Cyber Crime Junkies

Understanding the Hacker Mind. Phillip Wylie.

February 15, 2023 Cyber Crime Junkies-David Mauro Season 2 Episode 13
Cyber Crime Junkies
Understanding the Hacker Mind. Phillip Wylie.
Show Notes Transcript

Interactive episode on why it's important to understand the hacker mind with security expert, Phillip Wylie, The Hacker Maker, Author of “The Pentester Blueprint: Starting a Career as an Ethical Hacker”. We discussed: understanding the hacker mind, how penetration tests help businesses stay protected, how hacktivists help keep businesses secure, new approaches to enter cyber security, best ways to protect business from cyber crime, and top security tips we all want to know. An incredible story from being a Professional Wrestler to a top security leader.  

VIDEO Episode Link: 👩‍💻  https://youtu.be/6waALMbcv04

/LETS CONNECT/

We Really want people to be able to Watch and Listen and we would love your help. 

📲 📲 PLEASE CONSIDER SUBSCRIBING.  It's FREE and it will help us to help others.📲 📲  

Our Channel @Cybercrimejunkiespodcast

https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1yg

🔔  Want 💎 EXCLUSIVE💎  Content? For only $4 💎 SUBSCRIBE to Cyber Crime Junkies PRIME
https://www.buzzsprout.com/2014652/supporters/new

Our /SOCIALS and PODCAST/

📲 DAVID MAURO Linkedin: https://www.linkedin.com/in/daviddmauro/

📲 Cyber Crime Junkies Linkedin: https://www.linkedin.com/in/cybercrimejunkies/

📲 Cyber Crime Junkies Instagram: https://www.instagram.com/cybercrimejunkies/

📲 Cyber Crime Junkies Facebook: https://www.facebook.com/CyberCrimeJunkies/

📲 Podcast Cyber Crime Junkies:  https://cybercrimejunkies.buzzsprout.com 

🔔 Site, Research and Marketplace: https://cybercrimejunkies.com



https://www.youtube.com/channel/UCNrU8kX3b4M8ZiQ-GW7Z1y


Try KiteWorks today at www.KiteWorks.com

Don't Miss our Video on this Exciting KiteWorks Offer!

Try KiteWorks today at www.KiteWorks.com

Don't miss this Video on it!

The Most Secure Managed File Transfer System. 








PHIL WYLIE Full EP FINAL BEST 

[00:00:00] We spoke with Phillip Wylie, expert in offensive security. Covered topics of why it's important to understand the hacker mind, understanding the hacker mind, what is the hacker mindset, how to learn offensive security, understanding the hacker mindset, how to start as an ethical hacker. Also discussed how to learn offensive cyber security, understanding offensive cyber security, learning offensive cyber security, offensive cyber security explained , breaking into offensive cyber security, and best ways to learn to hack.

 

[00:00:00] hey, well welcome everybody to Cybercrime Junkies. I am your host, David Mauro and today we have a really, really good episode. Very excited about it. In my. presence as well is my illustrious always positive Co-host, mark the Mark Mosher. Mark. Good morning. Thank you. Thank you for self-correcting, David.

[00:00:21] Now I'm really excited about today's episode. I wanna jump right into this. Absolutely. So we're joined today by Philip Wiley, the hacker maker, author of Pen Tester Blueprint, starting a career as an ethical hacker. He's got several leadership, security certifications like the C I S S P, the OSUCP , the G W A P T, and he'll explain what all that stuff means for everybody.

[00:00:45] He's a highly sought after public speaker's. Got a fascinating arc and fascinating story on how he landed into this field. Frequently presents and he's well sought after at a lot of conferences. Got over two decades of experience, especially in the finance and consumer product area of offensive cybersecurity, the penetration testing, application testing, red teaming.

[00:01:09] He's mentored in educated thousands. He was featured in the, tribe of Hacker's Red Team book, and he's a podcaster and host of the Hacker Factory. Podcast, Phillip Wiley. Thank you and welcome to the studio. Thanks for the introduction. I think you got nailed it. Fine. Except you. Except you. You missed, you missed my book,

[00:01:32] Did I? Now I, I thought I, the pen tester blueprint started career as an ethical hack off the bat. If not, I'm happy. Don't, for a small, for a small fee, we can follow you around and introduce you like that every time you walk. Yeah, every time. Zoom, . Every time you get outta Zoom, I'll just come in and say that and then I'll pull out, I jump right outta the Zoom.

[00:01:53] Yeah. Great to be joining you guys. Thanks for inviting me. No, no, we're, I'm excited about this. [00:02:00] I, I wanna jump right in cause there's so much to cover. And I really, for a lot of our. Listeners and our viewers on the YouTube channel and such, and define some of the terminology that we use cuz everybody may not be, quite familiar with it.

[00:02:15] So we, we use the term hacker a lot and you know, that's can be a misnomer at times, right? Because David and I, we, we've got a whole team of hackers. They're ethical hackers. And then you going, which would be, you know, your, your adversaries, your, your threat actors. Maybe Philip, if you could just tell us at a high level ethical hacking.

[00:02:37] What is, what does that mean? What is that? Sure. Kind of, first of all, I'd like to mention that it's actually thanks to the media that people that break into systems for living or illegally, the terminology come from the media because this dates back to like the M I t, model, railroad Club or whatever, that, they were.

[00:02:58] People that were makers, creators, they were take building things or taking other objects that was meant to do something else and figuring out other ways to do it or enhance the capabilities of it. And the media over the years for the term for cyber criminal, that's where it came from. And Ethical Hacker, we have to delineate because ethical Hacker is the professional hacker that does this for living.

[00:03:19] make sure to mention that that's with permission. Right. So you'll make sure that you have permission. And the funny thing is the public don't understand most cases that ethical hackers are a thing they exist in. They have no idea. Yeah, they have. They have no idea. I mean, even, even people within our organization, when we started to explain what our ethical, what our red team.

