What does it take to develop an attacker's mindset from a defender's perspective? Join us as we talk to Bryan, a hacker-turned-blue-teamer, about his fascinating journey in IT security and how his experience shaped his unique perspective on cybersecurity. From his background in desktop engineering to his curiosity-driven dive into the world of cybersecurity, Bryan shares insights on the importance of maintaining a healthy work-life balance and the crucial role curiosity plays in this ever-evolving field.
Discover the significance of manual security testing and the human factor in cybersecurity, as we discuss with Bryan how experience, training, and curiosity create a strong foundation for effective penetration testing. Certifications like the OSCP and CEH can help further hone those skills, but how valuable are these certifications compared to other resources? We explore the impact of increased access to security training and resources on the cybersecurity landscape.
Lastly, we learn about Bryan's journey to prepare for the OSCP certification exam and the strategies he employed to successfully complete it. Balancing certifications with real-world experience is essential, and we delve into the need for more calculated approaches to certifications in order to benefit one's career. Don't miss this insightful conversation with Bryan, as he shares valuable advice for aspiring cybersecurity professionals and how to connect with him online for further information.
Affiliate Links:
NordVPN: https://go.nordvpn.net/aff_c?offer_id=15&aff_id=87753&url_id=902
Follow the Podcast on Social Media!
Instagram: https://www.instagram.com/secunfpodcast/
Twitter: https://twitter.com/SecUnfPodcast
Patreon: https://www.patreon.com/SecurityUnfilteredPodcast
YouTube: https://www.youtube.com/@securityunfilteredpodcast
TikTok: Not today China! Not today
Speaker 1: How's it going, Bryan? It's really good to finally have you on the podcast here. I appreciate you taking the time to come on.
Speaker 2: Yeah, likewise. Been looking forward to it.
Speaker 1: Yeah, absolutely. I mean, you know, it's always interesting when I have someone on of your expertise and background, right? Like, I really like to hear about your mentality of, you know, how you approach different problems, and, you know, because you are a hacker and whatnot, and very, very different from how I approach problems. I tried to be like that double-minded, you know, person, trying to view it from the attacker side but also view it from the defender side. And yeah, it's always interesting to talk to people of your same skill set.
Speaker 2: Yeah, and I mean, to be honest, I started with Blue Team. You know, most of it was Blue Team before it even turned into that, you know, red. And so, like, understanding what the attacker was doing in order to better defend. I mean, most of my experience, to be honest, has been around defense and response, and only, you know, that specialization of the red team and that hacking mentality is really what kind of drives, like, the Blue Team. You know, if the red team wasn't there... their main goal is to be, you know, a driver for change on the Blue Team. So it definitely is that, you know, two-sided piece.
Speaker 1: Yeah. How do you think, you know, getting the bulk of your experience on the Blue Team, how do you think that kind of formed or shaped your mindset when you're on the red team side of things? Because, you know, so, for me, when I was getting more into the Blue Team side of things, I actually took the CEH certification because I felt like it would be beneficial for me to understand, you know, at least get, like, a basic understanding of the attack capabilities, what to actually look for, try to develop somewhat of that attacker mindset and then translate it all over to the Blue Team. But I would assume it's pretty different when you're starting out on the Blue Team and you're trying to learn how to defend, right?
Speaker 2: Yeah. So I guess a little bit of, like, kind of where that molded into, in terms of, like, experience-wise, was I was working in IT, so I already had experience with, like, computers and, you know, technology in general, just kind of like A+, like how-to-fix-computers type of work, and that eventually led into having a position where I needed to do, like, desktop engineering. So a lot of that was operating configurations and, you know, setting different policies and managing desktops for an enterprise environment. So you learn, you know, that security plays a big component in all of those configurations. So maybe the security department is coming and saying, hey, we need to have, you know, these configurations deployed onto, you know, X amount of servers or laptops and workstations.
Speaker 2: And, you know, that eventually bleeds into kind of being forced into understanding some security aspect, you know. And then once you start understanding, like, well, okay, well, now, if I put this group policy here, it means that you can't do this. Well, what if you do this over here? You know, just that curiosity of going, oh well, that doesn't seem like it's good enough of a policy.
Speaker 2: Maybe we need to do something more, you know, to actually cover someone who's thinking creatively or outside the box. And, you know, it kind of just developed naturally into where I wanted to go to. But, you know, I already had, like, the launching platform at that time to be able to, you know, get that exposure, you know, to such, you know, enterprise configurations seen in the blue team, you know, in the actual hardening of these desktops, and then, you know, looking at it from the other side and going, all right, I didn't have experience in pentesting at that point in my life, but I knew that this wasn't the only way to block something. I knew it just didn't seem comprehensive. So that's kind of what built that curiosity, maybe.
