
Cyber Crime Junkies
Translating Cyber into Plain Terms. Newest AI, Social Engineering, and Ransomware Attack Insight to Protect Businesses and Reduce Risk. Latest Cyber News from the Dark web, research, and insider info. Interviews of Global Technology Leaders, sharing True Cyber Crime stories and advice on how to manage cyber risk.
Find all content at www.CyberCrimeJunkies.com and videos on YouTube @CyberCrimeJunkiesPodcast
🔥 How Hackers Can Protect Your Business | AI Risks & DEF CON Secrets🔥
What if the hackers are actually the heroes?
In this mind-blowing episode, host David Mauro sits down with Matt Toussain, elite military cyber warrior, DEF CON speaker, and Founder of Open Security, to reveal how offensive security and real-world hacking tactics are helping businesses reduce risk, fight cybercrime, and stay ten steps ahead of threats.
🎖️ From serving in the U.S. Air Force as a Senior Cyber Tactics Lead, to becoming a NetWars Champion and SANS instructor, Matt shares battle-tested insights and introduces Sirius — the groundbreaking open-source vulnerability scanner that’s changing the game.
🚨 Whether you run a business or just want to finally get serious about cybersecurity, this episode is PACKED with unfiltered truth, practical strategies, and behind-the-scenes access to the front lines of cyber warfare.
Takeaways
• Matt Toussain's journey from military to cybersecurity is inspiring.
• DEF CON is a great platform for new voices in cybersecurity.
• Penetration testing is crucial for identifying vulnerabilities.
• Real-world examples highlight the importance of cybersecurity.
• Sirius is an open-source vulnerability scanning tool.
• Organizations often overlook basic security practices like password management.
• The Colonial Pipeline incident serves as a cautionary tale.
• Effective remediation is key after penetration testing.
• Cybersecurity is a constantly evolving field.
• Networking at events like DEF CON can lead to valuable connections.
• Password management is a significant challenge for organizations.
• MSPs often lack the resources to provide adequate security.
• Outsourcing IT can lead to increased tech debt and security risks.
• Incident response requires a deep understanding of the threat landscape.
• Nation-state actors pose unique challenges in cybersecurity.
• Prosecution of cybercriminals is complicated by international law.
• Geopo
Growth without Interruption. Get peace of mind. Stay Competitive-Get NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com
Have a Guest idea or Story for us to Cover? You can now text our Podcast Studio direct. Text direct (904) 867-4466
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!
Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/
Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast
Join the Conversation: 💬 Leave your comments and questions. TEXT THE LINK ABOVE . We'd love to hear your thoughts and suggestions for future episodes!
🔥 New Episode 🔥 Host David Mauro interviews Matt Toussain, founder of Open Security. Matt is the Founder of OPEN SECURITY and a SANS instructor, gaining experience in cyber and leadership as an elite military offensive security leader, serving as a Senior Cyber Tactics Development Lead for the U.S. Air Force.
Matthew is a DEFCON, RSA, and DerbyCon speaker, a NetWars Tournament of Champions Grand Champion, and recipient of the SBA Veteran-Owned Small Business Award. His expertise in vulnerability management, threat intelligence, and DevSecOps makes him a sought-after voice in cybersecurity.
Catch the full episode! https://youtu.be/ON0_4QaSqU4?si=Fk6pPpuFGix0hYzb
We discuss:
• How Hackers Help Business Reduce Risk
• Cybersecurity Best Practices For Businesses
• How Offensive Security Helps Business
• Behind The Scenes At Def Con
• Challenges Of Detection
• Incident Response Planning
• Managing Vulnerabilities On A Budget
• The Importance Of Penetration Testing
• Password Management Best Practices
• The Colonial Pipeline Cyber Attack
• Sirius, A New Open Source Vulnerability Scanner
• Military Service To Cybersecurity
🎯 Perfect For:
• SMB owners & MSP leaders
• IT & security professionals
• DevSecOps teams
• Anyone serious about vulnerability management and cyber resilience
Speaker 1 (00:00.174)
All right. Well, welcome, everybody, to Cybercrime Junkies. I am your host, David Mauro. And in the studio today is a very special guest, Matt Toussain. Matt is the founder of Open Security and a SANS instructor. He gained experience in both cyber and leadership as a Senior Cyber Tactics Development Lead for the United States Air Force. He's a DEF CON, RSA, and DerbyCon speaker,
a NetWars Tournament of Champions Grand Champion, and a recipient of the SBA Veteran-Owned Small Business Award. His expertise is specialized. It's general in cybersecurity, but also very deep in vulnerability management, threat intelligence, and DevSecOps, which makes him a very sought-after voice in cybersecurity. Matt, welcome to the studio, my friend.
Absolutely, it's a pleasure to be here. Thanks for having me on.
Yeah, great. So tell us a little bit about yourself. Generally, where did you grow up and did you always know you wanted to be a hacker?
Absolutely. No, I didn't. So I'm a military brat. I grew up all around the world: Portugal, Germany, Japan, and in the US. I consider myself an Alaskan because I did go to high school and such there for a while.
Speaker 1 (01:16.279)
Interesting.
That same kind of story held true for me for a while because being a military brat, my family has got a very long history of being military as well. My sister was army and then Navy where she met her husband also in the Navy. I'm married to Green. And so I went to the US Air Force Academy because it was expected and I was going to be a judge advocate general or an air force.
Oh yeah, in the Jags you were going to pursue like a law career within the mountains. I was. Yeah.
You're supposed to go in for a couple years and do Air Force stuff and then you can apply for JAG school. I actually did do that and I got into JAG school. You're not really supposed to then say, nah, just kidding. But that was my story.
They don't like you jumping around, right? They don't want you like, you know, going, thanks for opening up all these doors. Now I'm going to different.
Speaker 2 (01:59.751)
Absolutely. Yeah, that is very much my story.
Why was that? Why was that? I ask? Cause I, I, I pursued law in the beginning, did that for a number of years, was a prosecutor and stuff and got into risk management and from there found cyber decades ago and have been in it ever since. Why? What, either.
Absolutely. So I was at the Air Force Academy and you're supposed to do a couple years in the Air Force doing whatever other career field it is. And originally I was planning to do intelligence in the Air Force, and I was specifically a foreign area officer specializing in Arabic and Chinese, very different than cybersecurity, right? So cybersecurity had just come out when I was there. It wasn't actually a career field in the past. It had been communications for the longest time. And so I figured, you know, I do like this computer stuff, and I had joined the cybersecurity competition team at the Air Force Academy. We went to the national
cyber defense competition a couple of times. And I just really fell in love with it. So I figured, you know, if I have to do this broadening experience for a couple of years before going to JAG school, I may as well do something that I love. And that's what got me into cybersecurity in the early days. Then I started working with the SANS Institute. I became an instructor and a course author for their material. And the rest is kind of history.
