
Our first keynote speaker is a US military veteran, a YouTuber, and the founder of TCM Security. Let's welcome with a big round of applause the most sought-after cyber security content creator and instructor, a hacker by trade with more than 400k YouTube followers, The Cyber Mentor, aka Heath Adams. [Applause]

Namaste. How are we doing? I was told to say "Kem Cho." Ah, there we go. Thank you. Thank you. For five minutes there, I got to feel like Brad Pitt, so I appreciate that. Never have I felt that in my life, so I really appreciate the warm welcome. Today we're going to be covering what I've learned. My name is Heath Adams, and I appreciate you all being here to see the keynote.

Before we begin, special thanks to BSides Ahmedabad for bringing me here; to Depend for answering the phone at 3:00 in the morning when I was going through customs and they did not want to let me in the country (he was clutch there); and to Nikquil for taking me out and showing me hospitality as well. So thank you to the team. Thank you for having me here. I really do appreciate it.

So briefly, who am I? I am the CEO and founder of TCM Security. Primarily my background has been in ethical hacking, though I turned into a teacher just by doing YouTube videos and really fell in love with that. So we are kind of a dual-headed organization that does education and does cyber security consulting. Today's talk is going to be a little bit of background of what I've experienced in both. If you want to follow me on social media, I'm on LinkedIn mostly, YouTube and Twitch occasionally. And then the websites that are down there: depending on what it is, consulting, academy, or certifications.

So, very briefly, why this talk? I had a really hard time figuring out what I wanted to talk about, because when they give you a keynote, they just say, "Hey, come talk at our conference," and they don't give you any direction. So I didn't know if I wanted this to be motivational or a technical talk or something in between. What I decided was that I wanted to cover the lessons that I've learned in the last few years of being in cyber security, both as a hacker and a student and also as a business owner. I think the lessons can be valuable all around. So it's going to cover some of the things I've learned, and then we'll talk advice towards the end. Okay, starting here. So, as a hacker
and a student, what I've learned is that you will never know everything, but you'll likely want to. Probably a lot of us in this room are overwhelmed or have felt overwhelmed by cyber security, especially if you're thinking about the world of hacking. There are so many different unique fields that you could specialize in. You can get into network hacking, web hacking, mobile hacking. We've got a drone hacking village here, which is really cool. There's car hacking. I've seen airplane hacking. There are all kinds of different things that you could specialize in. And in this field, we have the desire and the passion, if we're truly in love with the field, to study, because cyber security changes every single day. There's an Exchange vulnerability going around right now, which is pretty common, right? So we have new attacks, new vulnerabilities, and then we have to figure out defenses for those, and we're constantly studying. So there's always that desire in us to want to learn everything, and there's just no way that we're going to do that.

It's okay not to specialize. If you are somebody that's interested in a lot of things and not interested in one particular thing, I think that's okay. Me personally, if I had a choice, I would probably do network pen testing for the rest of my life and nothing else. But there are days where I'm needed to do web app pen testing, or there are days where I'm needed to do social engineering, and I have fun doing that as well. I'm not an expert in any field by any means. I'm just kind of a jack of all trades, and I think that's okay too. I think there's a lot of pressure on us: you have to be really good, or you have to be the best bug bounty hunter, the best network pentester, the best hacker. And that's not true. You can get by being okay and being competent, and I think I'm proof of that.

Lastly, it's important to find what makes you happy and then use that to stay motivated. So for me, I choose things that I'm studying and I'm interested in once we get to a baseline; we'll talk about that a little bit later. Like, I wouldn't go study something. I can take an example from when I was first starting out in cyber security: my manager said, "Hey, you need to go do this AWS training," and I had no passion at the time about cloud security. So when I was forced into a training that I didn't want to do, it was kind of like pulling teeth. I didn't have any interest, and I really didn't have any motivation to do anything. And then when I took time for myself and started studying the things I was passionate about, I really blossomed and excelled, and I used that to motivate myself. It's little bits and pieces of things that you can do, and sometimes there are things that we have to study that we don't want to study. There are parts of hacking that maybe we have to go through. Like for me, buffer overflows: I didn't want to learn how to do that, but I learned how to do it, I went out and started teaching it, and it made me more comfortable with it. But it was one of those hurdles that you had to get over in order to move to the next step and be successful. So you have to find what makes you happy, what makes you motivated. And you have to stay motivated and keep studying if you want to be successful in this field, because it will leave you behind if you do become complacent.