Speaker 1: Yeah, I feel like curiosity in security is an absolute must.
Speaker 1: You know, it's an essential aspect of any security professional's, you know, mindset or skill set, because, you know, I remember back to when I was starting to really get started with my IT career, for college. You know, I started to, like, you know, learn more about security and learn about this field and whatnot, right? And in doing that, I started looking at my own company's application a different way. Like, okay, so how does this web app communicate to the database? And how are we storing this data in the database? Like, what are we, you know, doing to actually secure it and encrypt it? What happens if I start shutting down these services over here?
Speaker 1: And, you know, it led me down many, many rabbit holes that, you know, I'd spend entire work weeks going down, which was interesting because, you know, then, when other people on my team, even, you know, the engineers, and I'm like, I'm just an app specialist, you know, when even the engineers would run into random problems, like the most random issues, they would go to me and be like, hey, do you have any idea of what's going on here? Like, before we go talk to the devs, do you understand it better than I do?
Speaker 2: It's like, man, that root cause analysis there. You've been in the weeds so far and you've gone down these paths that now you've somehow become the expert across all the spectrums of those, you know, individual, you know, job functions of that app. I've been there, I know that.
Speaker 1: So, and it all comes from curiosity. You know, like, is there anything that you do, potentially, to keep your curiosity going? Because it is actually really important. You know, like, I feel like if you lose your curiosity you start getting burnt out so much quicker in this field. But if you can somehow maintain it and kind of water that seed or water that plant, you know, you can keep on going in this field. Is there anything that you do?
Speaker 2: Yeah, well, curiosity and burnout, you know, those are kind of opposite ends of the spectrum there. So I totally get what you're saying here. Is that creative, or being curious, or thinking outside the box? And, you know, that's kind of a personality trait, right? You can be trained and you can learn, you know, how to be more effective at such things. So, you know, just streamline it, maybe, give a methodology and just focus in. But, you know, like, I've always been a person to DIY, for example. You know, if there's something that costs money, you know, I'd be like, well, maybe I don't want to go out and spend it, I'll try to build it. Or, you know, I'll grab a paintbrush and do it myself. And, you know, that's kind of just always the personality type I've been my whole life. And that is something that I think is needed, not necessarily as a prerequisite, but to be a, you know, a hacker. You know, not a pentester, but, you know, that hacker mindset, I think, is really about being curious. And keeping that passion alive, of course, is a balancing act.
Speaker 2: You know, when you have, you know, demanding family and jobs, and, you know, work-life balance is a big deal, right? So I don't think I have specific advice other than to just not have anything take over, you know, the things that you feel passionate about already. You know. So I still go outside, and, you know, I like mountain biking, and, you know, I have a beer league hockey crew that I play with. So it's a balance. You can't always stay, you know, hands on keyboard and, you know, working till four in the morning on those projects and then maintain a healthy lifestyle, right? So I'm learning more and more as time goes on that, you know, it's more of a balance, and that's probably my advice: just keeping more of a balance with your personal hobbies, your IT-related hobbies, you know, and then your professional life too.
Speaker 1: Yeah, that's very true. You bring up a really good point, is having those kinds of hobbies, you know, that have nothing to do with anything technical. You know, like mountain biking is yours. Mine would be probably, like, detailing my car. I'm really into that, at least recently. It's something to kind of break the monotony, you know, of our day to day, right? Because in security it's not always, like, the flashiest thing, right? Like, we're kind of called in, you know, last minute when people don't know what is actually going on, and we're just there for, you know, probably 30 minutes versus a problem, right? Like, that's when we're earning our paycheck, so to speak. Or at least that's what a friend of mine says. You know, like, we earn our paycheck maybe a week out of the year.
Speaker 2: Yeah, it's like the legal team and the security team are usually the most, I don't want to say hated, that's a strong word, but there's a certain thought process, you know, people in the business might think of when they're talking to those departments, because we like to say no, or we're at the end. I think it's shifting a little bit, to be honest, and, you know, security is starting to work as a whole, like, with businesses, the business, to drive, you know, further things, and I think that helps, or not helps, but rather, seeing all these breaches that happen in the news, and, you know, security is more on the front page. So we, you know, it needs to be seen as less of the gatekeepers and more of just enabling, you know, IT and the business to be able to do their jobs effectively but also safely. But there's a certain stigma, you know, that's still there, needs to be overcome. But there's a certain stigma, sure.