That's phenomenal. Well, I mean, every industry has events and has conventions, and the cybersecurity hacking community has their own, and they've had it for a very long time. One of the largest ones is really DEF CON, and then you get the vendors involved at Black Hat and some of the others. But tell us about, you know, what can you share about
Speaker 1 (03:36.226)
some of the presentations that you've done at DEF CON and share for people that might not know what it is, kind of what your experience was like and why it's important.
Speaker 1 (03:54.478)
Come join us as we go behind the scenes of today's most notorious cybercrime, translating cybersecurity into everyday language that's practical and easy to understand. We appreciate you making this an award-winning podcast by downloading our episodes on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies, and now the show.
Speaker 2 (04:33.294)
Absolutely. Well, I mean, the first takeaway for the listeners is that you should apply too. When I went and I spoke at DEF CON, I was actually a senior in college and I had done research for about a year, and I didn't think that we were going to get accepted, but I did submit a presentation to DEF CON. We were releasing a tool called Subterfuge and, lo and behold, they accepted it. So there I am. Is this scene from college? Absolutely.
Really? Wow! Very cool!
And so there I am, barely 21, on the DEF CON stage in front of 1400 people, in the Air Force because we went to the Air Force Academy, right? And so my boss, Alexander B. man, I forget what his last name is, but he was the head of the NSA, right? So he's in a room next to me and I'm in front of hackers, more hackers than there are in his room. And it's the most titillating experience, I suppose, out there at all. Now this is on the Internet. I got really nervous in the middle of the presentation, ended up coughing for a bit.
So anything that could have gone wrong effectively went wrong, but it ended up being a really fantastic experience anyway. And I highly recommend that other folks do it, because the thing is, having been on CTF or CFP, excuse me, review boards, and that stands for call for papers. So these are for talks and such. Having been on a few review boards now, I can tell you with a lot of experience that the folks that are sitting on review boards are always interested in getting new blood into cybersecurity. There are so many events where you see the same people, the same names communicating over and over again.
And while that might be fantastic, maybe they've got a lot of experience delivering a presentation and they can be entertaining. At the same time, having a new voice or having new voices is really, really powerful to share around in the information security community and get new perspectives. So I highly recommend, kind of first off, that you take advantage of whatever your local cybersecurity events are, if there are BSides conferences, or if you look to one of the more national or international events like DEF CON, Black Hat, RSA, submit a talk,
Speaker 2 (06:23.284)
because you might just get accepted. And I have found in my experience that there is no better icebreaker than getting to talk to a whole group of hacker friends during an actual presentation. And then after the fact, chill with them, hang out and have a good conversation afterwards too.
Yeah, and you learn so much there. Like they have all the different villages. They have car hacking and village this, village that, like every possible, you know, almost anything that's made can be hacked essentially, unless you can tell me otherwise, I would trust your opinion. But it seems like almost every piece of technology made is, which always amazes me because whenever
somebody has a box that's going to cure cybersecurity, I'm like, I can't wait to see that thing at DEF CON and have everybody blow it up, right? Like they'll be like, well, we found this vulnerability, that one, et cetera. So it's so fascinating to so many people. There's so much wisdom there. Excellent. So tell us about Open Security. We want to know about Open Security.
Absolutely. So Open Security is my cybersecurity firm. I founded it back in 2014 when I was still in the U.S. Air Force. And so I made the quote unquote mistake in the military of becoming an officer. And if you're an officer, you're a manager. And so I wanted to do all of this hands-on-keyboard hacker stuff. That's why I joined the military, and I wasn't getting to do as much of it as I really wanted to. I was doing a lot of project management and team management and such. And so I asked my commander at the time,
can I go off and do off-duty employment and start up a business that does cybersecurity work on the side, so that I can keep my skills relevant and that I'll be able to take that experience back to my team? They were, yeah, they absolutely were. In fact, they were more than okay with it. I had some colleagues in the military who also looked at me and they were like, we wanna do that too. And so they jumped on and joined as well. And by the end of it, I was in the military and we had like five or six of my colleagues as penetration testers working within the organization.
Speaker 1 (08:01.133)
Okay with
Speaker 2 (08:20.436)
And that's kind of how Open Security got started.
So let's back up just a little bit. I love hearing that, how people can serve the country and still create something that they're passionate about, build a business here in the United States. Fantastic. Penetration testing, to a degree vulnerability scanning, but especially red teaming, you know, penetration testing, that falls under like offensive cybersecurity. And you just explained to the listeners high level, we've done it a hundred times, but I just want you to kind of explain like,
why that's so important, especially to the SMB community, and how it differs from Blue Team. We don't have to get into Purple Team and all the other stuff, but just high level, just to set the stage.
Yeah, and I can even share a story about this, in fact. So my organization, Open Security, we were a penetration testing firm, but we do all types of cybersecurity work, mostly on the offensive side, which effectively means that we're wearing the hat of the malicious criminal hacker, but for good purposes, in order to identify what's going on with your environment and whether we can fix things before a malicious actor comes in and breaks everything for you. And so one of the penetration tests we were doing was actually for a film studio. And that's one of the things that's so cool about penetration testing,
is you might be penetration testing some organization or some system, some application, and then you go off to the theaters a couple of months later and you actually get to watch the movie that you just helped to protect. So it's really, really fantastic. And this movie was actually over a billion-dollar IP, which I know kind of shortens the number of movies that it could be, but absolutely tons and tons of people have seen this, and having been able to be part of that is super duper cool. But they needed a penetration test. And the reason why they needed a penetration test
Speaker 2 (10:02.86)
was because they were worried that somebody might hack into their environment, steal the movie and release it on Pirate Bay, which that year had actually just happened to HBO. So when I tell the story, I like to refer to the company as Not HBO, because they're not HBO, but they reached out to us for a penetration test because they didn't want to be HBO either. They wanted to stay secure. And the reason why they needed a penetration test as opposed to, let's say, a vulnerability assessment is because they weren't looking necessarily for problems to fix, because they already had some defensive strategies in mind. They had
compensating controls, thought that their movie data was always offline and it wasn't connected to the network. They thought that they had these security mechanisms in place, and a vulnerability assessment is meant to see if those are there. But a penetration test is a little bit different. With a pen test, the objective is to prove the art of the possible, as in, can I tell a story by which your organization actualizes its risk and something goes catastrophically wrong? With a penetration test, we're not looking to tell as many stories as possible. We're looking to tell as many stories as we have the time to do.
