WEBVTT - Smart Talks with IBM: The Good Hacker: Hacking Businesses before Criminals Do 0:00:04.400 --> 0:00:07.800 Welcome to Tech Stuff, a production from I Heart Radio. 0:00:11.840 --> 0:00:14.480 This season of Smart Talks with IBM is all about 0:00:14.600 --> 0:00:18.480 new creators, the developers, data scientists, c t o s 0:00:18.560 --> 0:00:23.280 and other visionaries creatively applying technology in business to drive change. 0:00:23.800 --> 0:00:26.680 They use their knowledge and creativity to develop better ways 0:00:26.680 --> 0:00:30.280 of working, no matter the industry. Join hosts from your 0:00:30.320 --> 0:00:33.880 favorite Pushkin Industries podcasts as they use their expertise to 0:00:33.960 --> 0:00:37.480 deepen these conversations, and of course Malcolm Gladwell will guide 0:00:37.520 --> 0:00:39.839 you through the season as your host and provide his 0:00:39.920 --> 0:00:43.000 thoughts and analysis along the way. Look out for new 0:00:43.040 --> 0:00:45.480 episodes of Smart Talks with IBM on the I Heart 0:00:45.560 --> 0:00:49.159 Radio app, Apple Podcasts, or wherever you get your podcasts, 0:00:49.360 --> 0:00:57.640 and learn more at IBM dot com slash smart talks. Hello, Hello, 0:00:57.760 --> 0:01:01.720 Welcome to Smart Talks with IBM podcast from Bushkin Industries, 0:01:02.080 --> 0:01:06.479 I Heart Radio and IBM. I'm Malcolm Globwell. This season, 0:01:06.520 --> 0:01:10.840 we're talking to new creators, the developers, data scientists, c 0:01:11.040 --> 0:01:14.120 t o s and other visionaries who are creatively applying 0:01:14.160 --> 0:01:18.679 technology and business to drive change. Channeling their knowledge and expertise, 0:01:19.080 --> 0:01:23.520 they're developing more creative and effective solutions, no matter the industry. 0:01:24.280 --> 0:01:27.720 Our guest today is Stephanie snow Cruthers. Snow is a 0:01:27.760 --> 0:01:30.800 hacker alias, and it's how we'll refer to Stephanie for 0:01:30.800 --> 0:01:34.080 the rest of this episode. Snow is the chief people 0:01:34.120 --> 0:01:37.800 hacker for x Force at IBM. She gets paid to 0:01:37.840 --> 0:01:41.640 hack into her client's businesses before criminal hackers do in 0:01:41.720 --> 0:01:46.160 order to test her client's information security. In today's show, 0:01:46.160 --> 0:01:48.280 you'll hear some of the more creative ways Snow has 0:01:48.280 --> 0:01:53.320 persuaded people into sharing confidential information. She also talks about 0:01:53.320 --> 0:01:56.680 the state of cybersecurity and what businesses need to do 0:01:57.040 --> 0:02:01.480 to keep their data protected. Snow spoke with economics journalist 0:02:01.480 --> 0:02:05.400 Tim Harford, host of the Pushkin podcast Cautionary Tales and 0:02:05.480 --> 0:02:09.280 a longtime columnist at the Financial Times, where he writes 0:02:09.320 --> 0:02:13.639 The Undercover Economist. In addition to publishing several books on 0:02:13.680 --> 0:02:16.799 the topic, Tim is also a BBC broadcaster with his 0:02:16.919 --> 0:02:20.840 show More or Less. Okay, let's now get to the 0:02:20.880 --> 0:02:27.400 interview with Tim and Chief people Hacker Snow. Before you 0:02:27.440 --> 0:02:31.320 tell me what achieve people hacker is, what is hacking 0:02:31.520 --> 0:02:34.639 to you? I think if you ask the average person 0:02:34.760 --> 0:02:38.000 to close their eyes and envision a hacker, they are 0:02:38.040 --> 0:02:42.160 going to think of someone in a dark room with 0:02:42.200 --> 0:02:46.720 a black hoodieon and all the screen text behind them. Right. Um, 0:02:46.760 --> 0:02:50.520 But to me, a hacker doesn't even have to be technical. 0:02:50.680 --> 0:02:57.280 It's someone who finds creative solutions or just different ways 0:02:57.360 --> 0:03:00.720 to break apart something to make it work a unique 0:03:00.760 --> 0:03:04.680 way that maybe it wasn't intended to do. Whether that's computers, 0:03:04.840 --> 0:03:08.000 people devices, it could be a number of things. Right. 