Speaker 1: Yeah, you know, it's interesting that you bring up legal because, like, recently, I had to myself, like, review some contracts and stuff that I have going on on the side. And it was, like, an interesting learning curve for me because I haven't had to put on my legal hat in a while, since I got my bachelor's in criminal justice. And so, like, it was like doing security but from a different aspect, like, okay, if I leave this statement in here, what risk does that open me up to? You know, like, things that I'm sure, you know, any lawyer would just find a cakewalk, right? Like, I'm spending, you know, hours on it, reviewing it and editing red lines and all that sort of stuff. So it's just an interesting similarity. I didn't really think of lawyers, honestly.
Speaker 2: Yeah. Well, you mentioned, you know, creativity and thinking outside the box, and that's applying towards everything. So you're looking at this document, you're going, you know what, I think I might need to put something here, or what if this scenario happens, you know, and all those things play into it. You know, if you're doing a pen test, regardless of what your scope is and everything, if you're thinking about it, you know, very narrow, you're not going to find everything that your adversary is going to find, because you're scoped. You're scoped into this certain mindset: okay, I have to only do X, Y and Z. And at that point you're just a human vulnerability scanner. You know, you're not really getting that element of being creative. And that's where I think that these types of, like, skills are really, really important. You know, when any company is looking to find someone to be able to do an effective penetration test, that manual, that human factor, you know, plays such a big part in it.
Speaker 1: Hmm, yeah, that is... it's very interesting. You know, you talked about being narrow-minded, right, or how you could be. Do you think how you break out of that is with experience? And so, like, specifically, you know, when I was getting my master's degree, we had a pen testing class. And like, the one thing about the degree that I got, at least from the school that I went to, was extremely hands-on, you know. So they had one class, you know, every semester that created a secure network, and then they literally had a red team class that the entire semester they only learned how to break into secured networks. And then the final was to break into this secured network that the blue team class had set up. And, you know, I actually, like, put the things that we learned to the test, and I kept on running into this roadblock where, you know, I felt like my skill set was limited.
Speaker 1: Right, because I don't do pen testing, I don't really ever do red teaming. That was kind of the one time I did it, you know, and so I'm not used to thinking of problems in that way or exploring problems in that way, and so I was very limited in my skill set. But there were other people on my team that, you know, obviously did it a lot more than me, that were able to try a lot more different things, even just have, you know, kind of the right thought path to try the different things that may or may not have worked. Do you think that comes with experience or training, or, you know, what kind of did it for you?
Speaker 2: Yeah, a little bit of both. Right, having that curiosity is going to be, you know, a personality trait, but I do think that being able to know your methodology comes with experience. You know, getting into security, or let's focus, not just security but, like, getting into hacking, you know, and penetration testing. You can go all over and get these little nuggets of ideas, you know, and little things, these disconnected ideas that just pop up everywhere, you know. Maybe you're watching Twitter and there's, you know, a tactic there, you know, or a technique, like SQL injection, and you may understand that, you maybe did a module, but there's nothing that's bringing that together, you know, and making it into this, like, foundation that you can actually apply. It's just these disjoint ideas. And then you go, okay, well, you're ready for your first pentest or, in your case, a capstone project or whatever it may have been, and you're like, well, what do I do here? You know, because I know I did go to my course, I think I applied these skills in the right way, but now here I am presented with a problem and it's just not... the pieces aren't fitting into anything. And that's something that I think has to come with, you know, training and experience. You know, both of those. And, you know, you talked earlier, you know, about, like, OSCP, about talking about that, and I think that that's really, really important, because I also did the CEH, by the way, which I also think is important.
Speaker 2: So the EC-Council, the practical exam, but specific with the OSCP, when I set out to do that, I didn't have... I had these disjointed ideas. You know, I had the things that I was learning in the CEH and maybe some stuff that I had tried through school, but nothing to actually give me a foundation or a methodology to be able to apply it in a real-world scenario. And that's where I think the OSCP really does a good job. It forces you to get hands-on in their labs and then take these ideas and turn it into, like, a work product. You know, something that comes out of it cohesive.
Speaker 1: Yeah, so can we talk about that a little bit, with the CEH? You know, if you don't mind me asking, when did you get it?
Speaker 2: Well, maybe 2015. Okay, somewhere around there. I got OSCP in 2017 and it was a couple of years before that when I got the CEH. So exact timeline, not exactly aligning, but I was working at that time as a desktop engineer, so I was doing that engineering stuff and that's when I was starting to get into security. I was also going to school, you know, granted, for information assurance, which, you know, helps to kind of reinforce some of those skills. But I knew CEH and I was like, all right, if I'm going to do security, I need to get a CEH. It's a good starting point.
Speaker 1: Yeah, I mean, you know, full disclosure, I have really... I have reamed on the CEH on this podcast before. And the primary thing is the cost, right? You know, I took it probably back in 2015, 2016. Okay, it might have been $350, maybe $400 at the time for an attempt. I thought it was extremely reasonable, especially, you know, the exam, at least at the time, was multiple choice, right? So, like, I thought that it was a very reasonable price.
