How being hacked inspired a comic book series
Gary Berman, creator of "The Cyberhero Adventures: Defenders of the Digital Universe" comic book series, and Cyber Work host Chris Sienko discuss Berman's long history of being hacked, how he overcame it, and his new cybersecurity comic book series, which aims to educate others from his mistakes.
Chris Sienko: As you probably know, October is National Cybersecurity Awareness Month and to celebrate, Infosec is giving away a free month of its Infosec Skills platform. This is a subscription-based skills training platform for cybersecurity experts. If you’d like to learn more, please go to infosecinstitute.com/podcast and don’t forget to claim your free offer before October 31st. Welcome to this week’s episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals, while offering tips for those trying to break in or move up the ladder in the cybersecurity industry. Our guest for today, Gary Berman, lived through something most of us wouldn’t hope to experience in our worst nightmares. Through a combination of insider sabotage and collusion, Gary’s company was hacked and duplicated, his clients funneled off to an identical rival company and his bank account drained over the course of a decade. Fortunately for us, Gary moved from a victim to an advocate role, connecting with cybersecurity experts and leaders from across the vast field. He’s now the creator of the graphic novel “The CyberHero Adventures: Defenders of the Digital Universe,” a series of graphic novels aimed at teaching cybersecurity awareness and moving its readers from passive fear to positive activity. We’re gonna talk today about Gary’s journey down and his return to the light after a multi-faceted attack, and his work for security advocacy across various infrastructure fields, and he’s gonna give us his tips to help keep you safe. Gary, thank you for joining us today.
Gary Berman: Thanks so much for having me, Chris.
Chris: So let’s start right back as far into the beginning as we can. What was the name of your company and what did it produce? When did it start? Can you tell me a little bit about those, sort of, the glory years, before we get to the glory years?
Gary: Sure, my better half, Valerie, and I started a marketing communications and market research company in 1988. We were very fortunate, just having started right out of our home, to be able to build it to just about 100 employees after about 10 years. Things were going incredibly well because we were on the leading edge in terms of demographic communications and market segmentation and other communication protocols like that. So, we were able to sell 49% of our company, which was called Market Segment Research, to one of the largest marketing companies in the entire world, called the WPP Group, based out of London. Oftentimes when there is a merger or an acquisition or strategic alliance, expectations are incredibly high but are seldom really realized. Well, in our case we had kind of conservative expectations and it went through the roof. I mean, we had about a 400% increase in sales in the span of about 30 days, and some of that is because of our relatively small size, and here we were essentially just, you know, picking up the scraps from this giant conglomerate, you know, who may not wanna work on certain smaller projects, but for us it was huge. So, you know, every–
Chris: So you were able to sort of get so much market space by being, sort of, metaphorically the small fish in the big pond that could kind of sweep up the smaller targets, is that more or less?
Gary: Yeah, that’s exactly right, it’s a good metaphor. And for me in particular I was very lucky because at the time I connected with the owner of the whole company and I was able, through just kind of using that connection, to be able to interact with C-level people throughout all these operating companies because, you know, rather than saying, “Hi, I’m Gary Berman, you know, from Market Segment Research.” And of course, you know, they would never pick up the phone. I said, “Oh hi, the CEO, you know, of WPP suggested that I give you a call.” And all of a sudden–
Chris: Doors open.
Gary: You know, calls right back, “Oh, Gary Berman.” And, you know, so that was the beginning of my kind of foray into the C-suite. And, you know, since then I’ve spent a lot of time and effort to listen and learn from C-level people across all sectors of the economy, and I came to understand what they care about, how they use their resources, the stresses that C-level people are under from all the competing interests for their time and resources and things like that. So things were going great. Then unfortunately I was playing basketball, ironically in a Jewish Basketball League, which is somewhat of an oxymoron, and I can say that because I’m Jewish, you know, and I broke my leg. So, not a big deal typically, people, you know, have those injuries all the time, and so I went to get it fixed up and, to make a very long story short, I almost died from blood clots and some other complications. So those complications were the predicate for the series of crimes that began at that time.
Chris: Wow. So, to go back a little further, what was your background prior to founding Market Segmentation, the company? Had you always wanted to be an entrepreneur or is this something that just sort of was an opportunity that you grabbed onto?
Gary: You know, I started at seven years of age. I had business cards printed up that said “Gary Lee Berman, Lawn Barber.”
Chris: Oh, right.
Gary: So, from an early age, you know, I was taking, you know, with a push mower by the way, for all the, you know, gas and all that stuff. And I was rebranding the experience as a lawn barber, thinking, wow, you know, people get haircuts, so why not get their lawn cut, and I had a whole series of things like that very young. I worked in the Public Library system at a particular library and I always thought that the Dewey Decimal System was incredibly complicated to try to follow. One of the things I’d do is return books to shelves, you know, after people have brought back books, and so I invented my own system in the library. And of course I could find the books but no one else could, so I got fired. That experience really taught me that I really didn’t wanna work for anyone else or any kind of bureaucracy, because I was thinking, “Wow, you know, this is pretty cool, here’s a whole new way of doing it, why don’t we try it?” That kind of thing. And that’s been really, you know, my ethos and maybe even my DNA, you know, ever since. I’ve always been incredibly entrepreneurial.
