Episode 44 · Career Bio · Full Transcript

Breaking In and Locking Down: From Hacker to Cyber Defender

Jason Luttrell  ·  November 22, 2024  ·  1:02:41

Speakers: Joe Patti (Host), Adam Roth (Host), Jason Luttrell (Guest)

Joe Patti00:05

Welcome to the Security Cocktail Hour. I'm Joe Patti. I'm Adam Roth. Adam, how are you doing today?

Adam Roth00:12

It's nice. It's beautiful out, 100 degrees.

Joe Patti00:16

Not quite 100 degrees, but it is nice out. And it is a good day, because today we have a guest who I know we're going to find very interesting. Jason Luttrell. Jason, how are you?

Jason Luttrell00:26

Hey, Joe. Doing great. Thanks for having me, guys.

Joe Patti00:29

No, glad you can make it. You know, Jason, we have a lot of fascinating, interesting guests. So we try to, you know, have like a wide variety of people, but you're cool. You're what, what we call an old school, hardcore security guy, which is like, you know, no, no lawyers, no marketing people or anything. We're going to talk about real security stuff. So that, so that's awesome.

Adam Roth00:52

I was cool once.

Joe Patti00:55

Yeah, well you like to think you're like hardcore and everything with this stuff, but I don't know.

Adam Roth01:00

I'm a softie. It's okay. You're a softie.

Joe Patti01:04

All right, so Jason, like I said, you kind of started out old school with like, you know, real pen testing, hacking. I think you said even a little dumpster diving too. Why don't you tell us a little bit about your background?

Jason Luttrell01:16

Yeah, I mean, so personally for me, I kind of got into security as almost an accident, if you will. I always knew I wanted to do something in IT, if you will. My dad's always kind of laughed at the fact that I never ever worked in food service or anything like that. I was 15 and I said, I'm going to go get a computer job. And he goes, well, that probably isn't going to work out for you. You probably have to do something else first before you end up doing that. And then he was a little shocked and surprised that I walked into a new computer store at 16 and said, hey, do you need some help? And he goes, sure. And so I started helping him.

Joe Patti01:57

He wanted you to do something low paying and unpleasant, basically.

Jason Luttrell02:00

Apparently, yeah. A little character building. Maybe that's what's wrong with me. I don't know. But yeah, I helped run a... I built custom computers and ran a small little store for probably about four years and then worked in IT at a university while I was at Purdue. And again, I figured I'd do something with Windows administration, networking, something along those lines. But I ended up getting on with a company called Crowe. And basically they see themselves and market themselves as an alternative to the big four. And I got in with essentially a risk management team there. And so we would get hired to do internal and external pen tests, network security assessments, different things like that. So yeah, that was my first three years out of school was them training me and then traveling all over the place to do all these different assessments. You know, so everything from, you know, hacking, you know, banks and hospitals and such from a lab and seeing what we could find from an external presence perspective and then, of course, documenting our findings and telling them what we actually had as far as findings was concerned. The internal pen, you know, what we called the internal pen test was a lot more fun because that was going on site. And we did everything there from typically the night before we would do some recon, you know, drive around, figure out what the building looked like, and try and find our way to social engineer in. So that's what got the heart rate going a little bit, if you will. You know, you had your get out of jail free card. Excuse me. And that was in case you got caught, basically, was to tell them that this was authorized and it was signed and all that kind of fun stuff. And then if we got caught, people have to make phone calls to verify that you are who you say you are and that kind of stuff. And dumpster diving was certainly a part of that. It was rather disheartening, I would say, to tell the truth.
About probably 30 to 40 percent of the time, I would say, we'd find some really good stuff in the dumpster that people just don't shred things. You can imagine the type of things you find at a bank where the tellers are not shredding bank account numbers. All sorts of other stuff. We found death certificates and just all sorts of nonsense that you would never ever think would actually be out there. But that's the kind of stuff that we were finding on these pen tests. And then we used some of that information in some cases, especially figuring out who worked at that location and things like that, to try and social engineer our way in so that we could find a way behind the security essentially to find a conference room to sit in and plug in and start hacking internally and see how long we could take it before we eventually got kicked out or planted a Wi-Fi router or something like that.

Joe Patti04:56

I guess if you're going to jump into a big pile of garbage, it's a little more gratifying when it actually turns up something useful.

Adam Roth05:04

That brings up two points for me. Your life was so much more exciting than mine, Jason. I used to type at 13 years old into a database addresses so this computer store can send out things in the mail. And I got paid basically in video games. I think the first payment I ever got was Crush, Crumble and Chomp, which is a video game back like 40 something years ago. And the second thing is, oh my God, I remember about, I don't know, maybe five, six years ago, I could be wrong, when these guys were doing this authorized pen test on a guy to get out of jail free card and broke into a court. And when the police came, the police came like, we're arresting you. It goes, oh, we have a get out of jail free card. And then they're like, yeah, that agency does not have permission to do that. This other agency does. And they said they want you arrested. Do you remember that one? Do you remember that, Joe, or Jason?

Joe Patti06:01

I remember hearing about that. That's kind of the nightmare scenario, but I mean, that's a good segue to, especially when you're traveling and doing, I think most people learn to drink if they did it beforehand when they're doing that. So what do we have in today here?

Jason Luttrell06:16

Yeah, so my drink of choice is, those who will know me, know me well, is a gin and tonic. So mine, preferably the gin, is Hendrick's. And then I know a lot of people say you need to use a cucumber with Hendrick's. I'm not a cucumber guy, I'm more of a lime guy, so heavy on the Hendrick's and then a good tonic, which for me is the Fever-Tree.

Joe Patti06:40

Oh, you have like gourmet tonic? I got the Schweppes from the supermarkets, the cheap stuff, you know?

Jason Luttrell06:48

Yeah, I mean, the Fever-Tree is expensive, but I will tell you, New Amsterdam's not bad. But the Fever-Tree, the thing I found out about this is, I think it was during COVID, is we found out that you can order like a bulk set of these bottles for dirt cheap on Amazon versus the grocery store. So I load up and go for the premium tonic, if you will. Awesome.

Joe Patti07:11

Well, nice. Well, cheers. Good to hear that. I'm going to have to get some quality tonic now. We always learn something new on this show, even if it's just drinking. And to our wonderful audience, if you're learning something and enjoying yourself, please help us out. Like, subscribe, share. If you're watching on YouTube, if you're on Spotify, the other platforms, please follow us, leave a comment. Tell us what you like to drink, how you make a gin and tonic. Leave us hate mail. It's cool.

