Episode 200 extravaganza! Best of the Cyber Work Podcast (and $1,000 in prizes!)
PLEASE NOTE: Around minute 47, I incorrectly say that Eric Milam, author of the definitive report on the BAHAMUT threat group, is employed by HP. He is, in fact, employed by Blackberry. I sincerely apologize to Mr. Milam for the error.
In this special episode, we look back at how the show has evolved over the past three years and celebrate our amazing guests and viewers. You've helped grow the Cyber Work Podcast to nearly a million plays!
To give back, we're launching a brand new way for EVERYONE to build their cybersecurity skills. It's free. It's hands-on. Oh, and did we mention there's more than $1,000 in prizes EVERY MONTH?
Huge thank you to all the past guests who shared their expertise over the past 200 episodes. The timings of everyone in this episode are listed below. Happy listening!
– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast
- 0:00 - Intro
- 0:42 - Monthly challenges and $1,000 in prizes!
- 1:30 - Cyber Work Podcast origins
- 2:32 - First episode with Leighton Johnson
- 3:16 - Finding our first guests
- 3:46 - Keatron Evans on incident response
- 6:54 - Susan Morrow on two-factor authentication
- 8:54 - Susan Morrow on GDPR
- 11:03 - Susan Morrow on "booth babes" and speaking up
- 13:20 - Alissa Knight on getting arrested for hacking at 17
- 16:39 - Alissa Knight on API security
- 19:14 - Ron Gula on cybersecurity challenges
- 23:23 - Amber Schroader on the real work of digital forensics
- 26:19 - Theme of the Cyber Work Podcast
- 27:01 - Jeff Williams on creating the OWASP Top Ten
- 31:23 - David Balcar on the biggest APTs
- 33:46 - Elie Bursztein on breaking into cybersecurity
- 37:37 - Sam King on AppSec frameworks and analysis
- 41:17 - Gary DeMercurio on getting arrested for red teaming
- 47:19 - Eric Milam on the BAHAMUT threat group
- 53:39 - Feedback from Cyber Work Podcast listeners
- 55:16 - Alyssa Miller on finding your career path
- 57:24 - Amber Schroader on computer forensics tasks
- 59:07 - Richard Ford on malware analyst careers
- 1:02:02 - Career action you can take today
- 1:02:19 - Rita Gurevich on reading and learning
- 1:03:20 - Snehal Antani on transitioning careers
- 1:04:26 - Promoting underrepresented voices
- 1:05:09 - Mari Galloway on women in cybersecurity
- 1:05:31 - Alyssa Miller on diversity "dog whistles"
- 1:10:11 - Christine Izuakor on creating role models
- 1:10:52 - We want to hear your story
- 1:11:40 - Monthly challenges and outro
[00:00:00] Chris Sienko: Hello and welcome to episode number 200 of the Cyber Work with Infosec podcast. I'm your host, Chris Sienko, and I'm thrilled to be celebrating this major milestone for the podcast with you. The purpose of this episode is to reintroduce you to the Cyber Work podcast and give back to the community who helped us get to 200 episodes, nearly a million listens and views, and over 42,000 subscribers on YouTube: all the people who download, listen, watch, comment and even join in during the live video premieres every Monday at 1pm Central. We want to tell you about some new ways to learn, show you some highlights from our first 200 episodes, and hopefully provide an effective roadmap for exploring past episodes of the show.
[00:01:44] CS: As you probably already know, I start every episode of the podcast by asking our guests about their cybersecurity journey. So now I'm going to do the same for Cyber Work. What was our journey? Well, Cyber Work's first episode went live on YouTube just over three years ago, on July 12th, 2018. It was originally titled The Infosec Institute Video Series, and I recorded my part of each episode in an actual storage room at our then offices in Elmwood Park, Illinois. You see, quiet space is at a premium when your company's and most of its employees' primary job is selling cybersecurity training over the phone.
Our first guest was Infosec instructor Leighton Johnson, who spoke about the path to becoming a security architect. Here you can take a listen to my – let's be generous and say unpolished – introduction.
[00:02:33] CS: This is the first in a series of videos that we'll be doing, which will include several types of security information and discussion. Hope you will check back regularly, because we'll be covering several different areas of security. Some weeks we'll be doing security awareness topics. Some weeks we'll be doing tools of the trade. We will do an occasional tool deep dive. And as we are doing this week, we'll be looking at security career paths. Our aim is to break down the journey from security newcomer to an elite security practitioner. So if you feel like you're sitting at the bottom of the security organizational ladder and aren't moving up as quickly as you'd like, stay tuned.
Our guest this week is Leighton Johnson, and he’ll be talking to us about the path to the role of security architect.
The words may have been stumbling and hesitating, but the purpose of the podcast was set from the very first words. We're here to move you up the ladder in the cyber security industry. It just took a lot of patience and a few dozen episodes before the message became a little cleaner.
I got a prior reputation to work off of. My earliest guests on the podcast were mostly close members of the Infosec family, including great and underseen episodes featuring Infosec instructor and superhero Keatron Evans, speaking here about the work of an incident responder.
[00:03:47] KE: One of the key things that I find that I have to kind of remediate when we come into organizations is the communications, right? Because they don't necessarily know who needs to be communicated with when. You have HR, and PR, and legal and all these other people that need to be involved in an incident that you on the surface wouldn't think about, because we think about incident response as more of a technical thing.
And a lot of it is, but there's a whole software management side to it too, where you have to communicate details of that incident to the right people at the right time. And you have to make sure that you don't communicate certain information kind of prematurely or ahead of time. We can look back at some cases where, for example, when LinkedIn had a breach a few years ago, they immediately reported and said, "Hey, we had a breach. We lost 7 million records." And then they had to come back a month or so later and say, "Oh, we were wrong. 117 million records." So it kind of looks like maybe you didn't know what you were talking about the first time, or maybe you released that information a little too soon.
So helping organizations understand how to navigate that is sometimes the biggest challenge. The technical stuff, either it is or it isn't; that's what I love about the tech stuff. It's binary. Either this technique will work or it doesn't. And if it doesn't, you move on to something else and try to solve the problem another way. But the people side can be more challenging sometimes. So I think, if you want to be kind of a manager or do all things incident response, you have to be good at communicating with people and calming people down. Because I tell people all the time, that's one of my biggest roles, is to come in and be the calm, because a lot of these organizations, regardless of how big they are, haven't had a lot of experience going through major breaches. So when they have one and the media is involved, a lot of times the first day of my job is just calming everyone down and saying, "Look, guys. Okay, they're in. Rushing, and running around, and acting like the world's going to end is not going to speed up this process. So they're in. We're not going to get them out instantly. So let's go through our methodical approach. What do your policy and procedure and your playbook say? Let's look at that, and let's see if we can operate within that. And if I find that it's got too many flaws or it's too limiting, then I will, with approval, go outside of that, and maybe you can go back and adjust that procedural document once this incident is handled."