Chris: Yeah, you’ve been a builder, and sort of a builder of systems, for a long time it sounds like.
Gary: Well, you know, it’s interesting. I got this thing from my mom, you know, this value system of elevating people. So a slightly different way of saying it, Chris, you know, rather than a builder of systems it was really more a builder of people. You know, and to seek out the good qualities, you know, in people while trying to help refine those things that any particular person would need, and I am the beneficiary of that in the cybersecurity ecosystem, you know, to an incredible degree, which I guess we’ll get to, you know, in a while.
Chris: Sure, yeah, let’s go back to the complications from the broken leg. You said that those complications were sort of the, shall we say, the stress point that started this whole thing? So what happened next?
Gary: Well, you know, as part of it, the reason I’m even sitting here talking to you was just somewhat of a miracle, because prior to surgery for this I let this physical therapist know that, you know, I felt this burning in my leg and it felt different, and she just said, well, it’s just part of, you know, a complicated injury. I said okay. So, one day at about 2:30, 3:00 o’clock in the morning my phone rang, which, you know, you never want your phone to ring at 2:30 or 3:00 in the morning. So I popped out of bed, you know, my heart was pumping, and here’s my physical therapist on the phone and she said, “Mr. Berman, I just had a dream about you.” And I went, “What?” She says, “You need to go to this place, you know, now.” And I went, “What?” You know, and I hung up, so I went back to sleep and a few hours later, you know, I was nervous from what she had said and I decided to go, and it turns out it was a Cardiovascular Institute. So I got there and it was already really crowded in the waiting room. I’m thinking, oh great, you know, I don’t have an appointment, I’m gonna be here for, you know, 10 hours, and as soon as I said my name is Gary Berman these doors just flew open and five people came and got me. So, I thought one of two things, either I was a VIP or I was in big trouble.
Chris: She had called ahead for you or something, huh?
Gary: Well, I knew I was not a VIP. Anyways, so they found out what it was and, you know, thank goodness I survived. So, I was out of my own company for an extended period, you know, really, almost about nine months, and I had a trusted right-hand person and several other trusted people, including an outside tech contractor who, even 15 years ago when this first began, this episode, was an absolute expert at Unix and at Mac OS in particular, and he’s kind of like a mad genius, you know, when it comes to computers and systems, and he’s very much ahead of his time. So much so that they spoofed my website and they redirected phone calls so that if someone would call my office number it was actually routed through another exchange and went to a shadow company. They had literally set up an identical company with a different name but told everyone that I was no longer in the business and that, you know, we’ll handle your work, and my clients were very big, important clients like AT&T and Best Buy and General Motors and Procter & Gamble, and, you know, we had worked hard, my wife and I, you know, started from nothing to earn the reputation, you know, that we were so blessed to have. And so one day, how I found out that there was something amiss was I got a phone call from the CEO of one of the member companies that we were working with as part of the acquisition, and she said to me, she screamed at me, which is the first time it’s ever happened in my career, and she said, you know, “Gary, what the eff is going on in your company?” I almost dropped the phone and I said, “What are you talking about?” I had no idea, and she said, “Well, I just got a call from one of your people that there’s rampant fraud within your data collection infrastructure and that you’re under investigation by the FBI and that I should cease communications with you.” And my jaw just dropped.
Are you kidding me? We were an award-winning firm, incredibly well respected nationally, giant clients at the C-level, and all of a sudden I get this, you know, call completely out of the blue. So I called an all-hands meeting and I explained what had happened and right away we did redundancies. You know, we redid some of the survey research that might have been in question and found everything to be completely validated to 100%, you know, from a quality assurance perspective, and there was nothing. But even so, just to protect my reputation I returned $185,000 to one of our clients just as a precaution. And that was a tremendous amount of money for us, you know, this wasn’t something like, “Oh, here you go.” I mean, this was bad, but I figured my reputation is worth it, I’m gonna totally refund this particular client, and we redid the project and found it to be perfect again. Nevertheless, that poison was planted in her ear. Well, then a second client, then a third and then a fourth and then a fifth. And then I later learned, like layers of an onion, they had called all my clients saying that we were under an investigation and to cease communications. And there were actually 19 attack vectors which, you know, I’m sure we’re gonna talk about in a little bit, and so I kept the company going for several years and depleted all my savings and, you know, I went a little crazy after we sold the company. I never had any money and so we bought a really nice house, you know, and then I had to sell it, and actually in one of my presentations I revealed something I never thought I would, but I showed a receipt from an ATM that showed that I literally had one penny to my name.
