Top cybersecurity breaches of 2021

[00:00:01] CS: Today on Cyber Work, InfoSec’s principal security researcher instructor and cybersecurity renaissance man, Keatron Evans returns to the show after two and a half years for the first in the series of once quarterly episodes breaking down big stories in the news and cybersecurity trends for the future. Tune in as we talk SolarWinds, Colonial Access Pipeline, Oldsmar, Keatron’s origin story and why just like practicing your scales makes you a better musician, master pen testers and security pros got where they did by mastering the art of repetition and learning. This one’s a must hear, folks. Don’t miss it. Stay tuned to Cyber Work.

[00:00:41] CS: Welcome to this week’s episode of the Cyber Work with InfoSec podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals and offer tips for breaking in or moving up the ladder in the cybersecurity industry. Today’s guest, it’s a big one, it’s InfoSec own Chief Security Researcher and InfoSec instructor, Keatron Evans. Keatron is one of our most requested and highly rated instructors at InfoSec, and an integral part, if I dare say so of our success in security training.

We decided we’re going to try and have him on quarterly or as close as his busy schedule will allow to discuss some of the big things that are happening. Right now, we’re going to talk about some of the big things that have happened in 2021, in the realms of security and hope that we can find some takeaways that we can take into 2022. Keatron, welcome back to Cyber Work. My pleasure as well. The last time you were on to do a full episode, I think you were guest number three way back in 2018. I will assume that a lot of people have not heard that episode. If they haven’t, feel free to go check it out. It’s still up on our YouTube page. But since then, we always like to ask our guest’s superhero origin story. Where did you first get interested in computers and tech? When did you first get excited about cybersecurity? What was the initial draw?

[00:02:05] KE: Well, computers and tech in general, it was actually in high school. There’s a class and people know, I grew up in rural Mississippi. My senior class was literally like 35 people. My hometown had about 2500 people, 2500 total. But there was a vocational course called diversified technology. In there was an introduction to computers and CAD. There was an instructor, a teacher there, Mr. Curtis. Three days into that class, he told me, “You should do this, because you’re like just going way past everybody else on the assignments and the books.” I was like, it was just that spark, somebody saying, “Hey! You’re good at this. You should do this.” It had that amazing effect and I didn’t even realize that it had that effect until recently. Like a few years ago, I just thought back and was like, “That’s what it was right there.”

[00:03:00] CS: Yeah, absolutely.

[00:03:01] KE: That’s how it started.

[00:03:02] CS: Okay. When you say CAD, is that like the architecture, AutoCAD?

[00:03:07] KE: Yeah, Computer Aided Drafting.

[00:03:08] CS: Yeah. Okay. What was the sort of the span of that class that got you excited? What were the things that you were especially into or especially good at that the teacher complimented you on?

[00:03:18] KE: Well, it was just doing the exercises. You had to write these little scripts to automate like drawing walls and stuff, buildings. I just took that, and ran with it in and made it do other stuff that was supposed to be done. He was like, “Yeah, I want you to – don’t do the class assignments. Read this DaaS book and do everything in here.” He kind of sent me off on a separate path of exploring, and that’s what got me into it. Cybersecurity was something that came later. I worked in some other environments and some environments I can’t yet talk about, but I won’t be able to provide in two years. That’s how I kind of got into the cyber side, is doing that.

[00:04:05] CS: Got it. Okay. I love it. Did you ever move into the sort of architecture design side of things or did you just like the interface, and scripting and coding?

[00:04:16] KE: I actually did become a professional engineer, and it’s simple engineering, and design building and things like that, just a very little bit though. I mean, even when I was doing that job, they primarily use me as the IT person.

[00:04:34] CS: Okay. I love that. Yeah.

[00:04:37] KE: Because I was the only one that could do it. I was the only one that could do structural design and buildings not fall and do the IT stuff. So I got drafted to do the IT stuff.

[00:04:48] CS: I like that story, because one of our other earliest guests and one of my writers for InfoSec resources is Susan Morrow. Similarly, she started in I think chemical engineering and then discovered that she actually Like learning the part about like securing the data that she had created during chemical engineering better than she liked doing the actual chemical engineering, so she pivoted over to security like that. If it speaks to you, then jump for it.

Following up on that, how did you first come into contact with InfoSec? I feel like your name and InfoSec are inextricably tied for a long time now. How did you and Jack Koziol, our CEO start working together?

[00:05:26] KE: Our first business interaction was like 2002, I believe it was, or 2003. I mean, what happened was, I took one of his very first ethical hacking courses that he taught. I was in there and we just connected. We’re both in Chicago at the time. It was just a good connection, like it was good energy, the class was good. To give you a little bit of interesting history here that nobody at InfoSec knows about this. But you’d be the first to know.

[00:05:56] CS: All right.

