Episode 31: All Things CyberSecurity with Keith Hartranft

 

Keith Hartranft, Senior Enterprise Security Architect at The College Board, joins us this week to talk all things cyber security! Keith was a former professor of both Pat and Kyle and has held multiple positions in the cyber security space. We talked about securing the public cloud, attackers targeting certain groups, a few certifications to break in, SOC vs. help desk roles, Red Team vs. Blue Team vs. Purple Team, and more! Join us for a great conversation with a top cyber security expert!

Like us? Give us a review on Podchaser or Apple Podcasts to let us know!

Check out our website https://www.breakingbytespod.io

Email us! - breakingbytespod@gmail.com

Follow Pat and Kyle!

Twitter:

Pat | Kyle

Follow Breaking Down the Bytes!

Instagram | Twitter | Facebook | Discord

    Pat: 0:31

    Hey everybody. Welcome back to this week's edition of Breaking Down the Bytes. As usual, the one driving this crazy bus, I'm your host, Pat. You can find me on Twitter @layer8packet. You can find Kyle, who's riding shotgun as always, on Twitter. He's @Danath256. You can find the show on Twitter at @Breakinbytespod. We're pretty active on Twitter, so come say hello. Kyle, we're back for another episode. Just keep this train going along. More subjects, more guests, here we are, man. How you doing?

    Kyle: 1:01

    That's it, another day, you know. Again, it's crazy weather, you know, it's like a hundred degrees outside today. It was melting everywhere I went.

    Pat: 1:11

    Yeah.

    Kyle: 1:11

    Yeah, pretty good. How about you?

    Pat: 1:12

    Yeah, I'm pretty much the same schtick, right? So it was like a hundred degrees, and then all of a sudden, you know, it was the day I decided to clean my garage out, and like towards the end it downpoured for like a half hour, and I had to rush some things back inside the garage. So, you know, here we are, nice and dry. We are back for another week with an exciting guest, at least exciting for me. And for you, Kyle.

    Kyle: 1:32

    Yeah, definitely.

    Pat: 1:33

    We have Mr. Keith Hartranft on with us, and Keith, you, me and Kyle go way back. I wanna say way back into the early two thousands, right? So when we all met, you were a professor at our local community college. So Keith, welcome. How you doing?

    Keith: 1:49

    Great. Great. Yeah. Thanks. It's always great to, you know, connect with former students. And I try and keep my finger on the pulse and meet with a lot of former students who are now, you know, esteemed colleagues in this industry. And it's really nice to connect, really great to.

    Pat: 2:07

    It's really cool. Yeah. So thanks for being here and giving us an hour or so of your time. I know you're a busy guy in your little circle of the world, so appreciate you coming on and hanging out and doing your thing here.

    Keith: 2:17

    Always happy to. Thanks.

    Pat: 2:19

    Yeah, no worries. So, Keith, I guess we'll turn back the clock a little bit. Like I said, you, me and Kyle, we all sort of met in the same circle. You were a professor at the community college where Kyle and I went to school. And so I know I had you for a couple classes. Kyle, you probably had him for the same. We probably hit each other on different cycles of said class, but we all had you for, you know, roughly the same. And I wanna go on record saying that Mr. Keith Hartranft taught me how to subnet. I'll just throw that out there right now. His way of subnetting just clicked. And that's like the biggest problem that I, like, when folks come to me and go, oh, subnetting is so hard, like, how do you get it? I'm like, it's one of those things where you do it until the math clicks in your head. And then you're like, oh, I was overcomplicating the shit outta that. Like, it didn't have to be this hard, you know, it was one of those things. So, your method of the, I believe it was the bucket method, if I'm not

    Keith: 3:10

    No buckets. Yes

    Pat: 3:12

    That taught me how to subnet, and that stuck with me till this day. Like I can now do subnetting without a calculator. So I am officially a senior guy 'cause I do not need a subnet calculator. So everyone please clap right now. Yes. So that's,

    Keith: 3:24

    Yes.

    Pat: 3:25

    all good. Yay. And the crowd goes wild, you know, that kind of

    Keith: 3:29

    Yeah. It's kind of nice. It's kind of nice that the buckets used to drive the Cisco instructor, Kevin Mana, crazy. And, you know, Cisco eventually came out with kind of a new methodology of, you know, how to do variable length subnetting. And I had one of the students bring the paper over to me in class, and he said, yeah, Kevin showed us this new method. And I said to him, oh yeah, that's nothing but Keith's buckets, and he turned and walked away. I said, oh, well, that's nice.

    Pat: 3:57

    That's awesome. That's awesome. Shout out to Kevin. I think we talked about this last week. Once we get him out of nature, he'll be on this show too. He's busy with the kayaks and doing all that crazy stuff. So he'll be here too. So you'll meet Kevin in the next few weeks, once we can wrangle him in from the outside and being all Daniel Boone on us. So it's all good. So Keith, let's start where you're at now. So you kind of jumped around a little bit, you know, and I'm talking 20 years. So, you know, college professor, jumped around a little bit, and now you are where? Why don't you start there?

    Keith: 4:28

    Yeah, I'll go back to the community college. And, you know, I started the information security program at Northampton Community College. And in 2013 the Lehigh University CISO job opened. I decided I was gonna kind of take a break from teaching and go into more of a practitioner role. So I was the CISO at Lehigh for about four years. There, I actually also taught. I taught over in the business information systems; I taught risk management and information security, and then I actually ended up adding a cloud computing for business class over there as well. So I was trying to drag Lehigh kicking and screaming at the time into cloud. We weren't ready. In 2018, Fortune 100 New York Life called and kind of offered me the sky and the moon and, you know, all sorts of great dollars. And it was, okay, I'm gonna go to Fortune 100 and do this. The focus there, and currently where I'm at, the College Board, has been enterprise security architecture. At New York Life I was also execution lead. So the focus has been on the technology security side versus kind of the whole ball of wax that I had at Lehigh University as CISO. I still get into, you know, reviewing things like cyber insurance and legal, but it's more the overarching architecture and security deployment as, you know, New York Life and now College Board are moving into cloud. So it's really an AWS focus.