Speaker 1: But now, you know, with it being, like, over $2,000 or even, like, $3,000, you know, it's like, okay, what's the value that we're actually getting from this cert that justifies that cost? And I understand why they're pricing it, right, like that, because they're getting federal agencies, they're getting government to pay for, you know, people to take these certifications. And so they're like, oh, if you want to work in the agency, they accept this cert. You know, and I always tell people that it's important. It's actually extremely important for you to understand everything in that book for the CEH. Like, you should know all of that material, especially if you're going to be a pen tester. It is not that important to have the certification necessarily. I would recommend going for basically anything else, you know. Like, is that
Speaker 1: kind of where your mentality is with it too? Is there some value that I'm not seeing? Because, you know, honestly, right, like, I failed it. I was two questions short because I had taken a pen testing final the day before, and for some dumb reason I thought it was a good idea, while my brain is mushed, to go, you know, take this certification. Like...
Speaker 2: I think in hindsight you look back and you're like, okay, was that valuable? You know, after it's already done, you've already gone through it, you know, and you're trying to give the best advice, maybe, to your listeners, and, you know, what would you tell yourself if you were to redo that without the knowledge that you have now, I guess. But looking back, I think it's valuable. I was spending... like, I got an app on my phone that would ask me, like, five or 10 questions from, like, a test bank of CEH, and I would just be on my phone, you know, once or twice a day, or just remind me of these questions. And I got so accustomed to knowing what those questions were, you know, the types of answers that the CEH was looking for, and by exam time I was like, okay, let's do it. And the test questions that I was doing were very, very close to what was actually on the exam. So it was like, okay, did I get value out of actually getting the certification? Probably not, you know, because I had just memorized all these concepts and the ideas. But did I get value out of the training? I think so. I think that that forced me into, like you said, consuming that content, and then now it's just ingrained in my brain, and whether or not the test was effective, you know, it really doesn't matter. You know, just, as you said, as long as you have that core information. But I certainly know now they, after that practical, you know, because there's the lecture book one and then there's now the practical, but there's so much.
Speaker 2: It's a big space in the certification game now. There's a lot of players. There's a lot of, you know, resources that didn't exist when I, at least, was going out, like TryHackMe, and, you know, Hack The Box and some of those things. You know, there's a lot of alternate ways you can consume this content and get ramped up faster than maybe what the CEH can provide.
Speaker 2: And, you know, I started security in college. That's like, I've had barely any IT prior to that. And now, you know, you see kids that are coming out of high school with just mad skills. You know, they may not have all the experience, right, but they might be able to go to, like, the CTF at a conference because they've just got exposure. There's better access, which is awesome, you know, but it's different.
Speaker 2: So I think that if somebody was to ask me, like, hey, what's the certification you recommend first? You know, you kind of got to get an idea about what kind of personality they are, or maybe where they want to land, you know, for a job in five years. And I'm not going to say OSCP unless you want to be that hacker. You know, it's a tough thing. You got to really put your mind to it. You can become obsessed, essentially, with studying. Whereas the CEH, you know, I think, like you said, it gives a very good entry into the concepts of, like, the terms and, you know, things that you're going to be seeing on a day-to-day basis.
Speaker 1: Yeah, I agree, you know. I think another way of potentially looking at the value of a certification is, you know, looking at the jobs that it will enable you to potentially get, right? Like, nothing is guaranteed. You know, just because I have a CCSP, right, doesn't mean I'm going to be in cloud security. Like, maybe I don't have the experience or I'm not a good fit for the role, or whatever it might be. Like, that CCSP doesn't just cover everything, you know, all of the requirements, right? But one way to look at the value is, you know, looking at where you're at.
Speaker 1: And, you know, at the time, for me, I think I was making, I don't know, maybe 70,000 or something like that, right? So the CEH, you know, would have given me a decent bump if I had started to go down that route more, and so that's how I viewed it, you know, because the cost of the cert wasn't that much. And so it kind of just made sense, right? It was the next reasonable or logical evolution, you know, to my learning and whatnot. But, you know, why don't we talk about the OSCP a little bit? Going into it, you know, was there anything that maybe you had to go and, like, learn or relearn, or was there a certain certification that you felt, you know, oh, I wish I had, I don't know, maybe a forensic certification or something like that, right? Where, in a situation where you felt like you were underprepared for it?