So we paid back over $1,000,000, you know, to other companies. We didn’t have to, but we took the ethical route and we lost everything, and it wasn’t just us. If it was just us, you know, I could say fine, “Like a phoenix rising from the ashes.” You know, being a victim, unfortunately, it’s not particularly interesting in today’s world because there are so many victims of everything, and the key is like, what do you do about it? And we’ll probably talk about that, you know, also a little bit later.
Chris: Obviously the narrative is, even of itself, pretty compelling and tragic, but I wanted to dig a little deeper into some of the hacking tricks and security workarounds that these people actually used to gain access to your money and your files and your clients and so forth. So, you mentioned a few things, that they spoofed the website and that they set up sort of alternate sort of phone calls, but how did they, sort of, what were all the sort of pieces of this sort of complex web, what did they do?
Gary: Well, there’s two parts. So the initial crimes were, you know, according to the FBI, economic crime, you know, ’cause they get in for money, and then also a crime of opportunity because I was out, and I just didn’t follow up on anything. And so during that time, it was also very early on, I mean, Facebook was just kind of invented. You know, people did not think about cybersecurity as part of, like, the zeitgeist, you know, overall–
Chris: Yeah so, like, what years would this be roughly?
Gary: That would have been like from 2000 to about 2006.
Gary: But I kept it going and, like, drip drip drip, it was just bleeding out, you know, without me knowing it. And so after we closed the company I moved on to some other things. I’ve always been kind of passionate about causes, so I worked on some things for veterans. I was the executive director of a project called the Anthem Project to help warriors returning from theater reintegrate back into civil society, and then my wife and I started an education company for children after school called Grasp Learning, and we did that for a while, but we really just were struggling. So, about three years ago, and here’s where I’m gonna answer your question a little more completely. About three years ago, as a way just to try to put food on the table, my wife and I agreed that I would try to go back to the market and the communications world which, you know, I had left then now about 10 years earlier, and to go back, and so I put a few feelers out and I was really blessed. You know, I was invited to be a keynote speaker at a big conference and so I did, I spoke at this conference and people came up to me like, “Where have you been?” You know, “Hey, can you work on this project?” You know, and I collected, like, this big stack of business cards, you know, people coming up to me, you know, and so I came home, you know, that night. This is about three years ago, and I told my wife, and I had tears of gratitude in my eyes. I said, “Look, after 10 years these people still remember our work and want to work with us, and let’s rebuild. Okay, it’s fine, let’s get on with it.” So that night, after no communications with any of the original people that committed these crimes, three of them looked at my LinkedIn profile on the same night that I gave my keynote speech, and then the next day the hacks happened. Boom boom boom boom boom. It started with just my LinkedIn account, where my number of connections was just cut in half, like, just instantly.
I later learned it was a different URL, you know, I thought I was just logging into my LinkedIn account but I wasn’t. You know, who knows? You know, I’m just a regular guy, I’m not a technology hire, cybersecurity, and I just, okay, and I really just kind of blew that off, and then over time they spoofed Google two-factor authentication, they spoofed the GoDaddy user interface, they spoofed Norton VPN. Yeah, you would think Norton, you know, was pretty secure, well, these guys, you know, spoofed the VPN and used alternative keyboards to actually write where otherwise there would be English, you know, on a user interface of a VPN, as just a sense of humor or something like that, and there were 36 people connected to my OnStar account listening to conversations, and it goes on and on. There were actually 19 attack vectors. So, I hired a cybersecurity firm, you know, and it was gonna be pretty expensive, it was gonna be like $10,000 to do some, you know, initial forensics, and I said, you know, I explained my story and I said, “Look, I only have $1000.” And thank God, you know, these guys were great, they’re helpers in the world like you and all of your listeners. And so they helped me, but I got a three-page summary report and it said, in part, that there was a 90% chance that I was a victim of a man-in-the-middle attack, and so that all my communications, you know, that went out stopped somewhere and then they decided whether or not they went out, some of them, many of them were changed. I had a PowerPoint presentation, Chris, to Coca-Cola, it was a proposal, and the last slide, you know, I wrote “Thank you” and it was changed to, you know, F U.
Chris: Oh my gosh.
Gary: So lemme ask you, do you think I got Coke as a client?
Chris: Yeah, probably not.
Gary: Of course not. And it went on and on and on and on. And it became something else and you know–
Chris: Sadism at this point, it almost sounds like.
Gary: It was nuts, you know. And no one believed me, which is another whole interesting thing about being a victim. Because, you know, I had amassed all this evidence, turned it over to the FBI, I had Secret Service in my home. You know, so they tried, attempted, and they turned my stuff over to the US District Attorney, who declined to open a case due to lack of attribution, and that’s when I said, okay, this is just nuts, and, you know, because, you know, I was small, and one of the many lessons I’ve learned is that, you know, law enforcement, God bless them, they do the best they can, but they are stretched when it comes to this topic.
Chris: Yeah, so was it more that they had never seen something like this before, or they just see so much of it that they were just like, “It can’t be this,” or something?