    Pat: 6:07

    Nice. No, I like that. That brings me to a point now. So I'm sort of, I'm in an architecture role now where I'm at, at Customers Bank, and it's an interesting vertical to be in. And the last couple places I've worked too, you know, now everyone's moving to the cloud, or at least in some facet, right? 'Cause it's almost the elephant in the room where it's too big to ignore, you know, that sort of thing. So, personally, and I want you to take on this too, Keith, personally, I think securing the public cloud in the next five, 10 years is going to absolutely explode as far as, you know, trying to wrap your head around what that actually means. Everybody says, oh, security, yeah, that's great. But there's these crazy avenues that you can go down, these rabbit holes, you know? But it's like, you know, now with people doing public cloud, right? And most people are doing, I wanna say people, I mean companies, most companies are doing, you know, some sort of hybrid, right? So you have an on-prem somewhere that's physical, where if you have something down you can physically touch it, that sort of thing. And then they have some, you know, either some sort of development or testing, or like a dev sandbox sort of thing in the cloud where nobody really gives a shit what happens to that data. So there is some sort of hybrid there, but I think as more people start moving towards the cloud for actual production work, I think securing that public cloud and what that actually looks like is going to be absolutely huge in the next 5, 10, 15 years as these things start to mature. So I just, I want your take on

    Keith: 7:39

    Oh, no, I absolutely agree. And I think it's here now. It's kind of arrived. I think you're seeing it, you know, really hit hard right now. And, you know, being a security practitioner and heading into cloud, it just pulls in all, what I'll say, all the disciplines of information security. You know, you have to have a firm understanding of identity and access management. You have to have a firm understanding of, you know, what we were just talking about, networking with VPCs, and, you know, you have security groups, and okay, how do we get network segmentation, separation, account and organization separation. So you have that network component. You have a huge application development component. You know, application teams are, you know, they're using things where it's just code, like Lambda. So, you know, writing secure code, writing APIs, what, you know, what are secure APIs, how to secure those properly when they're exposed directly to the internet, are they behind, you know, application gateways, and, you know, how that's all handled. And then, you know, you have all your security tooling that's cloud native as well that you've gotta pull in. You know, if you're in the AWS world, as an example, you're pulling in, you know, your logging and monitoring, your CloudWatch, your CloudTrail, your Security Hub, and kind of understanding how all that needs to be baked in and embedded into the environments, the architecture, as you move forward. So it's just, you know, it's kind of, I'll say, security and IT and networking all in one, as, you know, really having to have mastery or an understanding of all the

    Pat: 9:31

    Yeah, that's a good point.

    Keith: 9:32

    Interesting, you know, today I had a group that I'm not super familiar with, with, like, Kinesis Data Streams. And they're like, oh, we're gonna use Kinesis Data Streams. And I was like, oh, has this been through review? Because you're, you know, directly exposing this, and I'm not certain, you know, what else do you have wrapped around it? Because, you know, normally that would be behind like an API gateway or something like that. Like, you're kind of stripping this down so that it's identity-based protection only, and I'm not comfortable with that. So make me comfortable with it, and have 'em walk through what, you know, what they're thinking and what they're looking at. And I happened to be on an AWS solutions architect call at the time. So I had the AWS solutions architect kind of help with that as well, just to talk through, yeah, here are some of the recommendations you wanna do. And then, you know, he kind of turned back to me and said, but you know, organizationally, Keith's gotta be okay with it. And, you know, at least we kind of solutioned it to get there, but you just, you end up having to kind of learn on the fly, understand services that teams are proposing to use, or new services, very quickly. And it's just a mountain that, you know, like I said, crosses applications, networking, IAM. I didn't even get to data protection, you know, how you locate sensitive data. Development teams typically, you know, cryptography and secrets management, they have very little understanding of how to do it, and, you know, providing those, you know, standard architectures for them, how to consume secrets and keys and, you know, do it within the cloud, and then, you know, bake it into their deployments, their Terraform deployments. It's, you know, just a lot to, to, if.

    Pat: 11:28

    I agree with that. And I just, you know, now that I'm working closely, more closely, I should say, with other departments, right, security being one of them. 'Cause I feel like in the last five years, everything is just driven through security. So then it says, okay, they have to sign this off because they, you know, do the research, or they, whatever, you know, says okay. Well, like at previous places, I couldn't even download an app on my laptop without going through security, or even, you know, suggest an app that we could use department-wide without having it blessed, you know, by security, that sort of thing. So, do you think the security teams are being used as, I don't wanna say scapegoat, that's the wrong word, but like to say, hey, put all the eggs in that basket and let them make those decisions, and if that blows up in their face, then they have egg on their face, right? Do you feel like there's a lot to that? 'Cause I feel like there's a lot there, like legal and, you know, like who makes these decisions as far as, okay, is Notepad++ okay for me to put on my laptop, you know, that sort of thing. Like, you know, oh, let me get by security for you, you know, that sort of thing. So like, what is the process there, as far as, okay, what deems an app to be okay versus not okay, and reasons why?