Because of all of this, it is very, very easy to burn out. Many of you just came up to me and talked to me about the post I made recently about stopping the PMPT live, and that was because of burnout. There's just too much going on at once for me to successfully maintain everything. It came down to a point for me where I was running a pentest company, we're running a YouTube channel, we're doing live streaming and creating content for that, and I also have relationships to manage, friendships to manage. And when you start to notice things falling apart on that aspect, you really have to realize you're burning out, and where to stop and when to stop.

Also because of this, we often have imposter syndrome. I think everybody in this room has probably experienced imposter syndrome, and I'll be the first one to tell you I still experience imposter syndrome. It goes away as you get better, but I don't think it ever truly goes away. If you're the personality type that's in cyber security, you always want to learn more, and with that, I think, comes a little bit of imposter syndrome. And it's easy to want to give up, especially in the world of social media, where you see everybody's successes posted but not everybody's failures. It's easy to say, "Oh, wow, that person is just getting bounty after bounty and they're getting 50,000, 100,000, and I'm sitting here and I can't find anything." Or they're getting jobs and they're getting offers and they're excelling in their career, and I can't find even an interview. So it's very easy to see the successes
on social media and not see the failures behind them, and want to quit because of that.

As a hacker, I think the world would be significantly safer with these three things: if we used stronger passwords, if we used multifactor authentication, and if we received periodic security training. I'll cover this here just a little bit briefly, because I realize I'm preaching to a security crowd, but I did find this while perusing Netflix and I think it's a fantastic watch. So I'm going to show this really quick.

[Video clip] "Password." It was our first password. We can nostalgically remember it, and we used it for everything. Every time we joined another business: "Can I have your password?" "Yes, you can. That is my special word." And then companies started getting quite rude. You would put your password in and it would go, "Weak." "Who are you? My special word." And they're like, "I'm sorry, but the internet has become very popular. We need to strengthen your password." And businesses would insist, "We must have from you a capital letter. I'm sorry. We will not be accepting passwords anymore unless it contains at least one capital letter." And we all momentarily considered our options before deciding to capitalize the first letter of our password. And for a period of time that was fine, but the internet became even more popular. And then businesses started saying, "I'm afraid you cannot join unless you have at least one capital letter and at least one number." Again, less than half a microsecond's consideration before we collectively decided, "You shall be getting the number one at the end of my capitalized password." And for a period of time this was acceptable, until a whole new, unexpected and exciting dawn emerged: a world of special characters. We didn't even know what they were. And businesses would say, "We need a capital letter, we need a number, but we will also require a special character." And we clicked on the button: "Please, can I have some examples of these special characters which you now insist upon?" And we perused them. There they are. I had no idea these characters were so special, until all of our eyes stopped upon the exclamation mark. You're kind of with me. Which we then put at the end of our now capitalized password, just after the one. And it's at this moment that everybody at the London Palladium is thinking, "I should probably change my password. Do that tomorrow. You need to think of another special..." That changed.

Okay. So not only has this been all of our clients, this has probably been all of us at one point in life. Even when we set passwords at 12 or 14 characters, people are still going to pick dictionary words, put a one and an exclamation after it, and call it a day. So that's a constant struggle that we deal with. We deal with getting companies to enact multifactor authentication, and we deal with a lot of these issues where constant user training is required.

As a hacker, what we see on the pentest side, especially if we're looking at an external pentest, is that we're doing a lot of open source intelligence, we're trying to gather data, and we're trying to use that against an organization. Not so much internally, though sometimes, but when we get internal we start looking at passwords from different types of vulnerabilities that are there as well. So if weak passwords exist in an organization overall, it really doesn't bode well for them. So I'm going to give a couple of examples of just what that looks like before we start going into the business side of things.

