
You'll see me as Solaris, not Solaris, as many have wrongly assumed. That wasn't available on Xbox when I came up with this, and I didn't know about the Unix OS or the movie at that point. So I work for a company called Coalire, in their new division, the Hex team. This is for defensive security services, and I work as a threat hunter there. I graduated from USU earlier this year with a Bachelor of Science in information systems. As for my other education, I have yet to graduate from this university, which is my home lab. I refer to it as Orbit. I'm eternally locked into paying tuition here, and
my death will likely be the only circumstance under which I successfully graduate. A few of the things that I currently use or have played with in this home lab: I got tired of adding icons after this amount. I've done a lot of stuff in here and learned quite a bit. Yes, I have pushed to prod and nuked everything multiple times. I'm actually currently rebuilding it after doing that last week. Something else to note: I like memes. Does anybody else here like memes? I sure hope so. I don't have quite as refined a palate as your regular Reddit visitor might, but I do find great joy in niche-specific text with funny pictures. So
this is a classic one. Another good one that I recently found on LinkedIn, of all places. And then we have a cybersecurity chat for the security club at USU, and this was posted recently. This one got me. There'll be a couple of other memes sprinkled throughout the presentation, because presentations should be entertaining, in my opinion. So, a little bit about my entrance into cybersecurity. A lot of people have really unique paths coming into this field. My education path was definitely a little less than standard, you'd say, but the pipeline that I ended up in seems to be fairly common these days. So, when I first
started, it was because I enjoyed playing Minecraft and I wanted to host my own server. Once I started hosting my own server, I decided that I didn't want to run it on my computer and I wanted to run it 24/7, so I had to learn Linux. After that, I decided that I wanted a better machine to play Minecraft on, so I built a PC. From there I decided that I needed better networking so that I could have my server externally accessible, and my old router couldn't do a DMZ. Then I had to learn about Docker because I didn't want to install dependencies, and then the home lab rabbit
hole began, and everything's racked now because I wanted it all in one place. So, a little bit of context for what we're talking about today. I'm going to deliver this topic through the lens of my experiences, both my journey into the cybersecurity field and my home lab. But in order to do that I need to answer a couple of questions up front, so think about this for yourselves as I'm going over this. Some of you may be interested in getting into cyber. Who here works in cybersecurity currently? Okay, a couple of you. Everyone else interested in getting into it? Yeah. Okay, cool. So,
do you guys need me to pause? >> Okay. So for me, you'll notice on my previous slide and on this one, there isn't anything super security-specific on here. You could argue that my router with the DMZ is security-specific, but that's about it. That's really the only thing on there that was security-specific that I cared about. And the reason for that is that I had this vision of what security looked like, and that was: my firewall was doing all the work, and as long as I kept everyone out, I was good, right? That's all you need, a good firewall. That's foreshadowing. So most of us have a mentor or some
sort of knowledge source that we look to for guidance or that influenced us in some big way. Mine was one of our cybersecurity instructors at USU. His name is Scott Roberts; we refer to him as Scott Wizard. I enjoyed his classes because he was funny. He didn't BS around with busy work in class. He had some really interesting stories and experiences. And then he went and made us read books. The book that I read, though, actually was pretty important. Has anyone here read this? Yeah. Okay. So, for those of you who haven't read this, if you're interested in Russia's cyber escapades, this is a really good place to start. If you're
not interested in Russian hackers, you should still read this. This, honestly, is what opened my eyes to the importance of security. I didn't fully grasp the gravity behind it before this, and this book helped me see that what's at stake with cybersecurity is really the entirety of the world. If it's digitally connected, and even in some cases if it's not, cybersecurity is relevant to that system, which is why it's important. So, the title of this talk: Castle Ops. What the heck is that? I think it's a pretty cool title, right? ChatGPT definitely didn't help me with that.
But what do I mean by this? You've probably heard of DevOps, SecOps, DevSecOps. There are a lot of different ops. What I mean by Castle Ops, the key point here, is application. So I define Castle Ops as the application and assessment of layered security practices to one's digital data and infrastructure. I want you to remember that ops stands for operations, so this is a process, not a static structure. The real question to answer, though, especially for everyone who chose to be here today, is: is this applicable to you? I originally wrote this talk from a home lab perspective, so this was for people that are running
stuff at home. However, now that I've spent some time in industry, I've unfortunately realized that this is applicable to everyone. There are a lot of companies, like Burger King, that don't pay attention to the simple stuff. So I'll let you each draw your own conclusions on where this topic is applicable to you, whether it's at home or at work or elsewhere. Keep in mind, every environment is going to be slightly different. So if you're unsure where to start or how to apply anything that's discussed here, well, good news: you're in a good place to get some answers. There are a lot of smart people here. So yeah,
meet people, ask questions. So we're going to go over some analogies. I explained what Castle Ops means, kind of, but it originates from an analogy that my instructor Scott shared in one of his classes. Reading Sandworm, like I mentioned, helped me understand the gravity of cybersecurity. This analogy that Scott shared in class, though, is what actually hooked me on being interested in cybersecurity. That interest made me shift from an IT infrastructure-focused career path to a cybersecurity one. Originally I wanted to do server deployments and DevOps stuff, and now I am a threat hunter for a company. I did not see that lateral shift
occurring. But there is a lot of overlap between IT infrastructure and cybersecurity, and you'll see why in just a second. Who here knows about medieval castles? Yeah. Okay. So, when you think of a medieval castle, what do you think of? >> Boat? Gate guards. >> Okay. Yeah. I typically think >> Yep. Big walls. >> Yeah. >> Gates. >> Yep. I always think of Shrek dragons. >> Yeah. >> Yeah. There's a lot of cool stuff about castles. Has anyone visited a castle? >> Yeah. >> It's awe-inspiring. They're these massive structures. I don't even want to think about how long it took them to build
them. What I find most interesting about these things comes from the analogy that my instructor shared. The analogy pairs well with how I mentioned I originally saw security, which was that the firewall does all the work. So the classic security posture is: security is your castle in the middle and a moat around it. That's it. This analogy helped me understand not only how but, more importantly, why this is not the case. So we're in class, and I don't even remember what the topic was. Scott explains that castles were designed to be these siege machines. They're incredibly difficult to take over. Of course, my
initial thought was, okay, yeah, because it's hard to cross the moat. You've got the walls, a very good perimeter. And then he mentioned something about spiral staircases and how those were a part of the security system. I never knew that. Clearly I didn't watch enough History Channel growing up. Thinking about that, my mind kind of shifted and I was like, "Okay, well, that's not the only security system. What else is going on here?" So I started doing a little bit more research. Just as a little added context, like I mentioned, I was focused on holding the line and not
letting anyone through. I felt that that was sufficient. Maybe that was the path that I took into cybersecurity, but I think a lot of people still look at security like this. Very perimeter-based. There are plenty of us here that know better, but this has been wholly insufficient for a long time now, and many learners or uninitiated still see it like this. So that's why this topic is still relevant. This quote goes right along with that: Security isn't just about keeping the bad guys out. It's about having options when they get in. I don't know where I heard this. Maybe I came up with it, I don't know. We'll attribute
it to someone who probably said something similar. So with these castles, these are some of the main features. There's a lot of research and information about these things; you could spend years learning about these structures. Some of the main things, though, were the six features that we'll talk about. The most fascinating thing is that these stone structures, ginormous, very expensive, were monumental projects. They were designed to be hyper-secure from the ground up. Almost every aspect of the structure was designed to make resisting and defending against attackers easier.
And that was all before the stones were even laid. In the digital realm, we refer to this as secure by design. The other cool thing about these structures, though, is how the security features were layered. They're designed to produce what is essentially stacking damage, and failure of one feature didn't spell immediate doom because defenses were designed to work together. So, going through these features: the classic, we have the moat, and that's designed to keep the bad guys away from the wall. Then we have these little slits in the walls. Those are called loopholes, typically for archers. This is so the archers can shoot the bad guys from inside the wall.