    Keith: 12:38

    Well, again, so I'll say this, you know, typically it goes through some level of review. It's interesting, you know, I had a colleague that I had worked with at Lehigh networking, went into the commercial side, networking management, and I said, why don't you get more involved in security? He said to me, no, security is where careers go to die. I don't think I agree with that. You know, we do tend to be toll gates or gatekeepers, the reviewers, if you will: is this safe? But there's also that, again, you know, things like to GSA the architecture, you know, arenas. They want things to align with business and business purpose. If you're gonna add an application or you're gonna, you know, add a service in AWS, you want to get it reviewed. You don't want to increase the attack surface at the company or organization you're working with. And that's where kind of security comes into play. I often tell the development teams, look, I don't wanna be the bad cop. I don't wanna be the, hey, you know, stop sign, if you will. We work together. I just wanna make sure your application, as you're designing it, works as you intended and folks aren't gonna abuse it, that it's gonna be a business positive, not a business negative. So, so yeah, we do become the gatekeepers, if you will. But it all starts with, you know, analyzing, is this a real need? Do we have other things in the organization that we already have adopted that could, you know, be utilized for this? There's kind of a myriad of what that goes through. So I sit on enterprise architecture review boards, I sit on security review boards. I'm usually the guy in the room that asks a lot of questions and is vocal about, you know, what are you thinking, or how are you doing this, how are you doing that, to try and get into some of those details.
A lot of it is with the guidance of, you know, hey, are you as a development team or requester thinking about this strategically in how it fits in our world, in our environment, what kind of users you're gonna have, how you're, you know, again, the data, the access, you know, a lot of the places that I kind of touched on earlier with cloud as well. It's just, have they thought it through? So we go through those processes. Yep. And they could be simple apps. I guess I'll talk about, I had a request recently: hey, we want to install the Tencent video app. And the question becomes why. Well, you know, Zoom's not working for us, and we're doing recruiting in China, and we're not able to connect on Zoom in China, but we think we can via the Tencent video. And I'm like, okay. How are our tools gonna react to that? You know, if we're running an antivirus, is it gonna choke if it's communicating, you know, you're loading the Tencent app? Is there anything there that's gonna cause a problem? If it's a Tencent app, and I'm assuming it's the same problem they're having with Zoom, it's probably trying to connect with the end user in China through Asian Zoom or Tencent servers. And if you're running something on the client, or you're running a, like a web application firewall of some sort, or a web application filter, I guess I'll say, in our case, like Zscaler, is it a Zscaler issue? And, you know, we just need an exception for you, and all of a sudden Zoom works. You know, again, we can back away from, you know, increasing our landscape with applications and adding the Tencent app, and all of a sudden Zoom works with an exception for, you know, a couple of users, kind of thing. So, you know, a little bit about that business purpose. We're, you know, we're doing this in, you know, another country, in China, as an example. And we may have, you know, blocks or protections that
You know, for the regular population, you know, 99% of your user population, it makes sense for, but there's one or 2% that it doesn't, because it's their charter. And now you've got to kind of adapt those security, you know, architecture, security tools, applications perhaps, to meet the business need. And I think that's really what a lot of that analysis comes down to.

    Pat: 16:52

    Nah, that makes a lot of sense, as far as, you know, just trying to see the big picture and follow that all the way through. You know, it's not just a question of why. It's, okay, how is this gonna, like you said, Keith, how is this gonna react to, you know, what we have in place now? And, you know, do I have to poke a hole in the firewall on some weird obscure port? You know, that's like, oh shit, like, you know, they're gonna love that, you know, that kind of thing. So it's a ball of wax that you just quite don't see on the surface until you really start peeling that onion, and then you go, oh man, there's a lot more to this than just, you know, port 10,002 or whatever it is.

    Keith: 17:24

    And when you're in organizations where they can just go ahead and do what they want and kind of, you know, ask for forgiveness afterwards, not go through, you know, that tollgate process, you get all this sprawl, and then you find you're trying to support all these different things. And, you know, like you said, you've got a client application that's supposed to protect you that, you know, it looks like, you know, spaghetti, whole Swiss cheese. You just have applications that have sprawled all over the place, everybody's using and doing their own thing. And, you know, there's a lot to be said for then managing that, you know, not just the attack surface, but the IT sprawl as well.

    Pat: 18:02

    Yeah, I think that's a good, that's a good point.

    Kyle: 18:05

    Well, now I was just listening to what he was saying. I was gonna ask him, you know, like what kind of a typical day looked like, but he kind of covered it already. 'Cause, you know, you think of all the TV shows that you see about anybody doing security, and it's like constant attacks coming in and there's people jumping on keyboards, just trying to instantly defend and stuff like that. And, you know, it's typically not how it goes at all.

    Keith: 18:25

    No, I will say on particular days, if you go over into our cyber defense area, you'll have those kinds of days. You know, days when things like, I'll give an example at College Board, you know, SAT registration opens up. You know, that becomes a day when cyber defense is watching things really closely. There's, you know, auto-registration bots, or there's some, you know, there's things that you see, malicious activity, or you see things that, you know, you wanna block or stop, or that are, you know, gonna impact the business, gonna impact availability of, you know, seats, test seats, something like that. So there are those types of days. You know, there's always the, hey, we're gonna look, you know, look around and poke around and see if we find a soft underbelly to be able to get in and exfiltrate data. You know, there's those sorts of things. And I'll say I've been through those. I mean, I gave the example at College Board, but one of the big things, of course, you know, email and phishing always gets a lot of attention, and, you know, attackers go after user credentials, and it's always that user, you know, phished, and now we've got credentials and the access that they look for. I co-presented with the FBI when I was at Lehigh. We had an attacker who, you know, when I told the story to our athletics department, they were like, gee, we never thought that would've been a group that would've been, you know, focused on. And it was an attacker from abroad who was focusing on our female athletes and our female athletes' accounts, trying to phish them. And then when he phished them, he would go through, you know, their OneDrives, their Google Docs, and he was looking for illicit photos or videos. And, you know, he was just digging. He would change Facebook accounts on them. But I ended up doing a presentation with the FBI because our monitoring and alerting, we saw it within the first day.
So we had about 12 accounts that were compromised, and we saw it immediately. In the prosecution of this individual, there's documentation, and they talk about university one and university two. We were university two. University one had somewhere in the neighborhood of 2,100 accounts compromised, and it was an 11-month process that they went through. And I had folks in the audience ask, you know, what was the difference? You know? And I said, if you're asking me why did they get dragged around for 11 months and we had it stifled within a day, I said it was our logging, monitoring and incident response. It was the SIEM. I said we had stood up, we got that information, and we were able to respond. I said I think we also were the ones who were able to provide the most documentation for the FBI and, you know, this individual's prosecution and the whole nine yards. So it was kind of an interesting case. And I had many of them at Lehigh because I had responsibility for operations, like I said, the whole ball of wax. But, you know, there's that side of it, but there's the other side of, you know, like the detect and respond side. I think with security architecture, I'm firmly over on the preventative side, and that's that whole shift left, you know, how can we, you know, build and inspect and do things, you know, prior to production deployment. Now we're gonna log and monitor and make sure, you know, folks aren't dragging around the application by its nose, kind of thing. But, you know, it's that shift left to, you know, better coding, better applications, you know, earlier architecture standards and structures, and, you know, make that application much less vulnerable to those types of attacks.

