1
00:00:00,000 --> 00:00:04,760
Hello, and welcome to Tech Talks, a podcast by the Technology Education Collaborative.

2
00:00:04,760 --> 00:00:09,020
TEC is an Arizona nonprofit that supports the secure, thoughtful use of technology by

3
00:00:09,020 --> 00:00:16,080
empowering people with information about the technology they use each and every day.

4
00:00:16,080 --> 00:00:29,960
Today, we're talking with Gavin Klondike, a senior security consultant and host of the

5
00:00:29,960 --> 00:00:31,680
YouTube channel NetSec Explained.

6
00:00:31,680 --> 00:00:33,440
Thanks for being here, Gavin.

7
00:00:33,440 --> 00:00:34,440
Thanks for having me.

8
00:00:34,440 --> 00:00:36,040
So this is the way this works.

9
00:00:36,040 --> 00:00:39,600
We bring in a technologist and we ask them the same five questions.

10
00:00:39,600 --> 00:00:42,640
Everyone gets the same five questions, but obviously we get different answers.

11
00:00:42,640 --> 00:00:43,640
So you're ready?

12
00:00:43,640 --> 00:00:44,640
Let's go.

13
00:00:44,640 --> 00:00:45,640
All right.

14
00:00:46,200 --> 00:00:48,720
What would you say your title or position is?

15
00:00:48,720 --> 00:00:51,740
So my title is Senior Cybersecurity Consultant.

16
00:00:51,740 --> 00:00:56,840
What that means is that I help companies realize the business value of cybersecurity investments.

17
00:00:56,840 --> 00:01:00,880
Right now I specialize in penetration testing, mostly around application security, cloud

18
00:01:00,880 --> 00:01:02,540
security and AI.

19
00:01:02,540 --> 00:01:06,260
Companies hire me and my organization to come in, break their stuff, and then turn around

20
00:01:06,260 --> 00:01:07,260
and tell them how we did it.

21
00:01:07,260 --> 00:01:08,260
Sounds like fun.

22
00:01:08,260 --> 00:01:09,260
Absolutely.

23
00:01:09,260 --> 00:01:12,840
So that brings us nicely into question two, which is, what does that look like on a daily

24
00:01:12,840 --> 00:01:13,840
basis?

25
00:01:14,040 --> 00:01:18,240
On a daily basis, as a senior consultant, what I do is kind of go hand in hand with

26
00:01:18,240 --> 00:01:22,120
sales and pre-sales, and then I do a lot of the engagement work itself.

27
00:01:22,120 --> 00:01:25,260
So typically we'll have a conversation with the client and then understand and identify

28
00:01:25,260 --> 00:01:27,640
what exactly they're looking for.

29
00:01:27,640 --> 00:01:29,700
Typically they're looking for a penetration test.

30
00:01:29,700 --> 00:01:35,280
And so a lot of regulations require penetration tests now, especially around PCI and SOX compliance.

31
00:01:35,280 --> 00:01:36,940
So this is now a requirement.

32
00:01:36,940 --> 00:01:39,820
Other companies like to be a little bit more proactive with their security.

33
00:01:39,820 --> 00:01:42,940
So even though they're not regulated, they want to make sure that they can give their

34
00:01:42,940 --> 00:01:47,740
clients and their users a strong reassurance that they take security seriously.

35
00:01:47,740 --> 00:01:52,100
So they hire us, we get an understanding of what their environment looks like, what their

36
00:01:52,100 --> 00:01:56,460
concerns are, what keeps them up at night, and then we go through and perform scoping.

37
00:01:56,460 --> 00:02:00,600
So in scoping, we identify how large is the application, how long is that going to take,

38
00:02:00,600 --> 00:02:03,340
and then we go through and start doing the engagement work.

39
00:02:03,340 --> 00:02:08,020
Typically when I do the engagement work, I first will test all sorts of different applications.

40
00:02:08,020 --> 00:02:12,980
So these will be desktop applications, web applications, sometimes mobile applications.

41
00:02:12,980 --> 00:02:16,680
And so I need to get an idea of what it looks like from a user's perspective just to understand

42
00:02:16,680 --> 00:02:17,860
what the heck the thing does.

43
00:02:17,860 --> 00:02:20,980
And then from there, I'll go through and do an application mapping.

44
00:02:20,980 --> 00:02:25,460
So I'm looking at every piece of functionality, including the stuff that users will typically

45
00:02:25,460 --> 00:02:26,460
ignore.