0:03:08.040 --> 0:03:11.440 We see food hackers, we see life hackers. That's absolutely 0:03:11.600 --> 0:03:15.280 a type of hacker. Yeah. And my my mother, I think, 0:03:15.320 --> 0:03:18.280 would have described herself as a hacker before she died. 0:03:18.320 --> 0:03:21.239 She loved to take apart computer. She had loved to 0:03:21.280 --> 0:03:24.400 take apart software. She just wanted to know how everything worked, 0:03:24.440 --> 0:03:27.119 and when she put it back together again, it sometimes 0:03:27.120 --> 0:03:29.360 worked how she wanted it to work, rather than her 0:03:29.400 --> 0:03:33.000 it was originally designed. But how was it that you 0:03:33.120 --> 0:03:36.480 originally became interested in in this strange craft of hacking. 0:03:37.120 --> 0:03:40.200 I actually got involved and figured out I want to 0:03:40.240 --> 0:03:42.080 do this a little bit late in life. I was 0:03:42.120 --> 0:03:45.560 in my mid twenties and I went to the world's 0:03:45.640 --> 0:03:48.680 largest hacking conference, which takes place every year in Las Vegas, 0:03:49.440 --> 0:03:52.160 and went with a group of friends and my husband 0:03:52.320 --> 0:03:56.040 and I had honestly no interest at all. I wanted 0:03:56.080 --> 0:03:58.080 to go to Vegas and sip drinks by the pool. 0:03:58.480 --> 0:04:01.080 But they got me a pass too attend this really 0:04:01.080 --> 0:04:04.080 cool conference and we sat in on the first talk 0:04:04.120 --> 0:04:07.840 and it was extremely technical. They were going through step 0:04:07.880 --> 0:04:11.840 by step about how to reverse malware, and I fell asleep. 0:04:12.480 --> 0:04:16.839 I completely just zoned out. It didn't make sense to me. 0:04:17.200 --> 0:04:19.280 So I got up and I started wandering around this 0:04:19.440 --> 0:04:22.000 huge conference and I found what was called the lock 0:04:22.120 --> 0:04:25.880 Picking Village. I was very confused by that, like, why 0:04:26.200 --> 0:04:28.840 do people want to pick locks? I mean, there was 0:04:28.880 --> 0:04:31.640 a there was an obvious answer to that question, but okay, 0:04:32.440 --> 0:04:35.279 that's very true. So in that point in my life, 0:04:35.320 --> 0:04:39.040 it did not like click at all. And so I'm 0:04:39.080 --> 0:04:41.200 walking and someone's like, hey, do you want to learn 0:04:41.200 --> 0:04:44.400 how to pick a lock? I said sure, and so 0:04:44.440 --> 0:04:47.119 they sat me down and taught me everything. And there's 0:04:47.160 --> 0:04:50.359 something magical that happens when someone picks a lock for 0:04:50.400 --> 0:04:52.240 the first time, Like you can see it in their 0:04:52.240 --> 0:04:54.920 face where it's like, wow, that was really cool and easy, 0:04:55.000 --> 0:04:57.960 and then the oh shit, I just picked a lock, 0:04:58.600 --> 0:05:02.080 and they're envisioning every anything in their life that's protected 0:05:02.120 --> 0:05:06.200 by locks. Right, file, cabinets, their door, things that protect 0:05:06.200 --> 0:05:09.040 their children, like all these things that you have locks 0:05:09.120 --> 0:05:12.880 to protect and you just picked it in seconds. Um. 0:05:13.040 --> 0:05:15.560 So that was the most eye opening moment for me 0:05:15.640 --> 0:05:19.919 that really launched me into this career and thinking that 0:05:19.960 --> 0:05:22.880 I could do it for a living. Well, there's I mean, 0:05:22.920 --> 0:05:26.480 it feels like a long gap between that, or big 0:05:26.520 --> 0:05:28.800 gap at least maybe not a long one between that 0:05:28.880 --> 0:05:31.880 initial spark of wow, I can pick a lock. This 0:05:31.960 --> 0:05:35.640 is this matters to realizing there's a career in this 0:05:35.920 --> 0:05:38.200 and