Gary: You know, what a great question. You know, it’s a little of both, Chris. They do see so much, I mean, of course we all know that, you know, these days. But it was kind of hard to believe, you know. So what I did after that is I decided to be my own forensic sort of person and I just listened and learned and tried to figure out stuff that I couldn’t. I started taking photographs using my phones. I had five different phones that were attacked in different ways. Several used Bluetooth vulnerabilities, several using SIM swapping, some of them they did some social engineering. I had a Wi-Fi, and I have all this documented, by the way. Like by AT&T, by Samsung. You know, so this is not like some Gary thing, you know. And if I had to self-assess, I mean, for all of your listeners, you know, I would say that my, you know, accuracy rate is probably around 80%. You know, and about 20% of the stuff I experienced were false positives, you know, and–
Chris: I’m sure you get paranoid after a while, obviously yeah. How could you not?
Gary: Well, paranoia is an unfounded fear. So no, I was not paranoid, I was hypervigilant, and those are two different things.
Chris: Of course, yeah, that’s what I meant. I mean, like you said, you were finding false positives because you had so many actual positives that you started seeing it everywhere, I imagine.
Gary: Yeah, for sure, you know, and actually on that point, I actually was so interested to benchmark my own experience, ultimately for the good of others, that I looked into the Carnegie Mellon Institute. They have a CERT for insider threat impacts and they documented, in this kind of iChart, a PowerPoint chart with these six vertical columns on about 10 boxes, the negative impacts on a business from insider threats, and there were 57 known threats according to Carnegie Mellon and I had 23 of them. But they were grouped, you know, into, you know, economic effects and physical effects and psychological effects. And the psychological one for me was incredibly important, and this would be about the first time I’m ever saying this to anyone, but, you know, a lot of people close to me thought that I was nuts. That, what do you mean, you know, this, this and this? It scared them because it was like Swahili. You know, it’s just cybersecurity, and everything that you and all your listeners view is foreign, it’s another language to 99.9% of all people. Like me, you know. And so I decided I had to learn something about this, and at 60 years of age there’s no way, you know, I was gonna get my CISSP or, you know, get credibility, I just was very self-aware about that. So I bought a book called “Cybersecurity for Dummies.” Have you ever seen those yellow books, like with the black stripe?
Chris: Yep and the little guy on ’em.
Gary: Yeah, so I thought, okay, perfect, “Cybersecurity for Dummies,” and I get the book, I’m all excited, and Chris, 10 pages in I was lost.
Chris: Oh yeah, yeah, it’s still a lot.
Gary: You know, I mean, well, I just used maybe a different part of my brain or something, you know. So rather than giving up I found the author and I told him that 10 pages in I was lost, and he just started laughing. Like, almost crying from laughter, and finally, you know, he caught his breath and I said, “Why are you laughing so hard?” He said, “Well, it’s not really for beginners.”
Chris: Yeah, just the name of the series, yeah.
Gary: Why do you call it “Cybersecurity for Dummies”? And that’s when I realized there had to be a better way, and that was the beginning of my big pivot from victim to advocate.
Chris: Yes. You said you did the PowerPoint presentation where you tell your story and you showed off several hacking tricks that were used against you, and you mentioned them briefly, including hacking your phones and your LinkedIn account. Could you tell me more about some of those hacks, how they were so effective and undetectable? Like, how they got there, ’cause I mean, it seems like, I think, part of the thing people probably, when you said that they don’t believe you or whatever. Like, when we think of, like, hacking attacks or phishing attacks, we think of, you know, just some punk who hit your email once or, you know, put a virus in there, but like, it’s terrifying to think of 23 different attack vectors in sort of a coordinated attack against one person who’s trying to rebuild their organization after being cleaned out, you know, seven years ago or whatever. So could you, I mean, obviously it’s painful, but could you sort of tell me about the sort of, the network of these things, how they, you know, you said that they saw your presentation on LinkedIn and then immediately went to work that night. Like, what did they, can you sort of retrace the steps of what they did to sort of build this cage?
Gary: Sure, what an interesting word, cage. You know, I’ve never thought of that, but as you just said it, in some respects it felt like–
Chris: You sound surrounded, yeah. I mean, it’s everywhere you look, your phones, every mode of communication has got something on it.
Gary: Okay, so I’ll just start with what I was able to kind of uncover, remember I’m not a forensics guy–
Chris: Oh that’s fine. Neither am I.