So I just kind of slow everybody down and calm them down. I'll sit down and have coffee with the CISO, just to kind of let him see like, "Hey, look, if this guy's not freaking out, then maybe we shouldn't be freaking out either, because he's obviously done this a bunch of times. And he seems to be A-okay with all of this." So that's a big part of it, is to have that calming factor, that calming demeanor, to not come in and act like the sky is falling, because I've run into other incident responders that have the opposite approach, where they come in and make it seem like, "Oh, my God, everything's going to be so bad if you don't do this." And that's really not what you want. Yeah, exactly. That's really not the approach you want to take, if you want to get a callback at another incident.
[00:06:55] CS: And Infosec Resources author, and privacy and blockchain expert, Susan Morrow, who is tied for the most appearances on the show at three, talking in her episodes about moving beyond passwords, the implications of GDPR, and her experience as a woman in the industry.
[00:07:11] SM: Two-factor authentication by definition will improve security. However, there are always thoughts in all of this. At the minute, apparently, only 10% of Gmail users are actually using two-factor, even though they've got the option. Not everybody offers the option for two-factor, because the web developers have to add the capability in, and it's an extra piece of functionality, and it's actually a piece of cost for companies and so on and so forth. But it's not just that. On the user end, people don't like two-factor. It's taken me, I know, and of course it's taken me several years to actually add it into my PayPal account, even though it's really, really important to do that. Because it's a pain, because you're, "Oh, I put my mobile phone down. Where is it? I can't get in." People get sick of it. But it is really important to do it if you can. Now, of course, it's not the perfect solution. There's a lot of people now finding vulnerabilities that allow session cookies and things to be – there's a new one, for example, in LinkedIn, where if you've got two-factor authentication initiatives in LinkedIn, there are ways of phishing even the second factor; you can get the session token and you can actually hack someone's LinkedIn account. So it has to be implemented correctly and securely, okay? It has to be. And there are ways of doing it well and ways of doing it badly. But if it's done well, it's a great way to prevent certainly a lot of the phishing problems that we have, but it's not 100% perfect.
[00:08:55] CS: Most of us probably have a friend, online or in real life, who is saying, what's going on with all of this? It seems like I keep re-subscribing to all my newsletters. I think one of my friends thought it was all a Mark Zuckerberg ploy. Other people think it's just another way of them ripping you off. How would you explain GDPR to someone who thinks that this is just yet another ploy, I suppose?
[00:09:21] SM: Yeah. I know the sort of whole – I think privacy's come to the forefront because of negative privacy press like the Facebook Cambridge Analytica debacle. It definitely raised the profile, if you like, of what is privacy. So it is the kind of – it's a difficult thing to explain to people why it's important. A lot of times people say, "Well, I've got nothing to hide. I don't need to be privacy aware." And there are a number of reasons that you need to be aware of privacy now because, first of all, aside from the sort of increasing cyber attacks and the data breaches, I mean, I think the last count is something like 9.7 billion data records have been breached over the last – well, since 2013, I think it is. Gemalto run a Breach Level Index, and they keep tabs on all of this. But, anyway, it works out at like five million data records a day being exposed. Privacy is a bit more than just having data stolen, but it's all part and parcel of the same thing.
If you can have control over your data, and that's really what GDPR is about, giving the control back to the user so they can control who has it and what to do with it. It kind of feeds into the whole – the security, it's sort of like almost like a pipeline. Privacy is part of the pipeline, and it feeds back into the security of that data once it's out of your hands. It only adds a little bit of control back into your life, you know, because all of us do feel like our data is out of our control now.
[00:11:03] CS: You recently wrote an article for our site, resources.infosecinstitute.com, titled 10 Women in Cybersecurity to Know. And you included a bit of autobiography at the start, specifically about the days when the only women on the floor of a cybersecurity conference were the so-called booth babes. As you noted, the women at these conferences at the time weren't really there to bring knowledge or insight, but were "a kind of prize for the male attendees". And obviously things have changed a bit in the intervening years, but obviously a lot more is needed. You posted a tweet from a colleague that expressed anger that this kind of thing is still going on. With platforms like Twitter making it harder to pretend that organizers didn't get the negative feedback for their actions, do you think that speaking up about these things in public spaces is making any difference?
[00:11:46] SM: Yes, definitely. I mean, to be perfectly honest, back in the day I didn't have a lot of confidence to speak about things like that. I've had some experiences. And it took a lot of maturity to build my confidence. A lot of younger women now seem to have the confidence that I lacked, and they're not frightened of standing up. And it's made a massive difference. And I'm really grateful to them for having the courage to say this is wrong. I mean, when I think back, I feel quite ashamed that I didn't pull people up on certain circumstances when they embarrassed me, and it made me feel ashamed, and were outright, outrageously sexist to me. I didn't say anything to them. I should have said something to them. But I was fearful of my job and upsetting people and that type of thing. But now, people stand up. Yeah, it upsets a lot of people. And I know that there's a little bit of a backlash and men are thinking [inaudible 00:12:46], right? And I get it, because it would be really annoying. It would be really annoying because it does feel like a sudden tsunami of angry women. But oh my god, the alternative is to have submissive, suppressed women. Do you really want that? Do you really want that? Gosh! We need to work together in this world, especially in cyber security, because it touches everything now. We have to work together. We'll have to use all our talents together. So I'm grateful for those young women who've got the courage to speak.
[00:13:21] CS: Susan is tied at three with master hacker and writer Alissa Knight, who has also graced our podcast three times.
[00:13:27] CS: How far back does your interest in computers, tech and security go? Is this something you're always interested in? Or did that come later in life?
[00:13:33] AK: Oh goodness! Yeah, so I started with a 486SX-25, back when the CPUs were square and you put like a CPU fan on. So yeah, they go back quite a ways. I started really getting into hacking when I was 13. Typical Hollywood story: hacked into a government network, got caught, arrested when I walked onto the school grounds. They were waiting. Yeah, and the charges were dropped because I was interviewed without my parents there. I guess they didn't realize they were interviewing a minor. It was like a couple weeks before my 18th birthday. Yeah. So I got off on a technicality.
[00:14:21] CS: What did you hack into? And was it just I wanted to see if I can do this?
[00:14:27] AK: Yeah. It was a government network. I didn't – it wasn't for any – there was no real mal-intent. It was, can I do this? It was more out of curiosity. And the good news is that because of that, I really had an opportunity to get a second chance and realize that it wasn't a black hat that I wanted to be. It was a white hat. And I wanted to be an ethical hacker. And I wanted to uncover these vulnerabilities that were so systemic across so many things. And nothing has really changed since then, right? So back then, it was all about getting the technology out there, getting the connectivity out there. And security was always an afterthought. So I'm a recovering hacker. I've fallen off the wagon a few times. I've been doing this for about 20 years. Seems like it's so long ago. So yeah, it's been a while.
[00:15:21] CS: Wow! I've asked this of a couple of guests before, but you had a pretty concrete moment where you decided, “Oh, I'm on this side and I'm not on that side.”