[00:03:45] Offering is and what our ethical hackers do. They're like, we didn't even know that we had those. Really, what are you talking about? Yeah. It's really, yeah, because it's so powerful. It's, it's really, it's really intriguing [00:04:00] and you know, the professional term for what we do is penetration testing, but it's just right.

[00:04:05] More confusing when you use that term. And I've, and I thought, well, I'll just tell people that aren't in the business ethical hacking, they'll understand. But I can't tell you how many times I've talked to people and they said, is there such a thing? ? What you talking about

[00:04:22] No, that's good. And so with an ethical hacker, the obvious intent is to, to find vulnerabilities within an organization so they can remediate those vulnerabilities and avoid a breach and stay out of the news for all the wrong reasons, right? Like, that's why we do this. That's why you do this, right? Mm.

[00:04:42] Yeah, we're, we're thinking, and that's why just when they, they hear hacker and they think of, you know, a group of guys in a hoodie, you know, in some dark room just banging on a keyboard and chugging Red Bull and, you know, trying to get your password to your PayPal. I can't, that's, that's, that's different.

[00:04:58] Yeah. We've actually evolved centuries. From that old model, if you, of what a hacker is, because it's really, it's a criminal empire now. Right. You know? Mm-hmm. , it's, it's really changed. David, maybe you could touch more on that. Yeah, no, I, I, it seems to me like it's, it, it's what you mentioned, Phil, like they, the media kind of didn't understand it, and they needed to label it.

[00:05:22] Right. They needed a sound. . And so hacker is a great sound bite for all of the data breaches that are happening. Even though they, they happen in so many different ways and they rarely, and I'm talking about mainstream media, they rarely talk about social engineering versus brute force attacks, and you never hear them get into that, right?

[00:05:43] And so they just go, hackers did this. Right? When in reality the people that were the victims probably had hackers. Either employed or doing pen testing throughout the time. Right. And these are threat actors. These are criminal adversaries that either [00:06:00] bought their way in through, you know, initial access brokers Right.

[00:06:05] And or socially engineered their way, which is just kind of common. That's just old school fraud. Right. And the way they're organized, it's like old school mafia, the way they center it and. Alize it. Yeah. Mm-hmm. . But, but I really wanna hear from you, Phil, and, and what a great story. I mean tell the ladies and gentlemen kind of how you got started.

[00:06:31] You did, did not go the traditional route, right? Where you were a computer science major in high school, and then you studied computer science in college, and then you went to a big corporation, went over to help. Then went over to security and then did ethical hacking. Like that's minute let's, let's define non-traditional.

[00:06:52] So, did, did you wrestle a bear at one point earlier in your career? Yes. Yes. Okay. So, yep. Let's start maybe with that non-traditional. I wanna go back, even if it's okay, Phil, just tell, tell us. Yeah, tell where did you grow up? Like just as a kid, where did you grow up? Sure. What did you like to do?

[00:07:12] Obviously you like to wrestle or you were good at it, . Well, I grew up in Denton, Texas. Okay. And back in those days, you know, when I was a kid in high school and stuff, loved riding skateboards, roller skating. Mm-hmm. riding bikes. It's just kind of funny. We had video games back then like an at. But the thing is one that my wife and I talk about all the time, because the lack of activity in children these days, and we kind of discussed back then we had video games, but we'd rather go outside and play than whenever it was rainy or at night we would stay and play video games.

[00:07:44] But my background in high school, just kind of what got me more, got me in line with the wrestling thing was that, I was a power lifter. So I started lifting in in 1980, and then. Got into power lifting my [00:08:00] senior year in high school, did my first competition. So whenever I got ready to graduate high school, I had no idea what I wanted to do for a living.

[00:08:07] We had computers in our high school. We had Max in the art lab, and then we had some PCs and usually just the smart kids that took those classes and really wasn't a thing on my radar. And so when I graduated high school, I ended up going to wrestling school. Wrestled, you know, went to wrestling school.

[00:08:26] That took about a year or so to get through that, and then wrestled for a couple years. And then, I got married and I needed a more stable. Lifestyle, and then, you know, lifestyle and career that provided insurance and all that. And so I'd worked so many other jobs and I really like to share the story when I speak at conferences because there's a lot of people think that they can't do these things.

[00:08:48] But, you know, I'm a former meathead, power lifter, pro wrestler that, that, you know, never thought I'd use my mind for a living. And never in a million years I thought I would be doing something physical. But as I was making that transit, From giving up on this pro wrestling career to finding something else.

[00:09:06] I worked doing manual labor. I worked in restaurants, cooking, busing tables, washing dishes, probably all the things I did. Outside of that, the only thing I really kind of halfway enjoyed was I worked in a jewelry store selling jewelry. I'm kind of a goal-oriented, really person from power lifting . So I would try to outsell my coworkers and most, I was number one or number two each month and kind of through that ex, that's that a type personality, right?

[00:09:34] That's just the, that's that a type like whatever it seems like whatever you've had in front of you, whatever environment you've placed yourself. You've tried to be, you know, you compete against yourself, right? Mm-hmm. , like, I think that's, life is all about that. It's not about what others are doing. It's kind of like, how do we make the better version of ourself?

[00:09:53] And it seems like you've, like, yeah, to go from power lifting to like jewelry sales and like really, really [00:10:00] get good at that. That's great. That's a renaissance, right? You're like a, like you truly are a Renaissance guy. Like that's just so many different gambit. That's, that. That's amazing. How so, so fascinating is, and, and I love this story because when people, there's so many people that I know that are creatives or they're in marketing or they're, they're in like accounting and the way they describe what they want to do, it's a perfect fit for cybersecurity.

[00:10:35] It's a perfect fit. Like there's spots for them, but they don't think they can. They're like, well, I, I don't know. I don't, I don't know all that stuff. Like, I don't, you know, I'm, I'm not a, I, I didn't go to Compu. They always say like, well, I didn't take computer science in, in, in school. I didn't go. And I'm like, nobody, I'm working.