Adam Roth07:41

Or send us gin and tonic. We need engagement. We need gin and tonic. You can send it to us, too.

Joe Patti07:46

Yeah, you know, that's the other, if there's anything I miss from COVID, which is not very much, it's that at one point, like, you know, people were just mailing us, shipping us liquor constantly. All those virtual meetings, they're like, no more bars, but virtual happy hour, you know. I had a whole closet full of stuff. I felt like I was at it.

Adam Roth08:08

I was on the airline. I had like 60 different small little mini bottles and

Jason Luttrell08:16

Meanwhile, I load up on the industrial size Hendrick's bottles to get, of course, the most value, right? That's what's most important.

Adam Roth08:24

So that's why I get the- Well, I didn't buy the small bottles, thank God.

Jason Luttrell08:27

It makes sense.

Joe Patti08:28

Yeah. That's even better value, Adam, when you don't actually buy anything.

Adam Roth08:33

Good play. Do you remember years ago, I'll just segue to one thing, when we worked together and then we had a company sending us bottles every holidays?

Joe Patti08:45

Like, you know, three or four bottles from one company. Yes, and as a matter of fact, I'll tell you a funny story. There's a little bit of a digression, but during the COVID thing, you know, we collected stuff. We got so much from, you know, from vendors and of these virtual cocktail hours and everything. And there was one of them, I had a lot of stuff with, who I was not only friends with but, not only the business with, but I was friends with them too. And during one episode you talk about what we're drinking. I'm like, yeah, I got some bottle bourbon here. Someone sent it to me, I don't know who. And it ended up it was these people who I'm also buddies with who got... They were kind of teasing me, but they came, gave me a bad time, and they, like, you know, sent me in the mail, I got a picture of myself with the caption saying, like, oh, yeah, some guy sent this to you. So I... So again, my friends from Eversec, I'm sorry. I know, it was you. Thank you very much. You're very much appreciated. And this is not a sponsorship or anything, just a thank you to my friends.

Adam Roth09:48

Well, it's not a sponsorship either, but I'm still using that, I forgot what it was, that sound thing. I won at a contest, so I have a lot of Eversec stuff in my house. I've won a lot of contests.

Joe Patti10:02

There's a lot with them. Yeah. Oh, wow. But so Jason, yes, so you didn't just do, that's why I said that's cool. That's old school stuff. You didn't just do the old, oh, hire you and scan your website or whatever and find something wrong and do a little report. You did the thing where like, you know, you'd start from nothing and say, physically break into the place, go and plug in some bad stuff, really get in, like, almost like, I hate to say like movie stuff, but that's kind of cool stuff they do in the movies when they show it, right?

Jason Luttrell10:33

Yeah, I mean, the whole premise, of course, was to prove, you know, because I mean, you know, and this was like, I've been in security for 20 years. So, like, this is the type of thing, you know, 20 years ago, people didn't, like with the media that we have now and all the stories we have, all the different hacks that we have and some of the crazy hacks that we have now, even supply chain hacks that people kind of thought was a pipe dream kind of deal. Like everybody, for the most part, everybody kind of seems to be a little bit more wise to everything now. They kind of know what the realm of possibility is. 20 years ago people didn't really think that. So we were working in some cases with banks and hospitals where the IT guy who didn't authorize the audit, this is more the CISO or in some cases the CEO who would authorize this. They're authorizing it but then they're not telling anybody in IT, or maybe one person, that this is happening. And a lot of those people in IT think this is crazy. Like there's nobody that could ever break into the bank. No one ever would walk in and plug in a Wi-Fi access point and try to hack us. And a lot of it was just to prove that it was absolutely possible. Like my favorite one was a bank that we walked in in the South and he wanted us to go at the data center. And we're like, man, why are you wasting our time? You want us to go to the data center and do all this? And he goes, listen, just try. Do your best to do what you need to do. So we were driving around at night at the data center. It was not really well lit. And we actually ended up with a rental car on a golf cart path accidentally.

Joe Patti12:03

And Jason, I assume when you say data center, I'm talking a real data center, not like a closet in the basement in the corner or something. The real one, the building with the security. OK, so that's it.

Jason Luttrell12:14

Actual bank data center, which I'm guessing they don't have anymore these days. But 20 years ago, in the middle of the Deep South, that's where we found ourselves. Found a few entry points at night, and so we kind of knew what we were going to do in the morning. We didn't really think we'd be able to get in. We were able to kind of see that they had kind of a man trap with a gate at the front and things like that. But what we noticed is they had a job board behind the security gate inside. So you had kind of your man trap, and then once you got authorized through that gate, then the front desk was behind that, and they had a job board there. So we said, well, hey, why not send somebody in there and tell him he's looking for a job, and he'll just stand there and take some notes at the job board and then see what happens. So we send somebody in, he's looking at the job board, he's taking notes and making nice talk with the friendly receptionist, and about 10 minutes later, she disappears. She goes somewhere and just leaves him. And that's when he kind of looks around and he's like, yes, this is it. Takes off down a hallway, finds a conference room, finds a closet and plugs in a Wi-Fi router, plugs his laptop in and just, you know, gives us a call on the phone and goes, hey guys, I'm in. And immediately sets up access for us. And we start hacking all sorts of different stuff in the bank, you know, and, and it, you know, we weren't, you know, we, we tried to go low and slow, of course, at first, just to, to not raise any alarms. And then after several hours, we would really ramp it up. And what was surprising at that point too was sometimes they would see you once you really ramped things up and then there were other times that they wouldn't know anything happened until someone had domain admin. Which sadly, that still happens today somehow.

Joe Patti14:01

Just so everyone knows for the audience, a low and slow attack basically means it's when you go in, you don't just do this massive scan or make a lot of noise on the network because you might get caught. You do things very slowly, lightly, you touch a few things. Stealthy. Stealthy. Thank you. That's right. That's right. But I guess you progressed beyond that. They can't see anything.

Adam Roth14:22

I have a clarification. When you say bank data center, was it owned by the bank or was it owned by a third party? It was owned by the bank. You know, I've had this conversation with somebody that Joe knows, I don't want to say the person's name, and we argue, right? He's like, Adam, I'd rather be at home hacking into my underwear, you know, getting access to something than doing a physical pen test. And I'm like, physical pen tests? Don't get me wrong, both are very good, and they have their own use cases, but getting into a place raises a lot more concerns physically than a remote pen test. Again, they both have their own use cases, and I love the idea of doing a physical pen test that becomes a cyber pen test. So, that's my feeling.