[00:15:32] AK: It was an inflection point, for sure.
[00:15:34] CS: Yeah. So having armed police people approach you at school probably is a pretty solid way to get that change.
[00:15:44] AK: Yeah. I mean, it's definitely cocktail party bragging rights. All of a sudden, I was the nerd that was picked on all the time, and now being escorted off campus in handcuffs kind of puts you in the cool crowd. But actually, because of all that, I didn't end up returning to school. I'm a serial entrepreneur. I did really turn my life around. I started my first company when I was 17 and I took it to a public company when I was 20. And started my second startup and sold that when I was 27. So really, for me, it was a very pivotal point in my life where, like you said, this was the demarcation point where I need to turn my life around. This is not who I want to be. For me, that was a wake-up call. Say, "Okay, I can do this, and I can get paid very well doing this." And the rest is history.
[00:16:40] CS: What are your sort of primary recommendations for securing APIs right now?
[00:16:45] AK: I would definitely recommend that organizations consider API management and API security to be two separate things. Now this is a religious debate. Because I’ve decoupled – I’m moving my mic here. Sorry. I’ve decoupled the technologies, right? There are certain analyst firms that want to consider the API management space to be all-encompassing, to include the API security gateways of the world. I think that’s wrong. I don’t think that security should be a feature of a management product, right?
So you have these API management companies that have included API security capabilities as a feature, as an add-on, whereas these companies like Forum Systems or 42Crunch, these companies have built their technologies from the ground up to address API security threats. So my recommendation to CISOs and buyers out there is yes, have your API management solution, but also look at investing in an API security product. It's kind of like the old TV/VCR combos, right? If anyone remembers those. When your VCR broke, all you had was a TV; if your TV broke, all you had was a VCR, right? And then because it was attached, you couldn't really do anything if your TV broke.
Yeah. I kind of see API management solutions with security functionality as being those TV/VCR combos that should have never happened.
[00:18:09] CS: I see. So is there a resistance to this because of the usual I don’t want to spend more money on another service, or what do you think the friction point is?
[00:18:22] AK: No, I don’t think it’s a budget issue, I think it’s a lack of education. One of the things that I’m doing as a content creator and influencer is to really influence the market and help guide decision-making. And really help form that narrative. And the narrative that I’m addressing right now is the fact that the API management solutions, the API gateways out there are trying to set the narrative that you don’t need a security solution.
Now, I will give credit to some of the folks who are like, connect us into Ping Identity, connect us in with Okta. Those are great setups. Those are great ways to architect it. But understand that I think what's happening is that the market just needs to be educated on the fact that you have API management and you have API security, and those are definitely mutually exclusive. In my mind I think those things need to be two completely separate things, and they need to go together.
[00:19:14] CS: Two early breakthroughs brought big views and a strengthening of our reputation. For our eighth episode, I had the good fortune to speak to cyber security legend and philanthropist Ron Gula, who told us all about his new ventures and the importance of philanthropy in the tech sector.
[00:19:27] CS: What are the big challenges you see sort of looming that need to be addressed or will need to be addressed as the sort of tech changes as the threats increase and so forth?
[00:19:41] RG: Again, depending on where you are in the industry, if you're a small business, if you're a home user or you're working in corporate IT, you're going to see some tremendous changes over the next couple years. Corporate IT, large enterprise, is going to become a lot more compliance-driven. And that's not a bad thing. It just gives people a goal that they should attain. But being compliant doesn't necessarily mean that you're secure. It's a classic debate that's out there.
Now when you move out of the enterprise business though when you move into SMB and home business, there's no way we can keep up. So you're going to see security more and more be hidden from us. If there's a security update in a phone, if there's a security update in your DVD player, your TV, it's going to be automated. It's going to be sort of out of sight.
And I'm a big fan of science fiction, right? So if you read Diamond Silicon. Oh my gosh! I can't believe I just flubbed Neal Stephenson's book, The Diamond Age. If you read that. If you read Ready Player One, if you read Neuromancer, if you read these things about science fiction about the future, that's really where we're going, which means we are going to have a good bit of security, but we're going to have very little privacy, and with the things that we're giving our data to, both corporate and advertisers, it's going to be really difficult to figure out who has what and who knows what about us. I mean, all you have to do is read – NPR had an article a week or two ago about ultrasonic tracking, where apps on your phone are constantly emitting, or listening a little bit to your microphone. And if you walk into a store, there's a certain tone that we can't hear, but they're tracking you in that store. And there are so many other nefarious, and law enforcement and intelligence, applications for it. It's definitely interesting.
[00:21:32] CS: So how do we stay ahead of these security challenges?
[00:21:36] RG: I think there's a couple ways. I think, first of all, we have to understand that – I'm going to get deep on you here for a second. That security in general, it's really a collaboration between the people who make it, the people who use it, the governments who regulate it. So we have to fight for democracy. You do not have security when you go to a non-democratic country. And we have to realize that. So we're not just competing with China and Russia for people overseas in Africa and Southeast Asia and Europe. We're really competing for how we want to govern ourselves as a society. So be involved with your politicians. Be involved at the local level. Know who's running. Know what those things are. It's really, really important, and it's going to be much more important as we go forward.
Second thing is you can't sort of not have an excuse. I mean, I'm sure there were farmers and people who didn't adopt the automotive when it first came out. And it's kind of irrelevant now, but the internet and the technology and what happens to our data is moving so fast. It's our responsibility not only to educate the youth, but to also educate the previous generations to make sure they understand and that they are not being taken advantage of with the right ways. Teaching ethics, teaching those kind of things. Again, it's all interrelated.
But then the last one's personal responsibility. We need to understand that there are people out there right now who don't go to the cloud. They don't go to Facebook. They don't have a smartphone, because they don't trust anything. Now they might be the Luddites, but they might also be – that might be the way things are going. If we have one or two breaches of a major – one of the FAANGs, Facebook, Amazon, Netflix, Google, whatever, that could be a very disruptive type of thing. So we need to watch those kinds of things.
[00:23:23] CS: But it was when Amber Schroader, CEO of Paraben, told us about careers in digital forensics and walked us through her E3 platform that we scored our first big hit, with over 25,000 views. You all really like digital forensics.
[00:23:38] AS: The big thing to have everyone debunk: there are no lab coats, there's no one walking around in pigtails feeling like they're that edgy, like NCIS or CSI. It just doesn't happen. You will wear gloves all the time, because computer data is just as digital as other people's data. It still belongs to someone else. But the day-to-day is pretty simple. You spend a lot of time waiting for imaging to happen, because that's just a fundamental aspect of it: you're going to image something, and computers only process so fast.
What I spend the majority of my time doing is imaging. And then I spend a lot of time in analytics and really trying to understand what my suspect is thinking when they're doing it. I do a lot of smartphones. And so one of the aspects of a smartphone that's different than on a computer is you actually learn a vernacular associated with that person. And that can be very hard, because there's a lot of times I'm like, "Okay, I totally don't understand what they're trying to say here. Let me figure out if this acronym still means this when you're my age versus the age of my suspect, because it is so different." And some of those psychology aspects really become a lot more important when you start looking at digital data, because it's very personal and active with that person.