[00:10:53] Like most people I'm, I'm with, or that I talked to on a regular basis did either. Right. Some of them went the traditional route, but so many have gone a non-traditional route per se. So like what can. Share about when, when you're mentoring people breaking into security, what are some of the, some of the things you, you guide them with?

[00:11:18] Yeah. Some things I guide 'em is to not overlook the basics because one of the things too, and one of the things I wanna share too, that I constantly get this questions from people I teach and mentor is, you know, I went through a background of being a CIS admin for six years, and then I worked on the blue team.

[00:11:35] In application security for seven years and they ask, do I have to make this? Do I have to take this path? And there's a lot of people out there that sometimes they're people that, that do actually gate keep. And then there's some people that, this is my experience, they're sharing their experience. They think because they went this route, other people need to do that too.

[00:11:55] And they're, they have good intent. But one of the things I tell people is, you can learn that cuz [00:12:00] if I would've known about pen testing or ethical hacking, When I first thought about going into, , it, I would've headed down that path first, but I didn't. But fortunately, going through all these other things helped prepare me for that job.

[00:12:13] So yeah, you don't have to be a CIS admin. You don't have to be on the help desk, but you need to learn the networking skills, the computer skills and that sort of thing, because if you get a shell, you know, access command on access to a server, network device. Absolutely. You've gotta know what to do at the command line.

[00:12:30] Yeah, exactly. Yeah. Right? Yeah, yeah. But, but the, I think what's important is that there are people, number one, there are mentors like you and, and several key others that will help you, that will help somebody steer them in the. Of where they want to go. And then there's some specific things to learn, right?

[00:12:53] I mean, you don't have to learn all about operational resilience and SOC management if you're gonna go into the red team side, right? Right. And I think eventually, eventually you will, like eventually you'll want to learn a little bit about all of this, right? And I think that's where C I S S P and things like that can come in where it gives you a good global view.

[00:13:17] Of the entire AR architecture. Is that fair to say? Yeah, and I think one of the things too is to look at all the different areas of security, because one of the things, if you want to be a pen tester, then do it more power to you. But one of the things I do, mm-hmm. . Recommend people do is go to some of these security conferences.

[00:13:35] Look at some of the other dis different disciplines. You may decide you wanna do something different. I had one of my former coworkers from US Bank on my podcast last year. He's my number one episode because the, the title I came up with. But what happened was he was in it there, he was taking some courses to get into digital forensics.

[00:13:54] He decided he was taking, taking all these sands? Yeah, he was taking, he was taking [00:14:00] these courses through Sands so it wasn't cheap. And then he decided, you know, maybe I should take the g n course because if I learn how to hack, I could be a better digital forensics person. So what happened? He took that course and it totally switched What he did, he went into pen testing.

[00:14:14] So if he hadn't explored other things, he would've been doing digital forensics. He may have loved it. He, you know, may have done, he may have been better at it, who knows? But he did get to determine , you know, what he truly was passionate about. And we, if we follow our curiosity and passion, we're gonna put in the time and effort to do it.

[00:14:31] Some of these things like digital forensics and pen testing are probably some of the most difficult roles in cybersecurity to learn. Yep. You know, if you're setting up firewalls. When I did that, that wasn't a big deal. I had the networking background, but learning how to hack was the most difficult thing I'd learned.

[00:14:46] And just my familiarity with digital forensics. My wife works in digital forensics and seeing her go through that, you know, it takes a lot of, effort and knowledge to be able to excel in that area. So. Let me, let me tag off that just a second. So your wife works in digital forensics. How did, what inspired her to do that?

[00:15:06] Like what, how, how did she get in there? So, yeah, she's got an interesting story as well because whenever we met, she was going to school to be an occupational therapist, so she made a couple Yeah. Career changes too, which is inspirational to folks. She worked in nursing homes in the late nineties.

[00:15:25] As a therapist. And what happened was the government quit, allowing as much money through Medicaid and Medicare for mm-hmm. , occupational therapy treatment. So one of her former, her co former coworkers said, my husband works at a software company. You should apply there. So she worked at a software company for 16 years, doing customer.

[00:15:45] Also doing some education, teaching customers on their software and eventually moved into management and got laid off there. And when she got laid off, I said, would you consider reeducating yourself for a different role? Because she wasn't sure what she wanted to do and she really didn't want to go [00:16:00] back into the healthcare side of things.

[00:16:03] And I recommended, digital forensics or data analytics and digital forensics was more interesting to her. So that's the, the path she's taken. And she's been doing that since like 2000. That's a really, and I think story, and I think that's a perfect example, right, of how you can pivot in your career no matter where you are in life and make a move.

[00:16:24] And not only that, within cybersecurity, you could be going down one path and discover that, Hey, this has led me to something else that I'm really in about. And you can pivot within cybersecurity and change your career. And I think that's what's really great. So it's the more people we talk to and David and my experience and the, the listeners that, that chime in that, you know, they, they were going down a particular path or they, they were.

[00:16:50] A server at a local restaurant, they really were paying their stories. So that's why we'd always like to share those stories. And that's, that is really cool that your wife got into digital forensics like that. , let me lemme switch gears for a second on you. Something I, I've been wanting to ask you since we talked last week.

[00:17:06] As we know, things change in cybersecurity like rapidly, right? Like all the time. Really the, the whole innovation of, of AI and what it's being used and probably shouldn't be used for by some unethical people, you know, with chat G P T and, and the other, platforms and services that are out there.

[00:17:26] What, what's your opinion on that as far as cybersecurity? Because David and I have talked to guys that are having AI right code for them, and I, and I just see this could go down a slippery slope at some point. What are your thoughts on that? I think the way we gotta look, I'm pretty excited about it because I kind of started playing around with it in the fall.

[00:17:44] I saw someone, what really got me interested was someone wrote a bash script to do reconnaissance for pen testing or bug bounty, and I went and looked at that bash script and was really cool that it went in and actually even the script installed the tools if [00:18:00] they weren't installed and they would run all those tools sequentially.