Here is an example of a recent engagement that we did where we were doing some OSINT on a company, and we're looking at people. This website's called Dehashed. It is a database of breached credentials and breached information that's out there. So anytime a breach is collected, these websites collect them and then store them in databases. What we were after is figuring out if the person had ever been involved in a
breach that we were targeting. And while we don't attack personal email accounts, we still look at personal email accounts, because we want to start gathering data. If you've ever watched a crime show where they start pinning up the pictures and the newspapers and they start drawing the red string and going from there, that's kind of what this is like. All we did at this point was just search a person's name, and their name was unique enough to just show up with some results. We only had four results in this instance, and you can see that we had an AOL.com email address, and then that third one down is actually their email address for their work. So thennet is their work email. The first thing we need to do is start tying this together and say, okay, well, who does this belong to? Does this AOL belong to them, or are we just chasing a dead end? And we can see the phone number that was in one breach actually ties in to the same phone number of another breach from a different email account. So now we know that the phone number belongs to the same accounts, and we know that those are tied together.

We can take different items that we find in breaches and search databases for them to find more information. For example, I could take the phone number and then search that phone number in the database to see if it exists and belongs to any other records. In this case it didn't, but it's still something that we would search for. And then we would take the work email address and search that. And we'll also take the personal email address, like the AOL.com email address, and search that. In this instance, we find 11 records. So we go through there and we start looking at the records. Well, now we start finding passwords. Before, we didn't have any passwords. Now we can tie and associate a password with an individual. We could take that password if we want to and actually search on that password, and then we start finding more information about people. In this instance, you can see that they have an att.net email address as well with the same password. The password was unique enough to be able to identify that person. So in this situation, we went from just having a name to having multiple email addresses. And that red string that we start tying just becomes wider and wider as we start looking at different emails, different passwords, different phone numbers, addresses, IP addresses. This thing even has car VIN numbers in it. So there are a lot of different ways you can track down people.

We could take this and use it to log in. It's called credential stuffing: try to log into devices, VPN, email, whatever it might be, by looking at these passwords and maybe password patterns that exist within this, and just abusing human behavior. We can also just spray something like Winter2021 and just break into your Outlook again. So weak passwords and no multifactor authentication kind of get you into these areas. And this is what we see when we break into organizations. I would say we're still breaking into 60 to 70% of the organizations that we pentest externally, and it's through a combination of weak passwords and, I would say, more companies are moving towards multifactor, but they're either not setting it up correctly, so we're able to bypass that, or they're setting up things like push notifications, and then we can do what's called MFA fatigue, where we just sit there and push a notification to a phone till somebody says, "Yes, leave me alone." And that gets us into their accounts as well.

We can do pretexting, and I think a lot of security training falls short with social engineering and what phishing looks like. This is an example of a phishing email that we would send out, as opposed to the phishing emails that you might see in some of the examples that are out there in training. Those usually have misspelled words, and yeah, those are the basic common ones to catch on to. But what happens when the domain name looks almost incredibly the same, or is the same with a letter change that you can't tell the letter's changed? What if they know information about your organization? In this one, we knew that they had certain network IDs, certain passwords, certain formats that we can abuse, on top of using urgency. So we say, "Hey, we need this completed by Friday. You've got to get it done. It only takes a minute. Don't worry about it." We'll send this out at like 6:00, maybe when they're eating dinner. They don't check the email address. They don't really care. They just say, "Okay, I'll just enter this in, get it done in a minute. I don't want to upset anybody." And this is more of what a successful phish looks like than the examples that we see online. So it really becomes training users to identify things like that, and of course having policies in place. But really, social engineering, weak passwords and MFA are the most common way that we get in, and I think that's the most common way most hackers get in. So, preaching to the crowd, but if there are some things I could change, that would definitely be it.

So as a business owner, I'm
going to switch over to this. Unfortunately, what I've learned is most organizations don't care about their security until they've been hacked, when they'll call you and say, "Hey, I've been hacked. What can you do?" And now they've spent who knows how much on ransom when they could have just paid a fraction of that for security consulting or for proper IT implementation. Or until they've been forced to. So if an organization has insurance tell them, or has a client tell them, or has compliance tell them, then they come around for an engagement or for security consulting. And I would say, unfortunately, that is the majority of what we see, not the minority. But that doesn't mean that we shouldn't care about the organizations that come to us that are like this. We call them check-the-box organizations, because that's all they're looking to do. But it doesn't mean that we should treat them any differently when we're giving them an assessment.