So a lot of it spent in that troubleshooting, because stuff is abused. And so it doesn't process like perfectly like they have on TV. I think if my mom calls me one more time and says, “Why don't you do stuff faster? They did the email in like 10 seconds.” And I was like, “Mom. It's not TV. It takes a couple days.”
[00:25:16] CS: No one's rotating 3D models in front of them.
[00:25:19] AS: No. They didn't just pop that out of nowhere and they're like, "Oh, I'm good. Yeah, great." No. I'm still breaking the Exchange server down. She's like, "Exchange? They didn't have that on TV. You made that up." And I was like, "No. I didn't." It's interesting because the CSI effect has really changed the digital forensic space. It's made it a lot more attractive to people; they're actually interested because it exists. But as far as day to day, I mean, realistically, a t-shirt and jeans; we're actually casual in our lab, but we still treat it like a science. There are a lot of checklists. There's a lot of making sure you're following it and doing the same procedure every time, because otherwise I'd be doing more of an art than a science.
And then of course there's validation. We do it once a quarter. So we have to revalidate our tools. It's kind of like calibrating a computer in a way. So we do that as part of our lab procedure. But I don't know if a lot of people do that. There's a lot of writing as well. No one ever talks about that in computers. You've got to be a good writer. There's a lot of it.
[00:26:20] CS: As the episode number started creeping into the double digits, the Infosec video series got a fresh coat of paint, although we were still in the storage closet, and changed the name to Cyber Speak. It was on the right track, but it wasn't there yet.
The point of the podcast, no matter how sensational the guest or how ripped from the headlines the topic, is always going to be career development and career advancement within cyber security. This is my pledge to you. Even if I manage to get the head of the DarkSide hacking group on the show, I will ask that person about their favorite resume tightening tips.
Speaking of guests, we have had some mighty high-profile guests on the show. I've been fortunate to speak with Jeff Williams, creator of the original OWASP Top 10 list.
[00:27:01] CS: How did you come to found OWASP?
[00:27:05] JW: That was interesting. In the early 2000s, there was really not much awareness of application security, but we were building web applications. People were starting to bet their businesses on these web apps. And so I started consulting, and actually a part of GE came to the company that I was working at and said, "Hey, we really like your data centers, but we want every line of code reviewed before it goes on the Internet." And so the company fell over itself to say yes, but they had no idea how to do it. They were looking for somebody who had a really strong software background and knew a lot about security. And so I got the call to go start that program and run it.
I built one of the world’s first application security teams to do that work, and then we grew a whole bunch of customers inside – This was at Exodus Communications, if you remember them. During the dot-com boom, we got to look at how people were doing security in all the top properties of that, before the dot-com crash. We grew a great set of services with threat modeling, and architecture review and training, and code review, and penetration testing, and things like that, to help companies try to get it right.
That's kind of what led to the OWASP Top 10: people were working on the SANS Top 20 at that time. When I talked to them about app sec, they were like, "Well, yeah, maybe after I finish the 20," and they would never do that. So, I said, "We really need a top 10 of our own." And so I drafted the first one and we got it out pretty quickly there. It was an amazing time in app sec.
[00:28:53] CS: You were really kind of in new territory there, like you said, there was the SANS 20, but no one was really thinking about app sec in those sort of complex ways in terms of security then, right?
[00:29:07] JW: Very few people had the idea of a program around app sec. They did app sec here and there on certain projects, but not any kind of structured program. Coming from my background of very high assurance, I tried to mix some of that into what I brought into this very fast-paced, dynamic web app security world. That's still the challenge.
[00:29:31] CS: Yeah. I’m sure that’s always the challenge. Speaking of that challenge and the top 10 list, what was the original process of compiling the risks, and has that changed at all? Obviously, it doesn’t modify every year, so it’s only when you feel like things have sufficiently changed that you need to modify. How did you come to that original 10 list? What data were you using to sort of order it and so forth?
[00:29:59] JW: Well, at that point, we'd been doing app sec services for three or four years for some of the largest companies in the world, and we had our data, just our perception of what was important. The first version was really, I wrote down my top 10 and then brought it into work, and we argued about it for a few days, and then wrote it up and put it out there.
Really, it’s not that complicated. The top vulnerabilities and risks have always been pretty obvious and they haven’t really changed in the last 15 years dramatically. It’s all basic blocking and tackling kind of stuff. Security today is really messy. People are barely doing what I consider just north of negligent. It’s really not good. In fact, it’s a failure of OWASP, right? If we had succeeded – My original vision was we’d put the top 10 out there and then we get those under control, help people fix those, and then we’d add and move higher in security. But it’s still the same stuff. It’s still injection and cross-site scripting. It’s the same kind of things, authentication, access control. It’s unfortunate, but we’re not making progress.
[00:31:24] CS: Master threat hunter, David Balcar of Carbon Black. Give us some examples of some of the biggest and scariest APTs out there right now. Like who are their targets and what types of security measures are being put in place to try and combat them?
[00:31:34] DB: Sure. This is a great answer I’m going to give you here. So some of the biggest ones are the ones we don’t know about yet, right? That’s the key with APTs, for sure. But if you look at some of the big ones right now, if you look at a story that was published on Motherboard just recently and all over the place was the supply chain attack against Asus, their live updates software. So it affected, I don’t know, a ton of million machines, however many people downloaded that new firmware. Or not firmware, but updates for their Asus live software, right? That’s crazy. The supply chain is the Holy Grail, because if I can get that, you’re going to trust everything walking through your door. If you look at– And you can definitely Google this stuff, look up Lenovo hard-coded password for their fingerprint reader.
Are you kidding me? So I don’t even need a fingerprint. I can just type in a hard-coded password. That’s crazy. Or like the keyboard scraper that was on HP laptops last year from the factory. I was asked when I give speeches and stuff about security, I said okay, “How many people have HPs or whatever?” Not to pick on them. I mean it could apply to anybody. But how many are actually re-imaging their machine clean when they get it? You get maybe 20%, maybe 15% of the crowd that says, “Yeah, I’m doing that.” The rest of them go, “No, I just take whatever’s coming at me.” Those are big.
Some of the other big ones, I guess mainly the financial. My specialty is financial and insurance. I would say around like Lazarus and FIN7/Carbanak, whichever name you want to give them this week. And it’s really about they’re going after the money. They’re going after SWIFT transfers. They’re going after ATM fraud, creating accounts, depleting those accounts. That’s really big. If you look at what the Carbanak gang did, they stole close to a billion dollars and they were very persistent. They stayed in these networks for a long time and stealing money multiple ways, that’s for sure.
[00:33:47] CS: Elie Bursztein, fraud and anti-abuse researcher at Google.