Gary: I mean, I’m not in law enforcement, I’m just this regular marketing guy, you know. And so with that as a caveat, what I actually began to do was, I invited a bunch of CSOs, Chief Security Officers, to connect with me on LinkedIn, and just to listen and learn, and I did everything I could to try to understand, like, what could cause this, you know? Like the car, for example? You know, my GPS screen was wobbling and it was new, and so I took it to the local car dealer where we bought it and I said, “Look, my GPS screen is wobbling.” And they had me wait in the waiting room with terrible black coffee, which I’m sure we’ve all been in, and about a half hour goes by and the head service guy comes in to get me and he points his finger like this and he goes, you know, like this, follow me. I mean, okay, so I go in and follow him, we walk into the service bay with all the noise of, you know, rit rit rit and all that. And he goes, go around to the passenger seat. I said, okay, it was on a bay but not in the air. So I get in the passenger seat and all of a sudden I hear a female voice, and the service guy says, “Ma’am, can you please repeat what you just told me.” And I’m like, “What?” You know, and all of a sudden I hear this voice, it was OnStar. Yeah, the operator at OnStar told me, on that lot, that there are 36 cars that, you know, are attached to your account. I said, “I only own one.” You know, “And what is it?” And one thing led to another, so we got it documented by the car dealership exactly what had happened. I’m there stationary, that they, that this guy or whoever else found or figured out all OnStar, then they tried to do telemetry of the car, you know, to plug it into their devices and it wouldn’t acknowledge the car and things like that. So that’s just one example of one kind of vector, you know, the other ones just came up because I tried to use things, you know. I thought, okay, great, you know, let me try, you know, multi-factor authentication, you know, on Google.
So I switched from GoDaddy to Gmail and I thought I was doing it fine, and then, you know, I was getting text codes, and then one day I just noticed that the code was the same as the other one that I got, ’cause I looked at my phone and saw SMS, you know, the various texts, and then I looked further and they were all the exact same code. You know, and I had learned that the way these things are supposed to work is, you know, these are single-use tokens, and so each one should be unique and it should come from a masked five-digit number, you know, from SMS, I mean, I just learned about all that. And I said, “Well, mine’s not.” You know, and then, like layers of an onion, I finally figured out that somehow at that time, you know, they had spoofed Google two-factor authentication, you know, and so I asked, I can’t tell you any deeper–
Chris: No, yeah of course, that’s fine.
Gary: But I have learned, I’ve talked to a lot of cybersecurity people, they tell me how those things, you know, are done and all that stuff. You know, and then, I mean, I could go through another 16 if you want, but I’m not sure your listeners wanna hear that.
Chris: Yeah, obviously the giveaway with the GPS was the wobbling, which I guess was, you know, just the sheer amount of sort of interference that was going on within it. So, in your PowerPoint you showed a bunch of examples where you would have, like, what the VPN was supposed to look like and then the one that they had where it didn’t have the sort of toggle on the bottom and things like that. So, like, based on that, I guess rather than point out every one of them, what were some of the sort of visual clues? Like, one of them, your workstation had, like, a slightly different graphic in the background or something like that. Like, what should people be looking for, you know, if they have a general feeling of, something’s wrong but I don’t know what? Like, what are some things they should be looking for, or who should they be going to?
Gary: I mean, that is just a huge question.
Chris: Of course, yeah, yeah, we’re gonna break it down.
Gary: But for me, I mean, I would just always go back to the basics, you know, basic cyber hygiene. By the way, since you mentioned my presentation, with your permission I just wanna go back one second because–
Chris: Sure, sure sure.
Gary: You just caused me to think about something. So one of the things about being a victim is you’re scared, or you’re ashamed, or you don’t really know exactly what it is, you know, and things like that. So in my case, I never told anyone about any of this for all those years, you know, that I’d lost a multi-million dollar company, until a little over a year ago I was invited by Gartner to give a speech at their Security and Risk Management Conference in National Harbor, Washington DC. And so in preparation for that talk, I thought, okay, this level of people who really know what they’re looking at, you know, from a cybersecurity standpoint, you know, what can I show them that they can scrutinize and things like that. You know, that’s why I put together this particular visual PowerPoint, because it just shows pictures and videos. I have videos of hacks actually happening, like through my routers and things like that. So, I quickly gathered that PowerPoint that day and, you know, Chris, I’ve been a public speaker for, you know, 20 years and never get nervous. You know, I’m really lucky that way, but before that speech I was just shaking in my boots. Because it was the first time I would have ever spoken publicly about it, and not just that, to people who really could shoot down everything that I showed. They could look at it, they know what they’re doing. These are cybersecurity experts. You know, I could go, “Oh my God, you know.” All this is, you know, wrong. Anyways, so I did the presentation and not only, you know, did I get, you know, sort of this rousing round of applause, a whole line of people came up wanting to get autographs of my comics which, you know, we’ll talk about in a minute. And Chris, I have to tell you. Just like this moment right now for me, how grateful I am, because in you and in all of your listeners I have found a home.
You know, and so all I do now is I travel to all these cybersecurity conferences, you know, and listen and learn and do what I can to help, you know, people with the skill sets, you know, that I have, and the story’s not over.
Chris: Again, in your PowerPoint you described yourself as the Forrest Gump of cybersecurity, and you had a bunch of photos of sort of well-regarded people that you’ve sort of collaborated with or spoken with or, you know, spoke alongside or whatever. Could you give us a list of some of the folks that you talked to about this case and your history?
Gary: Yeah, Kirstjen Nielsen, the former head of DHS. Forrest Gump, I mean, I’m doing a comic right now for a big consulting company and I’m gonna be traveling to Dubai to train 300 kids on cybersecurity, you know. And I’m thinking, like, what am I doing here? I’m gonna be doing an interview with Garry Kasparov, the World Chess Master, because he’s into cybersecurity now and I got connected to him. Those are just a couple of current examples.