[00:05:55] KE: [Inaudible 00:05:55]. If you o back and look at techexams.net, which we’re heavily involved with now. Some of the very first boards and messages on there, right after I took that class a week after I went on tech exams, which is owned by completely a different party at the time, and I posted a message on there saying, “I took the ethical hacking course from Jack Koziol and it was great. He did a great job.” Then Jack came on and told me thank you for the kind words. Going full circle, thinking about what tech exams is now and who’s under, that an interesting piece of history there. All the way back in 2003 when I was a moderator on tech exam, I gave props to Jack and he came on and said, “Thanks” and now we – it is what it is now. Shortly after that, maybe a year or two after, I was featured in The Wall Street Journal article about hacking, and cybersecurity and Jack was also in it. After I saw he was in the article as well, I called him up and gave him a hard time about interrupting and taking over my media space. We had a laugh about that and that’s when we reconnected.

He was like, “Hey! Can you do this one class for us out in DC?” I went out and did it, and he was like, “Dude, I never get emails that good. You need to do more of these.” Of course, he’s always hyping everybody else but himself. He’s a modest dude. But I think he was, just kind of, feed me a little bit of extra comfort, a little bit of confidence boosting too. But he was like, “Yeah. My evals have never been that good.” He’s like, “You should do this more.” It went from that to creating courseware to teaching. And we were joking about the fact that there’s only a couple of us that could literally fill the call from a customer, take the requirements of the course they want, write the course, go teach the course and do the whole shebang.

[00:08:01] CS: Wow! Yeah.

[00:08:02] KE: And because we used to do that, that’s what we actually used to do. It was literally just he, and I and one salesperson at the time. When it came to writing the courseware and delivering it, it was pretty much we had to do the whole thing. Man, we’re so thankful to have a content team, and people that actually do it right, do it professionally now.

[00:08:25] CS: Oh, yeah! Yeah. I mean, I was an employee 36 here, and yeah, I mean, it’s just unbelievable how much larger things are at this point. Also, I feel like all these history stories you’re telling me all have these great sorts of actionable takeaways. I hope people are making notes, because like I say, before, you moved over from design into security, because it was more fun. But like also, if you have a great experience with someone, like a teacher or mentor, guru, whatever, tell people about it, and then maybe they see it and maybe you reconnect. There’s no reason to be stingy with your praise of people that helped you, because they see it and they come back. I mean, to that end – oh, sorry, go ahead. What are you saying?

[00:09:07] KE: Yeah. I was just going to say, “Yeah, you’re exactly right.” That’s the vibe. He and I have the right vibe from the beginning. I mean, we just kind of both are not really known for mediocre type work. We just kind of always go into our caves, and do our parts and just spit it out and here’s what the product is. There didn’t need to be a lot of talking about it. It’s just, you’re expected to do like your thing and do it well and that’s just it. That’s kind of how we’ve always had our relationship.

[00:09:37] CS: Yeah. I mean, that jumps nicely into my next question. I mean, it’s no huge surprise to a lot of people watching this video that Keatron is one of our most requested, most highly rated instructors by our students. I’ve seen comments about how much they liked your class from like on completely unrelated episodes of Cyber Work. You got your fans out there, which is awesome. But for those who are watching this who don’t know you and your role here at InfoSec, tell us about the work you do for us, specifically as chief security researcher, as well as instructor and any other job titles that I might not be aware of?

[00:10:17] KE: Yes. The principal security researcher, there’s a lot of different kinds of interesting research that’s happening in the industry. Like one of the things that I’m a lot focused on now and I just published a white paper through ISACA, which is one of our partners, by the way on machine learning and artificial intelligence in cybersecurity, and how it’s being utilized. That’s one area we’re trying to make sure that we stay on the cutting edge of what the research. And another area that’s really something that’s passionate for me that I’ve researched for a really long time is how people learn this technical content at a very micro level. I’ve always collected a lot of my own personal data about that, and I’ve applied that to my teaching methods and styles. I have like a natural passion for – I want people to actually learn the stuff, the material when we’re going through it.

I do a lot of research around what works, what doesn’t how, how do people retain this information. I’m looking at interesting ways to use machine learning to automate that, and take live feedback from people as they’re learning. The machine and the computer together kind of auto guide that person into what exercises they need to be doing, and how much longer they need to do it and stuff like that very early. But that’s one area that I’m kind of digging heavily off into right now. Part of that role is really just to, I guess, you could say, be the face of what you’re doing and what some of our problems are. Because I do a lot of these types of things, and podcasts, and appearances, and conferences and things like that.

But just to kind of give a peek behind the curtain of what’s going on and what we’re doing. We’re always doing exciting stuff and Jack has always been the type of person to just say, “Do something cool that works, that’s going to help the community and put it out there.” He gives us that blank canvas and just lets us go with it. That’s how we’re able to turn out good stuff like we do.

[00:12:24] CS: Okay. Based on what you’ve been studying so far regarding the way people learn and stuff, do you have any sort of hot takes or surprises that you’ve come upon that you can – has the report come out from [inaudible 00:12:38] yet or is it coming soon?

[00:12:41] KE: That report about the machine learning, how it’s being used in cybersecurity, that is actually out already, so it’s available. I think they have it available just for members now. It’s fine, our membership thing, you can go and read it. But it is available for all of you that are listening, that are ISACA members, you can go and read that white paper. But as far as the learning stuff that I’m working on, as far as helping people learn technical security better, that’s not public yet, because I’m still – we’re still heavy into the research of it. But that’s an additional thing that I look to share some more information about in 2022.

[00:13:17] CS: Okay. What classes are you currently teaching for InfoSec, either in boot camp form or skills form?