[00:33:52] JK: Coming into cyber security, it wasn't even called cyber security back in the 90s, right? I think it's just interesting that how you entered the field is very different than how a lot of young people are entering cyber security nowadays. They're not reading Phrack and they're not looking at Bugtraq and all those things that were I thought really like a lot of fun and really draw you in. I just wonder for younger people that are trying to enter the industry, in my mind it's good and it's bad, right? It's more accessible. There's more information out there, but it's less personal. There's not like a small group of people that are really invested in helping you learn, like they were back – Just because I’m old and like talking nostalgic about the hacker scene in Chicago in the 90s that I grew up in. But I don't know. What do you think about that? Was that your observation as well with younger people that are coming into the industry?
[00:35:07] EB: It's a hard question, but I think in a way, yeah, things have changed. I think there will always be small community and I think they still exist. It just happened that our field is so big that the community is not one anymore. It's just a few of those and sometimes intersect, sometimes they don't intersect. I remember the old days as well, right? One thing I can say and I don't know if it's very much public, but Phrack was never one group. There was a few groups. And Phrack in the U.S., but at some point Phrack was handed over to some people in France, some people in Germany at a different point in time. And so Phrack was never one group, right? It was a set of people. We didn't know the other group to be honest. I know who were in Phrack friends, or some of it to be honest. Maybe some of them I don't know. I don't know we know everyone.
I think to be honest very few people know who created Phrack. I do, but I’m not going to say. But I don't even know if it's public. And I think Phrack was this kind of decentralized organization of like a group of people who started questioning on the Internet because they found it interesting and then groups already started to create. They still exist. Like Defcon, we have the villages, right? Which are essentially a special group of interest on security. The election security group is very tightly run. Everyone knows them. Everyone who work on that would know Alex Halderman and Matt Blaze which are kind of like the forefront of those. But if you go to the car hacking village where they do a lot of things on death rows these days, they are completely different group. I don't know them. I knew of them, right? And so I think they you can get into car security very easily by entering that community. And so I think you're right. You did not enter the security community anymore.
In a way, depending on what your career path is and what you want to do it, will make it something harder. It will make something easier. I think there is more room. So it's more opportunity because security is so pervasive. At the same time if your goal is to be like the guy known for security worldwide and I don't think it exists anymore.
[00:37:38] CS: And Sam King, CEO of Veracode.
[00:37:41] JK: Where do you draw the line between what languages and frameworks should be doing in terms of security and third-party security assessment, static analysis, dynamic analysis tool should be doing? And then what should just be developer skill in terms of secure coding ability? I mean, I think that’s something that many organizations struggle with is where to draw those lines.
[00:38:06] SK: Yeah. So I think the developer skills piece to me is a pretty basic piece, right? Where I feel like if you're an organization that is writing code that's going to be used for a critical process that's going to transact critical data that, for your organization, provides any kind of an attack surface, you want to make sure that the developers that are creating that code have the right skill set around how to write secure code, right? And so I think that that's a pretty fundamental thing.
It's amazing to me that I have – earlier we talked about the fact that I have two degrees in computer science, and I got those degrees a while back. But I don't have a single course in both, the bachelor's or master's curriculum, that talk to me about how to write secure code. Now, that is changing. A lot of university programs are incorporating how to write secure code. We've done our part here. We actually did a program called Hacker Games where we ran a contest for eight universities across the US and the UK and developers of the future. We gave them the opportunity to come in and compete with each other on who can find and fix the most vulnerabilities over a certain time period. We gave $50,000 in charitable donations to the institutions of the organizations that won. So we did all of that, because we believe that equipping developers with the right skills and the right knowledge is pretty fundamental. And we should do that ranking as part of our educational curriculums. But if not, certainly, as these developers start their professional careers, right?
And then there's the concept of trust, but verify, right? So how much should a language or a framework innately have? To a certain extent, that's going to be dependent on the developers of those languages and frameworks. And to say that everyone is much more aware of what kind of security vulnerabilities continue to persist even when you go to newer languages, right? I think everyone knows that. And so as awareness around that increases, you would expect that as people come up with new frameworks and new languages, they're keeping security in mind in the way they are thinking about architecting it. But at the same time, just because that's the case, you still have to verify what actually came to be in this piece of code when this piece of open source code got combined with that custom code, which calls into that API, which then gets put into a container and gets deployed over there, in my AWS, infrastructure, etc. So I don't think that it's any one thing. It's a combination of these things. Because there's the core skill set of people that write the code. There's the awareness and responsibility that people that are creating these technology platforms are increasingly having as a result of what we're living through. And then there is the verification process. Let's make sure that as multiple pieces of code came together, that we can attest to the security of that.
[00:41:17] CS: But also I had guests straight out of the biggest news stories as when I spoke to Gary DeMercurio and Justin Wynn who were arrested and jailed for conducting a legal red team operation on an Iowa courthouse.
You’ve been on the promotional tour and you recounted this a million times. But if you don’t mind, could you walk us through the event yourself, if you don’t mind? Can you reconstruct the work you were doing at the courthouse the moment you trip the alarm, to the authorities, and the response when they arrived?
[00:41:42] JW: Do you want to take it, Gee?
[00:41:44] GD: I suppose. So let’s see, if we’re just going over that portion of it, we actually arrived at – I don’t know, 11:30-ish, if I recall correctly. We kind of did a walk around on the building. When I say walk around, typically, when go to a building and you haven’t been there before, you walk around and you check all the things out. Our walk around was we parked in the back and walked to the front.
When we got there, the Sheriff’s Department is actually right across the street from the courthouse. So it wasn’t like a surprise that we knew that the police were close by. Yeah, we walked up, and Justin was trying the door at the same time I was trying a badge that we had taken from another building just to see if they had multi-building access. So it was, “Beep!” And then Justin opened the door and I’m like, “Did it work?” And he was like, “No. It just opened.” I was like, “Oh, okay. Just shut the door,” and then we proceeded to bypass the door just to give them the benefit of the doubt.
In this – I don’t want to say in this scenario. But this engagement, overall, there was an overlying theme, which was really easy access to everything. And so this was another one of those times where we just kind of shook our heads, said, “Okay, let’s give them the benefit of the doubt.” What would happen if there wasn’t a mistakable? Or what would happen when somebody did leave the door wide open somewhere else? Which again was a recurring thing. So we shut the door and then just went from there.
[00:43:12] CS: Was it just that the door had like not closed all the way or something like that?
[00:43:15] JW: Yup. That was it. Old door, right? Super, super old courthouse. They literally still have the original latch on doors from hundred years ago, probably. Of course – There is my dog. I’m on cue. They’ve been upgraded things.
[00:43:37] CS: We’ve got three guests on the show today.
[00:43:38] JW: Yeah. They’ve upgraded things. In putting a crash bar on the back of the door itself, but the actual old-school locking mechanism of the door is still there. And I think that’s actually what interfered with the old locking mechanism of the old door handle that was there and then the latch wasn’t able to latch, if I remember right. I could be wrong.