Joe Patti15:14

Adam, are you sure that wasn't that James Bond movie where Q tells Daniel Craig, I can hack in my underwear more than you can, I don't know, break into sunglasses?

Adam Roth15:23

I just broke, I just brought that up. Stop. But it wasn't, it wasn't, it was, I'm just going to give you the initials and I'm not going to say the name. It's DM. Are you thinking?

Joe Patti15:36

Yes, I'm thinking. I'm not, I'm not getting it.

Adam Roth15:38

We worked with him. All right, we'll talk later, Joe. We'll talk later. Sorry. He said that, but the point I'm making is we had these conversations when I worked for you, and we're like, people don't... Oh, him? Yes.

Joe Patti15:53

Oh, I know who you mean.

Adam Roth15:54

Okay, sorry. We don't block our jacks. We don't put locking mechanisms. We don't do physical layer stuff. We don't have a... Even though 802.1X, for those who don't know what that is, we don't block MAC addresses. We can spoof MAC addresses. Everything is about layers of security, whether you're using cameras to detect motion or other things. We should know these things, and that's, it's very scary when somebody can physically get into that. Think of it this way, the last thing I'll say is, imagine somebody breaking into your house and getting into your underwear drawer, into your drawer where your jewelry is, and looking for things. It's that bad when it's happened to a corporation, in my mind. I

Joe Patti16:36

Well, also, Jason, let me say now that, I mean, we kind of know, but like the technique is, you'd have someone, you know, get into the facility, but he's not there to park himself. Like you were saying, he's there to drop something so that the rest of the team can get in. He goes in, gets out, but then you guys... have to have your way in. That's the idea, right?

Jason Luttrell16:55

Yeah, generally. Although I would say, Joe, that the majority of times we were able to get in and stay in for half the day. Really? We'd find an office. And we'd generally go in at 8:30, 9 o'clock, 9:30. And we would watch strategically to kind of go, OK, well, like another example, someone shoulder surfed in. Like he went to the back, lit up a cigarette, stood there, had a fake ID card that was just blank. So he kind of blended in. He's got an ID card, hopped on the phone, right, he's on the phone having a fake phone call, you know, having a smoke, finishes his smoke when he notices someone holds open the key carded door for him, and they just, oh, go right in, no questions asked. Finds an office of somebody that happens to be out, finds a, you know, if we wanted to be a little more brazen, we would hit up a conference room or something like that, you know, and eventually, of course, you know, then they'd find us and usually someone would question us, although, you know, some people don't like confrontation and they just say, hey guys, we've got the room. Like, oh, sorry, we're here working with, and then you drop the name of the IT person. They're, oh yeah, you're here with so-and-so, okay, cool. No checking, no nothing. It's, it's all about, you know, they just, they just inherently trust and we don't want conflict, and that's one of the worst things you can have from a physical security standpoint. Anybody watching this, if you get a chance, Google the movie Sneakers, where they break into the location

Adam Roth18:15

and they create a level of anxiety that the person does not want to confront them anymore and buzzes them in. Whether you're wearing a tool belt, carrying a set of pizza, or showing a fake badge, a lot of these techniques really do work because people don't question people that create a sense of urgency. So, think about that.

Joe Patti18:39

Okay, so Jason, something I always wanted to ask, but I guess I never got around to asking. You know, a lot of people who are into, you know, computer security are inherently like, you know, computer people, whatever. Some are very shy, some very social. Not the kind of people you would think of who are going to do that kind of thing. I mean, which to me takes a lot of guts. I mean, it takes a lot of chutzpah, presence. I mean, are there more the guys who specialize for that and live for it, or do people learn it? I mean, there are some, they're just like, they could never fathom doing that. They're always out in the van or something.

Jason Luttrell19:12

Yeah, you know what's interesting is when I first did it, I was scared out of my mind, because here I am, just coming out of college, they're training me to do some of this stuff, and yeah, I was unbelievably timid about that. But it was more of the thing like, at Crowe, they rotated us in and out, right? So some weeks I'd be doing pen tests, some weeks I'd be going into the bank as a friendly, and doing a network security audit, network security assessment on all sorts of different, some weeks I would be doing the external pen tests and doing social engineering that way, whether it was sending fake emails with a link or calling people up asking them for their password, which was ridiculously easy, that type of stuff. But you got to sit there and watch the people that had done it for a while and then you go, oh, all I'm doing is just, I'm just lying and being a good actor, essentially, but I'm actually helping people, right? Like there's this conflict there a little bit internally. But it was kind of scary in that once I did a couple of them, I found it to be pretty easy and not real scary, you know, for that matter. I was only almost arrested once.

Adam Roth20:24

I was just going to ask that.

Jason Luttrell20:27

So, you know, there were a couple of times where people were like, oh man, we almost called the cops on you guys, like that kind of thing, right? But then, you know, we had the get out of jail free card and we were very friendly once they, once they caught us, you know, then we fully complied. We didn't try to get out of it or anything like that. It's not, you know, you're not trying to do anything like that. But yeah, there was one time and it was probably nine or 10 o'clock at night. We're in the Midwest and we're dumpster diving and finding all sorts of crazy stuff because this bank office shared a building or shared the building with all sorts of other people, lawyers and all sorts of other stuff. And it turned out all the data that we found, none of it was the bank's. It was the lawyers and everybody else that was... Oh, God. Thrown away all their stuff.

Adam Roth21:09

Did you send the bill to them?

Jason Luttrell21:10

We should have. We should have. Someone from the bank knew... I think, if I remember correctly, I think the bank was the landlord and the bank was literally going to go over to the lawyer's office and say, hey, we just did this audit. Here's what they found. Just thought you'd want to know. Do you remember in Sneak...

Adam Roth21:25

Do you remember Sneakers, where they broke into the bank and then the next day he comes in to get the check? He goes, well, it's a living. And then the woman was typing the check up back then. She goes, not a very good living. That's right. Yeah. So I have one more question, Jason. Yeah. Was, was there a certain type of person? It could be gender, I don't know, because I've seen online on LinkedIn where women seem to have an easier ability to do this than men. Women are considered, and I'm not saying it's true or less threatening, men are more accommodating, because most of the time it's men that are confronting the women, and the women are like, oh no, I'm okay. Is that true or you don't know?