So a penetration test is very focused; a vulnerability assessment is much broader. A vulnerability assessment is trying to stop those stories from being possible before we even know what those stories are. With a penetration test, we're trying to identify what those stories might be.
Yeah, okay. I didn't mean to interrupt. That was excellent. So this bigger organization, they clearly have a lot of cybersecurity controls in place. I imagine they've got a lot of threat hunting in various sectors. So they're there, they've got eyes on glass 24/7, and you guys were still able to get in undetected.
So I wish that that was true. They had very little cybersecurity, and we absolutely dumpstered their organization's security. It was very, very quick. In fact, they weren't thinking about cybersecurity at all. Yeah. So they scoped the penetration test to be one week. And so I'm on Wednesday getting together with my team and I'm like, hey everyone, we've got some progress. We've got some code execution. That means that we got control and we took access of some systems.
Speaker 2 (12:04.168)
But we didn't have the movie data, and we had two choices. We had the choice of either going after the entire network and getting everything, you see this often with ransomware campaigns where the attacker extorts your access to the network back to you, or we could have gone after the movie data itself specifically. And so because of our scope being so short, what we actually decided was, you know, we could get all of the access, but instead of getting all the access, let's focus on just the movie. This organization, they just weren't thinking about cybersecurity at all. They saw HBO get hacked and they were like, maybe we should have somebody check us, and
It went well for them because we found the things that the attackers did not, but they needed the penetration test for certain.
So, and then you presented your findings to them, and then they went and they shored it up. They went and they were able to close those open ports or however it was that you guys got in and then were able to escalate privileges or move around.
Absolutely, yeah, we escalated privileges through a number of different ways, and they absolutely remediated those problems after the fact. But one of the things that's so interesting about remediation, and we see this with vulnerability assessment and vulnerability management as well, right, is we do a penetration test, we've got findings for you, but what do you do about those findings? How do you actually fix it? In many cases, the actual vulnerability is perhaps a feature. And so in this case, what we found was that they had a track management system for the movie. And that effectively allowed people doing post-production of the movie to upload short clips, you know, short clips of a minute,
five minutes apiece, to the track management system. The director, who was a famous person, can go in and see and identify, you know, actually, you know, go around the river bend, we want it to open up to a big world to show the viewer, you know, yada, yada, yada, whatever cinematographers do. And the thing that they didn't realize is that if you have all of the clips of a movie and you put those clips together, what do you have? We've got the full movie. And so the mistake they had actually made is that they had assumed that their security was greater than it actually was. And so we found a user who had reused their password from their local system onto this portal,
Speaker 2 (13:56.6)
and we just logged right in, there was all the movie data.
Okay, so I was just talking to a group about this earlier today. You were able to, because of, was it a stolen credential or a leaked credential or just password reuse? You were able to, did you socially engineer them to get it, or were you able to just find it on the dark web, or how?
Find it. Yeah, absolutely. We were able to find it inside of the network. So we got access to a system through exploitation of that system. We escalated privileges on that one, found an administrator credential, used that to move laterally to some other systems. And on those systems, we found some users, and we were able to pull their credentials actually in plain text. So we didn't actually need to crack the credentials or anything like that, from the LSASS process, Local Security Account Subsystem Service, with a tool called Mimikatz. After we pulled that password with Mimikatz, they had reused that password from their Windows operating system onto this web application.
And so we just used that and logged right in.
It's unbelievable. I mean, we went on the dark web, found a whole bunch of various stolen credentials, session cookies, all that stuff. And it's like when they access things like that, they could literally log in from the outside as opposed to even having skill sets like yours to manipulate and exploit vulnerabilities.
Speaker 2 (15:16.078)
Absolutely, that's what happened to Colonial Pipeline in fact, a credential stuffing attack against their VPN gateway.
Yep. Unbelievable. So walk us through, high level, walk us through how attackers would have done something like Colonial Pipeline. I don't want to go down the rabbit hole too far, but just from a business owner's perspective, like why it's so dangerous when people get credentials leaked or they reuse passwords. It's because it's available on the dark web, right? Like it works. I mean,
the ones I've seen, it works like Amazon, except for Bitcoin instead of a credit card. And you can buy access into these places. It's frightening.
Absolutely. We call those initial access brokers, in fact, on the criminal side. So a lot of adversaries don't actually work necessarily alone, even if they're not necessarily directly partnered with other groups. So you might have adversaries who only go around trying to get initial access, and then they sell that access to other attackers that then might be doing ransomware as a service, or they might be part of ransomware groups. Colonial Pipeline wasn't actually a story of that. Colonial Pipeline
was one specific group, the DarkSide group, going after the organization itself. But it's also a really interesting story, because what a lot of folks don't realize is that that group never got access to the operational technology environment of Colonial Pipeline. That means they never got access to the real pipeline. They only got access to the IT systems inside of their environment. And so what the attackers effectively did is they went on the dark web, quote unquote, though you really didn't necessarily need to go on the dark web, but they were looking for breach data. And there are a lot of different sources out there
Speaker 2 (16:53.912)
for breach data. The idea might be that you have an account on LinkedIn and then LinkedIn gets compromised. Well, LinkedIn has a lot of passwords. All of those passwords might now be exposed, and a hacker or a penetration tester emulating an adversary might go out, download that list of passwords. I see that you have a user account that is something like bob@colonialpipeline.com. And now I have your email address and a password that's associated with that email address, but for a different site.
If I then try to reuse that email address and password against your actual application, well, maybe that user reused their password between the two. And if they did, you've just gotten access. And that's exactly what happened with Colonial Pipeline. The adversaries, once they got access, they moved laterally around the environment, but they never got access to anything more important than Colonial Pipeline's billing system. And they tried to ransomware that back. What a lot of folks don't realize is that Colonial Pipeline made the business decision to turn off the pipeline. They could have left it on.
They could have made none of those kind of geopolitical issues happen, but they wouldn't have known how much to charge.
They wouldn't have. Wow. So they would... my gosh. I just had no idea, actually. Yep. Well, this is great.