The location was super important. A lot of times they'd be built on cliffs or bluffs or on hills so that you can see what's coming your way. This is so the bad guys can't rush the wall. Then we have the gate, which was to enable pretty much maximum bullying of the people as they're trying to get through the wall. And even once you get through the wall, you've got the courtyard. Okay, you made it through the wall. Well, now there's more walls, and you're surrounded on all sides by those same walls that still have holes in them with archers shooting you. So this was to make the bad guys regret breaching the wall. And then you've got
the spiral staircases. These were designed ascending clockwise. So let's say you're in the medieval ages; most people are right-handed, right? So you're trying to swing with your right hand while going up the stairs and you have to swing against the column in the center of the staircase. Not very easy to do. Meanwhile, the guys that are defending have the wider part of the step to stand on and they can swing down at you. If you were a left-handed knight, in these rare scenarios, you'd be pretty useful. But the rest of the time, yeah, these sucked. So these features we call defense in depth. This is planning
for and designing each of these defenses to work together. And then we also refer to the layering of these so that they overlap as complementary controls, and we're going to talk about those. So obviously there isn't a one-to-one translation from castles to the cybersecurity realm. This analogy kind of falls apart once you start getting in deep, but the general idea remains relevant. So, you've got the firewall. This is to keep the bad guys out; that's probably the first thing you should try to do. Then we have traffic inspection. So, detecting threats: we want to make sure that the stuff that we're trying to keep secret is actually
not accessible by people that we don't want it to be accessible by. Then IAM and MFA. This is identity and access management: checking who is accessing what to identify and deny access to the people that shouldn't have it. Then we have network segmentation. This is all about preventing threats, or people that shouldn't be moving around, from moving around. And then we have stuff like proxies, which basically allow you to hide services behind a central choke point, making it harder for people to figure out what's there and how to get to it. There are lots of other tools, techniques, and strategies that are not listed here that we can use to build our
strategy to produce our own resilient, siege-machine-like security system. So we've touched on defense in depth and complementary controls, but there's an important distinction between these two things. Defense in depth is all about having fallback layers. If one layer fails, you've got the next layer to pick up the slack. So when you're approaching the castle, you've got the archers shooting at them, but then let's say they make it to the gate. Well, the gate has other security controls in place. Then you've got the moat, if they even got past that in the first place. Complementary controls are all about making sure that the layers work together so that there's no single
failure point or a cascade effect when one layer fails. An excellent example: let's say you have a really strong password policy. Does anyone here use randomly generated passwords for stuff? Cool. Perfect. Yep. So lots of what we call entropy: having lots of mixed characters, it's really hard to guess. And then let's say the next thing you have is a password manager, so that you're generating random passwords and storing them in a secure place. And then we have account locking, so if someone tries to log into the account multiple times, it locks. This is pretty secure, right? There's a big issue with this setup, though. Can anyone tell me what it is?
Yeah.
>> Yeah. So, the big issue here is if someone gets your credentials, all three of these layers are irrelevant. So, what do we do to fix this? Yep. Yeah. So with just a couple of tweaks, we can take that same example and make it significantly harder to get through. We still have the same password policy, but then we add MFA in. So now you have to prove who you are in addition to having that password. And then let's say that only specific devices are allowed to access that login page in the first place. On top of that, we can make sure to check that the session is allowed and
then log sessions that we deem suspicious. It's a couple of tweaks; we're adding a couple of extra features here, but this is significantly more secure. Way harder to get through. Imagine being a threat actor and having to try to get through this. It still happens, but this is way harder. So we've talked about defense in depth and complementary controls. That's how we set these things up; that's how we want to layer these things. I want to talk now about how to evaluate these systems and perform a sanity check to make sure that they're viable. So, let's brainstorm a little bit. What does the perfect security system look like?
>> Yeah. Oh, yeah. Yeah. That's the answer to a lot of things in this field: it depends. What are some of your ideas? What aspects, or what... I can't even think of what the word is. What
>> Yep. Yeah. Yeah. That's... Are you looking at my next
I'm afraid you've been looking ahead in my slide deck. >> That's okay. No, no, that's good. Like you said, there are a lot of different security tools to use for stuff like this. Multi-factor authentication is generally, when businesses think of security, the first thing: like, if we get this, all of our problems are solved. Obviously, that's not the case. Is there a perfect security system? Probably not. There are a lot of different ways to do it, a lot of different tools to use. So, thinking about all the different tools and methods available, I divided some of the fundamentals
that I could think of into four categories. The first category is identity and access. So, who can access what, when, and for how long? Using multi-factor authentication, using least privilege: if somebody doesn't need access to something, don't give it to them. And managing your secrets, using a password manager or a vault. The second one is the network and perimeter. We don't want to be perimeter-based, but this is still important. It's a lot harder to track people moving around in your network if you're not keeping a perimeter in the first place. So we want to minimize the attack surface and create choke points so that it's harder for people to get around. This involves network
segmentation, firewalls and reverse proxies, or VPN and tunneling for remotely accessing things. Then we have system and service hardening. We want to shrink the vulnerabilities in our environment, reduce them where we can, patch and update boxes and services. We want to make sure that we're trimming our default configs. If we don't need Apache running on port 80, turn it off. Application security: setting up the login for these things, integrating them with SSO. And then the last one is monitoring and response. We want to assume that someone's in our environment already, and then we want to be able to figure out when they got in, where they
got in, how long they've been in, what they're doing, and have a response prepared for when that occurs. Also, backups and recovery. If someone gets in and ransoms us, well, we either have to pay money or, if we can kick them out, put everything back the way it was. It's a lot easier to do that than it is to deal with the people that don't really care what happens to our data. So, we could spend a lot of time talking about all these tools. I don't consider myself an authority on all of these. I've dealt with a lot of them, but we could spend a long time talking through each of these in depth.
So I want to talk about a way to evaluate our implementation of these tools, and that is the CIA triad. Who here knows what this is? I'm hoping everyone. Yeah. Okay. So we've got confidentiality, integrity, and availability. Confidentiality is making sure that secrets stay secret. Think: who's allowed to see it? Integrity is about making sure things stay healthy. Think: can I trust this hasn't been tampered with? And then availability ties in with accessibility. There's no point in having a system if you can't use it. So: can I access what I need? Can others access what they need? This is the classic "IT just pushed out this new
thing and now I can't do my job." We want to make sure that that's not occurring. So you'll want to keep this diagram in mind when we're evaluating systems or planning what tools you're going to be layering. A good system will be able to achieve good scores in all three of these areas. To demonstrate this in action, we're going to do a couple of scenarios. I'd like you all to read the scenario and think about how it performs in each of these categories. And then I created a... apparently this is called a radar chart. I learned that two days ago. I've created a radar chart for how I think
each one does, so we can compare notes. So the first scenario: a company stores its only system password in a computer sealed in concrete and buried in the ocean. This is the classic example that I always hear at school. Someone walk me through how this performs in each of these categories. What do we think? Yeah. >> Yeah. Yeah. What do we think about integrity?
Yeah. Yeah. Yeah. You can make an argument either way. Either it's not getting touched, so it's going to just stay the way it is forever, but we also don't have a way to check it. So you could argue either way. I said exactly that: high confidentiality, high integrity, no availability, unless you've got some crazy good dive team that goes down there with a USB stick or something. The next one, this is normal; we look at this all the time. Does anyone go to Starbucks and do work from there, or something similar? >> Not on the Wi-Fi. >> Yeah, that's smart. So how does this
one do in each of the categories?
So yeah, exactly. I said confidentiality zero, because pretty much anyone can look at your traffic. Integrity, I mean, the network's running if you can connect to it. And availability is maxed out because everyone can connect to it. But that's kind of the problem. So this one: a company creates 10 backups of all systems, servers and workstations, or whatever else they have, every day. There is no downtime, but there are no health checks run on the backups and they are not encrypted. >> Thoughts on this one? >> Got a lot.
>> Yeah.
Yeah. >> See, this is where things start getting a little bit more complicated. You can make an argument for all three of these categories here. Ultimately it is going to depend on the environment, on what the needs of the company or your home lab are. I said this: pretty good confidentiality, but you also can't really verify that it's remaining confidential, and the more data you have, the more exposure you have to theft and leaking. Integrity: >> I mean, you could run integrity checks on every single backup when you create it. That's a lot of work, though. So if we're just backing them up and throwing them in cold storage, we don't really
know if those backups are any good or if they're consistent. Availability: I mean, at least one of them's going to be available, right? >> Hopefully. >> Yeah. >> Yeah. Yeah. Like I said, we could argue this either way. And I like that point. We don't know if it's going to be available or if it's going to work. We hope that it would.
>> Yeah. Yeah. Exactly. Yep. Yeah. And that would be a great way to look at this and then make adjustments. >> Thank you. >> So what about this one? >> A critical application is patched automatically the moment vendors release updates. Sometimes the patches break features. >> What do we think? >> So yeah, again, it depends on the system.
Yep. Yeah. We're placing a lot of trust in those vendors, right? Yeah. So again, this one's a little bit harder. You could argue it in pretty much any direction in any of the categories. I said integrity is decent when it's working and when those vendors are pushing good updates. Confidentiality, I mean, >> you patch vulnerabilities quickly, but we're also not confirming that those patches are actually patching things. And then availability. Well, you don't know if your system's going to go down when it patches or not. So there are definitely some improvements. How would you improve this? That's
honestly the better question. How would we improve this? Yeah.
Yeah, you could also pay the intern to go read the patch notes. How much do we trust? Yeah, that needs its own radar chart. >> Yeah. Yep. That too. Yep. We've got a number of these going on there.
>> Yep. So yeah, lots of different ways you could do this. >> This one: an employee helps colleagues by sharing their own credentials so nobody gets locked out. >> Yeah. This is like >> Yep. >> Yep. This is like >> Yeah. Yeah. Exactly. Yeah. Exactly. Yeah. This is every IT manager's worst nightmare. >> I >> Yeah. So the passwords are just out there for everyone. Integrity: we don't know who's doing what. It could be any of a number of people logged into that account. >> And then availability: there's no downtime for fixing people's accounts. They'll just log in with their coworkers'. So, >> so obviously these are pretty broad
scenarios. And like we talked about, you can make an argument for all three categories in a lot of different scenarios. >> What's nice about this triad, though, is it can be used to drill down pretty much as granular as you want. >> The ultimate goal is to max out all three categories, but there will be times where that is not financially or technically feasible. >> That's okay. Like I mentioned earlier, we have multiple overlapping layers, so the shortcomings of one don't bring down everything else. >> So, a little bit of application now that we've laid the groundwork for why this is important. Let's take a look at what should actually happen in practice.