[00:13:24] KE: I mean, of course, everybody knows me for ethical hacking, because that’s kind of where I built my reputation from. I still do a decent amount of those incident response, cyber threat hunting and a lot of web application security stuff. I do some of those courses as well. But in the skills side, I do have an ethical hacking. The CEH just got released this week. I’ve got completely new exercises, completely new exploits and demonstrations that I’m doing in there. And again, just to get people to understand the material. So when they take a PenTest+ or a CH exam, it’s not like they’re trying to – it’s not like scratching glass or something like it. It’s a very smooth experience when they take the test because they understand the material.

[00:14:17] CS: Yeah, there’s been a lot of work in sort of making the actual interface of the study a lot more intuitive and a lot more like the real thing. I remember how sort of command line, everything was before we had this whole sort of virtual experience.

[00:14:37] KE: Yeah, for sure. So that, I have the problem – maybe one of my most popular courses right now is the cybersecurity foundations course, where I’ve put a lot of time into creating that. A lot of what I created there came from that research on how people learn technical content. And when I say how people learn it, I mean, people that don’t have a technical background. Because for me personally, that’s where I see the biggest gap is, organizations continue to try to turn to traditional IT and computer science backgrounds to fill these roles. But there’s a huge untapped market of people that don’t come from a traditional IT background that even don’t come from traditional demographic of who you see working in these industries that are absolutely brilliant people. You’ve had some of them on these podcasts as well.

We all know, every conference that I go to, I was doing one in Vegas right before COVID in 2019. I broke a record. I had like 700 people in that breakout meeting. I got pictures of it. Not a lot of people in that audience looked like me. That was kind of surreal that I was the one lecturing, but nobody in the audience looking remotely like I looked. It was kind of a surreal moment for me. It made me kind of realize that – and I always struggle with that, like as a person that’s kind of out front trying to do these things, I always struggle with, how can I do more? I feel like I need to do more to bring this wonderful career that I have to bring that opportunity to other people that are from my community, where I grew up in the rural South, and just in communities in general that normally would have access to this type of thing. I personally am working on and trying to come up with ways to bridge that gap, to make it easy for those people to transition over.

[00:16:31] CS: Yeah. Do you ever give any thoughts on that? Have you seen any changes or any sort of initiatives in that area that are working, or making or is it still a long way to go?

[00:16:40] KE: I believe so. Yes, the Cyber Women’s Jujitsu, I think it’s called.

[00:16:43] CS: Oh, yeah. The Women’s Society of Cyberjutsu, yeah. I love them. Mary has been on there too like three times? She’s awesome.

[00:16:49] KE: Yeah. I think that’s a great initiative. She’s doing great work, and it seems like – I think we just partnered with them like today, or yesterday or something. That is – I think she’s kind of got a head start, most of them that are trying to do it. That’s a great effort right there, and I support that 100%. But some of the things that I’m looking at doing is just going into a lot of these areas, like where I came from, and standing up something to kind of be a gateway for people to get into it. And speak in a language that’s not super technical, because I think that’s one of – well, I’m certain that’s one of my strong points, is taking extremely technical material, and making it digestible for people that aren’t.

[00:17:35] CS: That’s huge.

[00:17:37] KE: I think just enough to get them interested, so that now, they can go and do the boring part, because they’re interested in the nuggets that I’ve given them. I think that’s worked well for me over the years. I’m trying to just come up with a way to scale that, to make it more digestible. I mean, even playing music and things like that, I tell people, playing scales, practicing scales, it’s boring, but it’s something that’s got to be done. What was a breakthrough for me in learning and mastering jazz, and being able to play on a regular basis at the House of Blues in Chicago was coming up with an interesting and relatable way to practice scales. I’m sort of sitting there playing scales.

I’m trying to create the equivalent of that for learning cybersecurity, because, to be honest, a lot of it’s not sexy. Some of the process of learning cybersecurity is extremely boring and monotonous, but it’s something that has to be done. Otherwise, you end up in a position with a job and a title with a whole lot of gaps in your knowledge base. And yeah, it’s not a good place to be for you or your organization.

[00:18:41] CS: Yeah. If you’re trying to train a carpenter, you can show them the table and be like, “Look how much fun it’s going to be when you have that table finished, but now you have to learn how to use a plainer or you know.”

[00:18:50] KE: Exactly.

[00:18:51] CS: Something like that. And you have to know those things, but you have to be able to see the end in sight. I always think about, there’s a sitar player named, Nikhil Banerjee who, his teacher made him study scales for 10 years before he ever let them do a raga. He like tried to do one just on his own while he thought his teacher wasn’t listening. And he nearly got kicked out of the school or whatever. But yeah, I mean, that’s a very doctrinaire example. But yeah, I know, you can’t just do scales all the time. You got to find the joy in the thing. I think that’s also just, I mean, that’s one of the big things that we harp on all the time about cyber work, is that like, people so often psych themselves out of cybersecurity careers, because they don’t feel like they have the tech background, or that they need a tech background, or they’ll never catch up on a tech background. It’s not necessarily the case. Like you said, it’s learning a few tools and understanding the core concepts and that gets you a long way, I mean.