[00:18:03] Do the reconnaissance. So that was very interesting to me. So, so I started exploring it and then through checking out some YouTube videos and things, I saw some, the, the big power for me is, and I love is, is using it for writing. So I'll actually use chat g p t for my summaries and titles for, for my podcasts.

[00:18:22] And so just trying to. Outlines for something that you're wanting to learn, you know, articles you wanna write, it's super powerful for, for writing. But one of the things that really even got me interested in it all is the company, company I'm currently working for is P Cognito. They have a SaaS-based, external attack service management solution, and it uses machine learning, AI, and, and natural.

[00:18:49] Programming or natural programming language or whatever, natural. But any rate, it, the thing I saw from being a pen tester and where people that are pen testers, you don't have to worry about this, I don't think we're the demographic that has to worry about this hurting our jobs. Companies really hadn't been able to skill, to do, to scale, to do as much pen testing as they need.

[00:19:10] And from my job, seeing how they're able to do reconnaissance over thousands of hosts, which would take someone, even with scripts and stuff a long time, they're able to automate that machine learning and ai. We're at a point now. We can't. And one of the things too is I say as a pen tester, ever since I've been in pen tester, there's been vulnerability scanners.

[00:19:31] But we gotta look at it like this. Tools have evolved at one time, pen testers didn't. Vulnerability scanners, they had to script or write program sort of thing. Yep. This is an evolution of tools. It's gonna make our job easier and, and get rid of the mundane things so we can focus more on the, the fun stuff like the hacking.

[00:19:47] So I think it's really just gonna elevate the school set, the tilt, the tool set. I really can't wait to see what the vulnerability scanners end up being capable of in the exploitation frameworks, although it's gonna make it. Easier for the bad guys, but [00:20:00] they had the capabilities to begin with. And another thing is, is ethical that this is out there.

[00:20:05] To be used it, you have to look at all the hacking tools. If you made the hacking tools where not everyone had access to it, then we'd have a whole generation of security researchers that would not exist. So yeah. Right. We have to. Yeah. To me, to me it's, it's one of those generational technologies. It's gonna be the people that understand it and the people that haven't tried it yet.

[00:20:28] Right. Or just dabbled with it. It's definitely something. Whether you're not technical at all and you just wanna write right, and you're, and you're creating a, a proposal for something, or a legal brief or a medical description, whatever it is, engage with those programs. Because even for ideation, just to be able to throw up ideas and have it spit out some, some framework, and then you can put it in your own words, it's, it's phenomenal.

[00:20:55] Yeah. I'm, I'm really moved by it. What, what I'm concerned about is, do you. , do you see it? And I, I think I know the answer, but what is your opinion on whether it's gonna be able to create or generate polymorphic code, like code that adapts on itself and that gets into a system? Yeah. I think it's possible.

[00:21:15] And eventually what happened and, and even, and before we get a little further, what, there's one quote I want wanted to share too, is, one of the best quotes I've seen around AI is AI won't replace people. A person using AI will replace. But yeah, I think there's capability. That's a great way, . Wow. I love that.

[00:21:32] Yeah. And one of the things too, when you're talking about poly polymorphic code and just be able to, and in the same spirit, is general ai. That's where. I listened to Daniel Meas, there's podcast, and he was been speaking on general AI and interesting enough, open, open. AI said from the investment they got from Microsoft that now they're able to start working on general ai.

[00:21:55] And with typical ai, you have to feed it information. It has to [00:22:00] learn. Once you get to general ai, it's when it comes up and does things on its own, you have to feed instructions. Now, computers, both as general ai, it can learn and figure out how to do things on its own. Currently, if it's going to create some kind of exploit code, you have to feed it the information, and sometimes it takes some tweaking.

[00:22:18] Once we get to general ai, whenever that happens, it's just gonna be a learn you. It is scanning a system and it can figure out how to break in, but we're not at that point yet. Yeah, absolutely. Absolutely. And we've got a bunch of different questions and some comments from some of the, listeners on the livestream.

[00:22:34] We'll get to those in just a second. So thank you for those. Anybody has any questions at all, please throw them, throw them in into the chat. We, we will get to 'em. Let me ask you about pen testing because there's, there team seems to me in the field some confusion. There's some smaller companies that might not have somebody that is a practiced, trained ethical hacker, right?

[00:22:58] Like a true penetration tester that will. Buy a license to a tool and run a scan and give a client all of these reports that just kind of drone on, and then try and sell them proposals to kind of fix those things when they're not really, really critical. And then you have like the, in my opinion, kind of the true penetration testing.

[00:23:19] How, how do you, do you see the difference there? Like, are you seeing it or are, are you really only dealing with the, the true penetration test? Yeah, I've, I've seen a lot of different cases of being in there. You see the, the, the bad , experiences along with the good experiences, and I've talked to some folks that, that how they got their start in pen testing.

[00:23:41] They were working for a global company and basically they're instructed to go in, do a nesta scan. Put the results in their boiler plate template and hand them to someone as a penetration. That was David and I see a lot of, yeah, so there's a lot of that. Some people are just, you know, sketchy business ethics, and then some [00:24:00] people legitimately.

[00:24:01] Think that's the way it's supposed to be done, but it's not. But you see, but you see a lot of that. And so if you're building out a practice in a company, you wanna make sure you hire someone, experienced. Then actually we've got someone listening today. John Jackson, he's one of the best hackers I know.

[00:24:16] He's, a penetration tester and he's like the actual fine zero days and that sort of thing. So, You definitely wanna find people that, yeah, John's pretty awesome. I had him, I've known him from the security community, and he's a, he's a really good hacker. He's, I think he's even doing some things for like, the government or something.

[00:24:35] Wow. Very cool. Wow. That's phenomenal. Alright, John Jackson, welcome to the show and we sure reach out to us. We'd be happy to have you as a guest. Yeah, you should have him on. He was one of my first guests. We'd be happy to. Experts in the industry. Right. This, this one comes highly recommended from one of the experts in the industry.

