API security, vulnerability research and LGBTQ+ representation

Alissa Knight returns as the first ever three-peat Cyber Work guest, and the topic this week is — herself! Recorded at the end of pride month, Alissa talks about the benefits of diversity and inclusion when it comes to cybersecurity, her work hacking Bluetooth LE smart devices, her new company Knight Ink and a concept she’s created called “adversarial content.”

Alissa Knight is a published author, the managing partner at Knight Ink, principal analyst at Alissa Knight & Associates and group CEO at Brier & Thorn. She is a recovering hacker of 20 years and as a serial entrepreneur has started and sold two companies prior to the ventures she runs now. Alissa is a cybersecurity influencer working for market leaders and challenger brands in cybersecurity as a content creator. Follow her on Twitter and LinkedIn, and subscribe to her YouTube channel to follow her adventures in entrepreneurship and cybersecurity.

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

[00:00] Chris Sienko: It’s celebration here in the studio, because the Cyber Work with Infosec podcast is a winner. Thanks to the Cybersecurity Excellence Awards for awarding us a Best Cybersecurity Podcast Gold Medal in our category. We’re celebrating, but we’re giving all of you the gift. We’re once again giving away a free month of our Infosec Skills platform, which features targeted learning modules, cloud-hosted cyber ranges, hands-on projects, certification practice exams and skills assessments.

To take advantage of this special offer for Cyber Work listeners, head over to infosecinstitute.com/skills or click the link in the description below. Sign up for an individual subscription as you normally would. Then in the coupon box, type the word cyberwork, c-y-b-e-r-w-o-r-k, no spaces, no capital letters, and just like magic, you can claim your free month. Thank you once again for listening to and watching our podcast. We appreciate each and every one of you coming back each week.

Enough of that, let's begin episode.

[01:04] CS: Welcome to this week’s episode of the Cyber Work With Infosec Podcast. Each week, I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break-in or move up the ladder in the cybersecurity industry.

Alissa Knight has had a lot of accolades and accomplishments in her career. She was walked-off her high school grounds by law enforcement for hacking a government server. She showed the heads of several financial organizations as she hacked their APIs in front of them. She wrote an entire book about the surprising ease of hacking connected cars, and all of these pale before the most important honor. She’s our very first threepeat guest on Cyber Work.

[01:42] Alissa Knight: Yes!

[01:46] CS: We talked about APIs and hacking cars in our previous episode. So I’m sort of previewing that, and I encourage you to go back and check those episodes out, because they were a blast. But today we are going to talk to Alissa about Alissa. In this episode, we are in the last few days of Pride Month. As Alissa has said in the previous episode, she is transgender and a lesbian, neither of which on their own is particularly prevalent in cybersecurity or the tech industry as a whole and in combination, rarer still.

Infosec believes that cybersecurity work should not just be open to people of all genders, races, orientations and experiences, but that a real effort should be made to intentionally and aggressively bring people of diverse backgrounds and experiences into the industry. This benefits everyone. Not only do we believe jobs and careers in cybersecurity industry are satisfying and rewarding for all. But as a field that is intrinsically understanding that problems get solved and threats are avoided by listening to and considering a variety of points of view, the entire industry I believe is improved by not just bringing a diverse workforce in, but listening to and absorbing their experiences and the approaches they bring.

So we uncovered a lot of territory today. We’re going talk about Alissa’s latest book, and yes, that is a third book, and it’s her autobiography. We are going to talk about her work hacking Bluetooth LE smart – Oh! Look at there. Hacking connected cars. Hacking connected cars. We’re also going to talk about her work hacking Bluetooth LE smart devices and her new comp any Knight Ink, and a new concept she’s created called adversarial content. We’d hear about that.

Alissa Knight is a recovering hacker of 20 years, blending hacking with unique style of written and verbal content creation for challenger brands and market leaders in cybersecurity. Alissa is a cybersecurity influencer, content creator and community manager as a partner at Knight Ink that provides vendor go-to-market and content strategy for telling brand stories at scale in cybersecurity. Alissa is also the principal analyst in cybersecurity at Alissa Knight and Associates. Catchy name. Alissa is a published author through her publisher at Wiley having published her first book on hacking connected cars and recently received two new book contracts to publish her autobiography and a new book on hacking APIs

As a serial entrepreneur, Alissa has started and sold two cybersecurity companies to public companies in the international markets and also sits as the group CEO of Brier & Thorn, a managed security service provider, MSSP.

Alissa, welcome back to Cyber Work.

[04:09] AK: Thank you, Chris.

[04:12] CS: Now that I’ve taken up 5 minutes of your time with that accolade –

[04:17] AK: That was quite a mouthful, but I appreciate it. No. It’s my fault. It’s my incredibly long history of –

[04:24] CS: It’s your fault for being so productive.

[04:28] AK: I’ve tried to do as much as I can as quickly as I can in my life.

[04:31] CS: Right. Let’s do the opposite of what we normally do on this show. Usually I ask guests about their cybersecurity journey, which the original inspiration was – And you’ve told us plenty about that. I’m going to flip this round, because I know we’re going to get to your autobiography later. So let’s talk about some things you’re up to right now.

When we last spoke, you were just working on an API security book, and it sounds like that’s still progress. How’s that coming along? And for those didn’t listen to the old episodes, if that, shame on you. But tell us what that’s all about.

[05:00] AK: Yeah. Wiley is my publisher and the first book that I had published under them, Hacking Connected Cars, has been very successful. We are actually – So they just issued a new contract to me for an autobiography and an API security book. The API security book is going well. I have no idea why I signed up to try and write two new books at the same time. I have no idea what – I think that’s my theme of my lifestyle, right? I never have any idea what it is I’m doing.