[00:19:47] KE: For sure. I mean, in 2020, I’ve taken more than a handful of people that had no technical background whatsoever, and help to mentor them to a point to where they’re now doing vulnerability scanning jobs, and some of them even pen testing jobs. And of course, I don’t want to take all the credit, like they put the work in in time. Just giving a little guidance, giving them that nugget that they can grab on to and pull in. One of the other things too is, I like creating other mentors or helping to create other mentors. There are few people like Devin and people that I’ve mentored over the years, and I’m seeing them doing some mentoring on their own.

[00:20:30] CS: That’s great.

[00:20:31] KE: I encourage – like I love to see that because it kind of feels like the knowledge base is growing exponentially, and we need it in our world, you know, right?

[00:20:39] CS: Yeah, for sure. To get to the idea of today’s episode, we wanted to use as a framework. We’re going to kind of recap some of the major newsworthy security breaches that happened in 2021, and get your takeaways on them. I feel like rather than just reminding folks so what happened or doing like a ranked list of the gnarliest breaches or whatever, or we can at least impart some takeaways for the future of security practices, and maybe tie each of these into some sort of takeaway action that listeners can do to get started in this type of work. Does that sound good?

[00:21:11] KE: Yeah, for sure.

[00:21:11] CS: Okay. Let’s start with possibly the biggest breach story of the year. We’re talking about the SolarWinds breach, of course. I keep trying to record an entire webinar around this topic, which even included a hands-on demonstration of the attack. I encourage all of you listening here to go to our YouTube page, just type in InfoSec and you’ll find the webinar as well as just the isolated walkthrough of the man the middle attack. For those of us who are new to the breach, though, give us a quick summary of what happened, how the breach was mitigated and how you think this event and story will change how security is done in the future.

[00:21:48] KE: Yeah. So basically, what happens is, SolarWinds makes a lot of network engineering products. They’re not really a security vendor. Although we’ve gotten into security a little bit, but they were – they made their fortune and made their name on products that help you manage, maintain, and monitor your network. One of those products, Orion, it may be the most popular product in the world for what it actually does. It was heavily distributed, almost everybody that has a big network probably has it or has had it at some point.

The data breach actually happen at SolarWinds. Someone compromise the SolarWinds, got into that product, put malware in an update of that product, and just waited for that update to get pushed down to all the SolarWinds customers. I think part of it that’s confusing for people is how – well if it’s SolarWinds, why do I care it? Well, it wasn’t just SolarWinds. It’s pretty much anyone that was using that product, and had gotten that update in that certain timeframe ended up with that malware in their environment. Now, we have companies that are breached, because they have that specific SolarWinds product in their environment. That’s what made that really complex. It also made it eye opening for us as far as supply chain, because that essentially is a supply chain attack. Where you attack the supply, and then everybody downwind from that are down chain from that get compromised as a result of it. That’s what was significant about that.

[00:23:22] CS: Yeah. I guess, I don’t remember. Was that it like an insider thing? Or how did how did that get into this update that got pushed down to all these platforms?

[00:23:33] KE: Yeah. So they got compromised. Let’s just say the organization got compromised. SolarWinds got their own breach of where their code got –

[00:23:42] CS: Got it, okay.

[00:23:43] KE: And then that got put in there, and they just waited for it to get pushed out.

[00:23:48] CS: Yeah. They just – they put it in there, and then just sort of wait until it’s time for an update, and then the update happened and it was contagion everywhere?

[00:23:55] KE: Yeah.

[00:23:56] CS: Okay. Wow! I guess speaking in a practical way, for listeners who would want to help prevent future SolarWinds breaches in the future, what job role should they be preparing for now, what experiences should they be seeking? What are the areas that if you’re sort of like trying to be on the parapets and looking for stuff like this? Is it secure coding? Is it vulnerability management? Is it all of these things, other things?

[00:24:23] KE: Yeah. I mean, I guess and once since most all cybersecurity roles would kind of be preventing it. But more specifically, if you’re talking about in the trenches, hands on the keyboard actively fighting these threats, SOC analysts would be a great one because that’s more – it could be an entry level position, and you’re immediately put right on the forefront of looking at stuff that’s coming in and deciding if it’s bad or not. So that would be a good place. Pen testing, you’re looking for these types of vulnerabilities that cause SolarWinds to get breached, and hopefully, as a pen tester, you find them before whoever did the SolarWinds hack finds them and get the same with it.

Incident response roles, and speaking of that, my incident response skills course, I have a skills path. In skills, if you just search for incident response, it’s the one that’s got the skills path, little pathway beside it. In that course, I’ve recently added a project or a capture the flag exercise where the student has to take a packet capture and a memory dump of machines that were compromised with the SolarWinds malware. They have to investigate that, and answer some questions and submit that to us to get that certificate that says, “I completed it.” If you really want to dig into SolarWinds, you can jump into that course and actually do a project where you have to go through it, investigate it.

[00:25:47] CS: Okay. So you’re basically replicating what someone did as soon as they found out about it.

[00:25:52] KE: Yes.

[00:25:53] CS: That’s great. Okay. Yeah. That’s great because it’s not just the technical of it, but you also have to provide the writeup. Because, again, I bang this drum all the time, but, a soft skill of being able to write reports in a relatable way is just so crucial for so many of these jobs, like you have to explain it to non-technical people.