Jason Luttrell22:14

It's 100% true. The success of the women that we had on the team of doing pen tests and, for example, calling for passwords, I mean, it was way over 50% for the women. And she was good at it. And she just has a nice soft voice and just very disarming and was able to convince people very easily. And she was, you know, you know, these girls were great at it. Meanwhile, as guys, you know, or some random guy calling on the phone and yeah, it's just a, it's, it's funny how it's just, it's just a very different presence kind of thing, I guess I would say that depending on who you're talking to and who's actually making the request can make a big difference in the success or failure of that operation.

Adam Roth23:03

There are municipalities like, you know, organizations that have trains, airports, and other things that do announcements, and it's usually a female voice, don't take my word for this, Google this, that's informational, and when there's more of an alert, more of a command, like, stand clear of the closing doors, it's usually a men's voice, next stop, you know, West 14th Street, you know. Think about it, look it up.

Joe Patti23:33

I never thought about that. You know, I'm thinking about the subway, exactly what you're saying. Yeah, all the rude stuff is a man and all the nice stuff is that female voice. Wow, I haven't played, I didn't even know it. You've been socially engineered. I've been totally socially engineered so well, I didn't even know it. Wow, that's impressive.

Jason Luttrell23:53

Yes, I did want to mention, so the one time I almost got arrested, when we were dumpster diving in that dumpster, we were kind of looking across. It's probably a couple hundred yards across. It was like a CVS or a Walgreens. Pretty well lit. And this bank building, this bank office was lit enough. We had our car there, but we turned the car off. It was a rental car, of course, because we didn't put the trash in it and all that kind of stuff. And we looked over there and we saw that people were looking over at us and were like, we better be ready, like someone's probably coming. And sure enough, here come the cops. They were ready to take me away because apparently, in the state that we were in, there was someone with my name that was wanted for some sort of warrant. And they kept like drilling me, making sure the ID was valid, all this stuff, asking me for my social, like all sorts of crazy stuff. And eventually they're like, okay, he's good. So that was a little interesting at that point.

Joe Patti24:55

But the funny thing was... Did you say to them something like, look, if that was me, do you think I'd get a fake ID with the same name on it? How stupid could I be?

Jason Luttrell25:03

Right, yeah. Yeah, it wasn't adding up on my end, but for some reason they were, you know, this town, that was probably the most action they had seen in quite a while. So they were a little interested in what was going on. Did you show them the letter? Yeah, so we showed them the letter, we told them that we had already called the bank, and then I think that guy actually drove over and showed up, if I remember correct. I don't think they were that far away, because we told them the cops were there. The interesting thing, though, is when we were done, no one from the bank was there at that time, but when we were done, the cops were like, okay, so the person that called us said you were putting stuff in your trunk. And we're like, oh yeah, and he's like, what'd you find? And so we started telling him what we found and he's like, oh no. So in the end, the cops are like, wow, that's cool you guys are doing that. Like, you know, stay safe out there, you know, thanks for what you're doing, you know, whatever.

Adam Roth25:55

Can I make a suggestion for the future? Yeah. Oh, I know somebody that did this, this is really bad, but not exactly what I'm saying. I know a person who had a friend who sold a house and they dug up the backyard and they put a skeleton and then they put the dirt over it so if the person ever dug up, what you should do next time you do one of these is put a Halloween skeleton in your trunk so if they do open the trunk and they see it, it'll be okay.

Jason Luttrell26:22

I'll call you to bail me out, Adam. It's fine.

Adam Roth26:24

No problem.

Jason Luttrell26:26

Seriously, that's devious. Yeah.

Adam Roth26:30

Well, but you know, like, there are people who actually have those hands hanging out of their trunks. Have you seen those? Yeah, I don't suggest you do that either.

Joe Patti26:37

That's funny, the first two times you see it, after that you're like, alright, alright, you know. Yeah, exactly.

Adam Roth26:42

Until you see their hands moving, because they have the moving hands now too.

Joe Patti26:45

Oh, that I haven't seen them moving. Yeah, they have that too now. That's creepy. You see, that's it. When I see these things sometimes, you're like, that is the pinnacle of robotics and our technological civilization. A prank.

Adam Roth27:00

Well, you know, it's funny. I was looking at LinkedIn, to divert for a second, and they showed the last 10 years of Boston Dynamics. And these, even though they look like robots, the actions and movements they take is eerily real. So if you make it look like a human, and you give it the AI, and you have these robots moving like a human, you don't know what's going on. Maybe we'll have these Boston Dynamics robots do dumpster diving instead.

Joe Patti27:31

I don't know. I mean, I've seen those things. They're amazing. They do. They do all this stuff. All this jumping around to like, how do they do that in machine? And then you think to yourself, well, you know, unless you run in a circus, what are you going to do with those things?

Adam Roth27:46

Those are law enforcement and more for soldiers because they can. Yeah. I mean, I'm not saying they don't do other things with it, but. Those are more military grade, Joe.

Joe Patti27:55

Well, Jason, did you ever have a robot come after you? That'd be pretty crazy.

Jason Luttrell27:59

Thankfully, not yet. I hope that's a never have I ever, hopefully.

Joe Patti28:07

Wow. Well, that's some great stuff. That's really cool. But you've been out of that for a little while. You're doing some more different stuff now, right?

Jason Luttrell28:17

Yeah, the travel was difficult for sure. And so then at that point, I just made the rounds here in the Columbus, Ohio area where I live just going from, you know, from working for a bank to retail to medical, you know, healthcare. So kind of making the rounds from a vertical perspective, doing security engineering and things like that. The thing that I would say that the pen testing side always helped me from the aspect of never trust anything. If someone would say, oh, well, it's not a big deal that we've got this open web server internally. They'd have to get in and whatever. And I'm like, nope, nope, nope. You can't think like that. You can never assume that you're secure. You have to think worst case scenario, that if someone is already in, then what are they gonna be able to do? And that's what helped me be successful in that, I would say, is being skeptical and trying to help people understand that you can't have that level of trust in your own environment.

Adam Roth29:20

So I'm the opposite of that. I used to tell Joe every single day when I worked for him, Joe, you realize there's somebody on our network, right? Have no, I have no empirical evidence that they are, evidence, but I'm gonna assume that they are. It goes to, stop that. And I, because, because we know in the back of my head that's always true, but we don't want to say that out loud. And my feeling is, is, like, look, we talk about zero days, right? That's a vulnerability that's not been discovered. That means pretty much everything has a zero day, everything does. And everything's about layers of security. Are you using DLP or data loss prevention? Are you using micro-segmentation? Are you using a NAC, a network access? I mean, some of these things are more antiquated than others. Are you using a SIEM? Are you using use cases? If you're not doing multiple layers of security, then you're pretty much leaving the door open for anybody to get in. And as much as I say that, we all still make stupid mistakes, including myself. We all, oh, did I close the door? Did I actually put a deny any? Things that we forget to do.