Speaker 2: I was certainly underprepared. So, I got into the OSCP. You know, I was, like, setting a goal, right? And I was like, okay, I'm going to do this. I was lucky enough that my company was able to front the cost of that certification. So I did the 90 days. You know, I was like, I got plenty of time to study. You know, you get 90 days in their lab. At that time they didn't have the subscription model they have now, where it's, like, a yearly thing. But I set up the exam afterwards and I was like, okay, this is what I'm going to do. And I get the email to start off, you know, and it's like, all right, your lab time starts now. You get the course book and all the video content that comes with the OSCP, and I was all amped up, I'm ready to go.
Speaker 2: And I watched the videos, and, like, the first module, and I'm like, oh my gosh, this is going to be so hard. I don't know anything. And you look through the syllabus, and you saw it when you registered, you know what the syllabus is going to be, but then you see how many pages it is and, like, how much content is there, and you're like, okay, this is the real deal. This is going to take a while to get through all this. And one of the things that, you know, maybe, like, others had more experience in this, but coming from just operating system experience with the desktop engineering, I didn't know anything about stack-based buffer overflows or, like, you know, reverse engineering or debugging anything, and that was, like, a huge component. I don't know if it's still the same way with the OSCP these days, because it's kind of an antiquated way to exploit, you know, a binary, but it certainly teaches a concept of, like, what it means to overflow a buffer.
Speaker 2: So you get your code to execute by sending, you know, jamming different characters into a field, you know, for example, and all of that was really well documented and laid out by the OSCP team, you know. So they were able to... here's the video, here's the content. But really, until you start... I watched that video, like, a hundred times probably, you know, before. I like to watch the videos first and then kind of go hands on keyboard after. That's just the way I learn. And as soon as I started going on keyboard and kind of looking left at the video, okay, what are they doing? Okay, I'm doing this, and started actually going through. And I didn't really understand step by step what was happening. You know, I was learning, but I was just typing the commands and looking at the keys and looking at the debugger screen that I opened for the first time. And then I was like, I'm going to do a debugger. And then eventually, like you said, you kind of just learn that experience and you go, oh, okay, that clicked this time, you know, and I think I'm actually starting to get that.
Speaker 2: So I wouldn't say that I had anything that I could have done better to prepare, because I think that the OSCP coursework does a really good job at preparing you for the content that you're going to be tested on, at least when it came to that kind of stuff. And I was familiar with Metasploit as well, which, I believe that you were only able to use Metasploit on, like, one of the exam machines. So there's, like, five exam machines during the exam, and, you know, one of them, it was pretty much a guarantee that you're going to get that stack-based buffer overflow, back in 2017 at least. And then, you know, okay, that's one machine I could probably get, and then two of them will maybe, Metasploit... I can, you know, find something with Metasploit, and maybe that's two of them, you know, and I only have a couple more. So if I can get the rest of the coursework to a good point where, like, I'm just gambling on that coursework to just guide me in the right direction, that maybe this will be a success.
Speaker 2: And what happened, though, is I procrastinated. I procrastinated. I did, like, the exercises up until that stack-based buffer overflow, and then, after that, I kind of just fell off. And then, by the time that last 30 days came in, if you recall, I said 90 days, that last 30 days I was like, oh no, this is like, this is the time. And at that time, a newborn, you know, she was only a month old at the time. I had 30 days left before this exam, and I'm stressing out, going, oh my gosh, I'm going to do this, but became obsessed, you know, dedicated myself. There was not, you know, five minutes where I had free time where I was not on that VPN in the labs doing everything I possibly could to try to get it. I spent a tremendous amount of time. And then, by the time that exam came, I was like, well, this is about as, you know, prepared as I'm ever going to be, you know, to be able to do the test.
Speaker 2: And it was a random Tuesday, you know, and instead of taking the test at home... it's a 24-hour exam, and I got a newborn, you know, at home, and like this. So I was like, wait, this isn't going to work. I need to find a place where I can, you know, seclude myself and just dedicate myself to this test right now. And so I ended up going to my office, like, at work, and locking myself in, like, a room, you know, and just saying, all right, I got 24 hours, get this done, you know. And luckily I was able to get it. I got it the first time. I was pretty proud of myself, and it was certainly all 24 hours spent. I did not sleep a single waking minute.
Speaker 1: Yeah. Is it 24 hours to do your hacks and get into the devices and then another 24 to create the report? Or do they deal with it differently now? Because, at least when I was looking at it, that's what it was.
Speaker 2: Yeah, it was 24 hours. And then you're essentially put into an exam lab environment, like a VPN environment, so similar to how you were just working in the machines, you know, with the lab environment. They're like, okay, now here's your VPN access that expires at, like, 23 hours, 59 minutes or whatever, and, like, so you just VPN in, and then now there's a certain number of machines that are in there that you need to access, and you can, like, you know, reboot them if you think that something's broken. You know, just like a virtual machine kind of environment.