[05:39] CS: You’re building your wings on the way down is – What’s the name who said it? Ray Bradbury. Jump cliffs and build your wings on the way down.

[05:47] AK: Yeah. Figure out as you go, right? Draw my fire. So I’m in the process of writing that book and I’m also in the process of writing my autobiography.

[05:58] CS: Cool. First, I want to ask you about the hacking connected car book. The reception was good. Have you heard of any companies that have changed their protocols or factory requirements based on the concrete examples you said in the book?

[06:09] AK: You know, it was great. I actually had several people reach out to me on LinkedIn letting me know how the book has changed their internal processes or actually defined processes at their organizations. So one of the things that I was really intrigued to find out was the head of a company that is building an putting on the street autonomous vehicles, the head of cybersecurity, vehicle cybersecurity reached out to me to let me know that they are actually using my book to perform penetration testing of their autonomous vehicles. So that was incredibly cool.

To know that something that I’ve written is influencing such a good company. And the vehicles that they’re putting on the street. Several car makers, several tier one OEMs have reached out to let me know that they made it required reading at their companies for their engineers for their vehicle security teams. So it’s great. To me, it’s not really about the quantity, but the quality and the impact that I’m making, right?

[07:26] CS: Right. Yeah. Those are concrete changes.

[07:28] AK: Yeah. I didn’t set out to be a New York Times bestseller. This is a very niche area of people interested in hacking connected cars. And the neat thing is I did get told that we’ve already sold over a thousand books. Over a thousand copies have shipped. And so it’s doing quite well. There’s quality and quantity, I guess.

[07:52] CS: I love it. We talked about the API book in the previous episode. Can you talk me through the sort of the scope of that? What is the actual sort of – I mean, API is obviously – You found some insecurities. So tell me about them.

[08:06] AK: Just a few.

[08:07] CS: Just a few.

[08:09] AK: As you know, last year, I went on this sort of global tour talking about the 30 financial services, mobile apps, that are reverse engineered and we found hard-coded API keys and tokens. And I recently – If you’ve been following my YouTube channel, and if you haven’t, please subscribe. And I published a video where I actually hacked a European Bank, and the bank was kind enough to allow me to actually film that and record it and actually publish it.

I’ve been doing a lot of vulnerability research in hacking APIs. And there really isn’t any content out there on hacking APIs, right? You’ve got the OWASP API Top 10. If you go out there and Google it. And if you think about the Hacking Connected Cars book, the impetus to me writing that book was because there is such a lack of content out there for hacking connected cars.

And so, for me, I guess the banner that I fly is wanting to be a content creator for content that really doesn’t exist. I like to really chart new – Really just go out the beaten path and chart new journeys and content that really doesn’t exist out there. So this made sense for an API security book.

I’m excited about that. I’m really wanting to get this book out a lot more quickly than my first book. When I walked into my first book, I was thinking, “Oh yeah! I’ll just kick one chapter out a week. I’ll be done in 10 weeks.” Three years later, it finally came out. I’m walking into this with more experience as a published author. Knowing how long books take. Knowing that you need to write every single day, knowing that it’s just progression, even if it’s not writing an entire chapter every day. Writing just a little. Maybe one page. Maybe two pages. That’s my advice for those aspiring authors out there who are writing a book. You need to write at least a little every day even if you’re not in the mood to write. You’re not going to wake up wanting to write. You have to force yourself to write. And that’s a big lesson that I learned in writing the first book. This API book, my goal is to get it out a lot more quickly.

[10:25] CS: Cool. Yeah. I mean, you were saying that you sort of are going in sort of uncharted areas. And API security wasn’t really a thing people were talking about per se, right?

[10:36] AK: Right. Correct. To me, adversaries go where the money is, and their mission is to monetize data. Data is worth more than oil. People have heard me say that before. And that’s what API is. Their mission is life, is to provide data to API consumers, whether it’s a mobile app or a connected car. Everything is pretty much connected to with APIs. The Internet of things, Internet of everything, they’re backend are API servers. Hackers know this. Their goal in life is to steal data and monetize it. How can they monetize it?

And so I can't imagine something that's more a contemporary issue than APIs. If you look at all the breaches recently, whether like the Apache Struts vulnerability that got Equifax, Mariott.  All of these are API vulnerabilities and API breaches. I can't imagine a more perfect time to get this book out.

[11:43] CS: Nice. Yeah. Yeah. It’s like you’ve defended the entire castle, but there's one weird door in the back that someone forgot to leave unlocked.

[11:50] AK: Exactly.

[11:51] CS: Yeah.

[11:51] AK: Yeah.

[11:52] CS: Yeah. Again, jumping from there to your other recent moves, because I emailed you few different places before I realized that you had set business for yourself here. So tell me a little bit about that.

[12:02] AK: I’m the queen of rotating email addresses.

[12:06] CS: If you don’t like this one, wait five minutes. There’s another one coming.

[12:09] AK: Exactly. Exactly.

[12:09] CS: So tell me about Knight Ink. For those who can't see my questions, print it out. It's Knight, K-N-I-G-H-T and then Ink, ink pen as is in writing.

[12:18] AK: It gets everyone.

[12:19] CS: In the previous episode, we talked about your move toward writing in the #knightriders. Clearly, writing is still at the center of what you do. Can you tell me about what Knight Ink is up to at the moment and what some of your other vulnerability research is doing at the moment?