    Pat: 22:15

    Yeah, that makes sense. That makes a lot of sense. That's really some interesting stuff, as far as how long that takes. 'Cause I know typically, and Keith, I guess I'll get your expertise here, how long does it typically take for, okay, someone got in on a phishing through, you know, Sally in finance, right? Somebody phished her, and now they've exfiltrated data. That could go on for months before any sort of red tape or bells go off, right? Depending on the size or structure of your security department, right, that could take months. And then even further than that, okay, say, oh shoot, now we have a breach, now what do we do? Like, how long does that take, as far as, like you said, get the authorities involved, get through that whole thing? 'Cause I know like some of the big ones out there, right, like the Target and the SolarWinds hacks and those sorts of things, like, you know, you heard about that a year plus later. You're like, oh shit, that happened last January. You're like, oh God, you know, that kind of thing. So I'm curious too, like, I'm guessing the timeframe is different depending on size and scope of what was actually exfiltrated, right? But like what does that process look like, as far as how long does that typically take from, okay, she's hacked, to actually the public knows about it, right? How long is it?

    Keith: 23:27

    Well, I guess what I'll start with, like IBM and the Ponemon Institute had like a, you know, kind of the best things you can do that reduce, you know, your cost per record in a breach. And like incident response was always first. You know, if you have a good incident response team, that's where you cut your costs per record so significantly. So there's a lot of focus on, you know, maybe if you're gonna build, first things first, you know, that you have a robust incident response, that cyber defense piece. But a lot of the reports, the Verizon breach reports and other reports, are gonna talk about like an average, some unreal average of 270 days before a bad actor has been recognized. You know, you'll see numbers that are in those, you know, nine to 10 month periods. And the worst thing that can happen is, I think, when you're notified by an outside entity or agency that, hey, you've been breached, because we've seen your data, you know, being sold on the dark web or something like that. And when I was, you know, not to throw another university under the bus, but when I was, I think it's well known, when I was at Lehigh, Penn State had a breach, and it was U.S., I think, Department of Defense Naval information. And, you know, it was a case where the FBI, you know, notified Penn State that, hey, we've seen this data and we think it's coming from you, kind of thing. So, you know, they didn't even know they were breached, you know, and that's definitely a case we could dig up and locate to chat about. But yeah, you know, there are, you know, longer periods of time. You know, having a robust cyber defense that recognizes, you know, bad actors', you know, movement within your network that's anomalous, where it appears, you know, someone is, you know, doing something they shouldn't, or pivoting from, you know, one thing to another, and it wouldn't normally happen. You know, just largely. Well, I gotta give kudos.
One of the things coming on board, you know, with College Board, that I would've killed for at, like, New York Life: I've been really impressed with our cyber defense group. They really are on the ball. It's extremely robust. You know, we've done and seen some activities where, you know, they get tested, and they're up to the challenge between threat hunting and, you know, incident response and recognizing unusual or anomalous behavior. It's kind of interesting too. I'll also say, with the SIEM and some of the things like we had in place at Lehigh, I was often surprised. I often tell, you know, interesting stories. I had a process, we had a process in place there for notifying others that they had compromised accounts. If it was another university, or, you know, sending phishing, you know, I would send notifications, or in some cases I'd even pick up and call, if it was something that was, you know, seemed urgent or was a little bit egregious. I made the mistake of, I found I had an incoming phishing campaign. It was basically a medical center account that was compromised, and it was in Texas. And I picked up the phone and called their help desk. And I said, look, you want to close this account, 'cause they're sending out thousands of emails, they're hitting our filters, and you've got a compromised account. I got a night-shift help desk person who kept challenging me as to how I knew that. And I said, look, I'm seeing these come in. I said, I'm the CISO at... And, you know, really pressed them on it, to the point where, you know, I ended up, like, sending a follow-up email, and here's the sample. And he sent me a note back, like, no, this is just a phishing email. I said, yes, I know, it's coming from your account, and this account, like, I had to really point it out to him. And I ended up getting a call the next day from their security person, 'cause I was CCing them on the emails, 'cause I was having such difficulty convincing this person.
He was apologizing up and down, and he's like, is that something you regularly do? I said, well, when I saw that it was a medical center, I said, I did a lookup, and I said, you know, this was like, I don't know, a nurse or, you know, it was a medical practitioner's account. I said, and I just, I wasn't gonna just, you know, send it off into the ether, you know, report phishing, kind of thing. I had others, and I had other colleges I'd report to, you know, hey, I'm seeing an incoming phishing campaign, and they'd say no, we're not seeing anything triggered yet. And I'd say, yeah, your thresholds are set to default, which is like 500 emails from the account, and they only sent 300. I said, trust me, we just received 300 that were blocked by our filters. You've got a compromised account. Do you want me to send you a sample? And, you know, I would go through some of those things. There were some cool stories. I even, I don't want to go too far, but I even had some interesting folks who had their accounts compromised. When I was at Lehigh, we were getting, so I'll put it this way, I was receiving phishing emails from a compromised ex-Olympic-medalist figure skater's account. And, you know, when I looked them up, they were now working for a professional sports organization, and I reached out to the organization, said, hey, you got a couple compromised accounts, they're sending phishing emails. And so it was fun. It was fun to be on the cyber defense side for a little bit, in many ways.