It was a pretty terrible story too because
Speaker 1 (18:05.224)
So they voluntarily shut it down out of like just cautiousness, right? But plus they had to shut down, or they shut down the pipeline because they wouldn't know how to bill on it. The billing system itself was the one that was encrypted.
Because they wouldn't know how to bill.
Speaker 2 (18:20.822)
Compromised. Yep. And that billing system was not connected to the pipeline at all. In fact, like the story gets even more crazy. So the CEO of Colonial Pipeline, he came out and said, yeah, they got in with a password. That's already pretty bad. But I want to be clear. And this is a quote from him, like legitimately a direct quote: I want to be clear, it was not a "password123"-type password. This tells us a couple of things. It tells us, sure, that it wasn't a "password123"-type password. But if the CEO of your company is trying to convince people that they got hacked not because of a "password123"-type password, what kind of passwords do we often see inside of that organization?
Probably "password123"-type passwords all over the place. So it likely indicates a much more catastrophic issue. And the second side of that is that the attackers themselves didn't want to break the pipeline. They got into the billing system and they were doing a run-of-the-mill ransomware attack. They got paid in Bitcoin, but then they realized this was turning into a geopolitical hot potato, and they left the ransomware payment in a US-based Bitcoin wallet as opposed to exfiltrating it outside of the country, because they were thinking, you know,
It can be traced in...
the United States, you have this one, have your win. We don't want to go to jail, because we're not going to go to jail for some piddly, you know, $5 million in Bitcoin. That's a weekend for us. We're going to consider this a hot potato. And so the DOJ came out and they said, look, this is proof that crime doesn't pay. Beware, hackers, we got the money back. But that is just straight-up propaganda on the part of the DOJ. The attackers willfully left it in a US-based Bitcoin wallet because they didn't expect Colonial Pipeline to go nuclear on themselves.
But Colonial did.
Speaker 1 (19:50.22)
I had no idea, and I wasn't planning at all on asking about Colonial Pipeline, but I just learned more in the last like two minutes than I have studying all of the case studies and everything about it. That's fascinating, Matthew. That's phenomenal. Yeah, it's a really cool story and it's one that everybody remembers. Holy cow. That is absolutely crazy. So walk us through. You just recently developed, what is it called? I want to do it justice.
It is the engine, the Sirius vulnerability scanning engine. And Sirius is spelled like Sirius radio. Any relation? Any relation? No, just a cool name.
Cool name, it's related to the star. That's where Sirius got it too.
Of course.
Yeah, exactly. They don't have the star trademark. So it's Berkeley by. You know, if not, we'll get it anyway. Sirius vulnerability scanning engine. So what is it and how does it differ from a lot of the vulnerability scanning platforms that are out there?
Speaker 2 (20:43.214)
They don't have the StarTrader.
Speaker 2 (20:56.526)
Absolutely. Well, so first off, it's a general-purpose vulnerability scanner. So you might see some enterprise tools like Rapid7's Nexpose, Tenable's Nessus, or Qualys that are somewhat similar. And when I first made this tool, and I've been working on this tool for five years now, it finally came out in beta this year. And then hopefully it should go into version 1.0 at hacker summer camp, maybe DEF CON, over the summer. Hopefully we get in, knock on wood. That'd be lovely. But so when I first made this tool, there was supposed to be no general difference between the commercial tools
and Sirius. The biggest differentiator was supposed to be that Sirius is open source and it's free, because of the penetration tester. I very much believe in scratching your own itch when doing projects. And as a penetration tester slash pen test firm, we've had so many organizations where we go in, we find some vulnerabilities, we tell them what to fix. And then we come back a year later to do their annual penetration test, and those vulnerabilities are still in place. And we ask what's going on. Sometimes you've got organizations that just don't care.
Like, is it cost? Is it that they're not given the right advice? Cause I've seen that too. I've seen a lot of just general vulnerability scans tell them there's 173 things to do. They kind of drop it in the lap of the client, and the client's like, I don't know which one of these is important. Like they want to know which one a hacker is going to use to get inside. Like if the other thing just might be an inconvenience or might not be
being exploited, I'll worry about that one later, but like prioritize these for me, right?
Absolutely. Yeah. And I think that if you're doing a penetration test, it's your responsibility as a penetration tester to highlight those kinds of things. Is there a Metasploit module for this? Is there a MITRE ATT&CK framework tactic that this is associated with? Is it on the cybersecurity infrastructure security awareness, the CISA, KEV list for known exploited vulnerabilities? That is information that your penetration tester should be providing you. Unfortunately today, we do see a fair number of pen test firms just do a vulnerability scan and then deliver that as a report. That's really unfortunate.
Speaker 2 (22:56.478)
In our tests, we are always delivering key findings that are triaged for importance. And so for most of our clients, they're actually not dealing with that massive-number-of-vulnerabilities problem. They're dealing with a remediation issue. So they might be doing patching and they try to patch the vulnerability, but what they didn't realize is maybe that there was a registry key that also needed to get changed in order for that vulnerability to be patched. A famous one might be something like PrintNightmare, for example: if you just did the patch from Microsoft, it wouldn't actually fix the vulnerability.
And so oftentimes we might come back a year later and find out that the vulnerability has either been partially mitigated or not completely or not fully mitigated at all. And how are they supposed to know? Because we have the tools, we've got the scanning tools, we've got the penetration testers, we're finding the vulnerabilities. What mechanism do they have to validate that their fix actually worked? And unless they're spending a lot of money on Rapid7, and with big enterprises that might be the case, but for small and mid-cap firms, like $150 million in market cap and below,
that is often not true. And so these organizations are finding themselves vulnerable for like a year with nothing to be able to do about it. And Sirius scanning exists to help close that gap.
And then will you guys go and rescan after the vulnerabilities? If they say, Hey, we fixed these, absolutely do. Like, like, you guys do that? Or, is that at least done in the annual penetration test? Like either way you'll be able to verify for the organizations that it's done.
So it depends a little bit on what firm you're asking. For my firm specifically, we include with every penetration test, something we call remediation testing. So that means we might do the test and then say three months later, we come in and we can do another scan slash smaller test where we're validating that the remediation has been performed properly. But even then there are some potential downsides. For example, do you get a year's worth of remediation done in three months? For most organizations, the answer to that's not necessarily gonna be holistic.
Speaker 2 (24:49.516)
So we're really talking at that point about the highs and criticals, not all of the major and important vulnerabilities.