Unfortunately, sometimes as well, we're seen as the enemy when we are the pentester. We have organizations that come through and they think that we are trying to make them look bad, that we're going to get them fired, and we are honestly just there to help them learn and help them improve their security. But it's hard to get some clients to realize that. So you will have in your careers good clients and bad clients. You will have clients that think everything is your fault and will blame you for everything, and you are their enemy. So it's important to know that going into the world of security, especially if you're working in consulting.

Another lesson I learned early on in my career was that no two clients are the same, even though they may appear so. Every client has different goals, and it's your job to figure those out. As an example, I was bidding on an engagement early on. I think I was still in year one of my business. There were two clients, essentially: client A and client B. Client A and client B were very similar, almost identical scoping, IPs, same assessment, everything. Client A happened a couple of months before client B, and I quoted, we'll just make up a number, I'll say I quoted $30,000 for the engagement. And they came back and they said, "Hey, we went with somebody else." And I knew somebody at that company, and they said, "Hey, they ended up paying us $60,000 for the engagement." So there was value there: if you come in too cheap, sometimes companies don't take you seriously. And so, taking that early lesson, I said, "Okay, well, when company B comes around, I'm going to quote them $60,000. I've been here before. I know exactly what's going to happen." And they came in and they said, "You were double everybody else in your price." So I was $30,000 over where I should have been. That was really confusing for me, but it was eye-opening, because I realized that every organization has different goals. And that goes back to checking the box. Company A wasn't looking to check the box. They actually cared about their security. They wanted to have an in-depth assessment done on their organization. They wanted to make sure that everything was found that could be found within their time frame, and they wanted to take a methodical approach, where company B wanted to pay as little as possible and wanted to check a box and make sure that they could continue on in business with their compliance or their shareholders or whoever might be requesting it. So every organization has different goals. If you ever get into business, it's definitely your job to figure that out. But if you do get into consulting, it's important to know ahead of time, even in the scoping process, what the goals of your client are and how you can adapt to the goals of your client. And lastly, competition is a good
thing, both in business and in life, and we'll get into the life aspect of it. But let's talk a little bit about Lamborghini versus Ferrari. These are two of my favorite brands, and I really like this story. Back in the day, back in the '20s, Enzo Ferrari was a race car driver. He started working as a test driver, eventually became a driver for Alfa Romeo, and he did that for quite some time, I want to say the better part of a decade. He was in 40-some races and ended up winning 10 or 11 of them. He was pretty successful as a driver. But race car driving is dangerous nowadays; if you can imagine how dangerous it is now, you can imagine 100 years ago it was very dangerous. Once he had his son, he decided that he was no longer going to be a race car driver. In retirement, he decided to start up a couple of companies, one of them being Ferrari, which is the luxury car brand.

That leads into Ferruccio Lamborghini, who was passionate about racing but was not a racer. He grew up as a tinkerer. He was a mechanic's son and a mechanic himself. He ended up going to school for mechanics, and he went into the military; he was drafted in World War II. He became a prisoner of war in 1945 and was so good at mechanics that they kept him to do their work on the mechanics. Eventually they let him go, and he started using the experience that he had gained along the way to start a tractor company. He wasn't passionate about farming, but he built farming equipment, and he realized, when he was working in Italy, that the farming that was done out there could be done a lot cheaper: you can modify the engine and use a different type of gas and save a ton of money. So he started up a company, and eventually that led to massive wealth. He was very rich. He had a car for every single day of the week: a Mercedes, a couple of Alfa Romeos, a few Ferraris. And he started noticing that, hey, the Ferrari's quality is not that great for what I'm paying for it. They were slow. They were supposed to be race cars; they were very slow, they were very heavy, and their clutches went out a lot. To the point where he ended up going down to the factory to talk to somebody. He wanted to talk to the mechanics about the clutches; he had spent thousands of dollars on clutches. They would not let him be there when they did the clutch replacement. They wouldn't let him see anything. So he eventually just went to Enzo Ferrari himself and said, "Hey, your clutches could be improved. I'm burning through clutches like crazy. This is not what a high quality car should be doing." And that led to him saying, "You may be able to drive a tractor, but you'll never be able to handle a Ferrari." I can only imagine that Lamborghini probably looked something like this. So it took a total of four months from that conversation for the Lamborghini 350 GT to be released. Four months. All it took was just one negative conversation to spur some competition. And the 350 GTV was not a great car. They ended up redesigning it into something like this. Eventually this GT took off. So they released a 400 GT, and then they got into the Miura and so forth, so far down the road. So they started getting into race cars and sports cars.