Does anyone have any experience applying this? >> Yeah, I believe it. So there's >> Oh, I've got... okay, I've got 10 minutes. So we'll kind of shoot through these. >> Perfect. I'm going to use those. So I'll just jump into some examples from my home lab. There's not a ton of info in here, but I'm open to free pen testing. So, from my home lab, I talked about how I got into networking because my router can do a DMZ. Here's my original VLAN map. For reference, I had to explain this to my test audience last night. The orange is my secure
VLANs. Those are the ones that I want to keep an eye on. The purple ones are ones that I trust, but they don't need to be super secure. And then these ones are ones that I don't trust. Any initial thoughts on this? >> What do people think? How does this map onto the CIA triad? >> Top center. That's one of my roommates. >> Yeah. So two of my roommates had VLANs. You'll notice there is not a roommate two, and that's because they didn't have any wired devices. >> No, this was back at Oakidge. This is before I was
>> Yeah. Oh, he wouldn't even be on the network. >> So there's nothing inherently wrong with this, right? It's very security-focused. >> So >> So recording
Yeah. Yeah. Yeah. Yep. Yeah. So, the problems that I ran into with this setup don't really become clear until you take it in the context of my network. I had like 14 devices. >> That's it. >> Yeah. Yeah. And I have nine VLANs. I actually cut off some of the VLANs that I had originally created for this; I think I had 12 at one point. Yeah. A little unwieldy. I did not consider the firewall complexity. This is super simplified. I got to the point where my firewall rules were stepping on each other and I had no idea which one was applying to what I was
trying to do and why I couldn't connect to a certain device. You could say that's just a skill issue. Probably right; I didn't know what I was doing then. But the point is that this wasn't maintainable for me, and it failed the availability check in the triad. So I changed it to this. What do we think about this one? Yeah. So it's way simplified. Is it perfectly secure? No. No VLAN map is. But for my use case, this walks a good balance, and I've got lots of other options to secure it. So the next one, and I'm just going to fly through this. My home lab I
originally started with one device running Ubuntu, and then I switched to a rack-mounted server running Proxmox, which is a hypervisor, and then I was running multiple virtual machines on that. Well, then I decided that I needed to split those into multiple devices. And then we ended up here, where I have eight different servers running, because, you know, high availability, that's important, right? So I had two NAS, I had eight servers. I was trying to do a cluster with some of them. I needed a quorum so that the devices could decide who was running what. I don't even technically have a quorum here because these were the only two control planes. Don't know
what was going on there. I'm one guy. I've got 12 VLANs and eight servers. Needless to say, this was not manageable. So, on the CIA triad, in theory, this is like threes across the board. In practice, it was zeros, because the majority of these devices were just idling because I never had time to set them up properly. So we need to think about this: you have the setup, you think about the theory, how good you want it to be, but you also need to consider what's actually realistic here. And so I ended up having to go back to form, and now I have one server. It runs Ubuntu. That's it.
You could argue that this is less secure because I have one point of failure now. I would argue the opposite direction, because I'm actually able to maintain this. I'm pretty on top of patches, and when something goes wrong, it's really easy to triage one device. The most secure system ultimately is going to be the one that you're actually able to keep on top of. So, to conclude: we talked about how castles are cool. Perimeter security is not sufficient anymore. Defense in depth and complementary controls: layering defenses is necessary for a good system. The CIA triad: we use that to evaluate how systems are actually performing, and then we did some evaluating. The final
point that I want to make is that castle ops is a process once you have the system set up it's going to continue to evolve you have to maintain this this is not a static structure like castle is that's where the analogy falls apart you'll need to constantly evaluate and reevaluate your security system because threat actors are changing their tactics all the time uh especially with AI now attacks are faster, cheaper and significantly easier. So you can leverage AI as well. Um we want to we want to keep things updated. So hopefully this presentation has given you some ideas what to think about, what to look at moving forward. Uh thank you for coming. If you have any feedback on
this, I would love to hear it. This like I said this is the first talk that I've given. Um and if you have any questions on things that I've done or anything that happy to answer them. Uh, thank you and have a good rest of your day at Bsites. [Applause] >> Okay. Yeah. Does Does anyone have any questions? >> Yeah. to your uh background. I know you said you never thought you would end up being a
>> skill set. >> Yeah. So, um I when when I originally applied for that job, um like I looked at the job description, I was like I am not qualified for this like even a little bit. Um, and actually the reason they hired me was because I had demonstrated my ability to learn. Um, and I was able to bring a lot of uh related background from like the system side to the threat hunting. So, because I understand how a lot of those systems work, I know where their weak points are. I know what to look for. Um, and that's that's what's been valuable for me. >> Yeah. Thank you. >> Yeah. >> How did you demonstrate your ability?
>> So, my >> Yeah. So, the the home lab stuff, um, write stuff down as you're doing it. That's that's what I learned. I learned it a little late, but being able to show like on my GitHub and on my LinkedIn, just showing like, hey, this is what I've been playing with. Um, and then when you get into interviews, um, they'll ask questions about stuff. You be like, oh yeah, I've played with single sign-on. I've got it running in in my lab at home. Um, I know that this is a problem you're going to run into. Uh, you have to think about the different types of SSO and all that. And I knew that because I'd played with it
at home. Yep. So document it. It's a pain, but it's worth it. >> I used to joke that my home lab would one day pay for itself, and it has more than done that now. So very worth it.
>> Cool. Thanks,
I don't know.
>> Authentication. >> Yep. They're almost always built to somehow provide a water. >> Yep. They always try and incorporate because if you're under siege, >> you need to be have
like, okay, what aspects of the castle do I train
both working right now. >> So Jordan, >> microphone for you.
Thank you. Oh my gosh, they're beautiful. >> Talk about upgrades in technology. This is amazing. Let's see. Recommendation. >> Thank you. >> Top button. >> One, two, >> work.
Like so. >> How's that sound? Check. Check. Mic check. Check. One, two, three. Welcome everyone. Thank you for coming. This is not the talk. >> One, two, one, two. Good. One, two, one, two. Check. >> Sweet. Thank you. >> Is the silver screening >> here? Look right here. >> Yeah. Good. Mostly. >> Mostly good. It's underneath the shadow of your polo button. Works for me. Got 10 minutes then. Seven minutes. Is this your water bottle, sir? >> It is. >> Here, I got you.
Any
last wishes before your immemorial? >> Pardon? >> Oh, you got to click the play button. >> Well, okay. What did I do with the clicker thing? Back to you. >> Uh, definitely not right there. >> I left it right there. >> Yeah, first time. Sorry. This is my first public speaking engagement in >> good September of 2025. >> Nice. Try this. There we go. There we go. We got your pepper picture on there. Pretty happy with that. Good find. By the way, >> we heard the camera tracks us. We're curious what happens if we purge at the same time. >> We were trying to one. >> The better looking one or
>> Excuse me.
Huh. Interesting. >> Weird. >> How are sir? >> Okay, I found a limit. Got it. >> Good. Oh, that's phenomenal. Yeah, what a great idea.
>> That's crazy, actually. >> Yeah, I know. We have been doing this a long time. My I have bags under my eyes. I don't sleep. I've got anxiety and mental health problems like
Embrace the suck. >> Oh, that's awesome. That is incredibly well said. If only it were so simple. >> That is awesome. Thank you,
Anybody having trouble finding work in the cyber security field? >> Yeah, >> it's a beast out there. >> It is tough. It is tough. Tough tough and >> not. >> No. Right. And I think I guess there's a a myriad of problems If if you look at like local businesses like small, medium, large, all all the businesses in all our communities are short of cyber security staff. They haven't got to the point where they're willing to acknowledge the need. I don't know. It's it's wild out there. >> Yeah. uh million dollars for an average hack, 280 days, residual like threat actors in your environment. Um business operations down, a tarnished image. Um yeah, >> stock price might still go up though, so
if yeah, if you're publicly traded, you'll be fine. >> Use it to your advantage, right? >> CISSP. >> Oh, yeah. We've got a slide for you. You may not like it, but we've got it. >> Yeah, sure. Any >> Okay. Right now. >> I see green. Oh, >> got it. >> Good. Is there a wall where the video ends? A line. >> Sure. Okay. Is it okay? >> You want me over here by this thing standing close to my >> brother from another mother? >> This >> kind of feels awkward now. >> It does a little. >> Uh, it's blue. I think >> Do you want to see us hug? >> That's fair. >> Good. Perfect. Thanks. Yeah. Yeah, we
appreciate it. We've done this one before, so I think we had an hour for it, but we'll get through it. Don't worry. >> We can incrementally get faster if we need to. So, >> yeah, no problem. >> No problem.