That's unbelievable. So in terms of the use of vulnerability scanning by penetration testers, can you walk us through typically how they're leveraged? Because there are two different things. And I think in the industry sometimes, I know in the industry sometimes, the vendors themselves mix those up. And there's a big difference between the actual human red teamers that will get in and the
scans that will provide certain vulnerability insights.
Absolutely. In fact, I used to teach penetration testing for the SANS Institute. And what I would tell the students in every class that I taught is run your vulnerability scanner first, because it takes a while to finish, and don't look at it until you're done with your penetration test. Why would I say something that's that crazy? It's because the findings that you're going to get from your vulnerability scanner are really just by and large not actionable if we're talking about gaining access, moving laterally, escalating privileges, and direct exploitation.
A lot of the vulnerabilities you're going to get off of a general purpose scanner are more like hygiene, but they can also form a really good backstop for you as a penetration tester. So if you went in, you did a pen test and you missed something, that vulnerability scanner can be really useful for you. But this is actually another deficiency that is why we made Sirius Scan in the first place. Because I believe that as a penetration tester, you should be able to do your work through a tool that is vulnerability centric, which is to say that it understands vulnerabilities specifically and directly.
Speaker 2 (26:27.17)
Your vulnerability scanners that you might get off of the shelf, like Nessus, for example, which is a tool that we use at OpenSecurity, they just aren't meant for that. They're meant to like set, run a scan, and then you've got a pane of glass to then potentially work through. Do you have agents for your scanner? Maybe. Can you, as a penetration tester, use Tenable's agents to run commands on the local system to validate that a finding is a true positive or a false positive, to look for custom vulnerabilities or to do automation? No.
because those tools just don't give us that kind of capability at all. I believe that there's a significant need in the penetration testing world for a much more tactical vulnerability scanner. And that is actually one of the other things that has been a scratching your own itch kind of benefit of Sirius Scan, because it provides an agent, for example, that lets you do real penetration testing tasks through your vulnerability centric tool, that being a scanner in this case. But for most penetration testers using a general purpose scanner that's just commercial off the shelf, oftentimes we need to go much deeper than that tool will allow us to.
In your experience, what are some of the scariest things most businesses either don't realize or just assume take for granted in terms of their own security posture?
Absolutely. I would love to give a really cool answer like artificial intelligence or M365 copilot. But the true answer is something we all probably know, passwords. You see, I do a lot of incident response as well. And so I'm showing up to organizations that have experienced a breach. And honestly, the number of times that I've shown up and the password for a domain administrator user is like password 123 or something like that.
It's admin, right? It's always admin.
Speaker 2 (28:05.134)
The most shocking thing that I tend to find when I'm doing these incident responses isn't that the password is bad for an administrative user. It's how long that password was in place before an attacker actually found it. I was doing an incident response for a law firm a couple of years ago and they had an MSSP, which is a third party IT service provider. It was doing their IT provisioning and their security and they created a user account called Test3, added it to the Domain Admins group.
and created a password for it, Password123 with a capital P for complexity. That was in the environment for three years exposed to remote desktop and five years total before it was exploited by an actual intrusion set. That was absolutely astonishing to me.
Unbelievable. Why is that? Why are we seeing things like that? Is it that organizations don't know? Is it that I'm just curious what your feeling is or what your experience is?
Yeah, so with passwords, it's a difficult challenge for a lot of organizations, particularly really big enterprises to solve. But I think that this problem has a couple different ways that it becomes actual or gets exposed. And in this specific case, it was the MSP, the third party IT service provider who made the mistake. And I got to be completely honest with you. If I'm doing incident response, it is probably for a company that's using an MSP. It's probably a company that outsourced their IT to a third party group. And it's not necessarily because it's just a bad idea to outsource IT or outsourcing in general.
it's because these outsourcing providers are really thin on the margins, like super duper thin, which means that they might have an IT professional who's responsible for many organizations simultaneously, and they've only got a very small amount of time in order to spend and give your environment attention. Beyond that, MSPs also have a lot of very fast rotation of their employee base, which means that there's not a lot of buy-in on the employee side with the actual ethos of the organization itself. All of these things together just mean that we're getting a lot of tech debt.
Speaker 2 (30:02.2)
people are being sloppy and what is more sloppy than a bad password?
Yeah, absolutely. And yeah, that's a good point. And what it also brings up clearly not in the larger enterprise, but in the SMB space, I really I hear business owners who aren't technical rely on a small MSP and be like, well, we've got monitoring and we've got this. So I'm so I'm good. And they they almost have a false sense of security or a false sense of stability because they're relying on somebody
that is just doing NOC monitoring. Like they're just monitoring for the health and to be able to patch the device in the disk space. They're not monitoring for network traffic or anomalies or threat hunting, right? And they don't understand the business. The difference in partly is the smaller MSP is not trying. They don't want them to know the difference because they don't want another MSSP to come in that can do that.
that can also do the IT support, right?
Absolutely, you are preaching. All of these things are exactly true. I've seen so many MSPs mischaracterize what it is that they do. They will tell you that they are doing threat hunting. They will tell you that they are doing monitoring, but they're probably using the bottom of the barrel, cheapest EDR adjacent tool that's possible. And then maybe looking at it, maybe responding to alerts at best. There are some MDRs and some MDR vendors out there that can do a better job that
Speaker 2 (31:34.648)
tend to be very security focused explicitly, but for your average rental mill MSP, they might not even have a professional on staff who's certified in incident response or penetration testing, incident handling.
How many CISSPs are at the small MSP? It's, they don't even exist.
Right.
Right, exactly. Amazing. So what else is on the horizon? You plan on presenting at DEF CON potentially this in the coming months and walking through the rollout of Sirius Vulnerability Management.
That's certainly the goal. I do have a talk out with Defcon. We'll see if they actually take the talk this year. They may or may not. It's a big conference. There are lots of folks who put their name in. If the talk doesn't get picked up at Defcon, I might be able to deliver it at B-Sides Las Vegas because Hacker Summer Camp is kind of a confluence of all three, right? We've got Black Hat, we've got Defcon, and we've got B-Sides.
Speaker 1 (32:33.016)
That's fantastic. Let me ask you, so first of all, thank you for all your family service to the country. How did that experience shape you and shape the way that you see cyber threats? I mean, clearly you got involved in the cyber arm, right? And you wanted to be hands on keyboards and you even started your own company while serving the country.
Like what? Like in the beginning, how did you how did you migrate over to over to cyber?