Chris: Yeah, yeah, yeah, yeah. Let’s talk about it. One of your big projects at the moment, arguably your biggest one, it’s right there behind you on the screen, is the creation of your comic book series entitled “The CyberHero Adventures: Defenders of the Digital Universe.” So, tell me about the comic, what’s it about? Who’s it aimed at? What was your impetus to create it? And so forth, what’s it all about?
Gary: Yeah, thanks for that question. Well, the genesis was actually from a psychological experience I went through as part of the hacks. You know, I went to see a marriage counselor, my wife and I did, because, you know, this is devastating on a bunch of levels. And one of the tools that he advised me to use was to start journaling. You know, just sort of random thoughts of a cluttered mind, you know, and you just write it down. So, the approach I took was to just dictate, you know, in voice memos, just whatever was on my mind at any time. It was very cathartic, and so after, you know, a couple of months I decided to have my voice memos transcribed and I ended up having over 60,000 words. I later learned that you can do a novel at about 70,000 words, so I could. Okay, I’ll start writing a book, and so I did. I started writing a book called “[email protected] On Air”. And the cover is super cool, you know, because it shows this, a Wi-Fi signal, because this figure of a man, you know, just looking up and shattered glass all around, you know, this character, which was what I thought. So I got maybe, I don’t know, halfway through it, but writing a book is really hard, you know, and I didn’t have that skill, and so I had to find another way, and that’s what kind of led me to “Cybersecurity for Dummies,” and then when I realized that there had to be a better way. I had happened to see Spider-Man, and so that was the light bulb, you know, that went off. I said, “Superhero comics.” You know, maybe there’s a way to distill complicated technology information into something that most people can get their heads around, at least to amplify the need for, you know, cyber awareness, that kind of thing. You know, it’s not a training protocol, you know. By the way, I’m not a vendor, I don’t sell anything, I haven’t made a penny in three years. Although right now we just got a sponsor.
So, I wanna give a shout out to AON, you know, the largest insurance company in the world, which has reached out to sponsor our comics, which was a real nice surprise for us. But, anyways, so I didn’t know anything about comics. So I’m like the least qualified person. I knew nothing about the subject, you know, plus or minus cybersecurity, and nothing about the modality, you know, of how to do comics or draw. You know, and other than that I thought, okay, I’m perfect. So, I had to learn about comics. As it happens, I was up late one night and I saw the tail end of an announcement that there was a Comic-Con in South Florida where I lived, that morning, the next morning. So I said, okay, I’ll just go and check it out. So I go and I put on my sport coat, you know, white shirt, khaki pants, and I pull into the parking lot and, you know, as soon as I get out, maybe 15 seconds, this woman comes up and she’s dressed in green face with antennae and these giant butterfly wings and she says, “Sir, I think you’re a little overdressed.” And I have a photograph of that. You know, and that was an understatement. So have you ever been to a Comic-Con?
Chris: I haven’t but I have a lot of friends who work at them and display at them and dress up for them and so forth, yeah.
Gary: Oh, you have to go. I mean, it expands your mind, you know. And at first I was judgmental, I’m really like, what, you know, these people are spending so much time and effort on this, but then by the time I left, which was five hours later, I was only gonna stay for 30 minutes, I was so, you know, into it that I realized, wow, look at the creativity, look at the storytelling, look at the self-expression, the ability to have an alter ego, you know, and the ability to have fun and not take yourself too seriously, you know, and things like that. So I got bit by the comic bug and so I worked at first on a minimally viable sort of product cover of a comic and it was actually called “The Adventures of Cyberman”. And so, for the next Comic-Con I went to I had this prototype cover on my t-shirt, like I had a really big, big giant cover of a comic, and I went to this Comic-Con because I thought I could listen and learn. So there was a line of people waiting for an autograph from a really cool guy from Marvel Comics who worked right under Stan Lee and he was like one of their big ones. So I said, “I’ll just wait in line and, you know, I’ll get an autograph. You know, that’ll be fun.” So I go up there and I have my big shirt on with my cover and I say, “Sir, can I ask you a question?” And he was, “Yeah.” I said, “What do you think about this cover, you know, ‘The Cyberman Adventures’?” And he looked at it and without even blinking he said, “I think you’re gonna get sued.” That’s when I said, “What? What do you mean?” He says, “Well, have you ever heard of Doctor Who?” And I said, “Who? No, I haven’t.” And it turns out it’s this giant franchise that’s been around for 50 years or something, you know.
Chris: Yeah, the Cyberman.