Appreciate you all coming. Appreciate you all supporting BSides. We've tried to sponsor these across the US. If uh you run a BSides and need sponsors, give us a call, email, try to be there. >> The other side of that is if you're employed, maybe ask your employer about sponsoring BSides. >> If you're an entrepreneur and looking to start a job, a business today, managed services is a great place to start. There's a lot of talent in the room. Could solve a lot of problems. >> All right, we're right at 10 o'clock. So, we'll go ahead and get started. Um, this talk is called sustaining the hack for long cyber security. I'm really excited about it. We did our voting on
it. Our speakers are >> Dale. Close enough. >> All right. Senior penetration. security and senior penetration at security also. So we'll go ahead and get started over here. >> Thank you. >> Everybody warm. >> Thanks. Appreciate it. >> If there's acronyms we say that you don't understand, uh interrupt us. Be collaborative. We appreciate questions. It's it's better to interact. um you'll get more out of the slide deck and so will we. >> So, let's get started. Um our boss is John Strand. He's pretty well known in the industry. Uh he does say a couple things. When Jordan and I first started getting involved with uh community interactions, uh he said one thing that kind of stuck with us and he said,
"People aren't there to see you. They're here to see or to hear what you have to say." Um so, consequently, here's a slide about uh me and here's a slide about Jordan. Uh, practically speaking, if you want more information about us, you can go Google us. Uh, no, if you Google Jordan's name, though, you'll probably get a photographer first. So, >> yep. Who offered me 1,500 pounds for my email address? >> I was like, no, I'm good. I like it. >> Firstname.lastname is a great Gmail email address, even if it's worth uh money. So, anyway, moving on from then. >> So, I have a doppelganger. So does John Strand. And if you're unaware, uh it's
not safe for work, but he does look really good in underwear. >> He does indeed. And we definitely tell him that as much as we can sometimes. So, uh, if you're aware of Jordan and I, we do these talks pretty often and about lots of different subjects and >> somewhere around 50 now, 55. Not to not to humble brag, but um, we do like sharing and that's why we've reached this like plateau of uh, a ton of public speaking engagements. >> So, every time to kind of tr make it sane for us, we try to wrap all of our talks around an executive problem statement. um that comes from, you know, business speak and it it's kind of
silly, but it kind of helps us figure out what we're actually going to talk about today. And um for this talk, we we acknowledge a couple things, right? And and the first one is that the world needs cyber security professionals and not just people coming out of college that are, you know, that are in cyber security and and want to do the next cool thing. Like that is awesome. We we want you to do that, too. But we need this this weird unicorn thing where and what we mean by that is I don't really know how many cyber security professionals are coming out of college right now. Um a lot what we do know is
the Department of Labor Statistics puts the number somewhere around a million for the total number of cyber security professionals in America. That number is weird because it includes a lot of things and we'll talk a little more of that in a minute. But of those million uh there are a certain number that are bravely pushing the entire industry uh sometimes to their own demise. And that's what we're going to talk a little bit about today. Uh the world also needs these uh unicorns that are pushing the industry. They need them to survive and thrive. And that's that's really what the state is talking about is how painful that is. And we're going to tell you a couple stories about it.
uh these unicorns, they they need to be able to handle these things that you might be familiar with in college or you might be familiar with in a previous employment. It's things that it's the unsaid things like stress and burnout and self-doubt, things that >> sleep. >> Sleep is is a huge one. Um the high pressure situations, you know, if you're doing incident response, those ends up being really high pressure and things like that that no one actually talks about when they're saying you should join cyber security. No one's going to tell you the lack of sleep that you might have to be kind of leading that industry as it goes along. So, one thing
we want to make clear uh is that this we're going to talk about it it's not advice. Um you it may sound a lot like advice and you can treat it that way if you like, but more specifically it's going to be a story about Jordan and I and how we got where we how we got here um today and more along that why when you Google our name you're going to find things about us related to cyber security. uh and you know put that into perspective as you're looking for jobs as you're working in the industry not just you know you might be a SOC analyst reading through logs and if that is what you want to do and you love
doing that awesome but there is more and we talked with a lot of students yesterday about well how do I break into cyber security and um frankly at at this realm unfortunately I think I'm a bit removed from the process of job hunting that I don't have a great experience about that uh but what I can say is it's all about networking at this point. Um it's you know using AI to generate resumes and HR using AI to filter those resumes and uh investment firms just looking to make sure that a company always claims that they are hiring makes this industry of trying to break into it and getting a job actually really difficult. So we're going to also again
this is not advice this is going to be a story about what we've done and what might work for you. So, a couple things with that. Um, before you, ones that are job hunting, the ones that are in college right now, the ones that are currently employed right now, um, before you isn't a journey, is a is a journey. Uh, and you you have some choices to make in that this journey is is constantly evolving. So, I guarantee you the path that Jordan and I chose, what it's not identical, but it's similar, is going to be completely different for you. this none of this might even be applicable, but you might have some things that you find
interesting about it. You must find your own path. Um it is true if you're coming out of college, you kind of have an idea of what your opportunities are. We'll talk a little bit as someone mentioned it before the talk that uh you know you're someone wants to be needs a CISSP with 10 years of experience just out of college, right? Obviously that can't happen, but the reality of it is when you go to job hunts, some of those requirements are also flexible. So keep that in mind. What's interesting about this is I mentioned there's like a million of us uh in America there about that number keeps growing up right but >> in in some relation to the cyber
security field right it could be you manage logs you >> data parse you are a cyber security professional you are adjacent to cyber security this this is a big number a million is a big number so it encompasses a lot of cyber security related tasks >> like I don't know that the guy that runs the HVAC for a building because he has to secure the building HVAC controls. Does that make him a cyber security professional? Those are great questions that Department of Labor Statistics probably doesn't have a great answer for, but something to consider, right? I don't really know how many of us there are and I don't really know that anybody does. >> Systems administration probably falls
into cyber security at this point. Pretty much everything. Network management, you're you're in cyber security. Everything now is pretty much related to cyber security in some way. >> When you look in the industry, um especially if you're in college right now, you might have these kind of heroes in your mind. Um, and there are some big names just they kind of end up being lore um for us and giants uh in the industry. And when Jordan and I started kind of this we I I kind of fell into a cyber security role more or less and I didn't know who these giants were in the industry and I've been constantly learning them. And what's interesting is
once you get involved with it, and we'll talk more about this later, those giants are actually people that you will meet because even though there's a million of us, there's that million is a really not very big number. Um, so what will end up happening is you'll not only meet those giants, but you're going to stand on their shoulders. And there's a thing about that. um when you stand on their shoulders, you realize that you're really high up because there's been a lot of people before us that have made a lot of strides in cyber security to push the industry and you can't fall behind. However, you can if you stop trying. The second you look down, you start falling.
The second you stop researching, you stop pushing, you're going to fall behind. And that is wild. There's not a lot of industries that are so dynamic that the minute you take a week vacation, you now have a week's worth of work to get caught back up with the industry and that's cyber security. So, choose wisely. There's there's traveled paths and I can give you an example of a traveled path. Uh coming out of college, you might join uh become a SOC analyst. Great. You'll be compensated. >> Yes. Security operations center. Thank you. So, a SOC analyst. >> Great question. A SOC analyst might be responsible for uh seeing the logs come in from an organization, the security
logs, identifying anomalies and then researching those anomalies to determine if there's a threat, right? That is a valuable skill to be able to have. It is a valuable role in the organization. Um some organizations will treat that as an entry-level position. But on the other hand, you have to have very skilled professionals doing that work, right? So is very skilled professional the same thing as an entry-level position? Well, therein lies the crux of cyber security right? >> 10 years of experience to become a junior SOC analyst, right? >> That yep, >> something like that. >> I have to know Windows, syslog and uh data sources from network devices. >> I'm curious who in cyber security right
now that is employed, right? Um who feels really comfortable in the work that they do? >> Couple, right? So, I might argue a guess that you're on this very traveled path. It's pretty safe and it's it's compensated well and you'll be fine. Um there's security in that. Uh it's safe. There are other paths though. There's unexplored paths and they kind of define the edges of security. So when you talk about zero days, um typically it's not someone in the SOC, a SOC analyst, that found the zero day, right? It's a different role entirely. Sometimes it can happen that way. If the SOC analyst did find it, they probably found it working in the evening because it wasn't
their primary role at work. it was something they were doing on the side. And then there there's something else entirely. So you've got these these paths that are traveled. You kind of have a clear idea of what your career is going to look like. And then you've got these other things that like yeah not many people are doing this. Pentesters as an example. There's not many pentesters. >> We said there's a million cyber security uh jobs in America. >> Probably 10,000 pentesters maybe. >> So when we talk about those giants, a lot of those giants are pentesters or were pentesters because they are kind of leading that way. There's also this like pathless place and that's really
interesting. That is where an organization might create a job for you that has never been done before at that organization and how do you get there and and there's no map for it. Um there's only your will to like find it on your own. Um and we've had a lot of people do that. Um the best examples I can give that aren't even necessarily college students that come out of it. You've got BHIS who we work for um has hired people that don't have a college degree and they are some of our best pentesters. Like their goal is just to break things and they have an immense amount of of scientific methodology in their head but also curiosity.