[00:24:51] John Jackson. Reach out, John, feel free to reach out@cybercrimejunkiesgmail.com or@cybercrimejunkies.com. Thank you, John. Thank you, Phil. Thank you for that. Oh, you're welcome. You're welcome. So let me, let me a ask you this. Let's shift gears a little in the context of. Recent data breaches that have been in the news.

[00:25:12] Right. , password managers, one of the best practices that the industry always tells, small to mid-size businesses as well as larger organizations, and even individual families. Right. Because I, when, when we're out there training, mark and I are part of in info guard and we're out there training people as a public service and when we're doing.

[00:25:33] You know, we're always making some recommendations, but we lean on people like you to to feed us those, right? And they change over time because at certain times there are certain things that people tend tend to miss. Password managers have always kind of been a suggestion. Personally, I always like algorithms that you just memorize and then just use based on what you cite.

[00:25:55] But password managers are definitely convenient. Obviously there've been recent [00:26:00] breaches with Last Pass and Norton's and things like that. What are, tell us what are your, what's your feedback on that? What's your insight on that? Kind of with me, I think it's password managers is still a good idea. And our last pass, they've been breached several times now.

[00:26:15] So I would personally, I was using it for work and after they got breached, it wasn't the major breach that they had, but one before that. After that, I kind of deleted my account and quit using it. So, . A lot of companies don't get breached. A lot of the comp platforms we're using LinkedIn. Different social media platforms get breached, and that doesn't mean, you know, To get off of 'em, you know, of course, change your passwords.

[00:26:41] Same thing with the password managers, but I had switched to a different one. I was actually on Ca Kaspersky at one time, but Yep. You know, even like f FBI is, is saying not to use it, you know, there's still a, you know, I don't know. For sure what the details, if they're giving information to the government or not, but they're doing business in Russia, so you know, if Russia wants that information, they've got it.

[00:27:04] Got it. Keeping 'em from getting it. So I got off Kaspersky and I actually use Keeper now, but I think you really need to, because one of the things I had a bad habit of, and if we're not using something like password managers, then we're trying to, there's a lot of password reuse and I was kind of guilty.

[00:27:20] So one of the reasons I went to and, and put a concerted effort in to switch everything over to a password manager is to to not have those, those risks of password reuse. I could use pa, you know, very complex passwords without having to remember those. And then just the only password I had to remember is the one for my vault.

[00:27:38] Just makes something strong for that. Yep. Otherwise, if you. You could adhere to the Moser methodology, which is the yellow sticky note, or write it down in a spiral notebook that's titled passwords and leave it on your desk. . That's always great for me. I've only been times, so it works. Yeah, so, so [00:28:00] you, you'll, you'll appreciate this.

[00:28:02] So I was presenting at a conference. It was over in San Antonio and. I was waiting for, there was like a, like, there was a lot of people in the room, right? And I'm up there and I had to call because I couldn't get on the the wifi there and, and I had to call for their it who was gonna, Put down their sandwich and it was gonna take like three hours to do that.

[00:28:23] And I had to start in like eight minutes and I'm like, this can't be that hard. So literally I looked around and boom, found wifi password, found the other password. And from there like I was actually even able to get into other things. There's no reason I should have been able to get into just by having that public password.

[00:28:42] They didn't even have the network segmented or anything, and I was doing this kinda all in front. Group of like 170 people and I was like, here, here you go. Like, here's, we'll, we'll get to this in just a second of why you're not supposed to do this, but here's a great example, right? So the Mosher methodology of like throwing it on the,

[00:29:06] let's, let's talk about, ok, we're talking about vulnerabilities on the network or, or perceived or recognized vulnerabilities with on a. So that leads me to another ever evolving and changing aspect. Is, is the internet of things, right? With all these new devices and the, the lax insecurity, which I think has tightened up over the years.

[00:29:25] You know, when, when a lot of that stuff first rolled out to the consumers, it was, it was very lax, but what's your opinion? What do you think On, on, on Internet of things and as it relates to you know, to cyber. Yeah, I think one, one thing we need to take it seriously because some cases people think, oh, it's a webcam, it's not gonna affect anything.

[00:29:42] But when this webcam is on your corporate network, right, and using default credentials that someone, a, a, a way someone could get in, especially if you got a wireless network or someone's on the network. And plus also when we gotta look at information security or cybersecurity in general. At one time it was [00:30:00] information security, data security.

[00:30:01] We're trying to protect data. It wasn't all just digital. So if you've. Cameras that someone could breach, then privacy could be breached. It could. Someone's privacy that doesn't need to be exposed. Or it could be some company document documents or something that maybe, you know, if you're at a bank or something and the cameras are focusing on a desk to make sure they're watching whoever the.

[00:30:25] Tellers or people working there, that's information someone could gain. So you wanna take that that seriously. But one of the things, you know, you, you saw a lot of problems with back then was some of the webcams and, and different iot devices had embedded credentials in it, so you couldn't even change it.

[00:30:40] It was hard coded into the firmware. So I think we really need to be careful, make sure we're doing proper seg network segmentation, that we, people can't get access to it, that doesn't need access. And in some cases, if you can do any kind of, that's, Yeah. That, that seems to, I didn't mean to cut you off, but the, the network segmentation seems to be so important, right?

[00:31:00] Because mm-hmm. , when you're able to access from the smart refrigerator in the kitchen area right, to the corporate network, and you're still able to gain access to things you shouldn't. How do we, how do we manage that? I think that's really key. Yes. And then just, you know, and then doing things like with your, your wireless stuff, if you can do some Mac address filtering, just different.

[00:31:25] The more hoops you can make the attacker jump through, the more difficult it's gonna be. And sometimes it's not always, you know, people always wear, you know, people, you know, I talk to all the time that take, take this seriously. But another thing too is, you know, most cases in nation states, not trolling through your neighborhood, gonna hack your wifi.

[00:31:41] You need to be secure. But in some case, some cases you need to be, you know some level of security is gonna limit. A whole class of attackers, you know, script kitties. You know, if you, if you do Mac address filtering on your wifi network, there's a reason they're not gonna, you, you'll, you'll get rid of them or someone that's [00:32:00] just curious.