    Pat: 29:13

    That's awesome. That's a good story. I like that. That's pretty neat.

    Kyle: 29:16

    Yeah, it's cool.

    Pat: 29:17

    One question that popped into my head. We kind of talked about, like, you know, some days are hotter than others, as far as from a cyber security perspective, of trying to, you know, watch the world map, as far as, you know, trying to track down who's who. Do you think special days in either culture or world events play a part in how hot the cyber security game is? So like, for example, like when Russia invaded Ukraine, like those couple of days, like, does that, do world events, I'm assuming they do, do world events really heighten the ears of the cyber security defense people around the world and go, oh shit, we really gotta start watching the Xs and Os, the bits and.

    Keith: 29:59

    Yeah. And news, particular news, and, you know, folks that take maybe stances or stands, and, you know, how that is perceived, you know, may come under attack. Yeah. Like I said, it was a little surprising, you know, to, again, our folks, our athletics folks, and we met with all the athletes at Lehigh, that our female athletes, you know, in particular were targeted. And there we had, you know, social pages for the athletes. So, you know, if you went to a volleyball player's page, you know, they had their favorite color there. And what the attacker was doing was using the social information, the social media information on their pages, to reset their passwords, you know, easy questions like, you know, my dog's name and, you know, my mother's maiden name and what's my favorite band. They were all listed in the social pages, on the athletics boards. So, you know, we tried to coach them a little bit: look, when you're going through this, you know, we want you to put yourself out there and be human, and we want you to participate in the social network that Lehigh is presenting to you, but just please make your security questions to reset your password more challenging than the information you're posting publicly. So, yeah. Like I said, there's a lot of things that come into play. You're right, the news, who's invading who, like I said, stances, political stances, or, you know, events like, you know, the Roe v. Wade repeal and who's on what side. I'm sure there's, you know, all sorts of attacks out of things like that.

    Pat: 31:40

    Sure. Now that's interesting stuff there.

    Kyle: 31:43

    It's just crazy to hear all the stuff that's going on that we don't even know about. Keith, does any of that follow, like when we had those weird spikes where everybody's going crazy over certain cryptos and things like that? Did you see anything around those times too, when Dogecoin is going crazy and GameStop is going nuts?

    Keith: 32:05

    Yeah, I wasn't particularly plugged in at those times, so I'll say no, I haven't. But I will say compromise for crypto mining is definitely huge. And that's the thing with security moving into cloud: anything that's weak has a soft underbelly where an attacker can jump in and crypto mine, where access keys are posted in a public S3 bucket or thrown in a public git repository or something like that. They seize those opportunities to spin up 400 instances in an account and crypto mine for an hour until IR shuts 'em down. So from that aspect I've definitely seen it. I haven't seen it with the cryptocurrency fluctuations or things like GameStop or AMC fluctuations and Reddit type stuff. I haven't seen activity around that, though.

    Kyle: 33:10

    Yeah. I didn't know if that would kick something off, if everybody's just going after these things and then you get more attacks on potentially people's wallets or something like that.

    Keith: 33:22

    I have not. I mean, if there's a posted vulnerability, though, you'll immediately see folks out there scanning, again looking for that soft underbelly of vulnerability, so that you will see immediately. And again, a good threat hunting, incident response type team will see a lot of that activity and almost know that there's gonna be a CVE coming, that there's gonna be some kind of notification coming. "We were seeing scans and wondering why" is what you'll often hear when a new vulnerability is released.

    Kyle: 33:59

    Okay.

    Pat: 34:01

    Sweet. Yeah, that's good info. It's just kind of crazy to me how vast the security field is. There's just so many veins to it. And I feel like it's exploded in the last 10 years, 'cause all you hear about are these hacks, and then these companies go, "Oh yeah, we should have a better security department. Let's go hire however many people," that sort of thing. So I guess my question is then, if you could divide it up: red team, blue team, purple team. That seems to be the dividing line in the last couple of years. People really wanna say, "Oh yeah, I'm red team," or "I'm purple team," or whatever. In my vague understanding of it, red team is offensive security, blue team is defensive security, and purple team is a mixture of both of them. Do you have a better explanation of that, or am I way off?