Speaker 2: And then, after that 24 hours is done, your timer goes for another 24 hours to make a penetration test report about your findings. So that was something I'd never done before either. You know, how do I make a pen test report? That's going to... they grade you on your pen test report and your findings.
Speaker 2: So you best make sure that everything you did, you documented with screenshots, because you can't go back and get that information again. You got to make sure that everything you did was well thought out, documented, notes are taken, you know, screenshots, whatever, because then you can just put it into the report afterwards. And it took me another 24 hours for that report. Granted, I did get some sleep, you know, and I was able to do that one at home. I didn't stay at work for 48 hours. That'd be a nightmare. But, yeah, I was able to get that report and send it in. And, man, when I got that email a couple days later, you know, they grade it, it was stressful up until that point, but when I got that email that said I passed, I was like, I made it. So, so happy. It was a really big accomplishment.
Speaker 2: I got this tattoo in 2017. So I was like, that's, like, a life goal.
Speaker 1: Yeah, yeah, absolutely. I mean, you know, I've wanted to go after it myself, but I feel like after this year I'll consider it again, because, like, this year I want to knock out an AWS cert and the CISSP that I've been putting off for, like, three years. You know, I'm getting laughed at by people because they're like, you could literally go take it right now without reading anything and pass it. And, like, I know I'm just lazy, I don't want to spend the money, you know. So my company's finally going to pay for it. Nice. Most likely. So we'll see.
Speaker 2: Yeah, that's a big one. I know several people that have a CISSP and I think they all took, like, the, you know, the big crash course, you know, just immersed themselves in the content completely, and then, I think, whatever course they had, they took the exam afterwards. But it covers a broad spectrum, right? So, depending how long you've been working in industry and where your strengths lie, you know, maybe you could just swing it and pass it. I wouldn't say that's the best strategy, but yeah.
Speaker 2:Especially if you're, like you know, sometimes getting the search like help on it from an HR perspective, right, and you talked about C E, h and just to go back to that, just real quick, certified ethical hacker, you know, to a company that doesn't have a modern, or not a security company that doesn't have a modern, you know, pulse into what a security individual might have, that certification might actually look like a more valuable certification than O, s, c, p or or others, just because of the way the terms are. certified ethical hacker Well, we want one of them, you know, versus offensive security, what you know. so sometimes it's the name of the certification that can help on the on the paycheck.
Speaker 1:Yeah, that's an interesting point. I actually never really thought about it like that. And it's more popular as well. You know, like, if HR were to go and look up, you know, OSCP and CEH, they're going to see a huge difference in marketing material. And, you know, I mean, obviously I like Offensive Security's product, right, but, you know, the CEH, I mean, they just market their product a little bit better, they sell it just a little bit better, you know, and that's why they have that premium on it, right. Um, it's an interesting area for sure. You know, you mentioning that you had a newborn at the time, like, I have a newborn right now, my first kid. Thanks. You know, I literally told my wife, I'm like, I literally could not do anything that I'm doing right now if it wasn't for you. Like, oh, yeah, she has to.
Speaker 1:You know, she has to, like, fully focus on the baby. And I can focus on the baby for a short amount of time to give her a break and whatnot. But, like, I got to go back and do work, I got to go back and create content and courses and, you know, all this other stuff, because I'm trying to build up a brand and whatnot, you know, and there is a negative possibility of me being able to do all of that and raise a kid.
Speaker 2:I think, yeah. If I go to ask my wife, it's, hey, you know, remember that time I was studying for the OSCP? She's gonna remember that time too, as well.
Speaker 1:Yeah, it's, you know, the CCSP was kind of like that for me, where, like, I just had to shut everything off and completely just immerse myself in the content, and I failed it the first time around. Actually, I took a bootcamp, and then, maybe two weeks after the bootcamp, I went and took the test and I failed it somehow. It was just the...
Speaker 1:The questions that I was used to were completely different on the exam, and, like, the whole style was different and everything, and I, like, figured out, like, oh, I've been using, you know, the wrong test question bank, like, this is horrible, you know. But the second time around, like, I was able to knock it out of the park because I did, you know, that fine tuning, right, like, when you fail something, you got to adjust how you were studying, what you were studying, all the different stuff. And so I took that time in between, because I think you got to wait, like, 90 days to retake it, like a cool-down period.
Speaker 1:Yeah, I don't know why they do that. You know, maybe it's to, like, kind of actually, like, weed out people that don't actually belong getting that exam. I don't know why they would do that, but other places don't do it like that. It's like two weeks or something like that. With AWS it's like seven days.