[00:26:11] KE: I mean, yeah. For pen testing for example, it may be the most important job, because when you do a pen test, you spend six weeks, eight weeks, three months working on a big engagement. You’re doing all this technical stuff. But the people that are paying for that pen test, all they’re ever going to see is the report. They’re never going to see what hack you did. They’re not going to see that you made windows turn back flips and Linux do a summersault. They never see any of that stuff. What they’re going to see is what’s in that final report and that’s what they’re going to base the value on.

[00:26:41] CS: Yeah. You can’t even show it to them and expect them to go, “Wow! I don’t even know what it is.”

[00:26:46] KE: Right.

[00:26:47] CS: I want to jump on to the next major story. This is one that I’ve covered a lot of times on here, because it’s kind of one of my personal obsessions within the cybersecurity area is the water treatment plant in Oldsmar, Florida. As I understand it, hackers somehow managed to take over the controls of the water treatment system, and attempted to increase the amount of lye going into the water, which would have poisoned, if not killed anyone drinking the water. There’s a security technician on site who saw the cursor moving around and was able to shut it down. I think there were also sort of security measures in terms of certain chemicals not going in and large amounts. But not every municipality security person on duty might be so lucky. Can you talk about some of the larger implications of this breach as result regarding the current state of public infrastructure security?

[00:27:36] KE: Oh, sure. This has more significance to the current environment than you might think. What happened was, the attackers were able to get in and access something called TeamViewer. What TeamViewer is –

[00:27:49] CS: Oh, I know TeamViewer. Well, that’s how I do any fixes on my mom’s computer. She’s in Michigan, so I’m like, “Just type in the code, and then I’ll take care of updating your Windows.” Yeah, anyway.

[00:28:00] KE: Yeah. For the audience, I’ll explain what it is.

[00:28:02] CS: Please.

[00:28:03] KE: TeamViewer is a product that you put on your computer if you want people to be able to access your computer remotely and help you troubleshoot it. For example, I have, like you said, I have family members that have me remote into their machine all the time and fix things. Now, what happened was, some attacker was able to get access to their TeamViewer account, and get access to that computer. The computer actually had access to the OT environment, and the skate environment, which should have not been the case, but somehow, it was.

They were able to get in and do things to try to change amount of lye or chlorine or whatever as it’s going to the water. The significance of that is number one, when you have enterprise TeamViewer accounts, usually the way it works, is you have a TeamViewer administrator account that has access to potentially hundreds of computers. We never knew because they never disclose whether or not these hackers access the main account and were able to access any computer or was it just that one computer. They never really said what the case was.

The other thing to think about too is, when COVID hit, so many of us went from working in person to working at home. The amount of sales for TeamViewer went out the roof, because now, there’s a lot more TeamViewer type work going on, because people have to troubleshoot people’s computers remotely. They can’t use remote desktop and things like that, because they’re not on that same network and all these things. That’s significant, because I’ve seen several breaches myself this year, where tools like TeamViewer were the culprit, which is the initial entry point. If you think about it, it’s not a lot different. It’s not too much different than SolarWinds because they didn’t actually breach the water plant aside from TeamViewer.

[00:29:57] CS: Yeah, they breached this third party.

[00:29:58] KE: If they weren’t using TeamViewer, they may not have gotten into the environment. Not to slam TeamViewer, every single product has potential security holes, right? It was TeamViewer that day, it could have been any TeamViewer competitor the next day. But you know, in that case, that was really supply chain-ish as well, because TeamViewer is how they got in. Now, it could have been that they have a zero-day exploit that they’re able to get into TeamViewer with that nobody knows about. Or it could be the owner of the TeamViewer account was using a password like 123, ABC, or something like that. Usually in these cases, when I investigate them, that ends up being the case more often than not, that it’s just weak credentials, no two-factor and that type.

[00:30:44] CS: I’m kind of going off script here. But like I said, I’ve talked to several people about infrastructure security over the past year. I talked to Emily Miller, who’s from Mocana and Dirk Schrader talked about healthcare security, and how there were something like 15 million pieces of health data that were completely unsecured, and not password protected and everything. The thought that just kind of kept going into my head was, we have these swaths of public infrastructure, public – that are sort of soft, not very well secured or not secured at all. And it just seems like a really like great opportunity to sort of like help in your community or get your experience before you have your first job or whatever. But can you can you speak to it? Because almost every guest without question says, I don’t know how I don’t drink while I read all this information, because it’s so scary. There’s just so many sort of potential entrance points and things like that. Can you speak to the anxiety of like this sort of mass of squishy security, and what’s to be done about it by the future?

[00:31:52] KE: Yeah. I mean, I’ve kind of seen it so much that I’ve kind of become a little numb to it. And plus, usually, when I see these things, and I see these events, and these data breaches, I see them from the standpoint of that customer has called me in to help them solve the problem. I’ve kind of gotten myself mentally conditioned to where when I go in, it’s strictly about trying to solve the problem and then I get emotional about it later when I’m home. That’s why I don’t have hair anymore is what you just described there. Keeping it all in. But that’s what happened. It is a lot and it’s a big problem to try to solve. And then you see things like Zero Trust, and these are some great initiatives. But zero trust is not like some magic cake that you kind of throw over all your infrastructure and it fixes everything.