    Keith: 34:50

    No, I mean, there's some of that. I guess I look at red, blue, purple a little bit differently. Maybe more like, when you form a red team, they're the attack team. They're the malicious outsider or malicious insider, however you're setting up the rules of engagement, if you will. Blue or purple are your more internal "we're gonna test our own systems, we're gonna put it through the paces." Red is more, I'll say, the tag of a malicious outsider with little knowledge of the system: how are they gonna attack and go at it and compromise? Blue and purple, it's almost like the difference between external audit and internal audit, the way I would look at it. But I don't get so mixed up in the colors as I do in that intent to test systems. I mean, that's the ultimate in detection and corrective controls: "Hey, we were able to get in, we were able to compromise, this is what we were able to get." That is something that all organizations should do, or should aspire to do. I always like when you're with an organization that can form their own internal team, so I like blue or purple if that's what you wanna focus on as internal teams, 'cause I often see the internal skill capabilities of the development teams and the security teams are much higher in those groups. So I won't compare and I won't name the names, but at Lehigh, I worked to form our own purple team. I put folks through OSCP, the Kali Linux training, and I pulled from systems administration, networking, my security group, and client services. So we had like 15 people go through, we ended up with a team of four, and actually a former NCC student who's the security architect over at Lehigh, Forrest Crowley. Forrest got his OSCE, which is the Offensive Security Certified Expert. He spent some time working for Rapid7, and he is back at Lehigh. 
    So I saw the knowledge and understanding of compromise, and how to defend against compromise, just go up in leaps and bounds with that formation. When I started at Lehigh, we had an external pen tester, so we had a red team exercise. It was actually procured before I even started at Lehigh, and it was kind of one of the first activities I oversaw as CISO, and it was great, giving folks at the college the understanding of what an outside actor would go through and what they might do. And the guy was great at working with the teams and whatnot, but it just wasn't the same as forming that internal knowledge base to go at and test your own systems. And then at Lehigh, when EternalBlue was there and WannaCry, we did our own testing. We found, "Oh my God, there's some things here that an attacker really could get into," and we made changes and corrections, and we were ahead of the attackers. It's hard to say, 'cause WannaCry and EternalBlue were two-plus-year zero days before they were released as CVEs. But again, it just felt better that our internal teams were doing that investigation versus having to pull in someone from the outside. So when I think of red, yeah, you wanna bring those in. There is typically greater expertise in bringing in an outsider. The Rapid7s, the Black Hills folks that do pen testing as their specialty, they can do some special and amazing things. But from an understanding of compromise threats, being able to better inform your development teams, organizations that form their own blue or purple teams, those internal teams, there's just greater strength in security knowledge and understanding within the organization. So I've since worked with and worked for organizations that do it differently. 
    Again, to contrast the two: one with an internal blue/purple team, where I think the security knowledge and understanding and response is infinitely better, and the one that strictly does the outside experts doing the red team testing and providing the reports. You end up with a lot of struggles with the development teams. You hand 'em a report from an outside third-party pen test team, and they're challenging the legitimacy, and then do you have the internal expertise to recreate the exploit and show them, "Hey, this really can be done"? If you don't, it loses some of its teeth. So that's why I say I think having those internal teams is a big plus in organizations.

    Pat: 39:58

    Yep.

    Keith: 39:58

    I often encourage, too, that's a great place to start your journey. If you wanna learn more about pen testing or compromise, PortSwigger and Burp Suite have their own little free academy that you can go through on how to use the Burp Suite tool to test web applications, and it's a hands-on lab environment. And I'm a big promoter of "if it's free, it's me." The PortSwigger stuff is really nice. It really is. So it's a great way to get a taste of a piece of web application pen testing, I think.

    Pat: 40:38

    That's a good point. And also you mentioned Black Hills Information Security. Shout out to John Strand, who is the owner of Black Hills. He is a great follow on LinkedIn. He's got all kinds of stuff up there. He's tremendous. So if you're not following John Strand, owner of Black Hills Information Security, do that right now. Like right this second, 'cause he's

    Keith: 40:55

    Yeah, I'd agree. Again, people like Black Hills, you mentioned the lead there, that group in particular, they release a lot of great stuff. Troy Hunt, there's a lot of great follows where you can also kind of immerse yourself and come up to speed with, "Ooh, this looks like something I'd really be interested in. What are they doing and how do they do it?" Great suggestion. Yeah.

    Pat: 41:20

    Also, Keith, I kind of wanna spin off of that. Like you said, for folks breaking in, 'cause obviously that's what this podcast's target audience is. And like I said, there's multiple facets of this thing that we call security, but would you agree that some of the CompTIA stuff, right, Security+, PenTest+, and CySA+ (I think they call it now), those three are kind of a decent place to start if you wanna try to peel back that onion and get a little taste of that?

    Keith: 41:48

    Yeah, it's a great place to start. All the organizations are trying to get more introductory-level type stuff. AWS has the Cloud Practitioner, and they try and kickstart your understanding and learning in cloud. ISACA now has CSX, which is a cybersecurity intro course with ISACA. ISC2 now has a new one that's kind of junior to the CISSP to get you started on that trail as well. But you're right. I mean, CEH, Security+, any of the CompTIA stuff, it's a great place to kickstart a lot of that. Yep.

    Pat: 42:29

    Yeah, I feel

    Keith: 42:30

    And again, I would say, if you can augment it: I keep going over to web from networking. People typically don't know web application security. If you're a networking or infrastructure person, it's a good thing to cross-train a little bit and learn about web application security, to jump over to something like the PortSwigger training. It's free. I think Synopsys has some things. Looking at some of those web application testing tools, OWASP has ZAP, which is similar to Burp Suite. You can kind of do your own training just going through a lot of the OWASP Top 10 web application vulnerabilities and learning to play around with ZAP and things like that. OWASP also usually publishes a list of top security tools. If you're a networking person, you probably learned Wireshark, but jumping over to something like Burp Suite takes you into another discipline area of information security, I think. So going through the OWASP top tools list and playing around with tools that are, I'll say, maybe a little outside your comfort zone is also a great way to go.

    Pat: 43:43

    Yeah. And I'll mention this again. We've mentioned this on the podcast before, but places like Hack The Box and TryHackMe, those places that give you sandboxes to do this stuff, are phenomenal. That wasn't around when you were teaching us, my man. It just wasn't here. So it's nice to see how far things have come. And we've talked about this before, the amount of free training that's out there, since everybody seems to be a content creator nowadays, can really open those doors and whatnot. But TryHackMe and Hack The Box do a nice job there as well, trying to get you into all sorts of things. And it's very structured as far as the way their courses, or their different rooms as they call them, are. And you get a sandbox, you really see what an actual hack is, and you go, "Oh man, that's pretty cool." So yeah, all that stuff. RangeForce is another one that's out there doing some really cool things in that space. So RangeForce, TryHackMe, Hack The Box. You can't get enough of that stuff. You really can't.