[00:44:03] CS: So you heard the alarm going off and you’re like, “Okay, we’re just going to wait until they get here and we’re going to explain ourselves.” And then they arrived and they didn’t want to hear an explanation.
[00:44:13] JW: Actually, there’s a little bit more to it than that. As soon as we went in the door, there is an alarm panel on the side, and part of what we do is to make sure that people aren’t using default codes. Because a lot of people set up their alarm and they never change their –
[00:44:25] CS: Yeah, 1234 or something like that. Yeah.
[00:44:27] GD: Right? And it’s always the same depending on what company you’re using, what company is installed into the alarm panel. So that’s the first thing we did, was try and make sure they’re not using the default codes. Usually have 20 to 30 seconds depending on the alarm system to punch in said code. After we did that, after we went through the codes that I could remember, we actually set the alarms off ourselves. I just kept hitting the same number over and over and over again to see if it had a lockout on it, and probably the third code I tried, or I should say the third entry of the bunk code I knew wasn’t going to work actually set it off. So it did, I think, went off about 10 seconds early. So as soon the alarm actually went off in earnest and started blaring, I turned to Justin. Justin was actually there for kind of – I don’t want to say a training regiment, because the guy is brilliant, but it was like the next step in the evolution, is he was supposed to take over the physical aspect of testing at Coalfire. So part of being the lead of that is to teach others.
And so that is basically what it was for is, is that was supposed to be Justin’s – I don’t know what do you want to say. Certification training –
[00:45:41] CS: Initiation or – Yeah. Okay.
[00:45:43] GD: Initiation. Yeah, whatever you want to call it, where I came and gave him the ominous, the ominous you’re good to go, and you can go and train. Train everybody and take physical world. This is what it was. So I was making him – I was letting him make all the calls, right? So I turned to him, “What do you want to do? Do you want to bounce or do you want to stay here?”
Again, still under the training guise to see what he would do. But I helped. I don’t want to say I trained, because I definitely didn’t do that. But I helped train Justin on a lot of things. I know he makes the right decisions, because I helped him make a lot of those decisions early in his career.
But again, once again, his decision-making was impeccable. And he’s like, “No, we’re not doing anything wrong. We’re going to get out of the jail free card. We’re here under the order of the customer. So let’s just wait and see if law enforcement shows up.” So that’s what we did. And to be honest, it’s the right call. There are a lot of people in the industry that would have left. And there are a lot of people in Coalfire that would have left, and that’s the wrong choice.
[00:46:44] CS: Yeah. You’re telling a different story than you mean to be telling, I imagine.
[00:46:49] GD: Yeah.
[00:46:50] CS: Now you look like perpetrators who are running. Yeah.
[00:46:53] GD: Yeah. And we’ve actually given talks on this, is there are a lot of people out there who have this pride welled up of never being caught. And if you’re never really ever getting caught, you’re never really pushing the boundaries if you’re testing every aspect of the customer that you should be testing. You’re letting your pride get in the way of, “Well, I’ve never been caught. No one’s ever got me.” It’s like you’re not testing right if you’ve never been caught.
[00:47:20] CS: And with Infosec’s CEO, Jack Koziol, in the co-host chair, we spoke to Eric Milam of HP, the leader behind the team that created the Bahamut Report.
I want to talk about the scope of Bahamut. Does this suggest anything for other threat groups in the future? I mean, this seems like a fairly large and unprecedented threat actor. Does this level of ambition give future cyber espionage groups a working template to create from? Have you seen any other groups that are taking hints from this group and upping their game in that way?
[00:47:54] EM: I mean, yeah. They've definitely, if I was a bad guy and I was looking for a measuring stick, they would definitely be that, or they could be that. Again, wanting and understanding how execution is done, it's really the level. I can watch how well you do a podcast, that doesn't mean I could go do it.
[00:48:22] CS: I’m just going to say, just because you like Jordan, it doesn't mean you can dunk like Jordan.
[00:48:25] EM: Right, right. They've definitely laid out. You can look at them and see – I hate to use the term role model. That's not a good term based on what we're talking about, but you can definitely see a path, or a blueprint as you stated to follow. Again, I know I keep saying this, but the big thing is just their patience and their operational security is above what we normally see. I mean, it's state actor level.
Again, I think they've been trained in this. They could be ex-military. They could be something associated with that, but they really know what they're doing more than most threat actors out there. I think we're going to continue to uncover things from them. I do think, yes. I think people will look at that, or people will leave that company and go start their own and it will be cut from the same cloth for sure.
[00:49:28] CS: Go ahead. Go ahead.
[00:49:28] JK: Sorry, just on specific attack. Just on specific tradecraft, the report mentions that malware is a last resort. It's really account takeovers and it's pivoting. In your opinion, is this the future, or is this what all these threat actor groups are – this is the state of the art to where I mean, I guess if you can comment on that methodology, like malware as last resort and compared to other things you see in the industry and how you feel that’s going to go out and change the future?
[00:50:08] EM: I mean, they use, for the ones that we analyze, there could be other projects out there that we don't know about where malware is key. The ones that we looked at and what this group is really good at is and I think you can see it in the report, it's espionage and it's psychological operations. Psyops stuff. You don't necessarily need malware in all those cases. Maybe to gain a foothold.
One of my specialties when I was a pentester was spear-phishing, just because it's easy. You send out a thousand e-mails, you're going to get some stuff. Now, they didn't do that obviously. They were highly targeted and against individuals they knew would get them in. Again, which shows another level of awareness of what their targets were and how to manipulate them, or get access.
In The White Company paper that we did, they used malware after they had already done what they needed to do in a certain area and if they wanted to pivot to a different area of the organization. They set one side of the organization on fire as a diversion, while they went and took over the other part and did what they needed to do over there. That was pretty interesting.
I think, I think there's an evolution of those types of things, even outside of that. If you look at even TrickBot, Emotet, Ryuk combination, it's okay, get in, get information that will – that someone's willing to pay for and then ransom that box too. I think that is going to continue to rise, because in the old days, it was just they would ransom it. Now it's a whole campaign to get data to have it and then use that as a true ransom leverage point.
I mean, I do think that most campaigns of this nature, they want to be stealthy, extremely stealthy. They don't want to use malware. Those are the things, the longer you can stay in an environment undetected, obviously, the more you're going to find. That is their goal in these campaigns. It's like I said, earlier, mostly espionage information gathering.
[00:52:28] JK: I mean, you and your team are publishing a report against a very sophisticated psyops espionage company. What are your dinner conversations like at home? It’s like, “What did you do today, honey?” Tell me about the personal aspect of working against Bahamut?
[00:52:56] EM: I mean, it's definitely a lot more interesting for my co-workers than my family. I’ve been in this field for a while, so it's like, “Oh, hey. I took over XYZ casino today. Look, I’ve got access.” They're like, “Yeah. Whatever, dad.” They just go whatever, play their video games, or shoot basketball, or whatever. They've heard all the stories for a decade, so to them it's like, “Eh.”