I might actually be good at this career. So 0:05:38.880 --> 0:05:40.640 how did you figure out there's a there's a job 0:05:40.760 --> 0:05:42.560 being a hacker, and how did you figure out that 0:05:42.600 --> 0:05:45.640 you actually might be good at doing that job? So 0:05:45.760 --> 0:05:47.880 once I was at that conference, I had met so 0:05:47.960 --> 0:05:50.559 many different people who explained what they do for a living, 0:05:51.040 --> 0:05:53.320 and again, at that point in my life, it felt 0:05:53.400 --> 0:05:56.760 like that shouldn't be possible, right, people are getting paid 0:05:57.240 --> 0:06:01.240 money to break into client's network, into their computers and 0:06:01.279 --> 0:06:04.080 all these things, and it's still it didn't add up. 0:06:04.160 --> 0:06:07.799 But what for me really stood out was another village 0:06:08.000 --> 0:06:11.360 at the same conference staf Con called the Social Engineering Village. 0:06:11.880 --> 0:06:14.760 And when I walked in they were actually placing live 0:06:14.920 --> 0:06:19.960 phone calls to people to try to elicit information. And 0:06:20.000 --> 0:06:22.800 so I'm sitting there in the audience listening to how 0:06:22.800 --> 0:06:25.719 these people were doing it. I'm like, wow, Like, I'm 0:06:25.760 --> 0:06:30.760 a people person, I've done cells. I could absolutely do this. Um. 0:06:30.839 --> 0:06:34.039 So from there, I talked to a bunch of people 0:06:34.120 --> 0:06:35.880 that I just met, like my goal is just to 0:06:35.960 --> 0:06:38.960 meet people and ask questions at that point, and found 0:06:39.080 --> 0:06:42.040 every book I could on the subject matter, went home 0:06:42.160 --> 0:06:45.279 and practiced and taught myself, and actually went back and 0:06:45.320 --> 0:06:48.359 competed in that same competition three years in a row, 0:06:48.720 --> 0:06:50.760 and I went on my third year, which was huge, 0:06:50.800 --> 0:06:54.280 but that really was able to propel me into this 0:06:54.440 --> 0:06:57.920 career and where a company actually saw me placing these 0:06:57.960 --> 0:06:59.920 calls and asked me like, hey, do you want a job, 0:07:00.040 --> 0:07:02.880 And that's that was my first job. It was super exciting. 0:07:03.880 --> 0:07:07.000 In three years, Snow went from amateur hacking enthusiasts to 0:07:07.160 --> 0:07:11.160 hacking professional. Companies started to pay her real money to 0:07:11.240 --> 0:07:15.880 test their information security. But remember, Snow's line of work 0:07:15.960 --> 0:07:19.720 isn't just limited to email servers and data networks. She's 0:07:19.760 --> 0:07:23.440 a people hacker. Instead of trying to bypass a firewall 0:07:23.840 --> 0:07:27.720 or cracking a password. She uses what's called social engineering 0:07:27.760 --> 0:07:30.840 to trick users into letting her into systems where she 0:07:30.880 --> 0:07:34.520 doesn't belong. In her work on what's called a red team, 0:07:34.800 --> 0:07:39.120 Snow explains how hacking, the technical and the human come together. 0:07:39.480 --> 0:07:43.400 So a red team is a group of offensive security 0:07:43.640 --> 0:07:46.440 or hackers. So IBM on our x fource team, we 0:07:46.520 --> 0:07:50.040 have a whole team dedicated to our we call adversary simulation. 0:07:50.080 --> 0:07:52.240 But our red team and how it works. As a 0:07:52.280 --> 0:07:55.800 client comes in and says, these are our crown jewels. 0:07:55.880 --> 0:07:59.120 We want to make sure you cannot access them. We 0:07:59.360 --> 0:08:03.720 spend trying to access them, and along the way, we 0:08:03.800 --> 0:08:06.240 have tons of meetings with our clients and giving them 0:08:06.280 --> 0:08:10.200 status updates and where we are. Um, but it's it's 0:08:10.200 --> 0:08:13.600 a very long engagement to try to get access to 0:08:13.680 --> 0:08:16.880 the most sensitive things that our clients have. So how 0:08:16.920 --> 0:08:19.280 do they brief you, I mean, and how do they 0:08:19.320 --> 0:08:22.120 brief you in such a way as to not give 0:08:22.160 --> 0:08:24.960 away the stuff that they're trying to not give aways? 