The reason I tell this story is because of the innovation that Lamborghini and Ferrari have had on the car world. Without that, without what had happened, there was not one company to push the other company. Who knows where Ferrari would be with the clutches if there was nobody to say, "Hey, your clutches are bad. I'm going to go do something better." So competition is a good thing. Some of us don't like to compete, and that's okay. But when competitors do come out, it's usually good for the industry, because it drives innovation and drives creativity and overall is an improvement.

So taking that into what I've learned and the recommendations: you should embrace competition. If there's somebody that you want to mark in your mind and say, "I want to be like that person," I think that's okay. But you need to be realistic with your expectations and realize that you're not going to get
there overnight. So that's where the "yet run your own race" comes in. If you're striving to be a runner and you're running 10-minute miles, and the person that you want to be your competition is running six-minute miles, you're not competing in the same class currently. But you can compete with yourself, and I think that's okay. If you want to compete even with people that are similar to you and be better and then improve, I think that's okay. Your goal should be to get better every day by just a little bit. If you're running a race, for example, and your mile time improves to 9:59 from 10 minutes, then you just ran one second faster than you did the day before. Again, we don't see everybody's failures. We don't know what it took or how many years it took for somebody to get to the point where they can run a six-minute mile. It could be genetics. Some people are smarter than others. Some people are more talented or gifted in certain subjects. It doesn't mean that you can't get to that point. Just realize that some people have other advantages, and you'll have other advantages that other people don't. So you have to just embrace yourself and run your own race, get better every day, and you can have mile markers and milestones that are other competition and use that to improve yourself.

And it's okay to not know everything yet still want to know everything. Again, we touched on this early on, but if you are in the field of cyber security, there are so many different topics that you will just never be able to get to. I have a backlog of training that is, I can't even tell you, how many courses long, and there are so many courses that I want to do and I'm passionate about and I think I want to study, but there's just not enough time in the day to do that. So you have to find the things that you're truly passionate about, that you will wake up in the morning and want to study.

I think there are baselines in security. A lot of people focus on certifications, and I realize this is coming from me as somebody who's a certification vendor, but I think that you only need to go so far with certifications. Once you get to a baseline and you get to a point where you can get a job in a field, if a certification helps there, that's fine. But when you start getting into specialties and things that might really interest you and drive you, there aren't really great certifications for exploit development or drone hacking or car hacking, but there are trainings related to that. So chase trainings, chase things that you want to know, chase things that will drive you to still stay passionate. And again, you don't have to be a master of anything. If you want to be a jack of all trades, that's fine too. But if you want to specialize, just do it, and chase what wakes you up in the morning. Especially as you start getting into niche and advanced fields, you might find trainings for them, but certifications and other things don't really start to matter anymore.

You should know that not every client is your friend. And again, yet we must
treat them all equally. There are times that I will write emails that say very, very mean things and then delete them. But I don't ever hit send, and that's, I think, what's important. So you need to learn how to navigate the field, and it does take time to understand what clients want and what their goals and expectations are. I think that starts early on with the sales calls and scoping calls. If you're running a business, that's on you. If you're working in an organization, that's usually on the sales team, unfortunately. But if you can get involved in that process, or learn the process and understand what it is your client is about and what they're hoping to get, that will help. But it's also important that, regardless of whether they're checking a box or whether they want in-depth security testing, your one week for both clients should be the same. You should do everything in your power to do what you can. Sometimes that makes a client upset. Honestly, we just had a client last month that wanted a check-the-box engagement. We found a ton of vulnerabilities, broke into their network, and he replied back when he got the report, "This is not what I signed up for." And, you know, it is what it is. We're still going to come in and do the same job that we were assigned to do.