[12:34] AK: Yeah. Some of my followers know and began actually following me when I was an analyst at Aite Group. I have since left Aite. There was a difference of direction. And so I wanted to be a content creator. So I started a content marketing firm called Knight Ink. Just like you mentioned, the plan words of INK. I see myself as a writer at heart. So Knight Ink, INK made sense.

So what I do at Knight INK is I create content assets for cybersecurity vendors, specifically cybersecurity challengers, entendre brands and market leaders in cybersecurity. So I typically only work with cybersecurity vendors. What I do is I create white papers, blogs, videos, whatever the content asset is; info graphics. And the unique need sure of the content that I create is that it comes from the lens of a former hacker.

I like to say that I'm a recovering hacker of 20 years. So the content that I create is from that perspective of an adversary, which is how I coined the term adversarial content. Vendors who want their story told from the perspective of an adversary wanting that story to be why people need their product versus what it does, which is what I think CISOs and buyers care most about is adversarial content is the best way to tell that story.

Adversarial content by definition from my perspective, is content that is created from the perspective of an adversary. Meaning I’ll hack at technology, hack a product, hack an endpoint and to show how that technology would have prevented that from happening. Would have detected or prevented it. So it shows interested buyers that this technology does exactly what the marketing material says it does. That if this is an EDR technology, this is how it actually stood up to an active attack from an adversary.

So, the idea, the concept has really taken off. I work with a lot of the major brands out there in cybersecurity telling their story. I believe that people don't buy what you do. They buy why you do it. It’s Simon Sinek. So that's what I do with adversarial content.

[15:10] CS: Okay. Yeah. So just to make sure that I'm sort of getting it right in my head. Like a regular review would say this product, in theory, should do this, this and this. And you're saying I tried to pack in using this way. And because of this product, I wasn't able to. Or if it'd been better, I wouldn't have been able to, but I was able to. Something like that.

[15:31] AK: Exactly. One of the things that I do is I work with my clients and help them create what's called Blue Ocean Strategy. And if no one's read that book, Blue Ocean Strategy was written by two MBAs out of Harvard Business School who wrote the story really around this concept that you eliminate your competition by making it irrelevant. And Blue Ocean Strategy is the idea very much like Cirque du Soleil, who didn't set out to create a better circus. They set out to reinvent what the circus was. So I help companies find their blue ocean.

To me, features of a product are a moving target. Any company can put a white paper out there and say what their features are. And to me, that doesn't really resonate at a visceral level what buyers and what CISOs like adversarial content would, where you're showing, “Okay. This is what an attack against and API endpoint, in the case of Salt security, which is one of my clients, is this is how what it looks like when your API is being breached. And this is how this technology detected it and prevented it from happening.

I think that with so many solutions out there on the market, that CISOs are looking for a different kind of content. When you think about it, more than 64% of buyers today make their purchase decisions off of custom content. Meaning that 64% of those interested in the services of Infosec Institute aren’t finding out about you guys by clicking on banner ads or click on Google ads. They’re making their decisions off of the videos of the podcasts, the papers, the blog articles, all of the custom content out there. I believe that that is the future of advertising. I believe that traditional Google ads, AdWords, whatever may be is dead, and that custom content is the future of marketing.

[17:26] CS: Yeah. And all of you who are doing exactly what Alissa said with us, thank you.

[17:31] AK: Exactly. Good job.

[17:33] CS: Yeah. Can you tell me some juicy bits from your autobiography? What kind of stuff are we going to cover here? Let’s spoil it a little bit. Not too much, but just a little bit for the readers.

[17:44] AK: Yeah. I have to be careful, because I got to take care of my boy at Wiley.

[17:50] CS: Okay. Yes, of course.

[17:52] AK: Yeah. Great guy by the way. Cool cat. Wiley doesn't publish autobiographies. Technically, I can't call it that. It is a non-fictional narrative.

[18:04] CS: There you go. Yeah. Yeah, it’s a real squishy territory between memoire, autobiography, whatever. Yeah. Yeah.

[18:11] AK: Exactly. Exactly. Yeah. It’s really – It’s my coming up story. It’s my former life and my former skin, as Eric Heinz. It’s so weird to say that name. And my transition really sort of becoming Loki, where I transitioned in 2008, and my journey as a trans woman in a male dominated world, male dominated industry in cybersecurity. Sorry. My world is cybersecurity. And what that experience has been like.

It’s interesting for me, because it's a very – It's a very unique perspective being able to say that I’ve lived my life as two completely different sexes, two completely different genders. And living my life as a man and then living my life as a woman, it's very interesting because you don't really prepare for that. You don't prepare, because as a man, you read about the inequality of men and women in the workplace, the wage disparity.

Being passed up for job opportunities in the workplace as a woman over a man with the same or less credentials or experience, it's a real thing. And I didn't prepare myself for what that would be like. And you would hope that an industry as new as cybersecurity. Because if you think about it, cybersecurity isn't very old. It's not like steel –

[19:59] CS: Like banking or something. Yeah.

[20:02] AK: Yeah, banking or investing. It's a nascent industry that we are trying to figure out as we go. You would think it would be more progressive when it comes to equality and inclusion, and it's not. There was a Tweet storm that occurred, and I thinking you brought it up in a previous episode, where I got involved in a threat that actually became my most viral Tweet. And it was about a gentleman who made the statement that cybersecurity moves too fast for women, and that women would rather be at home and be homemakers and be family-oriented versus being in cybersecurity. And it was shocking to me, because this is a very prevalent narrative.

