Hello, and welcome to Tech Talks, a podcast by the Technology Education Collaborative.
Tech is an Arizona nonprofit that supports the secure, thoughtful use of technology by
empowering people with information about the technology they use each and every day.
Today, we're talking with Gavin Klondike, a senior security consultant and host of the
YouTube channel NetSec Explained.
Thanks for being here, Gavin.
Thanks for having me.
So this is the way this works.
We bring in a technologist and we ask them the same five questions.
Everyone gets the same five questions, but obviously we get different answers.
So you're ready?
Let's go.
All right.
What would you say your title or position is?
So my title is Senior Cybersecurity Consultant.
What that means is that I help companies realize the business value of cybersecurity investments.
Right now I specialize in penetration testing, mostly around application security, cloud
security and AI.
Companies hire me and my organization to come in, break their stuff, and then turn around
and tell them how we did it.
Sounds like fun.
Absolutely.
So that brings us nicely into question two, which is, what does that look like on a daily
basis?
On a daily basis, as a senior consultant, what I do is kind of go hand in hand with
sales and pre-sales, and then I do a lot of the engagement work itself.
So typically we'll have a conversation with the client and then understand and identify
what exactly they're looking for.
Typically they're looking for a penetration test.
And so a lot of regulations require penetration tests now, especially around PCI and SOX compliance.
So this is now a requirement.
Other companies like to be a little bit more proactive with their security.
So even though they're not regulated, they want to make sure that they can give their
clients and their users a strong reassurance that they take security seriously.
So they hire us, we get an understanding of what their environment looks like, what their
concerns are, what keeps them up at night, and then we go through and perform scoping.
So in scoping, we identify how large is the application, how long is that going to take,
and then we go through and start doing the engagement work.
Typically when I do the engagement work, I first will test all sorts of different applications.
So these will be desktop applications, web applications, sometimes mobile applications.
And so I need to get an idea of what it looks like from a user's perspective just to understand
what the heck the thing does.
And then from there, I'll go through and do an application mapping.
So I'm looking at every piece of functionality, including the stuff that users will typically
ignore.
From there, I start doing some threat modeling, some light threat modeling, and then I'll
do exploitation and try and find, okay, if I enter a one here instead of a two, do I
get access to somebody else's information?
Can I do something like SQL injection and get access to their database?
Can I get access to their server or maybe some files uploaded?
And then from there, we write a report and have a conversation with the client, walk
them through what we found.
We try to highlight and identify certain themes like, hey, I noticed that you have really
strong server-side controls, but your client-side controls are really weak and we want to work
on that.
Sometimes it's cryptography related, right?
You don't really have strong crypto here.
Here's ways that you can improve that.
And so we like to be very positive, very proactive and say, hey, this is what you need to do
in order to make your system more secure.
Okay, so if you were going to walk me through a hypothetical situation, let's say I came
to you and I have a small business and I accept people's credit card information.
They buy things.
I have an in-house app, right?
So there's an app they can go to to purchase things from my store.
Is that something you would help me with if I was worried about somebody getting everybody's
credit card information?
Yeah, absolutely.
First, I would try to get a better understanding of your application.
How do you process credit card information?
Do you do it in-house, which would put you under PCI compliance, or do you outsource that through Stripe?
So that would probably be one of my first questions.
Do you run credit card information in-house or do you do that through a third party service
like Stripe or PayPal?
Okay.
All right.
So the third question I have for you is what is your least favorite thing about your job?
Because I don't care how much you love what you do, there's always going to be something
that you may not enjoy quite as much.
That one's a little tricky because I've found a way to make the hard things easier to do.
It's not that they get any less hard.
It's just that you get more used to it.
It's kind of like going to the gym.
I would have to say the thing that I like least is probably reporting, and probably having
to balance meetings with the engagement work.
When you're more at that junior or mid-level, you primarily focus on the actual implementation,
the actual hands-on-keyboard engagement work.
But when you get to my level, you have to do a lot with client calls and interactions
and then you're pushing the technical side of the business and saying, okay, here's how
we're going to build standards around our reporting.
Here's how we're going to build standards around our pen testing pipeline or our sales
pipeline from the technical side.
Here's how we do our scoping.
Right now, one of the big projects that I'm taking on is writing vulnerability templates
so that my juniors and people underneath me can take those and it makes their report writing
process easier.
The reporting and having to balance the client conversations with the business work and the
engagement work on top of it.
So a lot of responsibilities.
I think an interesting thing I'm just going to point out is that in my conversation with
many different kinds of technologists, it is incredibly common to hear that sometimes
it's exactly that reporting and to some degree, client interaction that falls on the less
enthusiastic side for them.
Like the farther they get away from the actual hands-on kind of working with technology,
you know, there's an inverse relationship to how much they're enjoying what they're
doing.
Yeah, absolutely.
Let me, all right, I'm going to tell you this about myself though.
So it's not the writing the report that I have a problem with.
It's that with everything I find, I get this little happy chemical that says, yay, you found a
finding, and then immediately it goes to, you're going to have to write that up now.
So you don't even get the full dopaminergic experience.
You just get to have like a false high.