Absolutely. I migrated over to cyber through cyber competitions, honestly, when I was still at university, I got really involved with things like NetWars and CCDC. And I learned by doing hands-on keyboard with those kinds of challenges, a really, really great way, I think, to pick up techniques and such. But what's really interesting about the military work that I was able to do and then conflating that on the private sector side is some of the things that I was able to see in more classified spaces and then take action on outside of them. For example.
Yeah, you may
Speaker 2 (33:35.264)
I used to be one of the cyber battle planners for the Korean theater when I was in the military circa 2016, 2017. And when I left the military, I actually had an organization who's been one of our clients now for years, but we actually met them for the first time when they were experiencing their first breach. And so they got hacked by an adversary. The adversary ransomwared them for 2.4 million. We helped them negotiate that payment down to only a million, only a million. But that's still, you know, that's 1.4 in savings, which is pretty significant for the organization.
and we helped them get healed and more secure afterwards over time. But what was really interesting is that I was doing the incident response for them and the adversary is still on the network. I'm eradicating the compromise, looking for anywhere where they still might exist in the environment, trying to boot them out. And what I realized is that this just feels familiar. There's something about this that is just, it's just in the back of my head, something is pinging. And I realized that this is Lazarus Group.
And Lazarus Group is the intrusion set that is known for doing ransomware on behalf of the North Korean nation state. And they were the intrusion set that I was very specifically focused on when I was in the military. I knew who the FBI cell was that was responsible for that group. So I could call them up in Anchorage, Alaska real quick, get some threat intelligence live about what we're seeing with that group and then use that in order to combat them live and in real time on the actual environment. So that was a pretty fantastic opportunity and experience.
That's unbelievable. And Lazarus Group is the ones that are claimed for the famous Sony breach, which was our actual first episode years ago. Like, yeah, we actually did a whole case study on it because there's a lot of open questions there, like whether there were other players involved along with them. But clearly, I mean, that's, uh,
Are they considered an APT, an advanced persistent threat, or are considered just a nation state, or are those the same? I apologize for not knowing.
Speaker 2 (35:28.482)
They're not mutually exclusive, I suppose is probably the best way to put it. So almost all nation states have multiple APTs that they run. And then a cyber criminal group might also be an APT. We in government spaces, not as much in the private sector, but in government spaces, we often put them in different tiers. And so we might call, you know, the U.S. cyber community, a tier one nation state. We'd also call Russia a tier one nation state. When I was the battle planner for Korea, we had upgraded them from a tier three to a tier two, but during the Sony breach, they were, they were still considered tier three.
amazing. Let me ask you this, why is it that people don't realize here in the states that the attacks that are coming in, let's say they get hit with ransomware and like they don't even realize they, we get involved in a lot of incident response and we do a lot of education upfront for organizations and one of the, we have a lot of discussions with business owners and business leaders and they
They don't seem to understand. They're always surprised. Why won't these guys get caught? Like, why won't they get caught? Why won't they be prosecuted? I don't understand. And I try to explain it's complex, but in general, they live in parts of the world where it's not it's not prosecuted. I mean, there might be a law in the book, but it's not one that like like in the Russian Ukrainian area, for example. Right. So long as they're not going to hit a CIS country,
one of the countries that were the former USSR and they're not attacking them, they're basically going to be left alone. So they could bankrupt an entire US company, get millions of dollars and nothing's going to happen. And they really struggle to understand that because here in the States, like that's, clearly illegal. So what's your perception of that?
I think that folks are looking at this under a lens that is really focused on our experience of criminality in our typical everyday lives. And that's just not something that exists from an international relations perspective. And I think that's the first thing that people need to recognize.
Speaker 1 (37:29.966)
So a geocentric view, we have a geocentric view of it.
Absolutely, because take for example my work in the US Air Force. I did what is likely considered cyber crimes on behalf of the US government and I'm hopefully that I won't get prosecuted by let's say the Chinese state or the Iranian state or the Russian state for doing that. In fact, after the, was it the Equifax breach? Yes, the Equifax breach. A couple of years went by, that happened in 2017. Yes, 2017. And then in 2020, 2021, we actually indicted the members of the PLA
in China who participated in that attack. That is something that terrifies me. And the reason it terrifies me is because I'm that same person, right? That is a soldier on behalf of the government doing a government's objectives. And we indicted them on an individual basis. That person can no longer go anywhere in the Western world, despite the fact that they are not a cyber criminal. There's a lot of things to really consider when we talk about international relations and cyber crime.
And that also includes intergovernmental trade relationships too. So I think the next one that's really interesting to kind of consider is the Colonial Pipeline breach, because we do have some degree of teeth here. Somebody went to jail for the Colonial Pipeline breach. The individual happened to step across the border in Poland, that is an extradition country, and they extradited the individual and he was prosecuted and is now in jail. The Colonial Pipeline breach though, as we all know, was very, very special. This is a breach that isn't just, you know, your run-of-the-mill every day kind of breach that's happening.
This is a geopolitical issue that is actually causing like the president of the United States to have to take some degree of action related to it. And when those things happen, suddenly you realize that the FBI might have more teeth than we give it credit for. So I do think that we need to recognize at a government level that we accept this because the alternative is worse.
Speaker 1 (39:18.078)
That's a great point. I never really even thought about that because when we go after the individuals, right, we feel justified in doing it. But really, we're having our same individuals do it. Right. So we're having our law, our military do some of those same acts. Now, granted, maybe we're not doing it to bankrupt a company over there and take the money and maybe we are. Or maybe we are. Right. That's good.
point. Yeah, I like to think we're not. So it keeps my rose glasses very nice here on cybercrime junkies. Like I'm just like, I like being part of the good guys. But yeah, that's a really good point. What's that?
I'll just say that the CIA exists and they do cyber warfare as well.
Yeah, exactly. Like it's it's it's all it's all just war games. Yes. Yeah, that's a really good point. You know, I've never really even thought about that. Like that's a that's a very good point. And it's complicated, too. And you can understand why. Some of the foreign governments won't prosecute their own people, even should they damage an adversary's.
business, right? Because it's generating money for their economy. That money is spent throughout their economy, right? And otherwise, there's no active trade going on generally. And so they're able to generate the money that way. It's very similar to how some foreign states are funding other programs, right? They're funding various programs through cybercrime.
Speaker 2 (40:59.342)
particularly the Koreans.
Yeah, that's exactly what I was thinking.