This is really important, and this is kind of why I was talking about the passwords and the MFA and everything else: as a security professional, it's our job to educate those who are not. So you might sit here while we are joking about the passwords and talking about MFA, and a lot of this you probably already knew. Everybody here is from all walks of life. Some of you are advanced security engineers. Some of you are looking to get into the field, and that's great. We understand a lot of these concepts, but there are a lot of people out there that don't. This is the first talk that I've given in person at a security conference in a few years. The reason being is that I've been talking at non-security conferences, and I think that I'm more valuable. I can get up there and I can preach passwords, I can preach security, I can change people, and then if those people can go change other people and take the lessons that they learned, then we're making the world more secure. Same thing goes for you. If you are a security professional, educate your family, educate your friends. Not everybody knows what you know, so don't hold the expectation that they do. So educate them. Hopefully they'll educate others, and we can make the world a safer place by doing that.

And lastly, taking breaks is not quitting. It's important to know when to take a break. A lot of us will get overwhelmed again with imposter syndrome, with burnout, with everything else. A break could be a 15-minute walk if you're having a long day. A break can be an hour of playing video games. It could be taking a week off. If you just got through a very hard certification and you need some downtime, take a month. Listen to your body and know when you're ready, because at a point you hit a curve that starts to be detrimental. I talked about that earlier: if you try to do too many things at once, you start to burn out. You start to negatively affect things around you. So understand your body, listen to your body, make sure that you're taking breaks when you need to. And with that, I'm out. So thank you so much for having me. I appreciate you being here, India. Thank you so much. [Applause]

Anyone has any questions for Heath?