Gary: Exactly, they have these characters called Cybermen and, you know, they even look a little like one of my characters and I never knew it. So I said, “Oh man.” You know, I realized, kill that. So I went to the community for help. I put that comic cover on my LinkedIn page and at that time I had maybe 500 contacts or so, you know, I never really used LinkedIn very much. I started inviting CSOs to send me real-life stories, blinded real-life stories of cyber crime, answering the questions, you know, what happened? What were the consequences? And most importantly, what were the lessons learned, for possible inclusion into a comic book series. And I’m really just humbled to say that as of today I have 21,950 connections of the most important people in the world in cybersecurity and IT, like you wouldn’t believe it. And they just started helping me and that’s when I realized that this was actually not about me and that there was a mission here. And so my mission is to, you know, ’cause the only time you hear about cybersecurity or hacking is when the black hats win, and so I thought we could make my comic and my team’s mission to shine the light on the unsung heroes who toil in anonymity day and night to keep us safe. You know, and to say thank you, and that’s all I do, starting at 4 a.m. every day.
Chris: Okay, so walk me through like an issue of Cyberhero Adventures. Like what are the sort of stories like, what are the characters like? What are we actually going to see? Is it told as sort of an adventure story? Or is it told, like how do you get the sort of, how do you sort of combine the adventure and the knowledge in the same thing?
Gary: Yeah, what a great question. And we wrestled with this, right? I mean, from nothing, so it took a long time. But the first thing I did is anthropomorphize hacks, you know, I had to find some other way instead of a 1 and a 0 to bring actual hacks to life. So, as luck would have it, you know, the cybersecurity community, the IT community are into video games, they’re into comics, they’re into all that, you know. So, if you think of it, the names that people give to hacks are already comic names and things. So, my very first character that we created was Wilbur WannaCry. But think of the name, WannaCry. I said, “Oh okay, I get that.” So, we drew this sort of goofy looking bug, you know, with tears, you know, and I created a backstory that if one of the tears touches you it’s gonna, you know, encrypt your computer and then you have to make a decision about, you know, whether or not you pay ransom and then if you’re gonna pay ransom, you know, what guarantees do you have that they’re gonna give you, you know, the encryption key and, yeah, I mean, these are criminals. So that’s how we get into the story through the characters. So, some of our characters, besides Wilbur we have Ivan the Identity Thief, we have Boris the Bug, which is interesting too ’cause these characters and everything evolve as we learn from the community. So for example, it used to be called Boris the Bugger and then I got this email from a guy in London, he says, “You might wanna not call it bugger.” Because in London or in Australia it has some sexual connotations, you know. So we changed it to Boris the Bug. But on a more serious note, at first my biggest villain was Queen Malory, like malware.
And she was the head of all of these villains, you know, the creatures and stuff, and so we printed about 700 copies, we distributed it at a conference in New York and very quickly several different women in different settings, after they looked at the comic, they said, “Lemme ask you a question: are you aware that we’re trying to recruit more women into cybersecurity?” Yeah sure, you know, I’ve heard a lot about that and diversity and all that. “’Cause then why do you have your lead character be a villain?” And I said, “Wow, that’s a good point.” So in the subsequent edition we changed it from Queen Malory, using the same art we changed the backstory to Queen Jio, and Jio stands for a real person, her name is Jennifer, Jennifer Sunshine from IOActive. So we took the first letter of her first name, you know, J, and IOActive, we called her Queen Jio, you know, and that part of her mission is to empower young people to take STEM courses, especially young girls, and to encourage young women to pursue careers in cybersecurity and, you know, things like that. Half my characters are Hispanic or African American or Asian, we have a veteran, you know, so I’ve listened and learned about, you know, the benefits of more diverse people and views within the community. So we took that to heart. So we have 16 characters, you know, about eight of them are the villains and about eight of them are heroes. The heroes are all real people and for different reasons we put them in. We put a CIA agent in there, she had amazing stories. By the way, I’m glad to give all your readers the PowerPoint, you know, that you were talking about. You can make that available if you want, if they think it will help them.
Chris: I might well, you know, put a link to it or something in the YouTube here, so.
Gary: Yeah, if it can help them. They can see for themselves, you know, some of what we are talking about and stuff like that. We’re releasing a new edition for Cybersecurity Awareness Month, you know, starting next week and it’s called “Follow the Money” and the reason it’s called “Follow the Money” is, from a content and editorial standpoint, you know, now that we’ve anthropomorphized the hacks and then we have real-life heroes depicted. You know, what are the stories, which is, you know, a part of your question. I get them from real people, so what I’m about to tell you came from a senior person at the Department of Treasury who’s in charge, amongst other things, of cybersecurity and stuff like that. And so this particular story actually involved a contest where the winners received what we call a Sirilexi, we just combined the names Siri and Alexa into a digital home device called the Sirilexi, and they’re going, “Wow, this is great.” You know, and then so the way we teach is we have a drone fly in, you know, above the Sirilexi saying, remember, they’re always listening, so be cautious about what you say. So that’s the way that we impart, you know, just a very basic thing to the reader so they start becoming a little bit safer. So in that issue, we use drones to fly in with different bits of advice. Don’t click on the link, you know, don’t open, you know, basic cyber hygiene. Since that causes most of the hacks anyways, it seems, so that’s really all we’re capable of, you know, focusing on. So just to finish that story, so what happened was they won this device, oh, everything’s great. Then they found out they won a first-class trip to, it happened to be Australia, but in the comic we call it Web Surfer Paradise. So it was first class and this really happened. So, a limousine picks them up, another, you know, car’s following them, they take their luggage, their champagne. Go to the airport, fly first class all the way to Australia, all free, and they were very skeptical.