>> So how did we find this person and here's your five-year advice plan. One, uh Hack The Box, TryHackMe, uh Bugcrowd, get yourself registered on these platforms and and work toward learning how things break. uh register yourself for public GitHub. How we found this kid at 18 who didn't even want to finish high school but was one of the best coders on the planet. Marcello Salvati, he that's byt3bl33d3r for those of you who track GitHub. And uh he was just putting out the best code that all of our testers used on a daily basis. He took other projects, compiled them, put them together. We found him, made him an offer. He's 18, no college education,
but we found him online because he was one of the best coders on the planet. >> I want to make really clear that safe path is safe and there's nothing wrong with staying in that role. You will have employment as much as you want forever. >> Some paths lead to prison. So what we do is don't wake up evil because you know you could end up in jail. Federal wiretapping charges. Don't hack things you don't have permission to. This is why these platforms like TryHackMe and Hack The Box are are such great playgrounds. Got to go flex on your skills. The gentleman before us was talking about home labs. You have to like have some kind of lab to play in. Question
>> question. Are there specific platforms that you look at >> to repeat the question? Are are there specific platforms we look at and track when we interview people? Yes. We ask for what's your Hack The Box? You know what what's your rank? How many boxes have you owned? And and this isn't necessarily a given that we care. It's that we're curious if you're curious and GitHub, you know, share your code with us. Uh have an intern right now who's on track to get a full-time offer. This intern sent me code and I sent that to someone else at our company. And then all of a sudden, there's this swirling interest in who wrote the code. So now
we've made an offer to the intern's roommate for a job because of this like code sharing that happens at our organization. >> If you do get an internship and they say here's your job, say but what else can I do? >> Um >> yeah, be hungry. >> Yeah, stay hungry. >> Yeah. Um by the way, that trailblazing going where no one has gone before is hacking. When you talk about zero days, you don't get zero days by rerunning the same vulnerability that other people came before you did. It's about finding them on your own. It's about going someplace that no one else has before. So, >> we have a a fun one fun story about
that. Uh I I don't want to mention the vertical directly, but we had a customer come to us. Very common. We've got a lot of relationships with customers in this industry vertical. I'm going to call it education. And we test and test and test and this is our third or fourth run year after year of testing with this company. And finally, they've hardened. They've taken all of our recommendations and they're locked down. And we're like, "All right, well, what can we do now?" We investigate the software on these systems and we peel apart the DLLs. We peel apart the code underneath and we find that vendor relationship with this education company is dicey at best. But
then we use their vendor relationship to shred the internal network. Okay. So now we have a zero day in code outside their infrastructure. We tell this customer, hey, we would like to report to them. They say you can't do that because we'll sue you. So now we've got CVEs under the hood of our company that have lasted four years and we found another one. This is no joke on Thursday last week. Same vendor software package, different branch of software, same underlying fundamental problems. And we're still in a situation where we've reported it 10 times now to the company. It's not fixed. We can't through our third party relationship with the education institution say you have a CVE to report
to them. They have to choose to report. And so we're in this path now where all of our testers are looking through DLLs during testing. So we have we've built this new chain to identify zero days in software because software is eating the world and it is vulnerable everywhere we look. >> Why can't they? >> Yes. >> We email them directly and get nothing. And here's the fascinating part. The company we've reported to 10 times came to us for a pentest to get us under NDA. This is no joke. This is every institution in I'm going to call it education field has this software across the planet. I'm talking about millions and millions of installations.
And it's vulnerable. Everywhere we look, boom, zero day. But we can't report. It's wild. anytime you you can reserve a CVE number without submitting a significant amount of details. Uh so oftentimes you'll have a CVE number that's issued that never seems to be published in a meaningful way. Um know that those are types of things that are probably meaningful but might not ever get published. So if you ever see missing CVE numbers, >> we have a question in the back.
>> Yeah. Yeah. Yeah. >> Not uncommon. >> So the comment there was that uh a very similar problem from this individual's perspective is that critical infrastructure services with known vulnerabilities and under NDA can't report, won't report, won't acknowledge. This is this is part of the problem where our adversaries have so many tools and so many packages to exploit networks and unfortunately you know uh in a capitalist market like the US threats of legal keep us quiet. So then instead we just keep breaking institutions and saying hey would you report that back to them that they should probably deal with this and then we keep seeing it and it's four years this is no joke. four years.
Every time we see it now, boom, boom, boom. It's like dominoes collapsing when we run into this stuff. These stories are >> correct. >> Correct. Yeah, it's fun. And then the company who owns the software came to our company to get us under NDA. So, we're under like layers of NDAs. >> Correct. And they won't. >> No. We did have one interesting call with the engineering team at that company where they wanted to see exactly how we had written up our exploit code and we're fine like we're an open book. We only want the world to be a better place but it's been ugly. >> We also don't care to get sued. >> Yeah. We don't get that that path one at
the bottom. Your results may vary. Don't mess with >> and in almost everything we do there's always this notion of like oh yeah and stay out of prison and oh yeah don't >> don't get the company >> don't get subpoenaed. Yeah. Um, your career is is a journey. Uh, but and you know the journey is also the friends you made on the way and and nonsense like that. Um, my background when I was going to college was I was going to be an organic chemist. I loved it. Every bit of it. I wanted to be an engineer. >> You wanted to go into the energy industry. >> I really didn't like working in a lab,
but I loved the physics of chemistry. Uh, and I did three and a halfish years and then had a family and you know, life happens, right? So, I did the other thing that I can do really well, which is computers. Uh and then turns out I even in high school I said I don't want to work with computers. Like it's not really my thing. Like I can do it. I'm good at it. I don't want to do it for the rest of my life. Um ironic. Uh so after I got the degree in in IT then I was like you know what I want to go into business. Uh and then I ended up getting
masters in business. >> It's interesting in the role that I have now um the piece that helps me the most is the scientific like ideology I got from the chemistry work and the business work. The IT degree I got I mean it helped me but I could have learned it all on the job too. So oftentimes the career career is is actually part of that journey. Uh so that career it it's not a sprint. It's really not. Um I worked for Lehman Brothers. I don't know some of you the the uh older generation in the room probably knows who Lehman Lehman Brothers is and what they caused around 2008. Uh I worked there around 2008. Uh and we were involved in like a
massive like economy crash. Uh outcomes from that is new Sarbanes-Oxley rules. Uh which was essentially you now must actually tell your investors what your posture is in the environment which means how many user accounts do you have? Do you have user accounts for employees that don't exist? >> Who touched this file in your financial record system? >> So again the process through this has been a long journey. Uh it's not a sprint and the key thing there is to always learn new things. My exposure with Sarbanes-Oxley started with Lehman Brothers and kind of continued on. Accept side quests. When I said if you're an intern and they give you a job to do,
ask is there anything else I can do? Always be pushing for that. Strive to specialize. Uh and this is a double-edged sword. Um we've worked with individuals at organizations or our points of contact. You're like, "What's your role at the organization?" They say, "I'm in charge of email filtering." Okay, cool. Like that's good. Um who do we talk to about hypervisors in your environment? Say oh that's this person over here. We go talk to them and like do you know anything about email filtering and they said no I only handle ESXi right that's all they do in storage and then you go to somebody else like no I'm just telco all
I do is VoIP so yeah you can specialize uh in fact in IT specialization is where you got that niche job that did really well uh in cyber security you can't just specialize but you do need to specialize >> so it's a very broad skill set. >> It is you got to find a niche. Uh and the point here I'm making is that you you can't know everything, but you must know at least something about everything. Uh if you put yourself into a hole where you know nothing but Exchange, great. But you'll be doing Exchange forever, right? >> And then Exchange goes away and you got to do Microsoft online >> and get more certificates all because of
it, right? Uh we talked about this a little bit. Cyber security right now might seem huge. We talked about like this huge number, one million people in America. It's a lot. Um it's not. And here's the thing. We talked about those like safe career paths uh where you become a SOC analyst and everything's fine. You're good. Uh but as soon as you break out from that and you start doing more, you'll find out that you're going to become the expert really quick. Uh because cyber security, not necessarily the job market, but the actual like realm of knowledge is so wide and there are actually so few people pushing in it that as soon as you push on something
you really like, you're going to become the expert really quickly. Really, really quickly. Which means you're going to get published. You start putting effort in. You're going to get published. You're going to get those CVEs. You're going to get this like your name is going to start getting recognized, right? You're going to be invited to present. And it doesn't take very long for that to happen. I mean, Jordan and I took I think the longest path to get here. Like you guys have the opportunity to like shorten that path way way more quickly than we ever did. After all, I worked for Lehman Brothers. >> Yeah. Is this a good time? I had a crush
on a chick when I was 15 who spoke Spanish. So, I learned how to speak Spanish so that I could talk to her intelligently. This was a foreign exchange student by the way. And then uh when I went to college, I worked with a bunch of Mexicans painting, right? So I was on a paint crew and I was lead. So I spoke Spanish every day with these guys. And then HP hired me because I spoke Spanish. So I was a technical translator on their networking team. Then I learned how to networking. And then kind of grew into a managed services role. And now I'm I was employee 16 at BHIS. He was talking about specializations. There was
no specializations when there were eight testers at BHIS. We all did uh basically internal, external, pivots and web applications. That was it. That was our service offerings. BHIS 175 testers or 175 people now. And we do all kinds of crazy testing like stoplight infrastructure. Uh we'll test critical controls as mentioned in the back. Uh we do every kind of service imaginable. But I am specialized now. Like I'll stick to like three or four things because there's so many of us and there's so many things to know and so many things to do. After a while, uh, you're going to become that expert. And as soon as you do that, you are going to realize that that really
big labor market that was cyber security, all those jobs, it's not that big. It's actually pretty small. When you do that, you're going to find a couple things. One is that there is competition. And it's not just the competition to get a job. It's the competition of other people that are striving to also become those experts. And you're going to find some ego in that. And you're going to learn how to deal with people with ego. And you might even have your own ego to deal with. We're going to talk a bit about ego in a second and give you some advice on that or maybe it's just another discussion, another story about what we did. Uh
you're going to end up with imposter syndrome. Trust me, as soon as you start trying, you're going to be the expert in some portion of this. And as soon as you become the expert, you're going to look at yourself and be like, I'm not the expert. Are you kidding me? Everybody who came before me, they know more than I do. Yeah, but not about this thing that you're pushing on. You're going to become the expert, and you're not going to know that you are. And we the last time we gave this talk, this is a fascinating connection to this very slide that we had mentioned how small this industry is. So we had Egypt on staff for a while at BHIS who is the
iHeart Shells in Metasploit. Uh he was a Metasploit dev. He came over, hung out with BHIS for a while, taught us a lot. We talked a story about him teaching us how to not necessarily be technical, but how to side quest. Like why not instead of playing Baldur's Gate, spend 80 hours learning how to play chess. And he beat us all every single time at chess. He also had some ridiculous juggling skills. And okay, we told the story about Egypt. One of his friends was in the audience. >> It was wild. >> It is. And again, Baldur's Gate. Uh you said chess. Yeah. >> Um why not cyber security research? >> Yeah. >> And there you go.