It's like a quick high and a quick low. I was on an assessment
recently and I was investigating what I thought was going to be one thing, very likely to
be a finding.
And then I wound up finding six other issues around it that I wasn't even looking for
at that point.
Every single one of those is now a new finding that I have to document, and so I have to sit
and spend a whole day writing a report, when ideally what you
should be doing is documenting and reporting as you're going through and finding
the findings.
But if you find a lot of them, then you essentially have to dedicate a whole time
block and say, okay, this is the period of time when I'm going to do the assessment work.
This is the period of time when I'm going to do the report writing.
And so that really takes me out of it.
Okay.
So what then, going to our next question, is something that you love about your job
where you get to have the full experience of the high.
What is a high you get that doesn't crash?
I get to break things.
That is my job.
Can you give me an example of that?
I can only talk a little high level.
Everything else that I have is under NDA.
Again, my job is to break into companies and tell them how I did it.
So it's really fun to talk to a company and say, hey, I changed my user ID from a two
to a one and now I got access to somebody else's user ID.
Anyway, I wrote a little script that just keeps guessing all these different numbers,
you know, go up one, two, three, four, and now I've enumerated a hundred thousand user accounts
and here's all of their database information.
And you just had this right here for me to exploit.
So you enjoy stopping the hearts of CEOs.
My favorite thing is stealing data.
I love stealing data.
When I was a kid and I saw the movie Hackers and also a lot of cyberpunk anime, I was a
really interesting kid.
I just love the idea of being able to break in, steal a bunch of stuff and then walk out
and nobody noticed that you were there.
That translates into my professional career where I just really love stealing data.
It's fun to talk to clients about that and say, hey, here's all the information that
you have on your system.
Let's talk about how to keep it protected.
So if somebody was looking into doing this themselves, what is the one practical thing
you think they should do in order to enter this industry and be successful?
I would say embrace self-study.
One of the challenges with penetration testing and security as a whole: it's not as difficult
today as it was when I first started out.
There's a lot of learning resources, a lot of free resources online, but it's almost
like reading a book on how to run a marathon.
It's not going to help you past a certain point.
There's going to be a lot of tutorials and the tutorials are good.
It's a good place to start, but you really need to start practicing on your own.
And so you go to certain resources.
Right now, I recommend LiveOverflow on YouTube.
I recommend John Hammond on YouTube.
Of course, my own channel, NetSec Explained on YouTube, a lot of great tutorials talking
about different perspectives and the thought process and the methodology that people go
through.
Once you get a solid idea of what a methodology is, something that you can copy, then start
doing some of this on your own.
You can get hands-on experience through TryHackMe, through Hack The Box.
You can even go for certifications like the OSCP.
And so those teach you practical skills and usually they'll have a practical evaluation
where here's a server, here's a Kali Linux box, break into this system, have fun.
And so it's this struggle where you learn the most.
So for people who are just starting out, that's part of the game.
Sometimes you have to bang your head on the keyboard and see what falls out, but at the
end of the day, you do need to practice.
All right, so final question is, do you have any community groups that you're involved
with?
Any side passion projects that aren't related to what you do professionally?
Anything you want to share with our listeners?
I recommend for anybody to join either their local 2600 group or their local DEFCON group.
There's one in every major city.
So you can just Google, you know, if you're in Atlanta, Georgia, Atlanta 2600, Atlanta
DEFCON group.
Surround yourself with like-minded people, people who are interested in growing and developing
skill sets.
You'll learn a lot from them.
You'll also have a lot of crossover between people who are starting out brand new like
you and people who have been doing this for years because we remember where we came from
and that's how we got started.
Phoenix 2600 is one of the groups that I'm part of.
I also do a lot of stuff at DEF CON, so I'm with the AI Village and we do a lot of things
at DEF CON.
Last year we had the world's largest generative AI red team event in coordination with the
White House and pick an AI company.
Nvidia was there, Google was there, Anthropic was there, OpenAI was there.
They're the creators of ChatGPT.
The third group that I'm a part of that I would recommend people hop into is take a
dance class.
I know it sounds weird, but a lot of engineers focus and double down on their engineering
side of things.
You know, the tech side of things, but you really need to develop some of the social
skills, because what a lot of people will say is the hardest part is not the hard skills
but the soft skills, being able to communicate with people.
Take a dance class.
It's going to take you out of your element.
It's going to get you more exposed to people who aren't, you know, super techno nerdy like
yourself and it will make you a little bit more of a well rounded person.
So personally, I recommend looking for either something like country swing or West Coast
swing.
Those are really easy to pick up or salsa, which is also really easy to pick up.
That's excellent advice.
Well thank you so much for taking the time to speak with us today.
Absolutely.
Thank you for having me.
This episode was recorded at the Advanced Cyber Systems Lab at Gateway Community College
at the Washington campus.
The ACSL is a tech hub open to the general public where you can use a 3D printer, record
a podcast, practice advanced tech skills on one of our servers, and more, all free of charge.
If you don't know how to do any of that, but you'd like to learn, there's plenty of people
here who will teach you.
So come on by and stop into the ACSL.