Hello, sir. I have many questions, but I'm going to ask very few of them, obviously, because of the time
constraints. My first question is to you uh like all of us are running a race right if that race is going on wrong direction. So what's the advantage in in this modern era there are so many so-called cyber professionals who don't don't know which path to follow. So in today's world what is the actual path for the hacking? Sure. Uh so if you could hear the question is uh what if you're what if you're running in the wrong direction right and what with with all the information that's out there how do we know what the right direction is. Um a lot of that comes down to due diligence in the sense that you need to
do your own research. Um because yes you're right there will be if you look up how do I get into hacking there will be five different articles on five different ways to do it. Um when I was first starting getting into cyber security I I did a lot of research. search. I looked up articles, blogs, Reddit, um talked to people and what I came to was a general consensus. What do most people say that I need to do? What are uh through my research, what are the certifications or training that's on uh what that's on like a job posting? What am I seeing mo most frequently? And um what not only that, but what is most
recent? Because we might find an article from 5 years ago that's not the same thing as what is happening right now. Uh so we need to take research and part of being a cyber security professional is knowing how to Google, knowing how to do some research and putting that together. So uh my advice to you is to just do your due diligence. Find a mentor if you can find even a community. Mentorship by community is very important. Um if you could find a group of people that can tell you a general consensus of like hey at least start here's your next step and then you can figure out the next one from there. Um you don't have to say I'm
going to go do XYZ all the way at the top. you can just start from the bottom and take it kind of lily pad to lily pad. Uh so yeah, it comes down to research and community. If you can find a mentor, even better. Mentors are definitely hard to come by, but hopefully that answers your question. Okay, so my second question to you is actually a statement. Can you please speak a little louder? Yeah. Okay. So my second question is to you. That's a statement given by the chief security officer of the uh Twitter. So it uh he says that it's hard to understand when your job depends upon not understanding it. It's so uh he says
about the concern about the security. So how do you engage with the such type of company or is that a headbump movement for you? I only heard like half the question. I'm sorry. Could you would you mind repeating? Okay. So chief security officer of Twitter said that it's hard to understand when your job uh depends upon not understanding it. So how how would you engage with such type of company? Yeah, I think that's that's a great definition of of security is you're never going to know everything. So, what's important is to surround yourself with people that can fill in the gaps for you because we're all a bunch of people that don't know everything. Um,
but we all have our strong suits. Just like I said earlier, my strong suit is network pentesting. Um, if I want somebody to come in and do like a mobile pentest for our company, then I'm going to go hire somebody that does mobile pentesting. I'm not going to try to go go do all of that myself because I know where my strong suits are. So it it comes to understanding yourself and learning that and then also having a team around you that can fill in the gaps and fill in the needs. Um you know with Twitter we we've heard some good and bad come out recently. So um it sounds like maybe uh you know on
management they weren't filling in the needs of where where that was. Um so you know it comes down to a company level as well. There's only so much you can do as an individual if you're you know if you're not a manager you're not somebody that can bring in people that fill in those gaps. Um, but you you are good at what you're good at. You're good at what you're passionate about and it's up to management and a company to kind of fill in fill in where they can. So my last question is to you and it is kind of two-parted one. Uh, so what's your worst face bomb moment for a company? My worst what? I'm sorry.
Face bump moment like uh you see they are making a huge mistake. I'm not sure I understand the question. I'm sorry. I said, "What's your worst face bump moment?" Sorry. Oh, face bump. Face bump. Gotcha. Um for like uh organization security or just from like organization. My mistake. Oh, okay. Um yeah so the this week actually we just had a one of our pentesters, Joe Hely, he posted on Twitter of a finding that he found on a pentest. Um it was a VNC server that was unauthenticated. When you logged into the VNC server, LastPass was open. Um when you went into LastPass, it was the IT administrator and that was domain admin credentials sitting there. Uh so
that was that was our most recent face bump though we've had uh we've had quite a few. So yeah thank you. Thank you. Any other questions? Okay we I see one more hand over there. Can you please pass on the mic?
Can you please just stand up so it will be easier to Yeah.
Um hi TCM. So my question is to you is that um how like uh we can start our own security company like you have your own company and it's very successful and all. So if do you have any experience about it like Yeah. Um, so you you got to have a strategy. Uh, and you got to have kind of a niche. What's what makes you different? Um, what do you who are you going to sell to? Who's going to be your target audience when you first start your your company? Um, for for us, it was like I didn't have to do any marketing because like I was already somewhat popular on YouTube. Um, I was
getting to the point where companies were coming to the company I was working for and saying, "We we saw Heath. We want Heath to do the pentest." Um, and that kind of like light bulb pay. If if companies are willing to do that, they're probably willing to come to me directly. Um, so that my marketing strategy has always been inbound. Um, but if you're somebody that like doesn't have outbound or inbound marketing like that, then you have to start saying, well, where am I going to find clients? Uh, am I going to write a lot of blog posts and do SEO? Am I going to raise uh money and pay for Google ads and and
figure that out? uh am I going to start locally and start knocking on doors of of local businesses and start small gaining referrals and going from there? So, you have to figure out who who's your target audience going to be. Who's your target business? Uh maybe it's even a specialized business, right? Like maybe you go into banking or you go into hospitals or something. You can niche into a specialized area. Um you need to figure that out and then how are you going to differentiate between everybody else out there? And there's a lot of different things you need to navigate. Like you can't charge too much, you can't charge too little. Uh sometimes charging just