46
00:02:26,460 --> 00:02:29,420
From there, I start doing some threat modeling, some light threat modeling, and then I'll

47
00:02:29,420 --> 00:02:34,780
do exploitation and try and find, okay, if I enter a one here instead of a two, do I

48
00:02:34,780 --> 00:02:36,680
get access to somebody else's information?

49
00:02:36,680 --> 00:02:40,320
Can I do something like SQL injection and get access to their database?

50
00:02:40,320 --> 00:02:43,020
Can I get access to their server or maybe some files uploaded?

51
00:02:43,020 --> 00:02:46,000
And then from there, we write a report and have a conversation with the client, walk

52
00:02:46,000 --> 00:02:47,400
them through what we found.

53
00:02:47,400 --> 00:02:51,460
We try to highlight and identify certain themes like, hey, I noticed that you have really

54
00:02:51,460 --> 00:02:55,320
strong server-side controls, but your client-side controls are really weak and we want to work

55
00:02:55,320 --> 00:02:56,320
on that.

56
00:02:56,320 --> 00:02:57,760
Sometimes it's cryptography related, right?

57
00:02:57,760 --> 00:02:59,460
You don't really have strong crypto here.

58
00:02:59,460 --> 00:03:01,280
Here's ways that you can improve that.

59
00:03:01,280 --> 00:03:04,860
And so we like to be very positive, very proactive and say, hey, this is what you need to do

60
00:03:04,860 --> 00:03:06,900
in order to make your system more secure.

61
00:03:06,900 --> 00:03:11,200
Okay, so if you were going to walk me through a hypothetical situation, let's say I came

62
00:03:11,200 --> 00:03:15,020
to you and I have a small business and I accept people's credit card information.

63
00:03:15,020 --> 00:03:16,020
They buy things.

64
00:03:16,020 --> 00:03:17,680
I have an in-house app, right?

65
00:03:17,680 --> 00:03:20,460
So there's an app they can go to to purchase things from my store.

66
00:03:20,460 --> 00:03:24,300
Is that something you would help me with if I was worried about somebody getting everybody's

67
00:03:24,300 --> 00:03:25,300
credit card information?

68
00:03:25,300 --> 00:03:26,300
Yeah, absolutely.

69
00:03:26,300 --> 00:03:29,060
First, I would try to get a better understanding of your application.

70
00:03:29,060 --> 00:03:30,820
How do you process credit card information?

71
00:03:30,820 --> 00:03:32,140
Do you do it in-house?

72
00:03:32,140 --> 00:03:36,140
So that would put you under PCI compliance or do you outsource that through Stripe?

73
00:03:36,140 --> 00:03:38,140
So that would probably be one of my first questions.

74
00:03:38,140 --> 00:03:41,880
Do you run credit card information in-house or do you do that through a third party service

75
00:03:41,880 --> 00:03:42,880
like Stripe or PayPal?

76
00:03:42,880 --> 00:03:43,880
Okay.

77
00:03:43,880 --> 00:03:44,880
All right.

78
00:03:44,880 --> 00:03:48,420
So the third question I have for you is what is your least favorite thing about your job?

79
00:03:48,420 --> 00:03:51,860
Because I don't care how much you love what you do, there's always going to be something

80
00:03:51,860 --> 00:03:54,420
that you may not enjoy quite as much.

81
00:03:54,420 --> 00:03:59,740
That one's a little tricky because I've found a way to make the hard things easier to do.

82
00:03:59,740 --> 00:04:01,260
It's not that they get any less hard.

83
00:04:01,260 --> 00:04:02,500
It's just that you get more used to it.

84
00:04:02,500 --> 00:04:03,540
It's kind of like going to the gym.

85
00:04:03,540 --> 00:04:09,300
I would have to say the things that I like least is probably reporting and probably having

86
00:04:09,300 --> 00:04:12,420
to balance meetings with the engagement work.

87
00:04:12,420 --> 00:04:17,620
When you're more on like that junior or mid-level, you primarily focus on the actual implementation,

88
00:04:17,620 --> 00:04:20,000
the actual hands-on keyboard engagement work.

89
00:04:20,000 --> 00:04:23,380
But when you get to my level, you have to do a lot with client calls and interactions

90
00:04:23,380 --> 00:04:27,300
and then you're pushing the technical side of the business and saying, okay, here's how

91
00:04:27,300 --> 00:04:29,340
we're going to build standards around our reporting.