>> Egypt used to work here. >> I did not. H So the comment was Egypt used to work here. >> Seriously, >> why does this keep happening? I can't even believe it. >> And again, we said this this industry is small. It's perfect point, right? >> That is that is wild. >> Can't remember count the number of times we went to dinner with Egypt. So >> yeah, he was such a good guy. >> So how how do you get there? We kind of mentioned like you can be in these roles and they're safe. You can and if you have a cyber security job that is 8 to five and you're comfortable doing that and you love it, keep doing that. If
you're doing that 8 to 5 job and you're like, I want more, okay, we're with you. We get it. Doing more is tough. Really tough. Know this. First off, your career, it might not define who you are, but it will define how other people see you. So, when I'm up here, you guys all have this idea of who I am now at this point, but it actually has very little to do with me. I know we're trying to break things as we're doing a talk. >> So here's the thing. If you want to do more, if you want to commit to being successful on that, you have to sacrifice. And there's no way around
that. It's unfortunate there isn't, but you're not going to be able to do it working 8 to 5. So with that said, doing more, it's not easy. It is constant learning, researching, hacking, working, reporting. Working and reporting is how we actually have a job and get paid. The learning, researching and hacking is kind of like after 5:00 p.m. for us. >> I explain the job that we do as cyber security penetration testers as report writers. 60% reporting, 40% hacking, plus 25%-ish on education, research, knowledge expansion, middle of the night lab testing, building, dev. This job does not leave us. >> We're going to pick on Egypt more, right? Because some of you may know
Egypt. He is one of the giants. We went to dinner with him several times. You worked here, right? He's one of the giants. Did he stop working at 5:00 PM? >> No. Honestly, I doubt he ever did. >> Yeah. True, true. >> There's late nights, there's missed family time, sleep deprivation for the betterment of everyone. So, you're sacrificing yourself to push the industry, right? That's tough. >> That is tough. >> And if you're in a role that's billable work like Jordan and I, our primary job is pentesting. So, we go in, we break organizations down, we break into their systems, we break into their buildings, we steal their vehicles, we get to their banking
account, routing numbers, whatever it needs. We're getting paid for that, right? And that's important to remember through all this: that's where it's at, right? That's how we're getting paid. That's how we are able to sustain our families. However, the invisible workload to get where we're at right now had nothing to do with that. A little bit to do with that, but it had more after that 5:00 PM time. Have you built any slide decks during business hours? >> No. >> And there are at least a hundred. >> Yeah. >> So, yes. 8 to 5 builds your job security. So does everything you do afterwards. It also expands your horizon. So if you want to
be in those very niche roles, you have every opportunity to right now. Even if you're not employed, you have every opportunity to, but you've got to figure out how to manage your time. We had a question. We were in the career village and someone said, "You guys do remote work." And it's like, "Well, BHIS is Black Hills Information Security. We both live near the Black Hills in South Dakota. There are maybe 15 employees in the Black Hills area. I think BHIS is between 150 and 200 employees. So, obviously the rest of them are remote." And the question we had was, well, will we ever revoke the ability to work remote? It's like, we
can't. Where would all our employees go? Are we going to fly them all into the Black Hills? We couldn't. But that requires discipline, right? So if you're working remotely, that requires a lot of discipline. If you're working from home and your desk is five feet from your bed, it takes a lot of discipline to roll out of bed in the morning and walk five feet and try to work. So manage your time. Try to do the best on discipline you can. All those sacrifices, they're personal costs. It all basically comes down to your personal health, and you have to figure out a way to honor thyself, whatever that looks like. We said you
need to go take those side quests, but you don't need to take all of them. Jordan, when John Strand, our boss, calls us and says, "Hey, I need you to do something." >> We don't actually say no very often. We kind of put it on our plate. >> Had that conversation with CJ yesterday. Yeah. >> I cannot tell the guy no. >> And he doesn't understand how impactful his requests of his employees are, and he makes a lot of them. >> If you know Egypt and he says, "Hey, I've got a project for you," do you say no? >> No, you don't. >> You do not. >> Not if you want to be moving along and
pushing the industry. But that said, build boundaries. Spend time with family before that next hack, which means that next hack might be at 11 pm at night. Build and retain ethos. Also, don't go to prison is kind of where that lands as well. You can't do really cool stuff from prison here. All right. You are all here. How many of you have talked together? I hope that when you leave, everybody in here is like, I recognize that person, because guess what? When you go to that next conference, there's a good chance you might see them. The industry is that small. We had a lot of questions in the career village about how do I work at
BHIS, and we say we are always hiring but we are also never hiring. So they're like, what do you mean? How do I work there? Then I'm like, well, first off, you come to places like this and you meet us. You get in front of us and you tell us about all the projects you've done, all the things that you've done, basically after 5:00 pm at night, because that's telling us that you're pushing the industry. Not every organization is like that. There are pentest firms that want you to work 8 to 5. They will respect that personal time very well, but they're also not the ones that are pushing the community. So, find your
balance there. Know that in all of this, social media... most people in cyber security don't actually like social media for obvious reasons. A lot of people in cyber security have kind of a distaste for being tracked and for behavioral monitoring. That is what social media is, and control. So, we don't really like it. However, we have to manage our brand, and we are the brand, right? My brand is as much BHIS as it is... sometimes we get mixed up. People mix up Jordan and I. So maybe I'm Jordan, maybe I'm Kent. We also own a business together, right? So we're also managing that brand. I'm also
managing the brand that is Kent Ickler. You are the brand. So what does it look like? Well, let's talk about the different skills you might have. A great one to have is being personable. >> I hear >> that is a great >> that's called rizz. >> Turns out I'm also old. I've got like a maturity plus seven somewhere in there. Bet. >> I did recently go to my children. I said, "Did you know rizz meant charisma?" They looked at me and they said, "What is charisma?" I said, "It's rizz." Listening skills. Listening skills is actually wisdom. Why? Because you learn by listening. So if someone wants to tell you a story, you might learn
something. You might gain some wisdom by listening. >> Learning capable is an interesting one. In our industry, that means you're survivable. If you can't learn, this is a really, really tough industry to be in. If you're not willing to learn new things all the time, if you're not willing to be hungry, it's tough. >> I would add something that we haven't maybe mentioned and may not be mentioned in any of these slides, and that is we often hire personality types. We're much more interested in who you are as a person and how you share yourself with the world, right? We build our brand based on external relationships. And I also firmly believe that we can
teach you anything you need to know about technology. Like, you can learn how to break anything. Anyone in this room can break almost anything with minimal training. Our Antisyphon brand under the BHIS umbrella is all training, two-day training classes. And we have built a ton of niche topics now, but it also contains the fundamentals of how to break everything in the world. So when we hire, we hire your personality. We hire who you are. We hire your brand and then teach you what you need to know about doing this job. >> Never be afraid to ask questions. Definitely not. Back to networking community. Why is this here a second time? Because it's that important. So
everybody familiar with 802.3 and 802.1X and 802.11? Those are networking protocols. But we're also again talking about the socials. There's a great thing we want to ask here. How many people would write a letter of recommendation for you right now? Right? And we talked with someone last evening who said, "I only got the job I have because someone wrote a letter of recommendation for me." That's a powerful statement, right? Those of you that are in college right now, hopefully... is there a program chair in the room? >> Okay, good. Oh, >> couple instructors. >> Couple instructors. Okay, so well, we'll apply to them as well. Whoever your program chair is, make sure they
know your name. If you're in a college and the instructors have office hours, utilize that time, because when it comes time that you're looking for a job, what better person to write you a letter of recommendation than someone that knows what projects you've been working on and knows how well you've done on your research, right? Yeah. Go ahead. >> Okay. So, I'm program chair. >> I'm sorry if I gave you more work. >> I experience more. So, I'd like to add to that. Please don't be offended if I ask you to repeat to me, who are you again? So that was the program chair, to repeat into the microphone here, saying for those of you who... our
brains are ADHD brains, dementia-like, the challenges of balancing all the things. It's okay, we may ask you to repeat your name. >> Yes. But expand beyond that as well, you know. Have a relationship with your boss that's not adversarial, because someday you might want a letter of recommendation from them. >> HR too. A lot of people struggle with HR. They're good people to maintain. >> It's weird. Would someone in cyber security gain from having a letter of recommendation from HR? Well, it seems weird, but when you start working in the industry, you realize that cyber security works really, really closely with HR for a lot of different things. Just manage those personal
relationships. And how do you do that? You build that list. Mentors, leadership, co-workers, networking, right? Just have that occasional, hi, how's it going? We met last week. You might tell your program chair, "Hey, oh, this is Kent again." Every time you meet him, just say your name. >> I write code for Metasploit. >> There you go. Yeah. Egypt might say, "Hi, I'm Egypt. I write code for Metasploit." Yeah, we know who you are. >> The beard gave it away. >> All right. He went on a physical test and did this thing that I had never even imagined possible. He was able to successfully tuck his beard into a suit and tie and hide. It was so brilliant.