right is wrong. So you have to like figure out where are you going to where you going to separate. For us it's always been quality. Um we can say hey we've got all these referral letters. So you can ask any of these clients what they think of us. Uh and if you go out to social media or you go out to Google or you go out to like news articles, you'll see our name there. So we're reputable. We've got quality. You don't see negative things about us. and you can get to that point and then maybe you can start charging more. Um, so you just have to figure out and it's a lot of trial and error. I made a lot of
mistakes. I still make a lot of mistakes. So it really comes down to trial and error, figuring out what works best for you and where your clients come from, what your marketing strategy is going to be. So in the initial phase, how did you like get all the clients and all like uh uh they are all have always been inbound like we just just hired a saleserson for outbound for the first time but it's always been through through SEO and marketing. Um I will say that I've got a really good friend who owns a very successful cyber security company and uh they started with um taking very little salary. They landed a big client through
referral. They use that client to bankroll um learning how to do Google ads which is very expensive and takes time and they've done that and they also wrote like multiple blog posts a week but I swear anytime I Google something now they're they pop up on the first page of Google. So like I'll be searching for them and I'll say dang like how do you get here every time and they have spent years perfecting their marketing strategy to do that. Um, so there's different strategies and different ways to do it. And it could be that you just become word of mouth. Like you start with one person, say, "Hey, can I get a referral? I'll give you 10%
if somebody comes over or or whatever it might be." Like you'll have to figure out what works for you. And you might have to do some studying in other areas uh of just like other than just like cyber security, you might have to go take a marketing class or a Google class or SEO or something along those lines to really figure out. Um, so I've been through marketing. I've been through sales classes. is there's been a like I said a lot of mistakes and and lessons I've learned along the way um just by by failing honestly that's all thank you thank you uh probably we can take one more question so I had hi hat it's glad meeting you here
nice to meet you really I'm happy and uh I have a two questions for you the one is like how important uh the certifications for the entry- level professional uh the second question is uh do you have any plans in the future for the IoT related certifications in TCM? So the first question was how do you put a certification on your resume or how do you like market it to organizations? How important uh doing a certifications entry- level job? Yeah. So I think um for getting an entry- level job it's a it's kind of a mix. Um I so my path was I started in help desk. I somehow talked my way into a job. I didn't have any certifications.
um at my help desk job I got A+, net plus, security plus, just kind of the foundationals that um my research and what told me to go get. Um from there I was able to navigate that and land a networking job and just continue on like okay what certification do I need for the next thing. So if you're just looking to get in security it depends on what you want to do like what's your long goal and what might help you. Um there's no direct path into cyber security. Uh I know people who got into pentesting without having any IT experience. They just went and um got got degrees, got uh certifications, and tried very very hard to get in without
experience. It's possible. It's not easy. Um but if you're somebody that doesn't have a lot of IT experience, maybe you start with an A+. If you're somebody that's looking just to break into cyber security, maybe you work in help desk or network administration or CIS admin, um maybe you start looking at networking if that interests you. or you get a security plus and you go look at doing like a sock analyst or some sort of blue team entry level role. Um everything's kind of a lily pad, but there's no direct path. Again, it's it's what's going to keep you studying at night and what's going to or in the day or whenever and what's going to motivate
you to want to wake up and study again tomorrow. Um so that's that's really what the path comes down to for that. Um sorry I got longwinded. What was what was your second question? It's all right. The second question is uh do you have any road map on TCM for IoT certifications for IO IoT? Yes, not yet. Would love it but not yet. Um that that gets complicated and when you start to have physical devices like that um I guess simulating or emulating I was bad with the word but getting those on like a cloud platform isn't the easiest thing to do. So um getting a certification like that would require hands-on kind of hacking I think. Um,
and that's something that we haven't haven't gotten into that realm yet of perfecting. We're still trying to figure out the uh AWS cloud for just our exams and our environment. So, one step at a time. It's definitely on the drawing board. It's just not it's not imminent. Yeah, maybe I'm putting uh a request to you. So, showing the IoT expertise in the security. So, it's very difficult uh in the market. So, we don't have any certification. So, at least something has that we can show the expertise. I I agree 100%. Um, we had a client or a potential client a couple years ago that um, they said, "Hey, we have $200,000 to spend. Do you know how to do IoT
pentesting?" And I said, "No, but I'm going to go look and see what it takes." Uh, and there was no good training out there. Like you see some you see some at like conferences in other places, but it's one of those that's very difficult to to do. Um, I ended up signing up with one um, I won't say the name, but the the content was not good. The for the price especially, it was well over $3,000. um the just the the videos, the support, everything that was involved. Um you know, it just wasn't good. So, I agree with you 100%. There's there's a n if somebody's in here and wants to make a course and make stuff, there's a niche
right here for for IoT for sure. So, thank you. Happy to meet you here. Nice to meet you as well. We'll have to stop here. So, Heath, last year after your keynote, we wanted to show you the full house. So, today you're getting this view. You like it? Love it. This is awesome. Make some noise for Heath. [Applause]