92
00:04:29,340 --> 00:04:33,700
Here's how we're going to build standards around our pen testing pipeline or our sales

93
00:04:33,700 --> 00:04:36,220
pipeline from the technical side.

94
00:04:36,220 --> 00:04:37,460
Here's how we do our scoping.

95
00:04:37,460 --> 00:04:40,980
Right now, one of the big projects that I'm taking on is writing vulnerability templates

96
00:04:40,980 --> 00:04:45,260
so that my juniors and people underneath me can take those and it makes their report writing

97
00:04:45,260 --> 00:04:46,260
process easier.

98
00:04:46,260 --> 00:04:51,700
The reporting and having to balance the client conversations with the business work and the

99
00:04:51,700 --> 00:04:53,060
engagement work on top of it.

100
00:04:53,060 --> 00:04:54,540
So a lot of responsibilities.

101
00:04:54,540 --> 00:04:59,120
I think an interesting thing I'm just going to point out is that in my conversation with

102
00:04:59,120 --> 00:05:04,960
many different kinds of technologists, it is incredibly common to hear that sometimes

103
00:05:04,960 --> 00:05:10,680
it's exactly that reporting and to some degree, client interaction that falls on the less

104
00:05:10,680 --> 00:05:13,240
enthusiastic side for them.

105
00:05:13,240 --> 00:05:18,040
Like the farther they get away from the actual hands-on kind of working with technology,

106
00:05:18,040 --> 00:05:21,400
you know, there's an inverse relationship to how much they're enjoying what they're

107
00:05:21,400 --> 00:05:22,400
doing.

108
00:05:22,400 --> 00:05:23,400
Yeah, absolutely.

109
00:05:23,400 --> 00:05:25,520
Let me, all right, I'm going to tell you this about myself though.

110
00:05:25,520 --> 00:05:28,600
So it's not the writing the report that I have a problem with.

111
00:05:28,600 --> 00:05:33,300
It's everything I find, I get this little happy chemical that says, yay, you found a

112
00:05:33,300 --> 00:05:36,620
finding and then immediately it goes to, you're going to have to write that up now.

113
00:05:36,620 --> 00:05:39,420
So you don't even get the full dopaminergic experience.

114
00:05:39,420 --> 00:05:41,620
You just get to have like a false high.

115
00:05:41,620 --> 00:05:47,980
It's like a quick high and a quick low and I'm just like, I was on a, I was on an assessment

116
00:05:47,980 --> 00:05:52,500
recently and I was investigating what I thought was going to be one thing, very likely to

117
00:05:52,500 --> 00:05:53,500
be a finding.

118
00:05:53,500 --> 00:05:56,900
And then I wound up finding six other issues around it that I wasn't even looking for

119
00:05:56,900 --> 00:05:57,900
at that point.

120
00:05:57,900 --> 00:06:01,400
Every single one of those are now new findings that I have to document and so I have to sit

121
00:06:01,400 --> 00:06:06,920
and spend a whole day writing a report when, you know, usually it'll be, ideally what you

122
00:06:06,920 --> 00:06:10,600
should be doing is documenting and reporting as you're going through and you're finding

123
00:06:10,600 --> 00:06:11,880
the findings.

124
00:06:11,880 --> 00:06:16,480
But if you find a lot of them, then you have to essentially dedicate a whole time to time

125
00:06:16,480 --> 00:06:19,960
block and say, okay, this is the period of time when I'm going to do the assessment work.

126
00:06:19,960 --> 00:06:22,000
This is the period of time when I'm going to do the report writing.

127
00:06:22,000 --> 00:06:24,400
And so that really takes me out of it.

128
00:06:24,400 --> 00:06:25,400
Okay.

129
00:06:25,400 --> 00:06:29,180
So what then, going to our next question, is something that you love about your job

130
00:06:29,180 --> 00:06:32,820
where you get to have the full experience of the high.

131
00:06:32,820 --> 00:06:35,460
What is a high you get that doesn't crash?

132
00:06:35,460 --> 00:06:37,000
I get to break things.

133
00:06:37,000 --> 00:06:38,220
That is my job.

134
00:06:38,220 --> 00:06:41,460
Can you give me an example of that?

135
00:06:41,460 --> 00:06:43,500
I can only talk a little high level.

136
00:06:43,500 --> 00:06:44,940
Everything else that I have is under NDA.

137
00:06:44,940 --> 00:06:49,140
Again, my job is to break into companies and tell them how I did it.