Joe Patti30:24

Well, the mistakes of the forgetting things are one thing. That's one of the big things in security is trying to find everything and cover it. Because like we say, the bad guys only have to find the one thing. And like I've said over and over and over again, it drives me nuts when people know about stuff and don't fix it. That to me is really tough to justify. It's not my job. Because Jason, tell us as a pen tester, I've always said, if there's a weakness, if there is something wrong, a bad guy will find it. They will find it eventually. Don't think they're gonna gloss over it and no, no, no, they'll see it.

Adam Roth30:56

It's not my job. It's not my job. It's somebody else's job. That's what people say all the time, Joe. Come on, let's be honest.

Joe Patti31:04

Yeah, but they shouldn't.

Jason Luttrell31:06

And in many cases too, I guess I would say too, it's the basics. Everybody's so worried about all these different complex attacks and things like that, and they certainly happen, but man, in so many different scenarios, it's the basic stuff. It's the Colonial Pipeline attack from, what was it now, two, three years ago. It was a stale account that no one had used forever. Vendor account that was just sitting there and, you know, it should have been disabled or deleted and instead it wasn't. Attackers found it and logged right in. Like, it's the basics.

Adam Roth31:36

Let's get more generic. It's the physical attack on a bank that didn't unplug their wire to their jack. It's the hospital that has a camera on the outside that you can physically unplug. I'm not saying that the enterprise organizations don't harden the things more, but there's so many basics. It's the Wi-Fi with the guest account that's published on their website so you can connect and then traverse and move forward or elevate privileges just from that alone because other people are logging on with admin accounts on the guest network because it does both types of SSL. We know that's true.

Joe Patti32:17

Oh yeah, everything, if it's a problem, it will be discovered. So Jason, more recently you've been working on something that we've talked about a lot because it's really foundational and really important to a lot of the latest attacks too. Identity and privileges. So how did you get into that and what have you been doing these days?

Jason Luttrell32:36

Yeah, so after I made the rounds of doing security, you know, security engineer, security architect kind of stuff, I kind of had this decision point in my career: do I move into management in one of these, you know, one of these companies? And I had, you know, an opportunity to, or I was approached by a vendor, you know, and they said, hey, you know our solution so well, you've got a lot of background and experience and working with customers, like, come work for us and manage this region. Um, and that's the route I chose. So I've been working from home for, I don't know, 10 plus years now, at least, um, you know, way before COVID happened and way before everybody goes, wait, working from home, like, what are you? What's that?

Joe Patti33:17

Trendsetter.

Jason Luttrell33:18

Awesome. And it was great. You know, at the time I had young kids, so we get to, you know, they get to stay in the hotel, go swimming and all sorts of stuff. And Daddy'd go off to work and meet with customers and do everything. Then we'd drive home together and it was awesome. Awesome for that stage of life.

Joe Patti33:33

Oh, you took them on the road with you and everything? Oh yeah. Oh, wow. You're a cool dad. That's awesome.

Jason Luttrell33:38

Yeah, it was great. I mean, they were young enough that we didn't have school to worry about, stuff like that. My wife came along. It was fantastic. So yeah, it was better from just the work-life balance overall. It was great. So I've been on the vendor side now for, like I said, I think 10 plus years. But about six years ago, I had a recruiter reach out to me and goes, hey, I've got this interesting company that I think you need to look at. You know, you kind of fit the profile for what they're looking at, but it's called Preempt. And wasn't really looking at the time, but I said, well, sure, let's, you know, how all those stories start out, right? Like, well, I'm not looking, but sure, I'll, yeah, we'll have a conversation. And basically what they were doing was they were, you know, at the time they were kind of marketing themselves as like an identity firewall. Basically with the premise of attackers are just logging in. And it was funny because at the time I was working at an endpoint company where we would have customers get angry because they're like, guys, someone clicked on a phishing site and they gave up their credentials and now the attackers are in and you didn't catch it. And after I kind of shook my head and tried to... You gave them the keys.

Joe Patti34:56

Right, right.

Jason Luttrell34:57

I tried to form a sentence that wasn't condescending and say, well, OK, have they dropped malware yet? Because if they haven't, I can't help you. And we saw a lot of that, right? I mean, one of the vendor companies I'd worked for was a phishing company, where we did phishing technology. And we would send out, you know, we would host a platform, essentially, where customers would send out phishing emails. And you'd see how high of a success rate you would have, and all that kind of stuff.

Joe Patti35:26

You sent them out, so everyone knows, this is one of those things you sent out for, like, testing. For testing. Test people, and then teach them. You weren't actually phishing people. Fully authorized. Yes.

Jason Luttrell35:35

Fully authorized phishing tests. And that was the point as I was talking to that recruiter and then talking to the folks at Preempt where I said this one other time before in my career when Zscaler was recruiting me. The more I thought about it, I went, why doesn't everyone have this? And that was kind of the point where I said, you know what? I'm going to make the leap. I'm going to move into this opportunity. And so I moved into the identity side of security at that point with Preempt for a couple of years there. And everything was going pretty well. We were starting to really make some noise and starting to sell really well, we had some good customers. We kind of rebranded and branded away from the whole identity firewall and basically just educating people on the fact that at Preempt we were protecting Active Directory and no one really paid much attention to Active Directory. Everybody was focused on a lot of other stuff and once we started educating people that Active Directory was a nearly 20-year-old technology at the time, or maybe 20 years plus, and hadn't seen a lot of security improvements over the years. And you can still, you know, the fact you can still check a button to never have a password or check a button to go back to DES encryption that was old, you know, however many tens of years ago, that really started to make some noise.

Joe Patti37:00

Yeah, and so everyone knows Active Directory is the part of Windows, particularly in a big enterprise, that has all the identities, that has all the user IDs, all the passwords, everything about you that lets you get into things, all your privileges, and it's kind of what, when we talk about the bad guys getting in, and they get in and then they do stuff, that's like the first thing they're looking for, because that gets them everything.