The one thing I can tell you is I’ve made sure that every child that I’ve had has had a computer, or an iPad, or something from the age of two on. I know a lot of probably psychologists would say that's really bad and maybe it is, but guess what? They're going to be the next generation and they're going to be trained from the age of two.
[00:53:40] CS: When we look back on these episodes, the aspect of this whole thing that's most important to me is hearing from you, the listeners, you, the watchers. Letting us know that the podcast has helped you get unstuck in your cybersecurity career. It's focused you on what areas of study and learning you want to emphasize to do the type of cyber security work you want. And best of all, I've heard from people who said it gave them the courage to step out on what feels like a very shaky limb and jump into a new career direction.
One of my favorite stories while doing this podcast is about Ben Garrett, an Infosec scholarship winner in 2019. A member of the Cherokee Nation, Ben came to cyber security after working sales and running heavy equipment for an overseas oil company. Desiring a change, Ben discovered a computer science class later in life. When describing his cyber security journey, Ben said, “I spent a lot of time on Infosec's website reading everything I could find. And I listened to the Cyber Work podcast. I listened to every podcast and webinar they posted. Instructor Keatron Evans had a huge influence on my decision because he gave me the confidence to believe that I could actually do it. Those resources helped me come to the conclusion that cyber security would be a good choice for me.”
For every Ben Garrett whose story I'm lucky enough to hear about in this way, I like to hope that there's a dozen more Bens out there using Cyber Work episodes detailing what it's like to be a security analyst, penetration tester, cloud security manager, or red teamer to focus their interests, deepen their obsessions or just give them the spark they need to start something new.
[00:55:17] AM: Yeah. Let's talk about where to start, and I'm going to give you just a little bit of a selection out of the book. That is you've got to know yourself first. Know what interests you. You don't have to pick your career for life. You don't have to pick the aspect of security that you're going to be in for the rest of your life. Because the thing is, once you're in security, it's really easy to pivot around and go wherever you want to go. But come in with some sense of what interests you, what about security as you're looking for a job here.
The activity I give people, the exercise I give people in the book is if you really need to just sit down and figure this out, a great way to do it is go to some security blogs. Pick 5, 10, maybe 15 security blogs and news sites and other things, and grab the headlines that interest you the most. Look back over the last few months. Grab just the headlines that interests you the most from those. As you get them together now, rank them out as to which ones seem most interesting, and then look for the patterns. What's in those headlines? What are those headlines talking about that what was the rest of the article? What was in there? What aspect of security was it? Was it something with IoT security? Was it something with your OT security, pipelines getting breached lately? Not breached but ransomwared.
I mean, that is such an important first step because I do get these and I know a lot of my colleagues do too, get these messages from people looking for help. You ask them, “Okay. Well, what part of cybersecurity or what do you want to do in cybersecurity?” They’re like, “Well, I just want to learn cybersecurity. I just want to learn it all.” That’s a huge domain. You’re not going to learn it all. I don't know it all, so I can't even teach you it all if that's what you're looking for. But, yeah, I mean, know yourself. Know where it is that you want to go and chase that initial dream. Get in. Then now, if you decide later, “Yeah, I really don't like doing threat analysis,” okay, great. So you pivot into app sec or something? Who knows? I mean, you can do that.
[00:57:25] CS: For listeners who are just learning about this profession for the first time, can you give us kind of a basic description of what a computer forensics professional does? What are the regular tasks and projects that you do and what makes the job interesting?
[00:57:39] AS: A computer forensic professional is going to go through and they’re going to do imaging, which is a scientific method of copying data. And then after that is done, they’re going to go through and actually go through all the individual pieces. So if you want an analogy for it, it’s like taking the box, the puzzle and then finding all those pieces. Putting it back in the box, taking the box back and saying, “How am I actually going to put together this puzzle with the way that they did it?” And you might be missing pieces that you have to go and find. All of that is part of the digital forensic and profession and experience. It’s definitely for people who like to really think through the minutia of the data. And so if you only like to look at big pictures and you don’t like focusing in on, “Hi. I’m going to be doing the same thing for the next couple weeks.” Then it’s probably not the best choice. But if you really love the minutia side, then it’s a good choice for you.
My best investigator I have on my team, she has a psychology degree, and she loves the details. And she is just fantastic at it, because she understands how people think. She understands how they work with their data. So she was not obviously originally in this field, but she’s become one of my best investigators, because I was able to teach her all the nerd stuff. That’s not hard. I can’t compensate for that way you think through your data.
[00:59:07] CS: What are the roles and responsibilities of a malware analyst in 2021?
[00:59:12] RF: So I think there are two flavors of malware analysts. Let's start with that. There're the guys and gals that work inside the cybersecurity industry, right? So they worked for a vendor. And then there are very large enterprises, BLEs, that have their own SOC that also have malware analysts in-house. And those jobs actually look somewhat different. They share some similarities, but they have some pretty big differences as well.
So let's talk about the similarities. At the basic level, what a malware analyst does is they do a lot of reverse engineering of malware. So some attack will come in. Some machine will get compromised and they're going to look at the implant on that machine. Understand what its indicators of compromise were. What did it do? Did it open any other back doors? What was the infection vector? And then your job diverges. So if you're in the industry, you're mainly focused on how do I detect this thing? How do I stop it? How do I automate detection of this?
So one of the big things in industry is that we're dealing with millions of infected files a day, or in fact millions of different bits of malware every single day. If I had to have people look at that, I'd have an army of people. I couldn't afford it. And your malware, anti-malware software would cost you a thousand bucks to see it, right? So how do we do it? We do it with automation. And so my malware analysts not only – There's a continuum, right? As they get more and more senior, they progress in their career. They start off on writing signatures, writing signatures, writing signatures. As they progress, it's I'm looking at things that are more interesting. And then it's I'm looking at detection techniques that fit well with this family of malware that lets me detect this stuff more generically.
Now, in an enterprise, you're not so focused. You're not focused on writing detection signatures. What you're focused on is working with the rest of that SOC team, the incident response team, to go, “What was the impact?” So you might get teamed up. You might get teamed up with a network analyst. You might get teamed up with the incident response team. You might get teamed up with the SOC itself to see what's going on.
So at the end of the day, the basics are the same. I'm pulling apart malware. And that's finicky and it's tiring and it's fun. But what you do with it, the output's different. In my industry, it's I'm all about detecting not just this bit, because detecting the piece of malware that it's in your hand is easy. Detecting all its brethren, that's hard. So there's the detection aspect.
In the company, it's more the investigational aspect. So it's what are the threats that can come against me if I'm Bank of America? What are the threats that are going to come against me if I'm Wells Fargo? What impacts me? What was the impact of this in my environment?
[01:02:03] CS: One thing I ask nearly every guest is something I'd like you to ask yourself if you're feeling stuck in your career. What's one thing I could do today that will put me on the first step to the cyber security career that I want? Fortunately, our guests always step up to the plate with great ideas.