138
00:06:49,140 --> 00:06:56,960
So it's really fun to talk to a company and say, hey, I changed my user ID from a two

139
00:06:56,960 --> 00:06:59,840
to a one and now I got access to somebody else's user ID.

140
00:06:59,840 --> 00:07:03,600
Anyways, I wrote a little script that just keeps guessing all these different numbers,

141
00:07:03,600 --> 00:07:08,860
you know, go up one, two, three, four, and now I enumerated a hundred thousand user accounts

142
00:07:08,860 --> 00:07:11,480
and here's all of their database information.

143
00:07:11,480 --> 00:07:13,980
And you just had this right here for me to exploit.

144
00:07:13,980 --> 00:07:16,960
So you enjoy stopping the hearts of CEOs.

145
00:07:16,980 --> 00:07:19,820
My favorite thing is stealing data.

146
00:07:19,820 --> 00:07:22,180
I love stealing data.

147
00:07:22,180 --> 00:07:26,660
When I was a kid and I saw the movie Hackers and also a lot of cyberpunk anime, I was a

148
00:07:26,660 --> 00:07:27,660
really interesting kid.

149
00:07:27,660 --> 00:07:31,300
I just love the idea of being able to break in, steal a bunch of stuff and then walk out

150
00:07:31,300 --> 00:07:32,840
and nobody noticed that you were there.

151
00:07:32,840 --> 00:07:36,520
That translates into my professional career where I just really love stealing data.

152
00:07:36,520 --> 00:07:39,460
It's fun to talk to clients about that and say, hey, here's all the information that

153
00:07:39,460 --> 00:07:40,960
you have on your system.

154
00:07:40,960 --> 00:07:43,580
Let's talk about how to keep it protected.

155
00:07:43,580 --> 00:07:48,320
So if somebody was looking into doing this themselves, what is the one practical thing

156
00:07:48,320 --> 00:07:52,600
you think they should do in order to enter this industry and be successful?

157
00:07:52,600 --> 00:07:54,960
I would say embrace self-study.

158
00:07:54,960 --> 00:07:59,260
One of the challenges with penetration testing and security as a whole, it's not as difficult

159
00:07:59,260 --> 00:08:01,200
today as it was when I first started out.

160
00:08:01,200 --> 00:08:05,640
There's a lot of learning resources, a lot of free resources online, but it's almost

161
00:08:05,640 --> 00:08:09,440
like reading a book on how to run a marathon.

162
00:08:09,440 --> 00:08:11,480
It's not going to help you past a certain point.

163
00:08:11,620 --> 00:08:14,700
There's going to be a lot of tutorials and the tutorials are good.

164
00:08:14,700 --> 00:08:19,140
It's a good place to start, but you really need to start practicing on your own.

165
00:08:19,140 --> 00:08:21,060
And so you go to certain resources.

166
00:08:21,060 --> 00:08:24,580
Right now there's the, I recommend LiveOverflow on YouTube.

167
00:08:24,580 --> 00:08:26,740
I recommend John Hammond on YouTube.

168
00:08:26,740 --> 00:08:30,500
Of course, my own channel, NetSec Explained on YouTube, a lot of great tutorials talking

169
00:08:30,500 --> 00:08:34,540
about different perspectives and the thought process and the methodology that people go

170
00:08:34,540 --> 00:08:35,540
through.

171
00:08:35,540 --> 00:08:40,220
Once you get a solid idea of what a methodology is, something that you can copy, then start

172
00:08:40,220 --> 00:08:41,440
doing some of this on your own.

173
00:08:41,440 --> 00:08:44,880
You can get hands-on experience through TryHackMe, through Hack The Box.

174
00:08:44,880 --> 00:08:47,700
You can even go for certifications like the OSCP.

175
00:08:47,700 --> 00:08:52,560
And so those teach you practical skills and usually they'll have a practical evaluation

176
00:08:52,560 --> 00:08:57,980
where here's a server, here's a Kali Linux box, break into this system, have fun.

177
00:08:57,980 --> 00:09:00,940
And so it's this struggle where you learn the most.

178
00:09:00,940 --> 00:09:04,580
So for people who are just starting out, that's part of the game.

179
00:09:04,580 --> 00:09:07,880
Sometimes you have to bang your head on the keyboard and see what falls out, but at the

180
00:09:07,880 --> 00:09:09,980
end of the day, you do need to practice.

181
00:09:10,520 --> 00:09:14,680
All right, so final question is, do you have any community groups that you're involved

182
00:09:14,680 --> 00:09:15,680
with?