Adam Roth37:23

And just to add also, you know, Jason and my, our path has crossed twice, and Joe, your path crossed once with Jason, but I learned a lot from you, Jason, with the second time I passed across regarding identity, which is why I was so excited that you were coming on the podcast, because there's so much to learn about identity detection and prevention and management. People don't realize it's an underrated technology that people really, they never really hear about it. But then the big thing to hear is about passwords, and they don't put two and two together. So I wanted to make sure I brought that out.

Jason Luttrell38:04

Yeah, that the whole password thing, you hear the death of the password, you know, and different articles and things written like that. And that sounds great. It's a pain in the butt to actually implement and actually do it and do it well. You know, unless you're using YubiKeys everywhere and taking it with you everywhere where you might have to reuse a YubiKey. I mean, it's not easy. It's not cheap. So it's going to take a while.

Joe Patti38:30

Yeah, Jason. We had our first episode was Passwords Must Die, where we ranted on how we can't wait till passwords are gone. And I rant on that occasionally. And then back a couple episodes, someone much more distinguished in the security field than I did kind of said get over it.

Jason Luttrell38:50

They're not going anywhere. So we have another episode coming out as a follow-up to our first episode: you will die before passwords will die. Yeah, I mean, the whole thing with passwords, I mean, my whole stake on it is, or my whole take on it is, like, if we can educate people properly to use a password manager and to have passwords that are different for every site that they have. Don't reuse your passwords. Make sure your password manager is strongly secured, whether that's LastPass, 1Password. I know LastPass had a breach. Of course, the LastPass breach, they can't get in unless they have your master password, so don't make your master password a five-character or seven-character password. Make it 15, 20 characters, make it complex.

Joe Patti39:40

That's part of the issue that they were allowing some of that stuff at least for voice back.

Jason Luttrell39:44

Right, exactly. I would say there's ways around it. There are ways to mitigate that risk. But it's all about education. But at the same time, kind of pointing back to what I just said, people are lazy. They don't see the point in the value of actually doing that. And that's part of the problem. What are you going to do?

Adam Roth40:03

That's humans, right? So yeah, and that's funny because we have a short that's on LinkedIn and YouTube and we talk about, you know, password managers. My dad has been using a password manager for 20 years. He's been using a book that says password manager. The good news is you can't hack that password manager because I think it's air gapped. However, you know, if you lose it, you're screwed. So, yep. It really depends on how you look at it and it's funny because when Joe, when I work for Joe and we're working at another place, we dealt with a different EDR company and that EDR company, the guy walks in, everyone has laptops and everyone has it and this guy has a notebook and a pencil and I turn around and I'm like, why are you using a notebook and a pencil? Because I formerly worked at the NSA. I want to see someone hack this. So, you know, people have different use cases, different methodologies, but a password manager is important. Joe and I have had this argument about different password managers, which one's better. I personally think eventually every password manager will be compromised, but that's another story. So, you know, choose the one you want.

Joe Patti41:17

Actually, you want to have some fun? Jason, why don't we see if we can call up Adam's dad and like get his passwords out of him? What's his phone number? No, let's not.

Adam Roth41:26

My dad will say a couple, my dad, I think I treat my dad well. He'll tell you go F yourself probably.

Jason Luttrell41:34

Well, that'd be a good show. Well, I mean, I guess a couple of points I would say there is number one, you have to make sure that the password manager of your choosing is well secured, meaning tie Google Authenticator to it, tie some sort of additional MFA to it. They're all coded the same way. And if you log in from a different location or something like that, they make you type in your Authenticator code as well. So don't go with the most convenient, I'm logged in constantly all the time kind of stuff. And then number two, written down passwords are amazing. Like we used to educate people, don't do that. And in certain situations, and actually thinking back to the pen testing I did, like back in the days we had Rolodexes, go look it up kids. You look under P for password, people would write their passwords down in the Rolodex under P for passwords at their desk.

Adam Roth42:23

Yeah, I got one better. The people that put the passwords under the keyboard in the doctor's office. And it's even better than that. The password is literally sitting on top of the monitor. Use this password to get in. I'm like, come on man. This is PII, PHI. Come on.

Jason Luttrell42:38

Oh, no, it's fine. Yeah, exactly, like, you can't do that stuff at work. But yeah, like in your dad's situation, Adam, at home, like, sure, you know, throw it in a safe or something like that, you know, so that if you get broken into or something like that, it's a little harder to get, or, you know, hiding that kind of thing. But yeah, you know, writing it down on a piece of paper is not the evil that it's made out to be.

Joe Patti43:01

Well, if you do it correctly, like everything. And frankly, I guess I am a little disappointed. Maybe I was a little too ambitious. I thought passwords might actually go away. But it seems like you're reflecting a lot of the prevailing wisdom we're hearing lately. It's like, no, they're not going away. But handle them correctly and realistically, I guess, is the other thing.

Adam Roth43:21

Yeah. So I've seen a lot of places, they don't use passwords recently, whether it's logging into an app. Some of the banks, you might have a password, but a lot of them are kind of not getting away from that. They're like, open your app, it's a push to action. What number was it? 23, and you put 23. So a lot of the job apps I've seen that people use on LinkedIn, they'll turn around, they'll send you the text number, and you get in, and there's no password associated with it. So a lot of people are getting this push to acknowledge apps. So that's not so bad. But you know, the other way is people will compromise the endpoint meaning the phone. So if they really want to get in, and you're targeted, you know, they're going to get that information probably anyway.

Joe Patti44:14

Yeah, so let me ask you, along those lines, one of the new technologies is passkeys that's come up. And I know every time you go in, it's something with Google and some other places like want to store your passkey, want to store your passkey and everything. And it's something that removes the password. It makes things easier. I'm not going to go into the details of it. But, you know, we had asked someone back probably close to a year ago, are you actually seeing anyone using this? And the answer was no. What do you think? Are you seeing people actually using that or is it still not quite there?

Jason Luttrell44:46

So, I guess a couple of different points there that I think are interesting. Number one, I just upgraded my phone to iOS 18 which now has a passwords app built in to iOS 18. So, part of the problem to me is everybody wants to store your passwords and passkeys. Some people like me have a separate password manager that I paid for and I don't have it as part of my OS. I like having everything within the same ecosystem, but maybe not my passwords. Doesn't seem like the best idea to me. So a little segregation of duties there. But a lot of these password managers can store passkeys for you as well. But to me, part of the way I try to live that out or consider those things as kind of in a twofold kind of way is number one, if I don't know exactly how it works, I'm not doing it. If I don't fully understand exactly how it works and I can easily explain it to someone like they're five, probably not going to do it. And then number two, if I go and do it and I start using passkeys, can my wife do it? Can I teach my kids to do it? Like, it's not the easiest, it doesn't seem like anyway, the easiest thing in the world to do and use on a day-to-day basis. And so for me, that's part of the reason why I haven't really pushed into the whole passkeys thing for all of my personal logins at this point.