Speaker 2:Learning it and, you know, adapting. But this is where, depending on who you talk to in industry, is where they value certifications and, you know, the balance between industry experience and certs. Because you're saying, listen, I know this stuff. But I went in and I took the test and I didn't pass it the first time, and I was like, I don't agree with the way that they were, you know, maybe framing the question, or it was ambiguous. And if it was a real-life scenario, then this would be... If you're coming up with those types of responses looking at an exam, you probably already beat it. You know, you're already there. You got the talent, you got everything there. Is this certification, you know, really going to help you, you know, outside of just getting that goal, you know, and closing up the loop there? Maybe not, but, you know. So you're saying, like, okay, well, I had to adapt some of the learning to fit the narrative of what the tester wanted me to answer. So that's some of the...
Speaker 2:The other side, you know, view of what certifications look at, is because, you know, you can have somebody that could just knock it out of the park. You know, you just bring them on and they're just, like, a perfect, you know, candidate. They have all these skills you could apply, and you could have someone that maybe passed one or two certs, maybe even the ones that you didn't pass, that could just be... This doesn't get everything, you know. They just don't see how all those pieces connect. So it's a balance.
Speaker 1:Yeah, it definitely is. You know, and I try to be a little bit more calculated with what certifications I get, how it will actually benefit, you know, my career, if it's worth me investing the time to learn the material and all that sort of stuff. I don't like the shotgun approach where it's just like, okay, I'm gonna get every cert CompTIA offers, you know, every cert ISC2 offers, and make that headline or that title, you know, super long on LinkedIn, right. Like, people with that kind of background raise red alarms to me when I'm interviewing them, because it's like, alright, how much of this do you actually know? If we start going off book, you know, and start going real world, like, what are you actually going to be able to do? You know, and sometimes, yeah, they can do it all. Sometimes, most of the time that I have interviewed someone like that, they haven't been able to do, you know, 50% of what those certs actually, like, teach and are supposed to reinforce.
Speaker 2:I've certainly seen, you know, the LinkedIn, you know, two-line, you know, cert, cert, cert, cert acronyms that go on for days, or an email signature, you know, that goes across, and you're like, okay, I mean, granted, you earned those. Good, that's very, very good. But I haven't had any experience, so to find anyone or know anyone that had that, that was positive or negative. So usually it's a couple, you know, and even if you got more, you kind of just choose which ones you might want to advertise, you know, as your profile. Yeah, it's not...
Speaker 2:It's not important for me to advertise my Security+, right. Like, I got the second, or, like, you know, I had an A+ from back in the day and maybe some Microsoft, you know, little certs in there too, but, you know, it's not valuable for what I would be needing to use it for, you know. Now it's all, you know, the OSCP, the OSWE, that was a nightmare and a half too. And I'm studying right now for the PEN-300. So that's more client-side exploitation. So it's stuff that I know.
Speaker 2:But again, just bringing all those disconnected pieces about client-side exploitation and bypassing antivirus and EDR solutions, and then bringing them into more of a technique that I can just land in an engagement and understand, OK, this is what I want to do to get around some of the defenses that are going to be there, because OSCP doesn't really touch on any of that stuff. OSWE is very specific to web applications and source code analysis and that, whereas now the PEN-300, the other side of this triangle, is the client, attacking the client. So it's been challenging for me, to be honest, to get the time to be able to dedicate to it, and my goal is to have that by the end of the year. So we'll see. Check back in with me in 2024 and we'll see. Right.
Speaker 1:That is extremely interesting, getting around the security tools that I, for instance, deploy and run and manage and configure in an environment. Even as I'm configuring them, I'm thinking of ways of how to get around it. I was working at a company, and I mentioned this in a previous podcast, that I was working at a company where I deployed, I think it's like a cloud proxy or a DLP solution, it was both, and their whole purpose was ensuring that you couldn't exfil data from the environment. Well, immediately my head went straight to, all right, well, let's test this out, let's see if I can get this out, let's see what I can do with this file. Well, what if I encrypted it with just a basic password? Does it get past the filter? And I found like 10 different ways to get around the solution that I was deploying, and there's like nothing I could do about it, because it's not like a checkbox or a configurable thing in their UI. It's a limitation of that product. It's like, oh yeah, if it's this, it's going to get out, no matter what.
Speaker 2:Yeah, that's where that defense in depth comes in. That's frustrating, though. When you go in, you think the product's going to do something and you go, all right, well, here I see this data, it's going out. You're supposed to be protecting against that, or at least blocking it in some way, right?
Speaker 1:Right. Yeah, it was funny too, because I told my manager and he goes, oh no, they assured me that that wouldn't happen. And I was like, all right, well, look at this. And I emailed a document to my personal email.
Speaker 2:I assure you the opposite.
Speaker 1:That was a very interesting conversation, because things like that can go one of two ways: you could get into trouble for doing it, or the vendor gets into trouble. There's been a couple times where I've had to play that game.