[00:32:00] You know, some cases people have such lack security that someone that's not a hacker without any experience could get on there. And that's one thing that's interesting too about some of these breaches. It's not always some elite hacker or natia state that's breaking in. , it's just opportunity. It could be someone's, someone's kid or someone, just a little bit of technical experience, browses into something.

[00:32:22] They find an open network share or something. So some, a lot of times it's opportunistic, not really someone that's highly skilled. Whenever I think of internet of things risk, we always think of that, that case where the guy walks into the casino and sees the exotic fish tank in the, in, in the lobby and breaks into that through the smart thermometer in the water.

[00:32:44] And from there gains all of the financials on 25 of the biggest whales, 25 of the biggest gamblers, and then publishes. , like, it's like, like seriously, like how did we, let's, let me dig down into that just a little bit. For the families out there. For the people, right? All of us, you know, every organization when always talk about this in terms of companies and organization, but, well, it's still all made up of people.

[00:33:10] We all have like houses or families or places we live or whatever, and. A lot of us have bought those smart refrigerators, those Alexa, Google, like the home pods. Like everybody's got this stuff around their house and most people don't know that they need to go in to the portals Right. And change the passwords.

[00:33:33] I know a lot of people, like a lot of people, even after they get them, they wind up not even connecting 'em to their wifi. Just to be safe, like they just still use 'em as a traditional oven or as a traditional mirror or whatever the smart device is. What, what advice do you have? Do you have any, any other thoughts on what PE people can do in individuals for to, to protect families?

[00:33:57] Sure. Make, make sure you're using strong [00:34:00] passwords. And the thing about that's nice about when it comes to smart devices, IOT devices, it's not something you regularly log into. So it could be a really long password. The more longer the password, the more complex, the more difficult. It's for someone to break in and even do network segmentation at home.

[00:34:16] I mean, set up most of your decent routers will support multiple subnets and it's not that difficult. You create a different sub. with it. And so there has to be some routing in place for them to jump to the other device. So simple things like, simple things like that will, will go a long way. And then really make sure that you're working on, on your connection to the internet.

[00:34:36] Make sure you got a firewall in place. Have that really secure because your risk's not really gonna be your neighbor coming in through your wifi unless you're somewhere in a very highly populated area. You know, neighborhoods, you're not really have to worry so much about attackers. You're more, more at risk going to a coffee shop, but make sure you got that firewall.

[00:34:56] Exactly really locked down using, you know, many layers of security. So that way, and one things people overlook to sometimes is just, you know, what antiviruses and things like that can do, you know, and firewalls on your, your personal devices. Excellent. So, Some people won't know how to segment a network at home, right.

[00:35:17] Or in their small business. But there are, there are. It's not that hard. Right? You don't have to be very technical to, to, to do that. And most of the routers and firewalls that they have, even at the consumer grade level, there's a YouTube video on how to do it. It's, it's, you, it's really, really not that. So I always like to kind of go down to that level because I think that's something that impacts everybody.

[00:35:40] Or it gives us something to tell our elderly family members when we go visit because all of us that are in technology in any way are, are tech support for our elderly family members, right? Like we always are the ones, like it calls for that. There's some great questions. You can follow Kimberly can fix it, one of the listeners, [00:36:00] and absolutely a 100% effective way on the internet of things not affecting your network.

[00:36:06] The safe way to do it is don't even connect them. There's always that option. Yeah. And, and, you know, and then maybe for a small fee, some of the listeners could do a sad consulting job and help you s your network. So, you know, there's, there's multiple resources. There's no reason not to do it. I do Mac address for drink if at my home.

[00:36:27] You know, there's no reason that, that, a small business can't really believe that. David, there were some good questions in the in the chat comments. You wanna take a second? Maybe? Yeah, I wanna go through some of them. Is that ok, Phil? Yeah. Is that okay? Sure. Can we, can we address some 'em? So North Star two.

[00:36:41] So North Star two asked what would you propose as an alternative to password phrase for wifi? Passwords for wifi seem to be an outdated thing, easy to crack since they need to be easy to share and. Great question. What would you how would you address that, Phil? I would actually use the password phrases because I mean, it's one of the things, and it doesn't have to be too difficult to remember because one of, one of the things over the years I've done is trying to make things more user friendly at home , which drives my wife crazy.

[00:37:12] Sometimes you find once she gets a new device and trying to get on the network because it had the Mac address filtering on there, but. With password phrases. Sometimes it can be as simple as you can take a combination of phone numbers, birth dates, and make it really long. So they say really the tougher to crack passwords are the longer ones, not so much the complexity.

[00:37:32] So it could be a sentence, you know, you could find a, a book and pick a sentence out of it or whatever. Or just something easier to remember. But then again, you know something, you're constantly have to log in. So you, you maybe add new devices. , but even a longer complex password's not that bad because I'll, you can e and with that you can also save those in your password managers too.

[00:37:52] And if you have like a password manager that has like family sharing, then you can share securely those, those password [00:38:00] passphrases for your wifi devices. Absolutely. So Don Dobson said a hundred percent agree on the network segmentation. I think that's really key. Ask the Red Cross that got hacked from their wireless thermostat that was plugged directly into their network.

[00:38:15] That's interesting. So again, network segmentation, right? Like, and, and it's, it's really also a matter of almost Pam, right? Like privilege access management. Once they get in, what do they get to see anyway, right? If you can control that, if you can control that and you can limit it, it's very similar in theory to endpoint management on devices out in the field, right?

[00:38:39] If, if they can only get a portion of that device and not come to central headquarters and gain access to the, to the main organizational network, then then the job is at least limited, right? Cuz not all data breaches are equal. Would you agree with that? Yeah, I agree. What in, in terms of severity of breaches, right?