Like, “Oh, you know, we have to give our credit card.” It was nothing. And so they go and they have this amazing, you know, time and so a week goes by, they come back and they’re coming back from the airport where they land and all of a sudden woo, woo, woo, woo, you know, sirens and helicopters flying over, then these guys, they get pulled over on a highway and there’s these guys in hazmat suits, white hazmat suits from head to toe. They go, “Ma’am, will you step out of the car.” And they’re going like, “What?” You know, they were freaking out. And so they go and they get out of the car and are surrounded by police, they have guns, they have hazmat, you know, they could have been handcuffed, and then they crack open the trunk, they break into the trunk of the second vehicle and they have a Geiger counter and also you hear, you know, the clicking of a Geiger counter on a piece of luggage, you know, it was insane, and they take it out and it turns out that in these telescopic handles they were smuggling in enriched uranium, beside the handles. They were mules, unbeknownst to them. So the next part of that I have a real CIA agent explain mules and she says, “You know, if we think about mules, you know, let’s think about motivations, why do criminals do this?” Well, the number one reason is usually money, you know, but there are other reasons, but it’s usually money. And so he said, “Let’s go back to like the gold rush.” So I take the reader back to 1849 because it turns out there are a lot of parallels between then and now, like then they mined for gold, now we mine for data. You know, there were black hats and white hats in cowboy movies as a way to distinguish, in this industry now we say, are they in the wild? You know, or in kind of the Wild West. You know, there’s a certain level of lawlessness and stuff like that. And so we take the reader into understanding how to stay safe through those kinds of stories. So, in the learning industry this is called disguised learning.
Chris: Right, now so if people want to read these issues, I can sort of see the website back there, but where should they go to get an issue or read them online or get PDFs or print copies or whatever, whatever they want?
Gary: Sure, I would appreciate that and if they like it, share it with people. They can go to cyberheroescomics.com and there’s a digital e-reader there, you can download them yourselves, you can have PDFs and like I said, there’s no cost for any of that. We’re working on our first animations now, you know, to bring the comics to life. And one editorial thing I just wanna make sure that I impart to you is, from a content standpoint, we’re creating 16 quarterly issues focused on the DHS critical infrastructure sectors and so, you know, our next four editions, well, we’re releasing “Follow the Money” in the next week or so, then we’re gonna be doing Healthcare because it’s incredibly vulnerable to hacks and, you know, personal health information and digital medical devices and IoT devices. I mean, that industry is just, you know, vulnerable. I’m sure all your listeners know that. Then we’re gonna do IT, then we’re gonna do Telecommunications and then Automotive over the next four years. So those are the subject matters that we operate around and we seek stories for those. And I would love for people to connect with me on LinkedIn, you know, I post stuff that makes you tilt your head, you know, like sort of like if you had a dog and you go like, oh. That’s what I’m trying to tap into, sort of this inner child that all of us have.
Chris: All right so–
Gary: By the way who is your favorite superhero, can I ask?
Chris: Oh, that’s a very good question. I would say, boy that is a very good question. I would probably go with… I’m not a huge superhero guy I guess The Incredible Hulk maybe.
Gary: That’s a good one.
Chris: Yeah, he’s good, he’s got a lot of complexity around him, you know, he’s got the, he’s had some ups and downs.
Gary: Yeah, yeah, well, you know what, it’s funny not funny, it’s very intuitive that you said that because, you know, one of the things I tried to model our work after is Marvel. You know, and Stan Lee, you know, may he rest in peace, they had this thing called the Marvel Way and there were these six principles, you know, and essentially, you know, to paraphrase, being vulnerable is incredibly important because nobody is born a superhero. I’m talking about like in real life, we’re all just babies, you know, and then life happens, you know. So I hope that we all have superheroes in us and I would like to ignite that child passion again in this industry.
Chris: All right, well and on that note Gary thank you very much for being with us today.
Gary: Thank you so much for having me and thanks to all your listeners for being unsung heroes.
Chris: All right, and thank you all, as he says, thank you all for listening and watching. If you enjoyed today’s video you can find many more of them on our YouTube page, just go to youtube.com and type in Cyber Work with Infosec. Check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice and, as Gary mentioned, in honor of National Cybersecurity Awareness Month Infosec is offering a free month of its Infosec Skills subscription-based learning platform to listeners of this podcast. Just go to infosecinstitute.com/podcast and click the learn more link to learn more about it and be sure to claim your free month before October 31st. I think it goes away. Thanks once again to Gary Berman and thank you all for watching and listening, we will speak to you next week.