    Keith: 44:34

    Yeah, I agree. I agree. And the one thing I'll say I miss, that I've tried to push a little bit more for at College Board: we had a training stipend at New York Life. I was always big on training and providing training dollars at Lehigh. I had folks complain at New York Life, "Oh, our stipend's only $2,500. I can't take a SANS course." And not to pick on SANS, the courses are awesome and they're great, but I'd say, why the hell are you looking at SANS? At $2,500, I've got A Cloud Guru, I've got books out the wazoo, I'm paying for all of my certification memberships. I've got two dozen things I'm doing with that $2,500. And that's why I say "if it's free, it's me," and I look for the cheaper stuff that you can set up and do independently. I mean, sometimes you need that guide through the material as well. The one thing I've done at all the organizations I've been at, I ran 'em at Lehigh, I ran 'em at New York Life, I'm running 'em at College Board: our lunch and learns. This fall I'm offering the AWS Security Specialty for any of the staff that want to take it to get the cert. Folks often ask me or bug me, I've got the laundry list of certifications, and I say, yeah, I keep studying, so I keep taking the tests, and I've had 'em paid for. But then I give back. It's like, oh, this is a great course, I think, for others to build that internal knowledge, if it's pen testing or if it's just general cloud knowledge. So I've run the Architect Associate courses, I've run the Security Specialty courses, I've run CISSP, I've run CCSP classes at the organizations I've been at. I think it's important to try and build within the organization, if you will. So.

    Pat: 46:30

    Yeah, another one I have to give a shout out to is The Cyber Mentor, too. We had Zach Hill on a couple months ago. He is part of The Cyber Mentor, and they're doing some really great courses over there. In fact, we have an affiliate link with The Cyber Mentor, and that'll be in the show notes. If you guys wanna click on that, get some cool training on the cyber side, and give us a little kickback with the link click. So be on the lookout for that in the show notes, but The Cyber Mentor is doing some really cool things over there as well, and they just continue to evolve, and those guys are just unbelievable. So go check them out for sure, via our links. I guess lastly, Keith, I'll kind of talk about this. I feel like, and again, I'm sort of plugged into the cyber community out there on LinkedIn, and there's a bunch of guys out there doing really cool things. Shout out to Josh Mason and Neal Bridges, formerly of INE, and all those guys really making a difference and trying to help people break into cybersecurity. I feel like there is a stigma out there that it's sort of hard to get your foot in the door of cybersecurity, 'cause it is so important and sort of white hot, if you will, that these companies want people coming in who hit the ground running, and you need five years, but it's an entry-level position. So I guess your thought on that, Keith: how do you sort of break those chains and get in there and really give people a chance? 'Cause as you know, I forget what the statistic is, but there's thousands of jobs that go unfilled because they can't fill seats, and it's like there's more cybersecurity people than ever, but yet we don't give them a chance to come in here and do their thing. So I'm just curious on your take on that.

    Keith: 48:06

    Yeah, I'll say a lot depends on the company and the way they work and the position. I would encourage folks to keep trying. But I'd also tell 'em, too, if you have some IT skills or you're just coming outta school, do something to augment those skills with either an entry-level or basic-level certification, or take some of those courses and trainings that you could put on a resume and show that you've got some hands-on knowledge or understanding in the field as well. I've always been really big on hiring entry-level folks and kind of building them up. So my approach has been different when I've needed folks. Now, I say that, and I did do a hire before I left New York Life, and it was a senior-level person. The organization there was different. We needed more leadership and guidance and, I'll say, strategy to move our internal teams forward, rather than to build out. But there were spots there where, if it was a vulnerability management analyst or a security analyst or a SOC analyst, entry level would've worked, and somebody with a CSX could have moved into that role. In fact, I mentored somebody who was over in our quality assurance area to get their CSX, and they moved into that role. So again, I tell folks, go down a trail to prove your skills, and then keep looking, because yeah, some companies, based on the way they're structured, want senior leaders to kind of move what they have forward, and a lot of that's the development teams. But then there are others that say, "Hey, we can build this person up. We'll add them to the team. We need somebody who can learn fast, who's demonstrated they've dove into this skill and figured it out." Again, I go back to Lehigh. 
    At Lehigh, I always got funding to do student interns. So when I left, I think we had six of them, and they were building some of the best things we had in our InfoSec. We had what we called canaries. We had Raspberry Pis deployed throughout the network that were doing intrusion prevention and intrusion detection. That was a student intern project. We had deployed open source Cuckoo, and we were doing our own malware analysis via Cuckoo. That was a student intern-built project. We did a lot of stuff there. At New York Life, I had student interns too, but it was just in the summer; it wasn't year-round, or as long as at Lehigh. But I still have some of those students reaching out to me. I encouraged New York Life to try and hire them, and again, do we have the reqs and what does the organization look like? It was more leadership and consultants that we were using than directs. But I've been in contact with them, trying to pull 'em over into College Board. I'm very big on, hey, somebody who's kind of dove into the material. Yeah, they have a background. It might be a CCNA, Cisco, it might be that they got a comp sci degree or they got a mathematics degree. Can they go down these trails and work in these areas? And pull 'em in and kind of build them up to do some of the security tasks we have at hand, I'll say the implementation pieces. Again, if you need overarching strategy, architecture, those are usually more senior individuals. So I think targeting specific positions that are more operations or analyst roles to break in. If you have a four-year degree, yeah, maybe entry engineering, systems, get started, but also run down some of those security training trails as well.

    Pat: 52:06

    Yeah. I'm curious to get your opinion, too, 'cause I've seen various opinions out there on the Twitterverse, if you will. Do you think a security operations center is more like a security help desk, or is there more to that?

    Keith: 52:18

    I will tell you there better be more to that.