For some reason, there're a lot of people that believe that, “Hey, cybersecurity isn’t for women, and here's why.” I was trying to play devil’s advocate. I was trying – Look at it from other people's perspective. But it's hard to find logic in a lot of the things I'm reading. I mean, there's a lot of, I think – There're a lot of things that people need to be educated on when it comes to just women issues, but trans issues. There's this belief, and I hear it a lot, that trans women shouldn't be allowed to participate in women-only sports. That's so stupid to me.

I think it was actually Seth Rogan's podcast where he actually talked about this, and the narrative is being spread a lot. I can understand, I think, from that perspective. But people don't understand that when you go through HRT, your upper body strength is a man. As a man's body gets depleted, your upper body strength pretty much goes away and deteriorates. There are women on the tennis court – I used to be a competitive – I used to play tennis competitively and go to tournaments. And there're women, biological women, that could kick my ass on the tennis court. And they are biological women that have much more upper body strength than me. I just think it's – And I don't think it's ignorance. I think it's education.

[22:42] CS: Yeah. There’s going to be a learning curve.

[22:44] AK: Yeah. For example, martial arts. There are biological women that could wipe the floor with me. I think it's educating people and understanding and also the unique perspectives, and we’ll probably talk about the blog article here in a minute. Unique perspectives that the LGBTQ community brings to teams, brings to the workplace that you may not find in a less inclusive culture.

[23:13] CS: Right. Now, I want to jump back to a phrase. You've said it a couple times. You said becoming Loki. You want to sort of talk about – I assume you're talking about the sort of Norse God? The Marvel character, whatever?

[23:23] AK: Yeah.

[23:24] CS: Yeah. Yeah. Yeah. I’m a little rusty. Loki is sort of a chaos agent, right?

[23:30] AK: Yeah. And it's funny, because obviously that name was a handle I chose as a man.

[23:36] CS: Okay.

[23:37] AK: But Loki can be a woman.

[23:40] CS: Okay. Yeah, what does that mean becoming Loki?

[23:44] AK: Yeah. Becoming Loki is really just, for me, outside of the Marvel franchise. It was my hacker alias. There was actually a very famous, or infamous, hacker tool called Loki, which was a nice EMP communication vector. So becoming Loki – Yeah, becoming Loki was really just my growing up story, my coming up story in my life from when I started hacking at 13 to where I am now in my journey, where I am now in my career, where I'm now no longer in the bash shell so to speak. I’m taking those lessons learned and taking those life stories and applying it in a different way through content.

[24:37] CS: Right. Yeah. No. I mean, is there still that sense of like being this sort of chaos agent or being this sort of like this mischief maker in the –

[24:48] AK: Yeah. It’s funny, because there’s a painter, famous painter, by the name of Fabian Perez. And I collect paintings, and one of the things that I do is he created this painting, this piece called Untitled. And it's this beautiful painting where you see a bunch of men in black trench coats and hats and fedoras facing one way. It’s kind of like the Apple commercial that became very famous. And there's another gentleman who was wearing completely different clothes and facing the opposite way.

And so I bought that painting because I very much saw it as myself. So there’s this change agent, that this not going against the grain. Or sorry. Going against the grain. Not following the masses. And that's really been my life. And I couldn't imagine a more fitting hacker alias than Loki as the god of mischief, the god of chaos, creating chaos.

If you look at my career, I discovered the first vulnerability in hacking VPNs and published it on BUGtrack in 2000. It was a rapid stream vulnerability. I spoke about a second vulnerability that I discovered in hacking VPNs and spoke about it at Black Hat Briefings in 2001. I lost my job as a result of presenting that vulnerability. The company wanted to put a gag on me talking about it, refuted it, did everything they could because they were in the middle being acquired by Avaya. And this company was called VPNet.

If you look in my career from wanting to just create waves and be a disruptor, becoming Loki, and the alias Loki was so fitting. And to this day, I’ve always wanted to be bigger than life. And this has been my narrative.

[26:46] CS: Nice. And that’s the title of the book as well then, Becoming Loki is the autobiography?

[26:49] AK: No. That’s something. I'm hoping there won't be any USPTO trademark issues with Marvel in doing that. I'm going to spell it L-0-K-1.

[27:03] CS: Oh! There you go. Coming 2022 from Wiley Press. I don’t know. Or whenever. So I wanted to talk to you because we always have fun talking, but I also wanted to talk to you because we’re recording this at the end of June. It's probably not coming out until July or early August, but at the end of Pride Month here. And as you teased out a little bit, I want to talk about LGBTQ+, people in cybersecurity industry.

You wrote this really nice article on the topic for our infosec resources site. By the time this comes out, it will on the site now. I hope you all check it out. Where you laid out plenty of reasons why it's not only a benefit for the cybersecurity industry to bring a large assortment of people of differ backgrounds, gender, ethnic, people with and without physical disability into the arena. But can you also talk more about the ways in which not doing so is actively hobbling the industry?

[27:53] AK: Yeah. It was an awesome opportunity to write that article, and I appreciate Infosec Institute and you for making that available to me to participate in. I really started out what’s shame on me, because my whole career, my whole life – When I say my whole life, I mean, my life starting from 2008 when I transitioned. I was 29 years old. I'm 41 today. A lot older than I look.

[28:27] CS: Like me. I’m exactly as old as I look.

[28:28] AK: You look great. I’ve never wanted being transgender to be part of my narrative. I never wanted to be a beautiful trans woman. I wanted to be a beautiful woman. And so I really – For those who follow me, know that I've never really talked much about being trans. I mean, I think I have one article out of the 50 plus articles or 60 articles I have on LinkedIn called becoming Alissa Knight. And there's a video on it that shows my transition in pictures. And that's the only time I've talked about it. And it's because I've never really wanted it to be part of my story.