A lot of people, and I’ll say this carefully. A lot of organizations are not even at a maturity point to even be able to start implementing something like Zero Trust. This is something that’s going to take some time, before it even has any real impact in what we’re actually seeing on the ground. Definitely, it is stressful. It is a lot. I think you have to compartmentalize it, right? You see it, you freak out about it for five minutes, and then you put your head back down and get back to work.

[00:33:18] CS: Yeah. Yeah, yeah. It’s going to be a lot of layers of patching, and repair, and small steps and small changes. To that end, I guess that leads nicely into – I wanted to talk about President Biden’s directive on immediately addressing and patching vulnerabilities on federal government servers. I mean, we’ve had guests speak a lot this year about the importance of prioritizing vulnerabilities that are actually exploitable, rather than working around the clock to close vulnerabilities that can’t be exploited anyway. I think when you hear 100,000, vulnerabilities and stuff like that, it sounds enormous. But then when you sort of drill down into how many of those could actually be dangerous or whatever. Do you have any thoughts about the implications of this directive or giving it’s a step in the right direction? Should it be refined?

[00:34:07] KE: Yeah. I mean, I think it’s a good directive, but I also think we have to be realistic and that it’s not as easy as just saying something. Because, for one, what you just said. Sure, everybody’s been coming on saying that like, “Yes, we have to focus on the vulnerabilities that are exploitable, and not the ones that aren’t.” But you know, part of what we do as pen testers is specifically that. We take a report that says there’s 100,000 vulnerabilities and we try to exploit them all, and we come back and say, out of the 100,000, 500 of these, we were able to exploit. The ones that are leftover are probably false positives, or they are ones that you could spend time later over a long period of time trying to get those taken off. But that’s a very complex process, and a lot of organizations are saying that they’re doing that.

When you ask, “Well, how are you deciding which ones are exploitable and which ones aren’t?” Well, our expertise or you’re not valid. You have to validate these things. You have to go in and see, because the minute you say you patched all the exploitable vulnerabilities, and then you get exploited by one that you didn’t patch. Now suddenly, it looks like the whole process of what you’re trying to do there loses its weight and gravity. I think we have to be careful about that and make sure that we’re validating, when we say the ones that aren’t really exploitable versus the ones that are.

[00:35:27] CS: Okay. So you’re saying don’t dismiss so many of these out of hand without knowing.”

[00:35:34] KE: Exactly.

[00:35:34] CS: Okay. Yeah, because then, you get into the, “Well, I’m focusing on these five things while 75,000 lay fallow and some of those are still in it.” Okay.

[00:35:44] KE: Then there’s a concept of what I like to call exploit and vulnerability creep, right? You might have three vulnerabilities, and I’m dealing with this with a customer right now. You might have three vulnerabilities like cross site scripting, reflected cross site scripting, and two other things that are medium or low vulnerabilities individually. But you chain those three vulnerabilities together, and use them interactively with each other. And suddenly, it’s a critical when you put them together. I think that’s missing in a lot of the security testing, and testing and things like that. When you’re able to take several different vulnerabilities that seem benign, and put them together and make them into something that’s not benign. This is what attackers do. This is exactly what attackers do, and I think we have to do a better job of modeling that when we’re testing and evaluating security.

[00:36:33] CS: Okay. I mean, do you have any? Like, what would your sort of version of the directive be in terms of close all vulnerabilities now or whatever? If you had the magic wand to sort of rewrite it or whatever, would you change it at all or is it fine the way it is or would you add things or amend it?

[00:36:52] KE: Yeah. I would amend it and make it a little bit more realistic and say, “Look, let’s start with this. Let’s start with making sure that software with known exploitable vulnerabilities are not being put out into the environment. Let’s beef up that part of it. Because everything that we do in cybersecurity eventually comes back to bad software, software with security vulnerabilities in it as far as the hacking stuff goes. I would probably make it more like a phase thing. First phase is, let’s really nail down putting out bad or insecure software as the government migrates. Bbecause the US government’s migrating rapidly to cloud services now. There’s a lot of opportunity there in that migration for some things to be re-engineered. And if we’ve got to be re-engineering, we might as well try to beef up and bake in security at the beginning of when we’re re-engineering these things that used to be on premise.

I would put some language in there to address that. Then further, make it a little bit softer approach to addressing the vulnerabilities that are critical, making sure that we address them and we find them, but also just being realistic with the timelines and things like that. Because when I read it, I did feel like something’s in there just sounded a little bit unrealistic, and at least that the maturity level that these organizations are at now.

[00:38:23] CS: Right okay. Again, like you said, I think so much of this is going to be, we’re going to have to think 10, 15 years out in terms of strengthening things on lower levels before you can start doing the advanced level stuff. I was going to ask you a question about the Colonial Access Pipeline. I feel like a lot of the same lessons or takeaways as they are with Oldsmar, and with SolarWinds and so forth. But I guess I wanted to speak a little bit about supply chain security. Certainly, we’re hearing about that with holiday shopping season and prepare everything, going slow. I mean, can you speak about some of the end of your security issues that are sort of more directly involved with shipping, with just sort of like commerce, and quality of life and whatever else you want to call it. It looks like COVID is not – the working situations aren’t going to change that quickly here. Can you speak sort of like your predictions for the coming year about the sort of stuff?