    Pat: 52:21

    Good answer, my friend. Good answer. 'Cause personally I don't think so, but I've seen people try to break in, they go, "I'm a SOC analyst," and it's like, is that the equivalent to the help desk side of the infrastructure side? I guess to some people it is. I would assume it has to do with how your organization is structured, right? That comes down to anything.

    Keith: 52:43

    Yeah. And I would tell you, no. I think there's a little bit of a higher degree of investigative skills and problem solving that's needed over in the SOC than perhaps at the help desk. Now I'll have somebody from help desk come and wanna beat the shit outta me.

    Pat: 52:59

    This is not a help desk session.

    Keith: 53:01

    But I'll tell you this, this is the way I'll frame it. Back in, I think it was 2010, I did a presentation at LabMan, which we hosted at NCC, and it was about IT organizations' help desks. And one of the messages that I gave there was, help desks are gonna need to be ready for the deluge of applications that are coming your way: all these little apps that are gonna come with textbooks, all this new online learning stuff that you're gonna need to support, and your help desk is gonna be stretched across so many more applications that they're gonna have to be hungry to dig in. They're gonna have to be fast learners. The help desk is gonna dramatically change. I think that kind of what I would consider a SOC analyst has to be. There's just no way around it. There's some core, but they gotta really understand, they gotta dig: "Hey, I see this, it's unusual, and why?" And they gotta be able to connect networking dots, understand IP addressing, and what's normal and what's not normal. And yeah, I know we're plugging in ML and AI and all of that other stuff, but there's still that piece where problem-solving skills are just so huge in this industry. And I just think there's a little bit greater of a test over on the SOC, threat response, incident response side of things than perhaps there is on the IT support side.

    Pat: 54:43

    Yep. No, it makes sense to me. That's a good point. Kyle, anything else from you? I see you kind of nodding your head over there.

    Kyle: 54:50

    Nah, I was just listening. That's awesome. Yeah, that's so good.

    Pat: 54:55

    We just wanted to have smart people on, so Kyle and I can learn and get something new every day. It's wild how this works. People think we do this to be seen or whatever. It's like, nah, we bring smart people on so we can learn. That's the whole trick.

    Keith: 55:07

    Nah,

    Pat: 55:07

    Don't pay attention to the man behind the curtain. Right. It's one of those things, you know, so it's,

    Keith: 55:12

    No, I look at things like this. Like I said, I like to stay connected with former students. I look at what you're doing here and it just makes me smile. It's a great pathway to head down. I just love where so many of my former students have landed and what they're doing, and it's great to share in that. So I just love the direction you have here. That's really cool. It really is. It sounds so condescending for me to say it makes me proud, but I keep saying, I go back to John Wayne and The Cowboys, I always want my students to be better than I am. And when I see students that are doing all this cool stuff and they've gone down all these trails, it just makes me so happy. I recently met for lunch with a former student, and he had posted, and when any of you post via LinkedIn, "Hey, just did this" or "got a certification," you have no idea the joy I have. And I said, I probably screamed louder than you did when you got the score. That's a great accomplishment.

    Pat: 56:24

    Funny. Funny. Yeah. Keith's probably like, yeah, those guys couldn't even subnet. Now here they are talking architectures and podcasts. Yeah, Papa Bear is proud. Oh yeah.

    Keith: 56:37

    That's great. Great to see the growth. That's what it is. And the other thing is, too, you're doing something like this, so you're clearly happy with your path. You're happy with your choice. You're happy with the profession. And I start with students, I just want you all to be happy. When I was at the community college, I remember having a chat with a student. They were fine, they were making it through the curriculum. And I said, you know what, the thing is, you just don't seem happy with this. Would you be happier doing something else? "Well, yeah, but my mom or my dad thought..." Well, no, it has to be you. And it's so neat to see that this is so much a part of you.

    Pat: 57:24

    We're closing the "walk with me" session with Keith Hartranft right now. Man, this has been awesome. We're right around that hour mark, where we try to keep the sweet spot so people don't tune out on us and get off into outer space on this. So, Keith, this is awesome, man. Thanks so much for coming. This has been an awesome conversation. Can't thank you enough. And you mentioned ML and AI sort of on the tail end of this. We're gonna have you back to talk about that, 'cause I find that stuff fascinating. So you'll be back. You'll be back to talk about that and kind of how that

    Keith: 57:51

    Well, you're gonna have to gimme some lead time. I'm gonna have to pull out my UHR and actually figure it out.

    Pat: 57:59

    It's a chalkboard, my man, or a dry erase board, whatever it is. Yeah, the dry erase board. So, thanks everybody for joining this week on the Breaking Down the Bytes podcast. We're here every week, as you hopefully listen to us every week. So make sure you visit our website, breakingbytespod.io. That's where you can subscribe to the show on your favorite platform. Links to everyone are there: iTunes, Spotify, Google Podcasts, Stitcher, pretty much anywhere. Or if you just need an RSS feed, there's one there as well, so you never miss a show. If you're on iTunes, which a good chunk of you are, that's where most of our listeners come from, and surprise, they're the big elephant in the room, throw us a rating on there. That would be awesome. Or simply tell a friend. I think telling a friend in these technically connected times works just as well, sometimes even a little better. So that would be awesome, too. Word of mouth is always great. Follow us on Twitter, like I said, @breakinbytespod. LinkedIn, we have a new LinkedIn page as of this month: linkedin.com/company/breaking-down-the-bytes. facebook.com/breakingdownthebites. The Discord server that we're hanging out in is getting better, by the way. The invite is in the show notes, so come hang out with us in Discord. And that's it. Keith, it's been awesome. Appreciate it. We'll certainly have you back for some other discussions. Kyle, it's been real, it's been fun. We'll do it next week. Rock and roll. So that's it. Keith, thanks. Thanks again. We'll see everybody on the

    Keith: 59:22

    Thank you. Thank you. Thank you all.

    Kyle: 59:24

    Bye.