And it was a medical institution where we had to be clean-cut and look. It was amazing. We have so many stories about this guy. >> How much time do we have? I'm sorry. >> 17. >> 17. Okay, awesome. Remember when we talked about those giants that you will stand on the shoulders of? Others are going to stand on yours. There is no better compliment, and also possibly no better way to create fear for you, than other people standing on your shoulders, because you very quickly find out that you become a keystone in the industry as well. And this is the way. This is how you push the cyber security industry. Here's some ideas for
entering on that. Avoid gatekeeping. Don't impede others from crossing into their own unknown unknown territory. Right? We said go blaze your own trail. Don't prevent other people from doing the same. Right? If you're on the sidelines saying, "Hey, I did my thing. Look how cool it is." Yeah, I don't know if you should do that. I don't know if you got it. No. Push them. Push them if you can. And in fact, not only push them, but pull them along as far as you can. And then when you feel that they're ready, then you push them off on their own, and they find their own way as well, right? Don't be the troll under the
bridge, right? And what I mean by that is ego can become a troll. If you trailblazed and you built a bridge and you want others to cross it, but if you stop at that bridge and you don't go any further because you don't want people to go further than you, well, that actually is holding you back. And guess what? The people that really want it, they're not going to listen to you. They're going to keep going. We need bridge builders. We need people to build those bridges and keep trailblazing. We don't need trolls to guard them. Don't gatekeep. Ego is definitely going to hold you back if you let it. Welcome in new talent.
If you are an employer, definitely look at those internships, right? If you are an employer and you're looking at internships, please make them paid internships. >> Yeah, not exploitative. >> If you are an employer and you do have... >> Sorry for that terminology, but >> paid internships only seem reasonable or fair. >> Mentoring is an investment. Yeah. Go ahead. Question about... >> The question was, what about apprenticeships? Hard to differentiate for us, but we have stuck to... Okay, let me take a step back here. So I run our intern program, kind of the official version of our intern program, and what we've done is make
sure that the people in the intern program are in some way in an education setting. So whether they're in college, whether they're in a technical institution, whether they're studying something somewhere somehow, those are who we want in our internship programs. Now, as far as apprenticeships go, what we've done in the past is, when we are overloaded and beyond our capacity to work, we bring people in as 1099s. And unfortunately, those are very tight-knit and kept relationships with people like TrustedSec. We will hand them work if we have extra work. Red Siege, Tim's company. It was FortyNorth before Chris Truncer went elsewhere. So, we aren't very good at apprenticeships, but that is an
interesting theory. I like that and I'll run with that. >> If you are looking at those internships, again, we mentioned if you have an internship and you're given an assignment, ask for more. Ask for more. If you are giving an internship and someone asks for more, don't hold them back. That might be the best outcome you have, that you might end up hiring that person because they were really able to show off their skill. Have curiosity and never stop asking, right? >> All right. Now, let's talk about money. >> We're professionals. Ideally, we're making the world a better place by hacking, right? Research, network development, hacking is paid for by
our customers. Our customers are paying for us to tell them where their vulnerabilities are. We have this thing internally we say: we hack for show but report for dough. Who in here likes writing reports? Technical writing. Yes. >> This guy hacks. >> Two out of 50. Right. >> This guy hacks. >> That's hack. The reality of it is that a decent chunk of our job is writing technical reports. >> And that's because we don't leave behind an artifact of a wrecked network with all the stolen password hashes. We leave behind a report. Right? People don't care how cool we are at hacking. Our customers care how well we can explain
how they can fix the problems in their network, >> what policies they can implement, what procedures they need to change, what education they need to implement, updates in internal education, additional FTEs. These are the kind of recommendations that actually have impact. We're here because our customers are paying us to be here. Our customers might not know; a couple of them do know that we're here today, but we're here because they're basically funding our employment with BHIS. So you'll find out as you go to visit conferences, maybe you'll be invited to speak. Yes, you are being invited to speak, but the reality of it is you're there because you have a career and you're pushing that industry
as well. Customer advocacy. So when we work with customers, we're telling them about their vulnerabilities in their environment, but we also have to advocate for them. We commonly look at, say, a vulnerability, and you have two ways of approaching it. You can either completely remove the vulnerability or you can somehow figure out what the appropriate risk related with it is. Sometimes those don't directly correlate, but I can give you an example. If you force a user to change their password every day, they're probably going to struggle a lot and they're going to hate it, right? If you require them to never change a password, you've introduced a vulnerability. I know NIST might say otherwise, but
we'll get to that too. The point here is that between those two thresholds is an acceptable value for doing business where it's profitable and it's meaningful. You can go one side where it's impossible for your employees to ever work and it creates so much friction that they can't get their work done efficiently, and the other side of that is you introduce vulnerabilities. Somewhere in there you have to do business. So we help, right. We had a question about, like, what is the best CTF to go and work on. There's a lot of them. Jordan kind of mentioned other ones earlier as well. You get to the point, though, when you are in that
niche role that you've become the expert. Guess what? The CTFs... you know what you really do is you go build it yourself, and you're building a CTF for others because you want to teach them to do the same. >> Again, I'm going to go a little bit faster here. Hacking. >> You're doing fine. All right. Hacking, reporting. So, again, we're pushing the industry. We want our organizations to be safe from vulnerabilities, right? We get to all this and, you know, when we talk about hacking, we talk about making malware. Jordan mentioned Marcello. Is everyone familiar with SILENTTRINITY? It's an interesting name because it's a piece of malware that was developed with BHIS. And it
got used in a state-level attack, and it kind of disrupted the scene about malware development. >> Including... >> How did your state get involved in state... >> Well, here's the thing. >> We open source everything. >> We open source everything, yeah. So not all organizations do. Some organizations will have zero days they hold on to. We do have a zero day that... >> Weird. >> That we have unintentionally held on to. Jordan mentioned the, you know, the education... >> It's intentionally held on to. It's ugly, but it's intentionally held on to. >> Do I need to do something there to make that work? We good? >> Yes. >> Dongle. All right, I'll unplug it and
plug it back in. See what happens here. >> So then, yeah, people like Marcello come down and help us build code, and the code he writes is open sourced, and then it shows up in the news. Okay. Very explicitly labeled as a group uses SILENTTRINITY to take down some power company in, I think it was, Eastern Europe somewhere. Okay. And then inside our company, we now have this new moral dilemma to solve. How do we handle this situation where the code we are producing is being used to wreak havoc elsewhere on the globe? And the problem is there isn't a good answer. So ethically, obviously, sharing malware is probably a bad thing. However,
we don't know how to not do what we do to push the industry forward. So we have witnessed over the last five years EDR products get really, really good at catching pentester activity. >> Endpoint detection and response. Thank you. The question was, what is EDR? EDR is endpoint detection and response tools. So we have witnessed the shape-shifting of EDR from I could write a sample in an hour and bypass any EDR on the planet, to they pick up pentest techniques really quick. Why? We emulate nation-state stuff we see in the news constantly. We try to keep up. EDR products see what we do because we share everything. So now we have the industry
kind of... we're trying to track nation states and we lose someone to CrowdStrike's R&D team. All of our techniques all of a sudden show up at every EDR product across the globe, and that is awesome. So we have a moral dilemma that we solve by continuously sharing. We just have to. So as we go through that, what you end up with here is a loop. If you consistently and without rest hack, research, report, hack, research, content creation, hack, meetings, development, mentoring, hack, report, research, taxes, hack, hack, research, research, meetings, hack, development, content creation, research, hack, report, hack, report, meeting, research, content creation... I need taxes in their place. Anyways, something unexpected happens
after all of that: this thing called burnout. And it really is weird, because it happens at the most inopportune times, yet everybody around you absolutely knew it was coming. >> They knew it all along. >> Oh yeah. Why? >> You ever have someone that says, "Hey, maybe slow down"? There's a reason they're telling you that, right? >> It's time to go on vacation. Let's go. >> If they tell you that, if you're feeling... >> No, leave your computer at home. >> It's tough. It results in degraded relationships, low-quality work, loss of focus and attention to detail, health consequences. Here's the thing. All of those giants have experienced this. Everybody that goes through this process
is going to experience this and they're going to learn from it. For Jordan, it's loss of sleep. >> Oh god, it's rough. >> So where do you go from there? Well, it's mental health, right? We said those sacrifices end up being like a personal health issue. You need to strategize to sustain long-term cyber security career success. How do you do that? No. You need to know when to say no. If he just asks you to work on a project, don't say no. If he asks you to work on 10, say no after like the fourth one, right? Recognize when to step back and recharge. I did mention that if you take vacation, a week-long vacation, it
means you might come back and have a week's worth of work to get caught back up to where you were. That is kind of the reality of it. There's a myth of an always-on hacker. Again, we're working after 5:00 pm, but we're not always on. We do get sleep sometimes. Find a balance. For us, we'll say family comes first, but that means we're oftentimes working at 11 p.m. at night. Know when to walk away from toxic environments, right? If you have someone in your life that has that ego and they're the troll under the bridge, you can either run over the bridge and trailblaze or you can just go
a different path and just avoid them. It's not worth keeping that toxicity in your life. It really does affect you. >> Jordan, you want to talk about this scientific study? >> Oh god, this was awful. So, this was UCLA's study of inbound students. I can't remember. I think they do it every year. They're inbound students. And so what we've witnessed over the last few years, I mean, it's apparent to everyone going into college and driving around towns now, there's more mental health resources available to us all, but most of them are full, because all of us are struggling in some way with something. And so what we see here... I don't know
how much time you're spending on your phones, how distracting are they? The apps, the algorithms, they're all designed to keep our attention, change our focus, make things... 100% they are manipulating you. >> Yeah, we're in a really dangerous place with our mental health, like, as a civilization. The constant streams of chaos through the media, our apps, our algorithms, and it just shows up in university studies of their students. Everybody is struggling with mental health. Like, that's ultimately what this is. >> You say touch grass. Everybody says it. Touch grass, do it. Go outside, get some fresh air. And there are better networking opportunities than X, than Twitter, than Reddit, whatever. It's in
this room. It's definitely in this room. Go out, meet people, do it face to face. It's going to go a lot further for you if you're in this industry looking to make a name for yourself. So, some takeaways. Perseverance is key. You can stop, but as soon as you stop, you're going to have to make that path back up, right? Passion is important, but also requires balance and sacrifice. If you have all the passion, you have all the perseverance, you're going to end up burning out. You're not gonna get where you want to go. Staying on top means continuously evolving, teaching and advocating, giving back. You're going to become that giant.