[00:39:03] What are some of the most important things? Catching it right away, right? Limiting access. What, what, how, how, how would you look at that? Yeah. One of the things, if your, your environment, if someone if you've been breached, some things you might, someone mentioned earlier about, Kimberly mentioned about disconnecting iot devices.

[00:39:22] So at that point, you may just want to take your internet connection offline until you can get things remediated. And if even if it's say a, you see it's on. Certain network segment, take down that network segment. But one of the things too is make sure that you, one of the things I've seen too is that you're taking the right approach.

[00:39:41] Because I have a friend that does some side consulting for a company. They got a pen test because this company got breached. If you got breached, a pen test is a good idea, but get your digital forensics and incident response team in there to find out where they come in from and be able to shut down that activity.

[00:39:58] Get them outta your network [00:40:00] before you perform a pen test. , you figure out how they got in later. You need to stop the bleeding and take care of, you know, the, the breach itself. Yep. Yeah, absolutely. Exactly. Fix it. Kim Or Kim fixes it just mentioned in the chat about just ask chat g p t. They'll show you how to do network segmentation, which is pretty, pretty, that's pretty spot on.

[00:40:25] Here's an interesting question. What steps can organizations take to effectively defend against adva? APTs, right, advanced persistent threats. Given, constantly involving nature of these attacks and the limited resources that are typically available for cybersecurity. Well, that's, that's a loaded question, right?

[00:40:42] Yeah. There's, yeah. What, what do, what do you, when you address APTs, what do you, how do you envision the best defense for them against them? Yeah, you've gotta constantly be evolving your defenses, you know, making sure that you're staying on top of your patching. Not, you know, if you got firewalls, make sure you're staying with the latest OS for those firewalls, right?

[00:41:10] Make sure you're constantly evolving your defenses, but also too, you need to know your enemies. So having Pentest perform red team operations, finding those holes that could be exploited, keeping up with threat, inte. Using resources like the Mire attack framework to understand these different type of attacks through threat intelligence and mire.

[00:41:29] You can figure out what type of APTs would target your, your type of industry. Yeah, great point. Absolutely. Let's touch on the mire attack framework because we. We use it in our organization. Most people on our podcast always, always mention it, and it's, it's for obvious reasons, but tell us why you see the value in using that framework to address risk.

[00:41:55] because it really addresses the threat actor, how the attackers work. You know, you've got [00:42:00] some, some great technologies out there and things that work for defense, like Zero Trust. But with Mir, you're understanding how the threat actors work. I mean, it's really nice because even if you're doing any type of red team operations, you can go through there and emulate an A P T, see some of the common tools that are being used.

[00:42:19] So it's really one of the things that I. Is one of the best features is that it helps the blue team or the defenders understand the attackers without having to go out and learn to be a pen tester. Yeah, that's a great, that's a great way of looking at it, right? Because understanding the adversaries, the, the organizational structure, how they're organized, how they execute is so important because otherwise, , you're just making all these assumptions about how they're gonna get in, or what they're gonna do or what, what, what methods they're, they're gonna use north Star two s.

[00:42:56] Do you think there should be some sort of basic info people have about it before they use this stuff? Kind of like, you should be able to change a tire before you drive a car type thing. It's a great question. An interesting Alex, like it's a, that's a great question. So, Phil, well, what are, what are your thoughts?

[00:43:14] I'll be glad to share mine , but I'm not the guy, so I guess they're referring to the, the actual individual users. So, yeah, if you're, if you're, you know, using technology to home, then definitely the more educated consumer you are, the better off you're gonna be, plus configuring this stuff. So I would definitely say that you want to learn if you're using this stuff, learn about the technology because people that don't understand the technology, and this is, goes to even being a home, more likely to get breached and someone understands it cuz you're able to configure things properly.

[00:43:48] And so yeah, I would make understanding that, understanding the basics of security. Even if you're interested in in pen testing, then you really should understand the defensive side of things too. How to be able to meet the, remediate those [00:44:00] items and protect against it. So yeah, any level of knowledge, it basics and basic security.

[00:44:06] If you're just a an individual user, then that's definitely something that would be. Absolutely. I would agree. And with, with the resources available today and this, the, the openness and willingness to help with the cybersecurity community online you know, you, you can self-teach yourself very easily.

[00:44:25] Like Muhammad said, MAC filtering and guest networks are best for home networks. And you, you can, you can line that really easily or you could , as Kim said, you could go ask chat G p t and probably find out just as. Yeah. I think there has to be some, some basic level of knowledge, some foundational understanding to, to maybe not even properly protect yourself, but at least to give yourself a fighting chance.

[00:44:48] Yeah. And situation Mac address filtering. So, so changing your, your wifi access point to be f b i surveillance van is not good enough. , you see all your neighbors looking out the window. Like, I think that was one of the first things. Yeah. Remember doing that back in like 2008, 2009, and doing it. My neighbors were like, did you guys hear there was like an FBI van in the , my wifi, like, do you work for the fbi?

[00:45:18] I'm like, if I did, I wouldn't tell you. But no

[00:45:25] that's, that's an old one. Somebody else here commented on the breach need IR before pen testing, you know, incident response. Evaluation. And I think what the question is it's from, it's from Tim Lawrence here, I believe, and Tim, you can clarify it, but my understanding of what he's asking is should they focus on operational resilience like war games, tabletop exercises?

[00:45:50] I don't think they should be. Yeah. I mean, there's a huge value in that and I'm a huge proponent of that. I don't think you do that before pen testing. I think it all needs that. No, I [00:46:00] think, I think he was referring to post breach. You've been, I think, host Breached. Yeah. Yeah. I think he was, I think he was commenting on what I was mentioning earlier about the company that had been breached and then, and then they're wanting a, a pen, doing a pen test first.

[00:46:14] I think he was just kind of giving us anemian. Yeah, absolutely. Yeah. I mean, what, what's your view on war games and tabletop exercises? Is that something I see a lot of enterprise organizations doing it. I don't see a lot of small businesses and small to mid-size businesses even aware that they exist.