Now, Chris, I’m not saying that there's anything wrong with trans people who do make it part of their narrative, who go on Twitter and talk about it.

[29:19] CS: No, for sure.

[29:20] AK: They’re great people, and it's awesome. That just has not been me. I don't go to trans support groups. I think everyone should have a therapist, somebody to talk to. When I go see my therapist and talk to my therapist, I don't talk about the fact that I'm trans or woes me, I'm trans. But shame on me, because I should have talked about it more. Every year there is a huge suicide rate and a huge murder rate of trans people. And that needs to change. One life is too many. And the children who are committing suicide, because that girl who threw herself in front of a semi-truck because her parents weren’t accepting the fact that she was trans. Shame on me for not being more vocal and being more out there about the fact that I'm trans. And despite the fact that I'm trans, the success that I've had in my career to be able to be that story to trans people that just because your trans, it doesn't mean that you have to work in the adult entertainment business. Just because you're trans doesn't mean that you have to be a sex worker. You can have a white-collar job. You can be successful in business despite being trans. And how far you go in this life is dependent on you and not being able to accept no. Being able to accept no because of the fact that your transgendere, or gay, or lesbian, or whatever your identification is.

[30:59] CS: Yeah. In working towards solutions to the systemic and long-term problems, sometimes it helps to start with the outcome we want and to sort of see it and reverse engineer our way towards from where we are now. So can we sort of talk about what in your mind is the ideal outcome for people of diverse gender and sexual orientation having a place at the table, specifically in cybersecurity? I mean, what would it look like not just on a hiring level, or numbers, or whatever, but as an office culture, as a culture of collaboration and information sharing? What are some ways not just in hiring, but at all levels that we can move towards this outcome do you think?

[31:35] AK: Yeah. I mean, what I want people to understand is there’s definitely companies, hiring managers to understand is there’s a difference between equality and inclusion. So, I think the move in right direction is doing more than just changing your logo to rainbow stripes during Pride Month. Companies that are doing that, you need to ask yourself the hard question. Beyond making our logo a rainbow, what have we done to be a more inclusive culture beyond just being – Providing equality in our culture, but including LGBTQ+ in the conversation at a place at the table? Being part of that.

In the previous question you asked, what does that look like? What are those contributions? One of the things I can tell you is while there's a lot of research that's been published around women and the disabled, being part of that inclusive culture, there isn't much on LGBTQ+ inclusion. It wasn't until June of 2020, this month, that the Supreme Court rules on protections in the workplace for LGBTQ+ people.. It's, 2020, Chris, and the Supreme Court is just now acting on this.

On the anniversary of the Pulse Nightclub massacre, Drumpf roles back trans protections in healthcare. I think that conversation needs to continue to be had outside of June. And I think though one of the things that I can say is even though – So because there isn't much research being published on this, I can only offer my opinion. My opinion is that in hiring LGBTQ+ team members, that they do provide a different perspective. Let me explain.

[33:40] CS: Okay.

[33:42] AK: When you have the minority, when you have individuals on your team who are members of a minority that are not only just persecuted, but sought out and killed for how they identify. Meaning, until street people are found tied up to the back of a car and dragged until they’re killed, strung up from a tree for being straight, the understanding just wouldn't be there.

It's going to continue to be that way. Meaning that a common question I get is why do gay people need a parade. I don't see straight people having a parade. Well, it's because you're not killed for being straight. You're not passed upon job opportunities for being straight. We need those parades. We need that recognition because of how many people kill themselves every year from being LGBT. How many people are passed up and lose out on opportunities because they’re LGBT?

In my experience, I believe – This is my opinion. I believe that people who are member of the LGBT community have a different perspective. They provide a different perspective to problem-solving because of those decades of persecution, because of the challenges that they have in their lives force themselves, just are impelled to go above and beyond what their straight peers would do. It's almost like we have something to prove in the workplace. So we take it further. We go the distance. We get 200%, because we want to change and prove those conscious and unconscious biases wrong. You know I'm saying?

[35:39] CS: Yeah. Also, you’re just having to solve problems much more often all the time anyway, just the process of living. Yeah.

[35:47] AK: Yeah. We’re constantly trying to solve problems that are created and are brought to us.

[35:52] CS: Called not getting killed. Yeah.

[35:54] AK: Yeah. I feel like whereas straight people don't have those challenges in life where, for example, walking down the street and trying not to look gay, or walking down the street and not look trans. In trying to constantly solve problems, we bring a unique perspective to team problem-solving in companies where maybe we’re groomed and it's in our DNA to try and constantly solve problems and come up with creative ways to do it. I don't know. Is there any empirical data or any scientific data that I can go and point at that proves that? No. There isn’t.

[36:39] CS: But we’re not going to find out unless we try. Yeah.

[36:41] AK: Right. It's my opinion. I'm not saying that straight people can’t solve problems or create [inaudible]. So trolls, put your guns down. I'm just saying that, from my perspective, Brier & Thorn, were a women-led organization. Every single person in our management team is a woman. We are more than 50% LGBTQ. I have seen instances where the team members who are LGBT in our company have brought very unique perspective, very unique solutions to problems that our street team members didn't come up with. I'm not saying that they're better. I'm not saying that – I'm just saying that maybe there's something in our DNA. Maybe there’s something in our day-to-day life challenges that brings that.