183
00:09:15,680 --> 00:09:18,440
Any side passion projects that aren't related to what you do professionally?

184
00:09:18,440 --> 00:09:20,120
Anything you want to share with our listeners?

185
00:09:20,120 --> 00:09:26,480
I recommend for anybody to join either their local 2600 group or their local DEFCON group.

186
00:09:26,480 --> 00:09:28,160
There's one in every major city.

187
00:09:28,160 --> 00:09:33,760
So you can just Google, you know, if you're in Atlanta, Georgia, Atlanta 2600, Atlanta

188
00:09:33,760 --> 00:09:34,760
DEFCON group.

189
00:09:34,760 --> 00:09:38,160
Surround yourself with like-minded people, people who are interested in growing and developing

190
00:09:38,160 --> 00:09:39,160
skill sets.

191
00:09:39,340 --> 00:09:40,340
You'll learn a lot from them.

192
00:09:40,340 --> 00:09:43,660
You'll also have a lot of crossover between people who are starting out brand new like

193
00:09:43,660 --> 00:09:47,820
you and people who have been doing this for years because we remember where we came from

194
00:09:47,820 --> 00:09:48,940
and that's how we got started.

195
00:09:48,940 --> 00:09:51,180
Phoenix 2600 is one of the groups that I'm part of.

196
00:09:51,180 --> 00:09:55,900
I also do a lot of stuff at DEFCON, so I'm with the AI village and we do a lot of things

197
00:09:55,900 --> 00:09:56,900
at DEFCON.

198
00:09:56,900 --> 00:10:01,660
Last year we had the world's largest generative AI red team event in coordination with the

199
00:10:01,660 --> 00:10:03,820
White House and pick an AI company.

200
00:10:03,820 --> 00:10:07,540
Nvidia was there, Google was there, Anthropic was there, OpenAI was there.

201
00:10:07,540 --> 00:10:09,100
They're the creators of ChatGPT.

202
00:10:09,100 --> 00:10:14,080
The third group that I'm a part of that I would recommend people hop into is take a

203
00:10:14,080 --> 00:10:15,080
dance class.

204
00:10:15,080 --> 00:10:20,240
I know it sounds weird, but a lot of engineers focus and double down on their engineering

205
00:10:20,240 --> 00:10:21,240
side of things.

206
00:10:21,240 --> 00:10:23,840
You know, the tech side of things, but you really need to develop some of the social

207
00:10:23,840 --> 00:10:29,400
skills because that a lot of people will say is the hardest part is not just the hard skills,

208
00:10:29,400 --> 00:10:32,560
but the soft skills and being able to communicate with people.

209
00:10:32,560 --> 00:10:33,720
Take a dance class.

210
00:10:33,720 --> 00:10:35,520
It's going to take you out of your element.

211
00:10:35,520 --> 00:10:39,300
It's going to get you more exposed to people who aren't, you know, super techno nerdy like

212
00:10:39,300 --> 00:10:43,660
yourself and it will make you a little bit more of a well-rounded person.

213
00:10:43,660 --> 00:10:47,860
So personally, I recommend looking for either something like country swing or West Coast

214
00:10:47,860 --> 00:10:48,860
swing.

215
00:10:48,860 --> 00:10:51,320
Those are really easy to pick up or salsa, which is also really easy to pick up.

216
00:10:51,320 --> 00:10:52,880
That's excellent advice.

217
00:10:52,880 --> 00:10:55,660
Well thank you so much for taking the time to speak with us today.

218
00:10:55,660 --> 00:10:56,660
Absolutely.

219
00:10:56,660 --> 00:10:58,540
Thank you for having me.

220
00:10:58,540 --> 00:11:02,740
This episode was recorded at the Advanced Cyber Systems Lab at Gateway Community College

221
00:11:02,740 --> 00:11:04,220
at the Washington campus.

222
00:11:04,240 --> 00:11:08,940
The ACSL is a tech hub open to the general public where you can use a 3D printer, record

223
00:11:08,940 --> 00:11:13,780
a podcast, practice advanced tech skills on one of our servers and more all free of charge.

224
00:11:13,780 --> 00:11:16,920
If you don't know how to do any of that, but you'd like to learn, there's plenty of people

225
00:11:16,920 --> 00:11:17,920
here who will teach you.

226
00:11:17,920 --> 00:11:20,960
So come on by and stop into the ACSL.