[00:39:25] KE: Yeah. I mean, I definitely see an uptick and we talked about this before, like where – when you think about ransomware, it’s definitely something that we associate with like Colonial and big companies. But what I’m seeing slowly tick up is the amount of ransomware attacks that are directed towards the consumer to individuals. Because now there’s the infrastructure and I hate to say that in a negative light, but there’s the infrastructure in place now where we’re sending everybody back home to work from home. The infrastructure is right to ransomware attack individuals now.

I’ve even seen now hybrids of where I’ve had family members, for example, that are – even if it’s what is real or imagined, they imagined at least they are influencers, right? They have these Instagram accounts that are popular in their circles, and one family member had their Instagram account compromised and hacked. [Inaudible 00:40:22] and the attacker said, “Give me 500 bucks, and you can have it back or else, I’m going to post really negative stuff and I’m going to keep hitting up your family members asking for money.”

[00:40:33] CS: Wow!

[00:40:34] KE: You pay me $500 in Bitcoin and get it back. That’s a low volume or low profit type of attack compared to $40 million, which is some of the numbers that we saw this year so far. But if you can make up for that in volume, right? If every person that thinks they have a hot Instagram account, they give you 500 bucks. I mean, you can still make a lot of money doing that. I see the value of going after the consumer going up. This holiday season seems like a good launching point, groundbreaking time to start that process. We’re starting to see signs of that a little bit. But I do you have that video that we released, Hacked for the Holidays, that I go into talking about the scans with the prepaid cards, the gift cards, and all of these other things that they are ramping up for the holidays.

People are just not paying attention. Some of us are shopping last minute, so people are just going fast. I would definitely say, watch that video, make sure you watch it because I go into detail about some of the major scams. But if it sounds too good to be true, it most likely is. The main thing is, go slow, slow down with your transactions, make sure it makes sense. Because yes, most of these things just doesn’t feel right a lot of times.

[00:41:54] CS: Yeah, absolutely.

[00:41:55] KE: Just take your time. Go slow, and you may be okay.

[00:42:01] CS: Everybody has elevated stress levels this time of year anyway. So as soon as you see like, “Wait, I didn’t buy the shoes for $225,” better dispute it or things like that. You just got to take a breath and realize there’s other ways to sort of approach these problems.

[00:42:19] KE: Yeah, for sure.

[00:42:21] CS: I guess using the big crystal ball, what general security trends would you like to see take off or gain traction in 2022? This year was scary in several ways, from a security perspective. And while security folks are like the men and black, so to speak, candidly staving off, total catastrophes without the knowledge of the general population. Do you have any recommendations or predictions for the ways that things could change for next year? Do you think there’s any kind of public perception issues that security experts can address regarding like high-profile breaches, and personal phishing attacks and other such issues that are now kind of the fabric of our lives?

[00:42:58] KE: Yeah. I mean, in one sense, I want to tell people to just strap in for the ride, because these things are not going to go away. I’m on the back end, front end, however you want to look at it, coming up with security solutions, trying to educate people. I don’t see that there’s any magic bullet that we’re going to produce in 2022 to fix it, all right? These things are here to stay and we’re going to have to live with. But I still believe the most important aspect is from a corporate standpoint, from the individual consumer standpoint, everybody has to up their game on their education as far as what they know about cybersecurity and what they know about the attacks.

I’ve already planned it. My family has given me a whole hour of time when we meet up for Christmas. They’re going to get some cybersecurity awareness training from me over Christmas break, just to get their knowledge level up to a certain point that they don’t fall for the most obvious things.

[00:43:57] CS: That’s great.

[00:43:58] KE: I believe that if we start to kind of push that, in general. If we would just take the cybersecurity awareness IQ of the general population up by 1%, you’d be amazed at how much impact that would have.

[00:44:13] CS: Absolutely.

[00:44:13] KE: I still think that’s probably our best weapon, is just to educate people, because still, phishing and client-side attacks are the number one way that organizations are getting compromised. Definitely, when people, individuals are getting compromised.

[00:44:27] CS: That’s some great advice for individuals and some for a personal perspective. From a professional standpoint, what advice would you give cybersecurity students, yours or others who are getting their knowledge and experience in 2022? Are there any trends or innovations that they should be watching for in the new year?

[00:44:45] KE: Well, not really trends or innovations. I mean, I think definitely the cyber ranges are picking up, our Cyber Range is great. But the thing that I want to say to people that are trying to get in and trying to excel, for one, you have to kind of decide, do you want to just do this and make money? Or do you want to be absolutely great at it? Then if you decide you want to just make money at it, that’s fine. You can do what everybody else is doing. You can make money and do well in the industry. But if you really want to excel in it, you have to understand that you got to put the time in to exercise those muscles. Just because you’ve done an exercise in the Cyber Range, it doesn’t mean you know how to do that exercise. You’ve done it one time, that doesn’t mean you know how to do it.