[01:02:20] RG: So I would say read, read, read, read, read. The nice part about cyber security is there're so many companies that are propping up all the time, right? And we are a community of information sharers. And we very much are excited about publishing our viewpoint, blogging about what we're learning. And more often than not, it's real information coming from practitioners. It's not all marketing stuff that's nonsense to a technologist's mind. It's a lot of people that just want to educate what they're seeing, what they're feeling, how things are going. And I think that type of research will really help people get their head wrapped around what are the important areas that are being focused on and where should I pay attention to and where should I focus on when I start uploading my resume to job boards and things like that.
[01:03:21] SA: One of the best architects we had at Splunk, a guy named Dave Simmons. Dave, he was a Carnegie Mellon graduate, but he was a home builder. Like his real background before he went to school was building houses. And it made him an incredible architect, because if you want to go build a house, you've got to take the outcome and then decompose it into its piece parts. And you've got to figure out how to layer the foundation, with the plumbing, with the wiring, with the framing and so on and so forth. So the mentality of taking an end state and then decomposing it and then being able to execute against is what made him a great architect.
And so similarly, from a cybersecurity standpoint, if you are an auto mechanic, you are a world-class troubleshooter. You're able to take a little bit of – Some basic symptoms and figure out through systematic troubleshooting and diagnosis where the problem is. And so you've got these. You just have to recognize those inherent characteristics that can't easily be taught.
[01:04:27] CS: Cyber Work believes that the cybersecurity industry is at its best when it has the most diverse pool of talent and the most diverse backgrounds at hand to solve problems. And we're not alone in that belief. Cyber Work will always be dedicated to promoting the voices of women, minority, LGBTQ+ and cyber security professionals from all backgrounds and experiences. And I want to hear from more of those voices. If you are or know someone in the cyber security field who is neurodivergent, or disabled, or from other backgrounds and would like to tell your story about your experiences in the field and how to bring more people like yourself into the industry, please get in touch with me at email@example.com.
[01:05:11] MG: I think, too, women just need to see that there's a pathway to that world. Everybody doesn't want to be technical forever. And so having that visually out there to say, “Hey, you can do all of these things to get to this point,” is definitely helpful. And then keeping the finish line at the same place. So don't say these are the things you need to do to get to X, and then you move the finish line to Y.
[01:05:32] AM: Right back to what we were just talking about, it’s recognizing the actual business value of diversity, right? It frustrates me when we have these conversations. First is the dog whistle. There's a dog whistle out there that I want to throw and smash things every time I hear it, and that's when someone says, “Well, what we really need is diversity of thought.” No. But that is a dog whistle to say that, “Well, we can accomplish diversity of thought by hiring a bunch of white dudes.” No, you can't. You absolutely cannot, and you have to recognize that. I mean, there are so many examples now. Look at the AI models that were creating deepfake images of people. It turned Barack Obama into a white man. How did that happen? Because of bias, right?
Or I think one of my favorite stories is the TSA, the new body scanners. They find out these body scanners are unfairly targeting women of color. Why, you ask? Well, because there are certain hairstyles that are very predominant among black women that it was having problems with. So doesn't that kind of get you questioning now? Didn't you have any black women in your test sets? Like, shouldn't this have come up? So from security, it's the same thing. It’s recognizing that. So, yeah, when people say, “Well, I want diversity of thought,” well, you better think about how you get diversity of thought.
Then the other part of it is stop thinking of diversity as this like feel good thing. We want to make people feel good that we're inclusive and blah, blah, blah, blah, blah. Diversity is what makes us. As I said early in this podcast, it's what makes us stronger in this sense of collective solutioning or collective problem solving. You need those various aspects. You need people who look at things very different ways because of their experience. Someone who can look at a body scanner and say, “What's that going to do when I walk through with my hair like this?” Because they know from other experiences that that particular hairstyle they have gets treated differently.
I think those are the kinds of things. We don't recognize that right now in a lot of senses. We don't see that. It is actually a business value to be diverse, and it's something that you have to hire for. Now, I'm not saying you're going to go out and say, “We only want black applicants for this position.” That would be illegal, right? That's as illegal as saying, “I only want white applicants for this position.” But rethink what your qualifications are. What are you looking for in terms of the people you want to hire, and how many of those just reflect your own personal experience or your own personal biases? How can you look at what makes somebody a good fit and a good diverse fit for your team, inclusive of things that maybe don't fit into what you might immediately think of in terms of what that person and that role should be? It’s so broad in that sense.
[01:08:44] CS: Yeah. And not just checking off checkboxes, but also like disabled people or neurodiverse people. There are so many places where the interfaces and the technology are being used, like you said, differently by different people. Yeah. It seems like it should be an exciting opportunity to be meeting with people and thinking in these ways and stuff. But there's that sort of feeling of, like, “Oh, god. It’s June. Hurry, hurry, scramble, scramble.” We got to do the thing.
[01:09:18] AM: I mean, yeah, and I could go on for days about the rainbow washing and everything that goes in Pride Month, right? I mean like come on. Live it 12 months of the year or don't bother. Yeah. That reminds me of another dog whistle that's out there too that frustrates me, and that is the, “Well, we want to hire the best candidate for the job.” Again, it’s suggesting that, well, if I hire a black person or I hire a neurodivergent person, they're automatically less qualified. No. You need to rethink your qualifications and what makes a person qualified. How are you evaluating? Chances are you're not evaluating them on level playing fields. You have biases in how you evaluate. As a result, you are going to be immediately shaded towards hiring someone who looks and sounds and acts like you.
[01:10:12] AM: Also being able to separate what is true for me versus what might be projection. And I think that helped me a lot in staying encouraged and not letting some of those sort of naysayers or whatever you want to call them hold me back. But then I feel like the other piece from a role model standpoint is I essentially had to kind of create my own fictional role model.
[01:10:35] CS: Yeah. Yeah, your sort of idealized version.
[01:10:38] AM: Yeah, exactly. So I had this imaginary role model where I picked all of these strong traits and things from different people that I had seen and that I knew, and kind of used that to mold, like, this is who I want to be and this is how I'm going to get there.
[01:10:52] CS: I hope you found this 200th episode entertaining and interesting, and maybe it's convinced you to check out some past episodes from our deep archives. As we embark on at least 200 more episodes of Cyber Work, I want to talk with you for a moment. I want to ask you a question. What problems are you currently facing in your cyber security journey? How can we help? Answer in comments. Tell me your story. Who do you want to see on the show? What do you want us to ask them about? And most importantly, I want to hear about your cyber security journey. If you can tell us about something you've done differently in your career as a result of the podcast or one of its guests, I'd love to hear about it. Let me know at firstname.lastname@example.org. I might read your story on the show.
And don't forget, our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber security skills to the test. Each month, you'll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus we're giving away more than one thousand dollars’ worth of prizes each month. Go to infosecinstitute.com/challenge and begin the challenge today.
All right, that's it for now. Join us for a new guest, a new topic, a new tip for your career and your same old host, Chris Sienko, right here on Cyber Work. Thanks again and we'll speak to you next week.