Other people are going to rely on you. And it seems scary at first, but it doesn't take very much to get there in reality. Yeah. And the goal isn't just hacking things. It's for us to make the world a safer place. That's why we do it. That's why we're up late at night. It's why we're here. Thank you. [Applause]
anything. >> Yeah, absolutely. >> No problem. >> Any questions? >> Yeah, go ahead. >> Yeah, not really directly related to your talk, but what is your view on attestation and secure boot on network devices? Like, is that becoming more common in what you're seeing? Is that making persistence attacking... >> Those are complex attacks. And where we find complex attacks most successful are state level at this point. If you think, it was about 10, 15 years ago now, there was a supply chain issue, not supply chain like we think on GitHub now. Supply chain where a vendor was manufacturing computer equipment and then sending it off to a dark site where
firmware changes were made. >> That chips swapped... >> Chips were swapped, and then it went back into the supply pipeline. That's kind of on that level, and it went unnoticed for years. Give me physical access to your device and I'll talk to you about secure boot, right? >> Not sure if we're allowed to say it was a state-level attack. So it was us. But anyways, the... us, not us. >> So did we address the question? I guess I'm curious. Attest... I heard test. >> You've seen over the last few years, is it... >> I >> Are you seeing more and more, like, you know, from your customers, your customers,
are you seeing their general posture get a lot better in terms of this? So the question is, are we seeing shifts toward better security in the industry? For organizations that can afford it, the answer is absolutely yes. Of course, >> the best thing for that, the best push for secure boot, has been Windows 11. >> And I'll throw in another... here's my first marketing pitch. We teach another class called Assume Compromise. This is BHIS's pivot methodology. What we observe on that is we expose a couple of RDP servers to the internet. Okay? And we go look at those from a logging perspective toward the end of class. After you've exposed them
to the internet for two days, there's 80,000, maybe 100 thousand failed logins from what used to be Russia proper. They used to not bother hiding. They have shifted their tactics in the last six months to proxy everything. So now, like, Russia has dropped off our threat map, but now they're proxying everything through US cloud services, through compromised homes and networks and routers. Security will continue to be really bad. Home users don't understand. >> There's a reason for that too. I'll interrupt you, but we do another presentation and publish a thing on how you got hacked every year. And it's been... >> Working on that slide deck now, but does anybody want to guess... how... we have a
lot of data that we go through when we do this. >> 850 reports last year. Okay. >> Okay. So, out of all those, what is the most common pathway for us to breach an organization? Anybody want to guess? ...and human. >> Yeah, it's people and it's credentials, and those two go together. Phishing, social engineering, it's people and credentials almost every time. That's at least by the numbers the most significant. Then you can kind of get into the weeds and there's other things. Yeah, zero days are in there, but practically speaking, most organizations are managing their patching, right? So, they already have those kind of taken care of, >> especially ones that can afford pentests,
consistent annual pentesting. They're getting better. But I think if you look around your town and you drive up and down the street, you've got open Wi-Fi networks with POS, you know, point of sale attached. You've got car dealerships with, you know, remote login cred... you know, portals to their sites who have never considered security. You have oil manufacturers, rigs. The failures and blind spots in security are obscene, and that is not going to end, unfortunately. >> Yeah. Go ahead.
basic level. >> This is a great question. Okay, so let me repeat the question for the mic. The question is, are we suggesting that the primary, like, underlying flaw in cyber security is knowledge, right? Is learning. You want to take a swing at that one? >> Controversial? I'll say no. And yeah, so security awareness training is very important, right? But there is a certain individual that needs to use a computer that you'll never train. >> And that is today's service industry, a reality of just the service industry. And that's kind of... >> It is our job. >> Yeah, it is our job to accommodate those users.
>> The knowledge in this room could solve about 90% of the cyber security problems in this entire city, state, anywhere. You pull this knowledge and deploy it, we're, like, so much better. But unfortunately, the industry is tiny and we're an echo chamber, and we exist in this realm that right now is currently being ignored. Which is shocking, because of what happens in the news every day. Some company will call us every day: hey, I saw my peer get hacked. I don't want to get hacked. Can we get a pentest? Like, every single day. We do not have to do outbound sales. We get a call every single day from somebody whose friend
got hacked or whose family got hacked, and they're like, "Maybe we should do this. Maybe we should take security seriously." >> Other questions? >> I got a comment on that. Home security: people are cheap.
>> Yeah. >> Yeah. >> Oh, I got one for you. I installed a bird feeder that had a camera. Okay, >> it's great. It's so fun. If you're, like, stressed out... >> I installed a bird feeder. I put it on my IoT wireless, which is zero trust, right? Cannot leave my IoT network except to the internet. And the first thing I see is this little freaking bird feeder has firmware that is calling China for NTP. And I'm not even joking. It's very static. It's like a heartbeat. Block it. It immediately swaps over to the Russian Federation. Pop, pop, pop, pop. >> It's a bird feeder. >> It's a bird. >> Is this a T-U like IP?
>> Yeah, something like that. Yeah, almost anything off Amazon. >> Firmware is embedded with call home. >> It's just like, oh my god. >> You know, the other side of the... I know, kind of home security. What are your options? Yeah, if you go to Walmart and buy the cheapest thing, it's doing the same thing, right? It's all part of that supply chain headache. There is hardware that stays on prem, but then you have to be in a role where you have to understand how to operate all of it, and the majority of Americans... >> No, they're not going to know. >> And we do have another question here on the left. >> I just had another comment.
Just this last year I talked to a different cyber security... and one of the things that they had talked about is being aware of... one of the things they mentioned in that class, very easy target. >> Oh yeah, that's great. I can give you plenty of stories. >> This guy is one of our printer experts. I've seen him rip credentials out of a configuration file. I've seen him use LDAP pass-back attacks. I've seen him compromise the, like, network call-home account that's like... you can write with this account to file shares, to DA, and... >> I probably know who. >> We target printers. They're part of our methodology for that reason. >> I don't know if we have time.
>> Yeah, we're good. Okay. It's all right. >> Yeah, we're good. >> Awesome. Thank you. Thank you, everybody. >> Thank you all. >> Appreciate you. Thank you. >> Thank you. >> Yeah. If you get the opportunity to talk stories, we can talk. >> Oh, yeah. Walk away with your electronics. >> If you have a large organization, a state has kind of gotten in and they've got the roof somewhere. >> You guys... how do you... probably one of our... some of our employees. Yeah, >> I swear I saw you guys there. >> It is possible. We travel; like, this is my 10th or 12th. >> Yeah, I appreciate that. Yeah, truly. Yeah. >> Thanks. Yeah, I'm surprised they
picked a non-technical talk, but >> we submitted a couple. We submitted the Why You Got Hacked last year, which is our report analysis, >> and that is a fascinating data set. The next thing that I want to talk about is >> Yeah. Or putting together the knowledge in this room and, like, starting an LLC. That's like >> dude, >> to me it's a no-brainer. But I don't know how we reach outside