[37:32] CS: Yeah. Also, cybersecurity is such about thinking outside the box and so about problems solving. It’s so about like finding the most unlikely answer. And like whether you’re seven playing Infocom texts games or whatever. It always comes when you’re like, “I’d never thought of that from that perspective,” and you do that by talking to other people. You learn like other experiences, accessibility issues, if you have differently abled people on your staff.

But to go back to what I was saying before, I think there needs to be sort of like a distinction made between saying, “Oh! We’d be cool with having LGBTQ people in our staff,” versus actually like seeking it out. Those are two very different things saying, “Oh! Hey, we’re inclusive. We definitely don't mind having you here.” But that's a lot different from saying like, “We're going to actively look for you. We’re going to find you where you are, and whatever that means. Do you have a sense of like how one sort of makes the jump from for A to B?

[38:37] AK: Yeah. I mean – And know it brings up that whole token debate, like are you the token LGBT or token woman? I hate that. I guess at the end of the day, yes, screw it. Yeah, it's fine. If that's what it is, then that's what it is. But we need to be purposeful about that. If you want to talk, call it a token position, then fine. If that changes things, not changes the world, then fine. Whatever you want to call it.

I think the move from point A to point B is saying we have a position currently staffed by an LGBT individual. We are going to replace them if they resign or if they are terminated with a new LGBT individual. I don’t know. You know what I mean? Something has to done. You know what I mean? It’s not like you can go out there and sit on the job posting. LGBT only –

[39:43] CS: Only can apply. Yeah. Right.

[39:44] AK: Yeah. I'm not saying that, but I mean if we can do something to change that curve ,if we can do something to change that percentage, it needs to be done because of these advantages, because of these things that I feel like we bring to the discussion as a member of the LGBT community.

[40:04] CS: Yeah. And I think also, maybe some of that is having some kind of mentorship program inside the company or having sort of alternate spaces and things like that. Because, again, like you say, whether you consider yourself a token member of the group or not, it's going to be unusual if you're the only person there or – And it’s also different when – I think people of all sorts of backgrounds, it's like if you have that one thing that you’re interested in, you have four other people at your job that have that as well. Then you have this sort of cohesion that helps things. And this is on a much larger level than that, obviously. But I think it’s a point.

[40:44] AK: Yeah. Chris, change comes from the top, right? I mean, it’s reinforced by leadership. What companies can do definitely, it’s like, “Okay, maybe as well as having a booth at RSA or having a booth at Black Hat Briefings, maybe they have a booth at an LGBT conference. Maybe they have a booth at a trans conference. Maybe they sponsor an LGBT conference.” There are a lot of LGBT conferences. Where is the corporate sponsorship at those events inside your security?

[41:16] CS: Get in on the job fairs.

[41:18] AK: Right. Where is it? Yeah, they’ll have their graphics designers change their logo to a rainbow, but where are they putting money where their mouth is? Where are instances and evidence of them getting involved in supporting the LGBT community? Reinforcing the creation of LGBT clubs within the company, LGBT sport events, LGBT softball games. Whatever? I mean, something that says, “Okay. If you don't support LGBT rights and inclusion at our company, guess what? We won't trying to change you, but we will support LGBT rights and inclusion at this company. Whether you’re on that train or not, we as a company support this, and we want our employees who are members of the LGBT community to feel supported and feel welcomed.

[42:22] CS: I think that, also, if you have something like that, then it also sort of makes it welcoming where you have this thing where people who might have questions or whatever, they see that there's a group of people having fun here and it's like, “All right. We can – Let's talk. Let’s sort of like learn. Let’s learn together,” and things like that. And it's not just like, “Oh, the person over there. I don't want to ask the wrong thing or whatever.”

[42:48] AK: What am I not allowed to say?

[42:51] CS: Yeah. Right. Right. Yeah.

[42:53] AK: What words am I not allowed to use?

[42:54] CS: Yeah. I mean, that’s the thing, is this is important and it’s crucial, but it can also be fun in theory.

[43:02] AK: I mean, I had an HR partner at a previous company let me know that she didn't understand trans issues, and she really wanted to be educated on it. That's awesome. That's amazing. I think the reason why we've gotten to where we are in the United States as Americans with our current with our current president is because of a failure for us to come to the table and talk.

In social media, whatever it may be, let's have that conversation. Not in being insulting or denouncing any particular belief or saying you're stupid or you're wrong, but coming to the table with questions and understanding. You may not agree with a particular person's lifestyle or choices or how they identify, but you should sure as hell support them. You should sure as hell understand. You may not have to agree with it, but you should respect it and you should understand it.

[44:15] CS: Strive to understand it. Also, yeah, I think just being around people of different backgrounds. It's a lot easier to say, “Oh, you know how they are,” when you've never met any people like that or whatever. But then when you work next to them and you solve problems, “Oh! That was clever solution,” or whatever. I mean, that's what's move the needle over the last 20 years anyways. A lot more people know who have a gay friend who's come out, or what have you, and it’s the sort of prevalence of it. You’re like, “Okay. Now, I understand that this is just another human being, smart, thoughtful.”

[44:55] AK: Yeah! It’s like wife's favorite movie is Train Wreck, and where this point where this woman at a party says, “Yeah. I don't understand those gay people.” And then the main character is like, “Other people?” It’s like, “We’re human. We bleed red.”

[45:17] CS: We like to eat food. Go out.

[45:18] AK: Yeah, exactly. It’s like when 9/11 happened. I didn't understand the Muslim faith. But I went out there and read about it and read the Koran and tried to understand the Muslim religion before I said anything about it. The problem is we as Americans come out and we say a lot of stupid, ignorant things without fully understanding and educating ourselves on it. That's what I do not agree with, is someone taking an opinion or a position on something without researching it and understanding it. Understand both sides of the conversation.

