, money (through sponsorships and ticket sales) and speakers away from ISSA-LA events and towards Planet Cyber Sec while lining the Chapter President’s and Vice President’s own pockets.

The concerns have triggered a wave of resignations at ISSA-LA, with at least one confirmed resignation in protest of the unethical behavior by the Chapter President and Vice President. Based on information that vBTruth has been able to assemble, the board turnover at ISSA-LA has been extreme. Since May 2022, at least eight ISSA-LA chapter board members have resigned or have chosen not to continue on the board. Their roles range from Chapter Secretaries and Chapter Treasurers to multiple Directors. That is at least an 80% board turnover in 18 months on a ten-seat chapter board, or a 67% board turnover on a twelve-seat chapter board. Several individuals appear to have held board positions for multiple years and abruptly quit with no public reason given. Additionally, starting August 2023, six advisory board members also abruptly resigned over a short period of two months. Yet the President and Vice President continue to remain in power ten-plus years later.

At least two board positions remain vacant to this day, in violation of the ISSA-LA bylaws: the Executive Director and Social Media Director positions. In the upcoming 2024 board elections for ISSA-LA being held December 2023, the position of Technology Director is unfilled, and the Executive Director and Social Media Director are mysteriously not on the ballot nor being advertised as vacant.

Citing these concerns, multiple individuals have privately raised numerous questions, concerns, and complaints to numerous organizations including ISSA-LA, ISSA International, OWASP International, International Information System Security Certification Consortium, and other organizations regarding the founders of Layer 8 Masters and Planet Cyber Sec.

At least one individual has expressed their concerns to one organization’s general counsel because they fear potential physical harm by the Chapter President, as well as slander as they have been the confirmed victims of slander by the Chapter President.

They also expressed no confidence in the independence of the ISSA-LA board. They firmly believed that any action brought by the members would not lead to any result because not enough victims or individuals would be willing to come forward and confront and challenge the Chapter President and Vice President in a meeting as written in the ISSA-LA bylaws. They have concerns that those frustrated members and victims have chosen not to renew their memberships, refuse to get involved and have tried to move on, or have transferred as members to another chapter so as to keep their distance from the current Chapter President and Vice President. They also firmly believed that the board lacks independence because Richard Greenberg, Chapter President of ISSA-LA and face of Planet Cyber Sec, can appoint and fill vacant ISSA-LA board positions, per the ISSA-LA bylaws. They reasonably believe the board is now filled with the Chapter President’s cronies.

OWASP International appears to be the only organization who has conducted any investigation of the complaints and examination of the evidence to date on the unethical behavior of Planet Cyber Sec founders. It appears that OWASP International found the complaints valid as Richard Greenberg, Haral Tsitsivas, and David Wettenstein are no longer listed as leaders of OWASP-LA and OWASP-OC. vBTruth did not reach out to OWASP International to verify because their website cites confidentiality related to these types of issues.

Tensions, frustrations, and anger have reached a breaking point with multiple victims and individuals. Many are suffering from emotional exhaustion. They want to close the chapter on this saga.

Other than OWASP, these victims and individuals believe more than one organization has turned a blind eye. These organizations are refusing to take any action and refusing to move forward due to procedural semantics because their policies do not allow whistleblower and anonymous submissions. Often these victims find themselves having to defend their positions to remain anonymous because of a deep fear of retribution. Multiple individuals have expressed similar concerns, including potential physical altercations, physical intimidation, defamation, slander, harassment, or libel between themselves and Richard Greenberg.

One question remains: Who actually cares about these ethics violations and will take action to stand up to these clear infractions and violations? An individual lamented that this has been a frustrating, disheartening, and discouraging multiyear process.

These victims feel abandoned. Alone. Exhausted. The very ethics and the upstanding principles spoken of throughout the security industry ring hollow. These organizations are nowhere to be found when confronted with overwhelming evidence that something is amiss.

What lies ahead for each remains to be seen. And yet there are those who continue to champion the ethics, the morals, and the principles that so many seem to have conveniently forgotten.

vBTruth will be continuing its investigation into this story. Stay tuned for additional updates, including a Part 2 to this story.

Early Lessons Learned from Capital One Data Breach

Capital One, one of the nation’s largest financial institutions, announced that one of its employees has gone rogue and was responsible for stealing information from consumers and small businesses.

This information included personal information Capital One collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Approximately 140,000 Social Security numbers and 80,000 linked bank account numbers were also compromised as part of the theft. 1 million Canadian Social Insurance Numbers were compromised as well.

Capital One stored consumer and small business information on S3, a cloud storage service offered by Amazon.com. The court complaints detail the investigation conducted by the FBI into how an attacker was able to access and download data from Amazon S3 from up to 700 different S3 buckets.

There have been a number of different data breaches related to improper security controls at various organizations using Amazon S3.

Something as simple as a misconfiguration can have huge consequences for an organization’s reputation. With a growing number of data breaches, from medical records to purchasing habits, the leaked data is starting to paint a comprehensive picture of the average individual. With any technology implementation, due diligence must be performed to reduce the likelihood of a cyber breach.


Cloud Computing does not outsource risk and security

Cloud computing is simply borrowing someone else’s computer. By no means does it equate to transferring the risk and security responsibilities to that entity. Risk and threat models need to reflect the change of ownership of computers, and where data lives on a day-to-day basis. At the end of the day, it is on executive management and senior management to understand and accept that the risks and security burdens are still on the organization, even if they appear differently operationally. Cloud is not the silver bullet for your security challenges.

Regular Reviews

We are all human. We make mistakes. No one is perfect. It is the reality of being mortal. It is important that assessments, audits, penetration tests, and red team engagements are performed on a regular basis. It is even more important that the mantra of trying to “pass” these engagements by any means possible be put behind us. Achieving a passing score is an important metric, but achieving it by any means possible sets an entire organization back because it does not allow the necessary resources to be allocated to address gaps identified during these reviews. When sick, we do not get better unless we disclose all the symptoms so a doctor can assess and prescribe the correct medicine.

Soft Skills

Technologists, practitioners, subject matter experts, and management need better soft skills. The days of assuming that management understands everything are long gone. The days of technologists and practitioners staying in their cubicles or digital walled gardens are over. Technical experts need to improve their ability to communicate the risks of adopting technology. Management needs to press upon their technical experts to do proper due diligence to identify risks.

Audit, Logging, Monitoring, and Acting Upon Them

A huge saving grace for Capital One was the level of detail in its logs, which enabled it to reconstruct the series of unfortunate events. Organizations should have robust logging and controls in place to protect those logs. However, despite Capital One having these logs, the data breach went undetected for close to four months. Consistent active monitoring and knowing what to look for are essential to identifying anomalies quickly. Your threat hunters are looking for needles in ever-growing haystacks.
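One way to put “knowing what to look for” into practice, as an added example that is not from this article or from Capital One: a small detection run over constructed CloudTrail-style S3 data events that flags any principal which lists the account’s buckets and then reads objects from an unusually large number of distinct buckets within a short window. The record shape follows CloudTrail’s field names (eventSource, eventName, eventTime, userIdentity.arn, requestParameters.bucketName); the ARNs, timestamps and thresholds are constructed for illustration.

```python
"""Detect bucket-sprawl reads in CloudTrail-style S3 data events.

Added example (not from the article). Record layout mirrors CloudTrail's
field names; every sample value below is constructed, not a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CLOUDTRAIL_TIME = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime format


def _event(name, arn, ts, bucket=None):
    """Build a minimal constructed CloudTrail S3 record."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name, "eventTime": ts,
           "userIdentity": {"arn": arn}, "requestParameters": {}}
    if bucket is not None:
        rec["requestParameters"]["bucketName"] = bucket
    return rec


# Constructed principals: a nightly backup role and a web-tier instance role.
BENIGN_ARN = "arn:aws:sts::111111111111:assumed-role/backup-role/nightly"
SUSPECT_ARN = "arn:aws:sts::111111111111:assumed-role/web-role/i-0abc123"

SAMPLE_EVENTS = (
    # Normal operations: the backup role reads from its own single bucket.
    [_event("GetObject", BENIGN_ARN, f"2024-01-15T02:{m:02d}:00Z", "backup-archive")
     for m in (5, 17, 42)]
    # Suspect pattern: the web role first enumerates every bucket in the account...
    + [_event("ListBuckets", SUSPECT_ARN, "2024-01-15T10:00:00Z")]
    # ...then reads objects from a dozen unrelated buckets within fifteen minutes.
    + [_event("GetObject", SUSPECT_ARN, f"2024-01-15T10:{m:02d}:00Z", f"data-bucket-{m:02d}")
       for m in range(1, 13)]
)


def _parse_time(ts):
    return datetime.strptime(ts, CLOUDTRAIL_TIME)


def find_bucket_sprawl(events, max_buckets=5, window=timedelta(hours=1)):
    """Return findings for principals that read from more than `max_buckets`
    distinct S3 buckets inside any `window`-long period.

    Each finding records the distinct buckets touched, the start of the busiest
    window, and whether the principal called ListBuckets shortly before the
    reads (discovery followed by bulk reads is the pattern worth paging on).
    """
    reads = defaultdict(list)       # arn -> [(time, bucket)]
    list_calls = defaultdict(list)  # arn -> [time of each ListBuckets call]
    for ev in events:
        if ev.get("eventSource") != "s3.amazonaws.com":
            continue
        arn = ev.get("userIdentity", {}).get("arn", "<unknown>")
        when = _parse_time(ev["eventTime"])
        name = ev.get("eventName")
        if name == "ListBuckets":
            list_calls[arn].append(when)
        elif name == "GetObject":
            bucket = ev.get("requestParameters", {}).get("bucketName")
            if bucket:
                reads[arn].append((when, bucket))

    findings = {}
    for arn, items in reads.items():
        items.sort()
        best = None
        # Slide a window starting at each read; keep the start with the most
        # distinct buckets. Quadratic, which is fine for a per-principal slice.
        for i, (start, _) in enumerate(items):
            seen = {b for t, b in items[i:] if t - start <= window}
            if len(seen) > max_buckets and (best is None or len(seen) > len(best[1])):
                best = (start, seen)
        if best is None:
            continue
        start, seen = best
        findings[arn] = {
            "buckets": sorted(seen),
            "window_start": start,
            "enumerated": any(start - window <= t <= start for t in list_calls[arn]),
        }
    return findings


if __name__ == "__main__":
    for arn, finding in find_bucket_sprawl(SAMPLE_EVENTS).items():
        tag = "ListBuckets+bulk reads" if finding["enumerated"] else "bulk reads"
        print(f"{arn}: {len(finding['buckets'])} buckets from "
              f"{finding['window_start']:%H:%M} ({tag})")
```

In a real deployment the same logic would run over CloudTrail data events delivered to S3 or CloudWatch Logs, with `max_buckets` tuned to what each role legitimately touches.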

This data breach joins a long line of many. We cannot accept that data breaches are the new norm. As we learn more from this insider attack, we should draw more lessons on how to minimize the likelihood of another data breach of this magnitude. We must be vigilant at all times to protect the stakeholders who entrust us with their data, their identity, and their livelihood.