The and the Chinese? Yeah, very much so for the Koreans. For the Russians and Chinese, their focus has generally speaking been on competitive advantages for their companies when doing trade relationships with US companies. You might have a company that is conglomerated with a US-based company and they do work out of Hong Kong, where the Chinese nation state does cyber intelligence gathering against the US companies. So they actually come to the, like the, maybe the M&A meeting, knowing what the top offer might be ahead of them actually getting there.
So we do see kind of this business to government relationship across multiple different sectors. We see this in the United States, we see this in Israel, we see this with Korea and China and Russia, but the way that they actually make it look is very dependent on the actual organization of the country. Because Russia and China, they're just very comfortable in printing more money, but North Korea doesn't have that luxury.
Amazing. That's incredible insight. How do you see in an ideal world, a Sirius vulnerability scanning engine being rolled out in the community? Well, it'll allow it'll empower more organizations to leverage it because it's basic. It's going to be open source and they'll be able to. Will it just be penetration testers or do you think it'll be adopted by other organizations? Maybe the SMB or or
Speaker 1 (42:23.678)
MSSS, you know, MSSSP space. What do you think? Like, where do you want to see it go?
Absolutely. I've got two basic objectives, two basic communities, if you will. So I think the SMB space is the place where it can do the most good, which is to say that, like, if we take the Rapid7 2024 vulnerability trends report, what we're seeing now over the past three years, two of those last three years, we've had over 50% of the vulnerabilities that were discovered be like, used in mass compromise events, they were zero days at the time when they were employed by actual hackers. And if we go back 10 years,
you had this really long period of time from when a vulnerability exists to actually remediate it before an attacker might stumble upon it and exploit it. So you might have months to actually take advantage of that and fix things, but we've seen the velocity of attackers just really, really decrease over time. We're actually doing an incident response right now for an organization that got compromised because of a firewall vulnerability or remote code execution flaw. And the attacker got in directly through the internet. This vulnerability got added to the CISA KEV list the 18th of February, and they were hacked by it the 2nd of March.
So that's a very short window of time that they had to actually find the vulnerability and remediate it. The organization that was vulnerable and got exploited, no vulnerability scanner. Vulnerability scanner costs almost as much as a penetration test. Sirius could be that alternative option. And so I think that the place is there. But there is a second community and the second community is the hands-on operators. And I do think that by making it a much more tactical vulnerability scanner that we can support vulnerability assessors and penetration testers doing the actual good work.
That's fantastic.
Speaker 1 (44:00.91)
So both, so both the actual end user and then the practitioners. That's fantastic. Or used by other practitioners in the SMB space. Yeah.
That's right.
Speaker 2 (44:12.046)
Yeah, exactly. So like for end users, for example, the general purpose vulnerability scanners like Rapid7's and Qualys, they're really not made for small businesses. They're not made for mid-cap firms. They're made for really large enterprises. And so the goal of Sirius, while it might be able to compete in the case of large enterprises and maybe you're a large enterprise, you've got internal penetration testers as well. And this might be a great tool for them. It's not really designed to run your full vulnerability management program. Like let's say InsightVM by Rapid7 might be.
But on the other hand, if you're an organization that's smaller and you don't have this massive multi-million dollar program in the first place, Sirius should be a really good stop gap that you can leverage as well.
That's phenomenal. So I have to ask it because it is something that everybody has. If it's plugged into the wallet, has it. So will it have AI and will AI components be like, are you going to, are you going to have it like AI powered or how will AI play a role? This is really my question.
Yeah, I'm actually a big AI fan, which means...
So I. But I'm not a fan of the marketing where everything is really still the same but they are slapping the word AI on top of it.
Speaker 2 (45:27.608)
So Sirius is AI from the ground up, but I also, I completely agree. I believe in building things that solve a problem. And so what problems does AI solve for Sirius? The biggest problem that we have in the open source vulnerability discovery space is the data. Because if you look at Rapid7, it is a publicly traded company with hundreds of employees. And when a new CVE comes out, they do the research on that CVE, they produce a report and it goes into the scanner. There were 42,000 CVE numbers issued last year.
That's a lot of CVEs. And so for the open source community to have, you know, support for just random people to volunteer their time 42,000 times per year, that's, that's rough. That's really, really difficult to actually pull off. And that's one of the reasons why prior to Sirius, there hasn't really been a good tool there. I am using AI to support this, specifically agentic AI that is supported by retrieval augmented generation,
where it does search engine based grounding, do all of that research on new vulnerabilities. The moment that NIST issues an actual CVE, pulls all that information together, comes up with ideas for remediation of it, produces a full on vulnerability report, and that's the Sirius scan vulnerability database. I call that vulnerability GPT, but that's probably the most direct integration of artificial intelligence currently in Sirius.
That's great. That's fantastic. How are you seeing in the industry overall, not necessarily that you may or may not be directly involved, but you are connected with the industry deeply. How are you seeing AI being leveraged best by defenders, whether they're blue teamers? We've seen it a lot in log analysis. We've seen it in a lot of other aspects, but I'm just curious what, how are you seeing it?
I would say that I'm not seeing the greatest implementation of artificial intelligence by defenders today, but I have seen some really interesting ones. Are you familiar with a tool called Ghidra?
Speaker 2 (47:22.094)
So Ghidra is actually an NSA tool for reverse engineering malware or binaries for exploitation purposes. And one of the avenues, if you will, in the artificial intelligence space that's gotten a lot of fire recently is called MCP or model context protocol. The idea there is if we have an existing system, how can we connect this system into an artificial intelligence model so that the AI model can control that system? And so there's now an MCP server for Ghidra that lets an AI model fully do and control the reverse engineering engine on its own.
I'm expecting to see a lot more of this MCP style of integration. I would expect to see that coming out to SIEMs, maybe ELK Stack, maybe Security Onion into the future. We are seeing definitely a lot of development there. I would say the most common way that we're seeing artificial intelligence employed is for security research. So if you're writing a report, we see a lot of AI support there. If you're doing research on a specific kind of vulnerability,
replacing what your Google searches might have been in the past with more RAG-generated AI can be very helpful. Perplexity AI can be very good for that kind of thing. And then the other side of it is how we're using it wrong. Because I think that if we're looking at artificial intelligence in the security world today, the most heavy implication of AI is not that we're using it to defend ourselves better, but that we now have to defend this new thing that our enterprises have just employed. M365 Copilot is probably the
biggest offender here because Microsoft is just shoving it down enterprises' throats and enterprises are getting really, really significant compromise as a result of it. A friend of mine is working a compromise that an AI model disclosed some very sensitive information related to an executive and that's just because of M365 Copilot.