[45:52] CS: Sure. Yeah, discomfort and learn about it too.

[45:57] AK: Yeah, exactly. I mean, I was telling someone the other day, it's like if you want to find news that supports your position on something, you can go out in Google it and find people that support you. That doesn't make you right. What you need to do is go out and Google it and find out more about it whether they agree with your position or not. It's like people that choose to only watch more liberal news channels than more conservative news channels. They listen to the people that agree with them, agree with their opinion.

I like to watch the BBC. I like to watch NPR. I want to hear both sides of the conversation. That's how I live my life. I don't want to listen to people that are yes-men are going to tell me what I want to hear and what I support. I want to hear both sides of the narrative. I want to hear both sides of the conversation.

[46:47] CS: Right. Yeah, this has been great. So I want to sort of move us into the future here now that you're kind of you’ve written your autobiography or you're in the process. So what are your next challenges that you’ve got planned for yourself? Because, clearly, you don't sit still for very long. What are your plans for, say, the next five years for yourself and Knight Ink and your books and your legacy?

[47:10] AK: I’m writing a screenplay, and that is all I'll say about that. Yeah, I’m writing a screenplay. I'm writing an autobiography. I'm writing the new API security book. Right now – Gosh! There's a lot going on. I’m building a new house with my wife. We just got married in January. She's left her full-time employment to come work for me at Briar & Thorn. We’ve started a company together. She's a partner of mine at Knight Ink. We are starting a venture capital fund together and we’re investing in startups. I don't know if you know this about me, but I'm a day trader.

[47:52] CS: Oh! I did not know that.

[47:54] AK: Yeah. I’m day trading and doing swing trading. With COVID-19, I’ve made some awesome investment opportunities in the stock market. So, I'm doing a lot. I am ready to start this new book in my life with my wife and our new life in Las Vegas. We’re building a house. Yeah, I’m having fun. I'm having a good time.

[48:19] CS: I love it. You mentioned before too that you’re never quite out of the vulnerability assessment game and stuff too. Like you still – Because you do a lot of writing, and obviously other things. But like you still really get a lot of enjoyment out of finding vulnerabilities and hacking into –

[48:35] AK: I do.

[48:36] CS: Yeah. Talk about that a little bit.

[48:39] AK: To me, you don’t have to completely abandon it. Just because you don't want to be in Materpreter show all day long does, it doesn’t mean you have to completely give it up. I’ve figured out how to actually blend it with content creation. And it's making for very unique content. It makes a very unique voice and cybersecurity. Yeah, vulnerability assessment, vulnerability management can be woven into everything you do.

And I want to talk about this for a moment, Chris. One of the things I'm really struggling with right now are the people that believe you cannot be a hacker unless you're a programmer. And I couldn't disagree more with that statement. I have met some amazing hackers. I have met even the most impressive hacker that I ever met was a woman and couldn't write a single line of code if her life depended on it.

I think it's just this more elite than thou attitude that’s so systemic in our industry. And the reason why I left cybersecurity for a while after I sold my last company – And it needs to be changed, because it creates less of an inclusive culture. Just because you can't program doesn't mean you can’t be an amazing hacker. It doesn't mean you can't publish vulnerabilities. I've got so many CVE's to my name, and I could not even write anything beyond a printf statement.

You do need to be a programmer to be a hacker. I had someone just today messaged me on LinkedIn and said, “I'm going to vote for you for this hacker of the year award that I was nominated for. I want to find out if you can write a buffer overflow.” What the hell does that have to do with being a hacker? I mean, you're not a hacker unless you can write a buffer overflow? Come on! I mean, a lot of the applications today are web applications. What the hell as you talking about? You know what I mean?

Everything has moved to web application. Everything in – I mean, it's rare to find a setup.exe file anymore in applications. Everything has moved to the web. I don't even know why that's still the thing. Look, there're a lot of people. A lot of your listeners are going to disagree with me. Fine, disagree with me, and let's have a conversation about it. But whether it's the VPN vulnerabilities that I published, whether it's the API vulnerabilities that I published, whatever it is. Not a single vulnerability have ever published required me to be a programmer.

[51:18] CS: Okay. Well, let’s talk about that a little bit. Like I said, we’re Cyber Work now, and so we’re talking about this sort of job industry aspects of it. If you are feeling intimidated because you can't program, but you want to be a hacker. What are the things that you can sort of make up the difference with? Obviously, there’s not even a difference to be made up necessarily. But in the eyes of people who are hiring you and might want to throw roadblocks in front of you, like, “Well, write a buffer overflow,” or whatever.

[51:42] AK: I mean, ask ourselves what hacking is. Hacking is creating a stimulus, sending a stimulus to an application or a product, whatever it may be, a service. Sending a stimulus that the developer didn't expect to receive. That’s hacking. It's creating a stimulus that the developer didn't expect to receive and attempting to exploit that.

Now, when I'm hacking, when I'm looking for vulnerabilities in something, I'm analyzing how it works. As a hacker, you're trying to figure out how things work. So you can figure out what kind of stimulus might be something the developer didn't expect to receive. When I was publishing those API vulnerabilities, I was simply just intercepting traffic with the mobile app of the bank. And if you go to my YouTube channel, you'll find that video of me hacking the bank through the API server. I walk you through intercepting your mobile app traffic for the bank and looking at it and analyzing it and figuring out how it works. That's a hacker. You're analyzing something and figuring out how it works.