Joe Patti46:11

Well, I'll tell you, I'm kind of with you on that because I also use a separate, I'm a big Apple nut whatever, but... Yes, you're not. Yeah, I'm just a nut. But I do use a separate password manager because I do use Linux and some other things too. And, you know, I've got to say, the whole thing with passkeys is I've kind of, I might use them myself because they're, not that mature, but also I've kind of said why. The integration with the password managers, they're really nice. I mean, it's so seamless. It fills things out. It asks you, do you want to store this thing? And the ones, you know, now that have the, they'll generate the, you know, the two factor code for you and put it right in. There's no reason to use, not use two factor with that. It's so easy. It's seamless. Yeah, I know what you mean.

Adam Roth46:55

Password managers serve a really good purpose. I'll do a non-morbid reason and a morbid reason. From a non-morbid reason, you know, you can share the passwords with your family for certain accounts that you don't want to start creating multiple logins or you can't. So whether it's your Netflix, Netflix, please don't email me and share and sharing your accounts or whether it's something else. Now, the morbid reason is you die, you go away and you want your wife, your husband, your significant other to have access to your social media accounts and stuff that you want them to say, Oh, Adam's no longer here. Goodbye. Those are good things too. If you put your stuff in a safe with your password manager, at least they can get into it and get into everything. Not so bad, right?

Jason Luttrell47:43

I'm 100% with you on that, Adam. My wife, we have a death document. This is the document you go to if I get hit by a bus. It's one of the ways that I tell my wife that I love her and we talk about it and this is what happens if something happens because I've set all this stuff up and I need to make sure you have access to all this. And you're 100% right. I've done the same thing with my parents essentially being like, hey guys, I know you use a password manager. I need to know your secret key or whatever it is for their password manager, so that if something happens to them, I can log in then to their bank and take care of their affairs and things like that. Obviously, you have to have trust there and things like that, but I'm with you, Adam. You need to think a little bit morbidly, just kind of a, hey, in a worst-case scenario, how is this going to work out? We've seen the crypto wallets that go missing and stuff like that, right? Like that's not as morbid, but you know, that's a lot of money you're potentially losing access to. So you've got to make sure you have backups and have appropriate controls around that.

Adam Roth48:43

And it's funny, my dad, the same one with the password manager book, he has sent me no less than 10 times his updated documents for where he's being buried and what the access codes are. So I have to, I have, I store all my stuff in a, in a shared, um, drive and I have to try to figure out which one is the latest and try to chronologically put it. Had it been electronically done, it might have been easier, but everything's about management, version control, and how do you get access to it.

Joe Patti49:15

I keep setting up shared folders for my family, you know, whether it's my dad or my kids or the wife, whatever. I can't get anyone to use it. I go, don't they teach you about this stuff?

Adam Roth49:28

I mean, nuts. I mean, the good news is my wife and I had the morbid conversation about if I go away, but she's more about like, Adam, if I was to kill you today, how much money are you worth? Now she realizes, unfortunately for her, I'm probably worth more alive than dead, which is why I'm still on this podcast.

Joe Patti49:48

You see, that's smart. That's why I don't like life insurance. I don't want anyone to have an interest in me dying. You know, let's get real here. Come on. No, well, this is fun stuff. God, the time flies. We could really just go on for quite a while talking more about all this stuff.

Adam Roth50:10

Yes, Adam. So Jason, here's a good question for you. And I know Joe wants to know, use your crystal ball. What do you see for the future, or what do you predict?

Joe Patti50:24

Preferably lottery numbers, but security stuff too is okay.

Jason Luttrell50:28

I mean, so to kind of fast forward, I was at Preempt for two years. We got acquired in the middle of COVID by CrowdStrike, and I was at CrowdStrike for four years. And then I just recently left for an identity startup called Oleria. I like to say Oleria, shout out to Oleria. I like to say that I have a bad habit with startups. Startups are just, they're exciting. You're in charge of a lot of different things. Everything's changing every single day. You get to be valued and have input on a lot more things than you do at a large 8,000 person company like I did at CrowdStrike or insert other big tech company here. The things I'm seeing from an identity perspective is, like, everyone's trying to figure out how do we unify all of this together as part of our security program. Because identity for a long time was kind of this other thing that was done over here on the side, and it's not really security, right? It's the people that put in, you know, oh, so, you know, Adam's starting a new job today, so I gotta put Adam's name in, and oh, he's in this role, so I'm gonna add him to this application here and this application here. And, you know, now we've got IGA solutions, identity governance and access solutions that try to spider out and create accounts everywhere with specific roles and privileges and things like that, but they're immensely complex, and the issue is, like, trying to manage all of that is just insanely complex. How do we make that, and obviously with complexity means more customization, right? Which is great, but the downfall of that is complexity breeds possible issues, I guess I will say, right? There's more opportunity for mistakes. There's more opportunity for over-provisioning and things like that. And so I think from a future perspective, I think I'm seeing a lot of people trying to understand how can we combine everything together, tie everything together to handle things like least privilege and privilege of giving people just-in-time privilege.
Instead of having 200 admin accounts, I have three. And when I know that someone actually needs access to the system to do this specific action, they go get approval through a system, they get approval through that system and it's actually approved, their access gets elevated, they make the change, which is correlated with a change control, they attest that that action is done, and then their privilege sinks back down. So that way, when the attack happens, there's a lot less from an attack surface perspective.

Adam Roth53:08

You brought up a good point. So watch Joe's face turn red. This leads me to the physical security information management.

Joe Patti53:19

When Adam says PSIM, that's a drink. We'll drink first, but I'm going to tell you why. His favorite subject.

Adam Roth53:31

Have things that integrate. We have the things that get SSO. We have the things with the APIs. We have plenty of things out there that don't integrate, whether it's your access control system to your business, whether it's your camera system that doesn't integrate necessarily with your controls on your network. The more we integrate things, the more we bring things into one pane of glass. If somebody leaves an organization, a lot of organizations, while they might have a SSO, the things that they don't have, and part of HR, part of, you know, decommissioning accounts or somebody off-boarding. We don't have the ability to close everybody's accounts, and sometimes those non-contiguous access or accounts, you can move laterally from one to another because they might be integrated into the network, but the single sign-on is not. And this is the vulnerabilities that we have. Thoughts?