When I learned to drive, the first time I successfully went from my parents’ driveway down the road and came back, I thought I knew how to drive. But two accidents, later, I realized I didn’t actually know how to drive. I just done it one time. When you’re doing these exercises, and when you’re training yourself, and when you’re getting certifications. Just because you pass an exam, just because you did that exercise doesn’t mean you actually know how to do it. It takes repetition. So you need to challenge yourself and discipline yourself to have that endurance to do things over, and over and over again until a lot of the mechanical stuff becomes automatic and second nature. When you see us doing these demonstrations, and as you know, I do all my demos live. I don’t do any prerecorded things. That confidence comes from just doing it over, and over and over again, until I know every possible outcome of what could happen bad. If something happens wrong, then I take it, I’m able to take that and use it as a teaching opportunity. Because I’ve already thought of every possibility of what could happen when this thing goes wrong.

I’m not smart. Usually, if you put me in a room with 10 people, I’m probably the 9th or 10th smartest person, like I’m towards the bottom of the list. But having that discipline and that endurance to sit there and do something over, and over and over again. That puts you at the next level. I listen to Kobe Bryant stuff a lot of times and the things that he used to say. He would always say that like there’s many, many people in the NBA that’s more talented naturally than I am, but not a single one of them will ever outwork me. Because if I see them work harder than me, I will immediately do more work than they are. I think we need to bring that into this preparation, especially those of you who are trying to get in. Outwork everybody. Outwork everyone and you will rise to the top and you will definitely stick out as being different than everybody else that’s trying to do the cybersecurity inference stance right now.

[00:47:33] CS: That’s awesome. That’s a great point and it goes back to your concept of musical scales versus actually getting to play a song, like you got to learn the scales. It’s so important.

[00:47:42] KE: Absolutely.

[00:47:43] CS: Yeah. Just make it work for you and make it fun for you.

[00:47:45] KE: Yeah. When you play that song, if you don’t practice scales and get those down, you’re going to sound just like everybody else who just learn how to play that. But if you master fundamentals, now, it’s art and you sound different, somehow the same as everybody else.

[00:48:01] CS: Remember Coltrane saying, you worked with Thelonious Monk and said, if you weren’t listening closely, it was like you walked into an elevator shaft with no elevator and not really watching. So as we wrap up today, Keatron, can you tell our listeners about some of the projects, classes and other activities that they should watch out from you in 2022?

[00:48:23] KE: Sure. Just work and talking with Meghan and Kate the other day. We’ve got some really extremely exciting and big brand things coming up in 2022. So definitely keep paying attention. I can’t talk too much about this, say much about it now. But one, it’s something that I’ve been wanting to work on for the last 20 years. The stars have aligned. InfoSec is in the right place. We got the right people in place to where we could actually make it into something now. So just look for something really, really big from us from a brand standpoint and outreach to try to help people get into the industry. We got some great stuff coming up for that. Also, I’m going to do updates to my incident response course, that’s in the skills path. I’m going to do updates to that.

We just released a few days ago the updates to the ethical hacking stuff that I produce in there. Really proud of that. And just an uptick in these things, we’ve agreed to do one of these podcasts per quarter. I’ve agreed to do more stuff with Jeff. There’s going to be a lot more of these types of things that you’re going to see coming from me. I’ve adjusted my work schedule, because I do have a business as well, doing pen testing and stuff like that. I’ve brought on some more help. I’ve adjusted that to where I have the flexibility and the time going into 2022 to devote more time to doing outreach and trying to help people. Because honestly, that is what I get the most enjoyment from, is sharing this information and being on these podcasts.

[00:49:55] CS: Phenomenal. I love to hear it. Finally, last question, for all the beans, if our listeners want to learn more about Keatron Evans or our many activities, where can they go online?

[00:50:04] KE: They can go to infosecinstitute.com/authors/keatron-evans.

[00:50:12] CS: Perfect. You want to tell them about KM Cyber, any of your other activities?

[00:50:17] KE: No, not really, I want to keep it on training. Everybody knows I do run a successful pen test incident response forensics firm. We do pen testing and incident response worldwide. We’ve got probably six projects now going on in Europe, and we have a bunch of projects going on here in the US. That was my first love, and that’s still very successful, and I’m proud of that and that’s what I spend most of my time doing.

[00:50:47] CS: All right. Well, Keatron, thank you for joining me today and for all your insights. I could I could talk to you for hours, but I really appreciate you taking an hour with me here.

[00:50:55] KE: The feeling is mutual.

[00:50:56] CS: Awesome.

[00:50:57] CS: As always, thank you to everyone who is listening to us and supporting the show. New episodes of the Cyber Work podcast are available every Monday at 1:00 PM Central both on video at our YouTube page, and on audio wherever you find podcasts are downloaded.

I’m so excited to announce that our Infosec Skills platform will be releasing a new challenge every month with three hands-on labs to put your cyber skills to the test. Each month, you’ll build new skills ranging from secure coding, to penetration testing, to advanced persistent threats and everything in between. Plus, we’re giving away more than $1,000 worth of prizes each month. Go to infosecinstitute.com/challenge and get started right now.

Thanks very much once again to Keatron Evans and thank you all so much for watching and listening. We will speak to you next week.