So that's what I wanted to ask. So how is it leading? How is it becoming a vulnerability? Obviously in the beginning, when Gen AI first became democratized or became popular, you saw, I think it was Samsung, I forget, but it was one of the groups that like put the code right in the database to fix the bugs. And then people were able to just download the entire source code, right? And we're seeing that quite a bit.
Speaker 1 (49:32.162)
But there are a number of ways of keeping it more agentic and keeping it more isolated so that it's not leaving really beyond your firewalls for lack of a better analogy. Why are you seeing that that's not working?
Well, I would say that the problem is a little bit larger than that. For a lot of organizations, it's not necessarily that they weren't vulnerable before. It's that AI makes it much more likely that that vulnerability gets exposed. Take for example, like Windows Active Directory environments, right? Right. I don't know about you, but I've used SharePoint for years. I can't find anything on SharePoint, ever. It's the hardest thing to use if you're looking for documents. Yep, absolutely. You know what's really good at finding things on SharePoint? AI.
And so the most common by far, the most significant vulnerability that I've seen in enterprises is AI just made it so much easier to find data and you had an entitlements management problem. And so now you've got all of these users who are asking artificial intelligence, when is the next, you know, reduction in force board or is there a performance improvement plan coming out for certain people inside of the enterprise? These are not things that your average user community should have access to.
And if they do gain access to it, might even be an HR or a legal issue. In fact, it almost certainly is going to be. And that can cause some very significant problems for organizations.
but they're able to access all of it right in their instance of.
Speaker 2 (50:55.146)
always were. That's the craziest part is that they were always able to access this.
They didn't know how to access it, but they themselves didn't have the skill set to access it.
And AI does. Yep, that's exactly right.
yeah. And the Samsung example is more where something internal gets leaked outside of the organization. And that clearly is happening, not as much. We don't hear as much of it.
We don't. Our attackers are not really doing the AI thing very much yet. But interestingly enough, I also find this to be a problem for attackers too, because if I'm an attacker, I know the trend that we've seen, the M-Trends report from last year actually really indicates this. We actually today have more attackers get in and extort an organization than we have get in and ransomware an organization. So everyone thinks like they get in and ransomware is the most common. Extortion only is actually more common than ransomware. It's 11% in total.
Speaker 2 (51:48.11)
that are just extortion only as opposed to both or mix and matching of the two. And so if they can do extortion only, if they can monetize with nothing but data, imagine what capability M365 Copilot gives them to extract that data inside of your environment. It's crazy, it's extreme.
I didn't even think about it. Once they get in and they're generally undetected, then they can get in and leverage the organization's own version of Copilot to find all of those reports and stuff.
Who needs lateral movement? And there's also no compensating controls or discovery controls on what the AI is communicating back and forth. So we have no introspection. It goes right below the radar of all of our defensive tools.
And it's not going to. So let me ask you this. This begs the question. Like, why is it that. In your opinion, in your experience, detection is so hard for for these organizations now, it's going to differ. I mean, the enterprise space is different. It's vast, more complex, but they also have a lot more resources, a lot of SMBs, pretty vanilla kind of cookie cutter setups, but they don't have the protections that are the threat hunting.
But why is it that the detection is still taking so long?
Speaker 2 (53:08.024)
I think it's twofold. First off, I think that organizations that are doing everything right are detecting very fast. I think that the advantage is on the defensive side. I don't think that the attackers have the advantage anymore. But a lot of organizations are just not doing the basics. If your organization is a flat network on the inside, let's say you can ping from any system to any other system in your environment and it doesn't get blocked. That's a problem. And that is a problem that exists for most organizations and has for the last 30, 40 years. We are so focused on these really nice widgets, these expensive tools.
and they might do something that's nifty and fancy, but at the end of the day, our problems are all the basic ones. Like that AI thing we were just talking about, entitlements management has been a problem from a security-based perspective for 30 years. And if you would fix that already, then the fact that now there's new ways, new avenues to exploit that, like AI, doesn't actually provide any additional risk to the environment because we already did our due diligence. So I think most organizations today are just continuing to sleep on cybersecurity.
And the other side of it is that a lot of vendors are, simply put, trying to make money and they are giving us not necessarily a false sense of security, but they're giving us this false bill of goods. They're telling us that if we pay them money, they will secure us, when what really is the way to security is to know your environment. Kind of, I'm gonna Sun Tzu here: know thy enemy, know thyself, a thousand battles, a thousand victories, right? If you know your environment and you know what the actual risks are, then we're not dealing with a hundred vulnerabilities and wondering which of those matter.
We know what systems in our environment matter, and we know what the attack surfaces are that we actually care about. Today, most organizations don't want to hire or train individuals who do cybersecurity work. They want to pay a vendor to do it for them. And that's the primary problem that I see.
That was excellent. Thank you. What is the difference between entitlements management and access control?
Speaker 2 (54:55.362)
They aren't necessarily different. Entitlement management is a style of access control.
That's what I thought. Okay. It means like one user's entitlement to access certain records or certain documentation.
Access control is maybe a superset.
Okay, very good. I just wanted to clear my mind. I appreciate that. Hey Matthew, thank you so much for your time. Like this is absolutely fantastic. We will have links to your organization site, your LinkedIn, et cetera, and the show notes and anything else coming up on the horizon that you would like listeners and viewers to be aware of.
Nothing else necessarily coming up on the horizon. I'll be at RSA as well as DEF CON, and if anyone finds themselves at Wild West Hackin' Fest in Deadwood, South Dakota this fall, please do hit me up. That's my favorite conference. So I'm there every single year and I like to hacker friends.
Speaker 1 (55:53.454)
You guys do a great job. Yeah, that is fantastic. Well, thank you so much, sir. Thank you for all you do. Continue to do it. We will continue to watch you guys and report on all your great work, and great luck with the Sirius vulnerability scanning engine. Very excited to see that rolled out.
Absolutely. It's my absolute pleasure to be here. Thank you so much for having me. And as far as Sirius goes, fingers crossed that it's gonna be a big thing. At the very least, it's been a learning opportunity and I have so much fun delivering open source work to the community.
Absolutely. Well, thank you for all you do. Thanks.
Speaker 1 (56:31.598)
Well that wraps this up. Thank you for joining us. We hope you enjoyed our episode. The next one is coming right up. We appreciate you making this an award-winning podcast and downloading on Apple and Spotify and subscribing to our YouTube channel. This is Cybercrime Junkies and we thank you for watching.