Jason Luttrell54:36

Yeah, I mean, I've seen arguments both ways, you know, kind of to your point, Adam. I mean, there's, you know, if you have SSO and you get a hold of an account, now you've got access to all these different applications. And, you know, when I was at Preempt and then moving into CrowdStrike, that's where identity threat detection and response, ITDR, really started to become super heavy, is how can you detect a bad login or an anomalous login, a login that's unlike one that we've ever seen before from this person, whether that's by some sort of a payload maybe, something in a packet that we see, or maybe it's some sort of metadata that we've never seen for this person before, whether that's a GeoIP associated with a location we've never seen that person before, or maybe the first time accessing specific services on a system we've never seen that person access before, which could be an attack and could be bad, and it just could be that they just accessed that system for the first time. Who knows? And that's where the difficulty in that lies. And at the same time, you know, it's, I still think it's a good practice to have some, some non SSO accounts or some local accounts for break glass situations. A lot of people seem to miss, you know, again, from a worst case, a worst case scenario perspective, you need to have those types of accounts out there and put the controls on them. So, um, you know, that happened recently.

Adam Roth55:59

I'm sorry to interrupt, but that happened recently when certain SSO companies, integration companies didn't have the ability to function because they lost their connectivity due to some kind of outage, whether it was DNS or something else.

Joe Patti56:15

Oh, that's right. That's right. So everyone knows SSO is single sign-on, where you sign in once and you get access to all your stuff. And there are companies that provide this. He had one of them. When they had an outage, people couldn't get into their stuff. And that was not a good day for a lot of people. But all right. But we're looking forward to better days. We keep working on all this stuff. It's funny, you know, like we say, things move ahead and the prevailing wisdom and how we handle things keeps changing. There's a lot to keep up on. You know, people have some great ideas sometimes and they just don't work out practically. So we do something that does and we move on. So I think that brings us to last call. It's about time for that. And so, I mean, Jason, what are your final thoughts? I know we could go on with a lot of stuff, but how do you put it all together with this, or what's on your mind?

Jason Luttrell57:12

I guess I would kind of reemphasize what we kind of talked about before is when you're kind of going through your day-to-day from a security perspective, think about worst case scenarios. Think about shortcuts that people may have taken or think about, okay, let's pretend someone already has access to the system. Now, what can I go in and do? How can I actually go in and use and abuse the privileges that I already have? Because man, that's one of the biggest things I've seen in the last six years that I've been on the identity side of security is people are literally just logging in. And so then the question becomes, what privileges do they have once that attacker just logs in? How can you detect them? How can you box them in? And then how can you respond? You know, that's one of the hardest things to do is when people have access, you know, in many cases, of course, it's not just about, well, I'm just going to disable their account. Well, you know, that sounds nice, but what happens during the X number of hours that that session token is still active and I can still use my privileges, even though you disabled my account, if my session token is active, which allows me, you know, access, what am I going to be able to do? Can I quickly revoke that session token in some way, shape or form to kick an attacker out? So just thinking through these scenarios, I think really kind of helps you understand what the controls are that you have in place today and what responses you have and the gaps that you might have, and then planning around that.

Adam Roth58:44

I think it's safe to say that what you're kind of saying, I'm not saying this is exactly what you said, but organizations should have tabletop exercises asking these exact questions. How do you know? You got to run through this, you got to brainstorm. You got it. You got to prepare for the inevitable, I think. Or treat it as inevitable, and what type of plan do I have in place to combat that once it happens, or what type of procedures do I have to combat it? The knee-jerk reaction always is, like you said, disable the account, unplug the proverbial network cable. But sometimes it's not the best way because you don't get enough information. So you have to be experienced on your incident response or have a third party incident response company that knows how to handle this and direct you.

Jason Luttrell59:35

Yeah, and I mean, I would say a lot of my customers that I've worked with over the years, and especially from an identity standpoint the last six years, they're the ones that, you know, they move forward with, you know, the solution I'm selling, you know, other solutions that they're buying, and they're doing their own pen test. They either hire external pen testing teams, or if they're a large organization, have their own internal red teams. Man, those are the customers that are successful because, you know, it's like this little game inside the company, like, oh, I know the red team is going to be doing a test here soon kind of thing. And then see what alarms and bells and whistles go off. And if they don't, why not? Is it an alert that we got in our system, but it didn't flag us for a specific reason? Like testing your own systems out and then tuning them to make sure that the next time that kind of thing happens, I'm going to be aware that something's actually going on and now I can take appropriate action when that happens. Those are the customers that are the most successful.

Joe Patti01:00:32

I was going to say, and that's great to hear from someone on the vendor side to selling solutions. It's like, you know, we always tell people, it's like, yeah, in security, you don't buy the thing and you're done and you're protected. There's a little more to it than that. There's actually a lot more to it than that. A lot more. This is complicated stuff. You got to know how to use it. You got to know what's right for you. There's a, you got a ways to go. Absolutely.

Adam Roth01:00:53

Yeah. Joe and I. Your final thought. My final thought is stop putting passwords in note files or notepad on your machine because they're always found. People always get access. People always elevate. You don't even have to have this identity protection system because the threat actors already know there's going to be somebody somewhere who's going to have a notepad that has the admin credentials that ends with one, two, three exclamation point and they're going to find it by searching the network and then they're going to find another way to elevate privileges. So stop putting your passwords on a notepad on your machine or on the network. At least keep it in a notebook password manager that's off the network where hackers hopefully can't traverse from the computer to the paper.

Joe Patti01:01:43

I mean the Windows notepad.

Adam Roth01:01:45

Yeah, the Windows notepad, I'm sorry. As of now, I don't think people can traverse from the machine to the paper notepad. I don't know if there's a TTP for that yet, but there might be soon.

Joe Patti01:01:59

That's Elon's robot, maybe. We'll find out soon enough. Okay, this has been a lot of... This is fun, hearing about a lot of this stuff. This has been some cool stuff. But Jason, thank you so much for joining us. This really has been a blast. You've done some very cool stuff and have some great insights. We really appreciate it. Yeah, it was great to catch up with you.

Jason Luttrell01:02:21

Yeah, thanks for having me, guys. I really appreciate it. That was a lot of fun.

Joe Patti01:02:24

Okay, thanks everyone for listening and we will see you next time. Take care.