Speaker 2:It reminds me of, it was an engagement I was on, and I was tasked with doing an egress assessment. So, coming from a known containerized environment that's supposed to be locked down, a cloud-based environment, and only a certain set of whitelisted services and things could be accessed going out. And so I was planted into this environment. I didn't have to get in. I started from inside and the goal was to get out, and I ended up finding out that one of the whitelisted websites that they used was whitelisted, and it was a public website that I could go and register an account for. So, using the outside, I went and I registered an account, and then I used the subject and description field of my own account to submit from that containerized environment that was whitelisted to go to that website. So I could essentially stage payloads and get the data out going through this man-in-the-middle proxy, through their own infrastructure.
Speaker 2:So there's always a way to be able to say, OK, our product is going to stop egress or block everything from going out, but there's always going to be a way to get around that, and most of the time it's a misconfiguration or something that wasn't brought up as a risk until it's demonstrated. But you demonstrated it yourself at your organization by saying, hey, here's this email. It definitely works. DLP is not working, this isn't working. And we ran an assessment, a full-out assessment, to show the risk, and they were able to clean up that environment, and now it's better. Good client of mine.
Speaker 1:Yeah, that's really interesting. How long did it take you to discover that?
Speaker 2:It took a while. Yeah, essentially you have to go through an entire attack surface and go, what can get out, can I go anywhere? And then you might only have IP addresses, and then you have to enumerate what those are. And then from the outside you go, all right, are any of those... an Nmap scan, essentially. Get that list of things that I know I can get to from this containerized environment, and I know what the public IP addresses are, those, because I'm scanning. It was cloud-based. And now can I Nmap, are there any services listening on those IPs that I identified?
Speaker 2:And then you see there's some web services. Then you start going to that web route and you go, OK, can I, what access do I have to give data to that website? Oh, it looks like there's a public registration. I can actually register an account on that website. And once I was into the user profile, this is techniques, I don't remember where I actually learned this. It wasn't novel with me, but once I was in that web application I knew what to do. I was like, OK, I'm going to stage something here. From the outside, I'll plant a command, and then I'll tell a script that's running in the environment, that containerized environment, to pull that down and then execute the command and return the output back into the description field. You know, and it was all fancy and encrypted and stuff, and I was pretty proud of it.
Speaker 1:Wow, yeah. Was that after you got the OSWE?
Speaker 2:Yeah, yeah, it was a pretty recent pen test.
Speaker 1:Oh, OK. Yeah, that's really interesting. Has there ever been a situation where you couldn't find anything, or you couldn't exploit something, just couldn't figure it out? Has there ever been that sort of situation?
Speaker 2:Yes, more times than not. So there's certainly an element of that imposter syndrome effect of coming in. That's a big term these days, and I am certainly not immune to it by any means. And I personally, I get personal sometimes with my assessments, and if I'm not getting something that I think is a big deal, I'm like, I'm just not trying hard enough. What am I missing here? And I'm going through, looking at my methodology, what did I miss?
Speaker 2:What's happening. And then you come back to it and you realize, you're like, well, penetration testing itself is a methodology, and you have been hired, either at your company or as a contract for a firm, you're going through this methodology to demonstrate the effectiveness of their blue team, identify any gaps that there might be in risks and weaknesses. And if you go through that methodology and you give it everything you've got, granted you have commercially available tools, you have expertise that you're relying on, of course, to lead you to a quality review, and you're not finding anything, that's a win. A win for what is a successful pen test? Because a win for the red team is a failure at that blue team, the defense, and a win for the blue team is a failure on the red team. So what is a successful pen test? I don't know. I can't answer that. It just means that we went through that methodology, identified, and now we have a better understanding of the security posture of that application or environment that you've been testing.
Speaker 1:Yeah, it's almost like a... It's just a win for the organization overall, because if you find something, they get the opportunity to make it better without someone actually hacking them and extracting the data. But if they don't get it, then it's like, OK, we're doing a good job with the blue team. It kind of starts the cycle over, right. But, Bryan, I don't think that we have much more time, unfortunately. I always try to be very cognizant of my guest's time, but before I let you go, how about you tell my audience where they could find you if they want to reach out? Maybe you're on Twitter or LinkedIn or something like that, and we'll go from there.
Speaker 2:Sure, yeah. So you can find me on pretty much any of the socials at Secure Komodo, and I'm on LinkedIn. I operate pen testing, so Redline Cybersecurity is my firm, and if you or any of your listeners are looking for a pen test, that's my shameless plug.
Speaker 1:Awesome, well, thanks, Bryan. I really appreciate you coming on, and I'm definitely going to have to have you back on once you pass the PEN-300, right? Let's hope. Yeah, awesome. Well, thanks, everyone. I hope you enjoyed this episode.