[00:46:35] When, when I talk to owners of businesses or even their IT teams, who the owners think are their security teams, which is a scary thought right there, right. . But they, but they believe that, that, I mean, they have never even heard of it, nor have they really heard of managed, like sim or, you know, endpoint protection and things like that.

[00:46:56] But, but really the, the practice of all of those policies that you have and who does what, it's almost like a live racy document, right? Like, who would do what if it's boom, like right at like, at the time of boom, who does. . Yeah. Like what happens? What are your what, what's your insight on that? I think it's really important for management to understand, you know, especially I think they're more important, most important when it comes to this is an incidence, this is how we respond.

[00:47:28] Going through those type of exercises. And one of the things for people listening to, if you want a way to do this and, and make it more easy and kind of fun, is black Hills Information Security has their back doors and breaches card sets mm-hmm. that you can use, that people are using for these desk, these tabletop exercises.

[00:47:45] I think there could be some importance there. But once you get to a company small enough, I think it's more or less, you know, just going over the policies and procedures periodically will work well enough. I think you get small enough, I don't really know how much you know, that would help. And [00:48:00] then, you know, some cases people will bring in someone to direct their tabletop exercise.

[00:48:04] So it may be on Budget of a smaller company, but back doors and breaches are just reviewing, reviewing the documentations for the process and procedures would be good and make sure everyone's informed and having these in place too. Because one of the things too is I've talked to some fellow, fellow offense security professionals that have been places to where they were performing pen tests and actually during, it was like a more of a red team operat.

[00:48:30] It's supposed to be cover covert. No one know knows what's going on. They didn't tell enough people in management that they actually had IR teams on site investigating it. So there wasn't someone in the know somewhere, someone in that control group needed to, to be in place that could have said, yeah, this is this is not a actual incident, you know, or Wow.

[00:48:48] Yeah, , holy. Hey, Phil. Thank you so much. We have thank you everybody for, for joining in the questions that we've had as well. We're gonna have links to we'll, we'll release this as an audio episode as well as a YouTube video. After it goes through post-production and we will have all of your information, your links and things, can you tell some of the people and, and, and the listeners what you have, what's on the horizon for you?

[00:49:17] Are you, is BSides gonna be coming up? Do you have presentations? I saw that you're doing some office hours on LinkedIn. Are you also on, on any other channels and what are those? Well, let's see. One of the first things I've got, or some, I've already spoke at a conference and done some other virtual and in-person events, but I've got the B W B B W I C, which is a women's organization.

[00:49:44] It's a women's organization. Yeah. It's I'm trying to think, breaking barriers is what the BB stands for, so yeah, I am familiar with that. Yep. I'm. To them virtually on the 18th about pen testing careers in Dallas. There's a D F W InfoSec conference [00:50:00] coming up next month. And then April there's the space con, the people that did the red, the Red Hat Con Conference in Kentucky last year, they've added a different one at Kennedy Space Center.

[00:50:13] So I'll be doing a workshop there on starting a pen testing career cuz. , I kind of came up with this idea to go beyond my pen tester blueprint talk or different talks on getting into security. Part of the workshop will be on how to get into pen testing, but then we're gonna go a step further and do some hands-on things like doing a gap analysis against our skills, do a skills inventory gap analysis to figure out your personal blueprint to get into pen testing to that.

[00:50:42] And yeah, I was trying to actionize it a little bit. That's, that's absolutely We'll be links all this and how they can connect with you. Yeah. And, and are, are you, are you doing regular office hours, like every day or every couple, couple times a week really, or Nah, that's, it's ad hocs is something you've been doing recently.

[00:51:08] Yeah. Hawk is, someone wants mentoring, they message me on LinkedIn and we can have a call or sometimes can be answered with. , you know, a a, a chat through LinkedIn or, but always happy to help people. That's fantastic. Well, thank you for all you do for the security community, all the insight that you have.

[00:51:28] And if, if anybody hasn't seen his book, the, the blueprint for a pen testing career, it's, it's phenomenal. I've, I've read the, the portions of the digital version, but I want to get the actual, I'm, I'm old, so I like to. The books, you know, so I'm, I'm, I'm gonna a hard cover for . Yeah, no, I'm definitely gonna grab it, Phil.

[00:51:52] So, I, I, I, I think it's, it's coloring books. Yeah. It's, it's, it's the pen tester blueprint, starting a career as an [00:52:00] ethical hacker. And it's published by Wiley, no relation to Philip Wiley. Yes. Spelled ironic enough. Ironic enough. That's usually the way people misspell my name, so it's just funny. Yeah, exactly.

[00:52:11] Just like the publisher of the book out that way. . Phil, thank you so much. That's fantastic episode. I had fun. I've still got a ton of questions I wanna ask. We may have to do a part two for those listening. I, I know, I, I feel like I just looked and it's like coming up on the hour and I'm like I am. I've got like a million more questions for you, , so Yeah, we can always, I'm not gonna put you.

[00:52:33] Papa. We'll, we'll reach out. We welcome Chance Speak again cause we would, we're, we're happy to have you on again. Yeah. And thank you. This was a lot of fun. Yeah. And thank you everybody for joining. These were great questions. I love it when, when yeah, when, when listeners ask and chime in with some really good questions.

[00:52:53] It was excellent. So thank you so much everybody. Me up. That's a great way to start the day. It was really good. , thank you very much. No. Was awesome everyone. This was a great episode. Enjoy the rest of your week. Philip is always a pleasure to speak with you and much, much happiness and and thank you very much.

[00:53:12] Thank you. Had a lot, so much, a lot of fun. Thanks. Thanks. Thanks everybody. Cyber Crime Junkies. Thanks for listening and watching. Got a question you want us to address on an episode, reach out to us@cybercrimejunkies.com. If you enjoy our content, then please consider subscribing to our YouTube channel at Cybercrime Junkies.

[00:53:32] Connect with us on all social media like LinkedIn, Facebook, and Instagram, and check out our website. It's cybercrime junkies.com. It's cybercrime junkies.com, and thanks for being a cybercrime.