And then figuring out, “Oh! Well, what happens if I change this field? What happens if instead of submitting my account number at the bank, I said make Chris's account number at the bank? What will happen?” And lo and behold, the API server for the bank accepted it and allowed me to transfer money from Chris's account to my account or change the pin code for Chris's Visa ATM card instead of mine?

[53:20] CS: I don't like anything about this example. [chuckle] But go on, please.

[53:26] AK: In our hypothetical situation.

[53:27] CS: Sure. Yeah.

[53:30] AK: That's really what hacking is. I challenge anyone to stand up to me and tell me why I'm wrong. Because in every single scenario, it's understanding how an application works. Understanding – A lot of times, you don’t even get access to the source code for something. So you’re still trying to figure out how it works and what it's doing.

To me, as a pocket monkey, as somebody that likes to hang out at layer 3, there are so many vulnerabilities that I found simply by just analyzing packets and analyzing data at layer 3, and sending a stimulus to an application that it didn't expect. I think this is a great debate. I think this is an awesome thing that I want to have. This is a discussion, a dialogue that in respectful discourse should be had, because there are too many people out there who believe that you're not a good enough hacker, you’re not a hacker unless you know how to code. I think it's wrong.

[54:30] CS: Yeah. Again, it’s leaving people behind that don't need to be left behind.

[54:34] AK: Yeah. I mean, we need to welcome as many people as we can to this industry, to cybersecurity, and they don't all have to program. What about social engineers?

[54:46] CS: The challenges are only going to get pernicious and strange as we go on.

[54:50] AK: I agree. And adversaries want nothing more than to exclude people who might think differently or color outside the lines just simply because they're not a programmer.

[55:00] CS: Yeah. This is a color of the line, outside the lines kind of a job.

[55:03] AK: It is. It is.

[55:05] CS: All right, one last bonus question for you. For people who want to get to know Alissa Knight better, where can they find you on social media?

[55:13] AK: Yes!

[55:14] CS: Yes! Time for the plugs.

[55:14] AK: If you haven’t yet – I’ve finally reached a thousand subscribers on YouTube. And in order to join the partner program, in order to join the partner program, I need to get like 40,000 hours of watch time. So go on my channel. Watch my YouTube videos.

[55:31] CS: Let it rip. Yeah, check them out.

[55:33] AK: Yeah. Support me. If you support my content, if you support me, definitely watch my videos on my YouTube channel.

[55:38] CS: What’s channel called again? Or is just Alissa Knight?

[55:40] AK: Yeah. It’s youtube.com/C/alissaknight. I do a weekly video upload, a weekly live broadcast. I'm getting be doing another live broadcast today. You can find me on twitter @AlissaKnight, and that’s Alissa with an I, and Knight with a K. And you can also find me on LinkedIn. So, follow me, subscribe to me.

[56:01] CS: Alissa is very prolific on LinkedIn as well. I see your stuff on there all the time. You got a lot of good articles, vids. Everything is kind of there. It’s a good clearinghouse.

[56:10] AK: Yeah. I’ve got like 30,000 followers now on LinkedIn. So, definitely follow me there and connect with me. And if you’re looking for ways to support me, support other content creators, like and share our stuff. Subscribe to my YouTube channel. Hit that little ball icon to be notified of new uploads. For those of you who are reading articles, watching videos, there's no better way to support them by hitting like and sharing it.

[56:39] CS: There you go. Check out, if you're so inclined, Hacking Connected Cars on Wiley.

[56:43] AK: Yes. Please. Definitely go buy my book and write a great review about it on Amazon. I'm reading some trolls on Amazon that are writing some negatives reviews about my book. So if you like my book, please definitely write a positive review.

[56:52] CS: People who want to continue hacking connected cars.

[56:55] AK: Yes! Yes! Write a positive review.

[56:57] CS: Okay. Well, Alissa, thank you again for your time and talent. It’s always such a treat to get to talk to you.

[57:02] AK: Yeah, thank you, Chris. I love being on your show. Thanks for the invite to join you again.

[57:05] CS: It’s always a pleasure. Thank you as ever for all of you for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection tutorials, interviews and past webinars. If you'd rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice. And as Alissa said, nothing helps us better than to give us a five star rating and a nice review on iTunes, or Stitcher, or wherever you do it. So please, if people have been doing, it’s been helping. Thank you.

For a free month of the Infosec skills platform that you heard about at the start of today’s show, just go to infosecinstitute.com/skills and sign up for an account. In the coupon code type cyberwork, all one word, all small letters, no spaces, and get your free month.

Thank you once again to Alissa Knight and thank you all for watching and listening. We will speak to you next week.

Free cybersecurity training resources!

Infosec recently developed 12 role-guided training plans — all backed by research into skills requested by employers and a panel of cybersecurity subject matter experts. Cyber Work listeners can get all 12 for free — plus free training courses and other resources.


Weekly career advice

Learn how to break into cybersecurity, build new skills and move up the career ladder. Each week on the Cyber Work Podcast, host Chris Sienko sits down with thought leaders from Booz Allen Hamilton, CompTIA, Google, IBM, Veracode and others to discuss the latest cybersecurity workforce trends.


Q&As with industry pros

Have a question about your cybersecurity career? Join our special Cyber Work Live episodes for a Q&A with industry leaders. Get your career questions answered, connect with other industry professionals and take your career to the next level.


Level up your skills

Hack your way to success with career tips from cybersecurity experts. Get concise, actionable advice in each episode — from acing your first certification exam to building a world-class enterprise cybersecurity culture.