0:08:25.000 --> 0:08:27.560 If that makes any sense. Yeah, So, so they stay 0:08:27.600 --> 0:08:30.600 as high level as possible. They might say, um, let's 0:08:30.840 --> 0:08:33.640 let's use I P for example. Right, they have this 0:08:34.120 --> 0:08:37.320 their secret sauce that if their competitors get or anyone 0:08:37.320 --> 0:08:40.520 else gets, they can pretty much copy their business. And 0:08:40.559 --> 0:08:45.840 so that information probably lives on something that's very secure, 0:08:45.960 --> 0:08:49.240 in a couple of documents that hopefully limited people have 0:08:49.280 --> 0:08:52.600 access to. Yeah, so a certain a certain soft drinks 0:08:52.640 --> 0:08:57.559 secret recipe for example, mentioning no particular brand names. Yes, exactly. 0:08:58.120 --> 0:09:01.000 So they might say, Okay, we have this secret recipe 0:09:01.240 --> 0:09:02.960 and we want to see if you can get it. 0:09:03.000 --> 0:09:06.199 They won't give us any details to where it's stored 0:09:06.600 --> 0:09:10.000 or any other information, but they'll just say go. They 0:09:10.080 --> 0:09:11.800 might have a couple of things that are off limits, 0:09:11.840 --> 0:09:14.840 but in general it's can we get this by any 0:09:14.880 --> 0:09:18.280 means possible. So a lot of social engineering is used, 0:09:18.280 --> 0:09:21.400 whether it's phone calls or emails, sometimes on site, and 0:09:21.440 --> 0:09:24.559 a good amount of technical hacking. Right if we get 0:09:24.600 --> 0:09:27.760 into one person's computer, can we move into another's? And 0:09:27.800 --> 0:09:29.840 then can we move into a server? And it's a 0:09:29.880 --> 0:09:32.760 lot of moving around and digging, but um, at the 0:09:32.880 --> 0:09:35.720 end of the day, we're pretty successful with these types 0:09:35.760 --> 0:09:39.760 of engagements. And you mentioned certain things being off limits 0:09:40.240 --> 0:09:43.680 because really the hackers that the bad hackers don't care 0:09:43.720 --> 0:09:47.080 what's off limits. And what is not So what are 0:09:47.080 --> 0:09:48.960 the kinds of things that people are the clients are 0:09:48.960 --> 0:09:52.000 saying that you're not allowed to do that, that's cheating. Yeah, 0:09:52.120 --> 0:09:54.600 So so we will see a good handful of times 0:09:54.679 --> 0:09:58.120 is do not mess with our executives, like don't send 0:09:58.160 --> 0:10:01.280 our CEO and email which a in bad guys do 0:10:01.360 --> 0:10:04.760 not have limits and they will absolutely continue to do that. Um, 0:10:04.800 --> 0:10:07.160 but we have to expect those unfortunately. But we will 0:10:07.240 --> 0:10:09.920 every once in a while run into a good handful 0:10:09.920 --> 0:10:13.440 of things. Or maybe they have another system that I 0:10:13.480 --> 0:10:17.840 don't know runs something sensitive, right, maybe it's a medical 0:10:17.920 --> 0:10:20.800 device company. They're like, okay, do not access this system 0:10:20.840 --> 0:10:23.280 because you know, people's lives could be on the line. 0:10:23.320 --> 0:10:26.280 So we won't even touch those types of systems. It 0:10:26.320 --> 0:10:28.240 really depends on the end of the day. What what 0:10:28.280 --> 0:10:30.120 they don't want us to have access to. Well, you're 0:10:30.160 --> 0:10:33.520 people hackers, so you're doing it with people. So so 0:10:33.760 --> 0:10:35.560 I mean what does that what does that look like? 0:10:35.960 --> 0:10:37.760 I mean is it is it literally phoning people up 0:10:37.800 --> 0:10:39.840 and persuading them to give you passwords or is it 0:10:40.040 --> 0:10:42.640 a bit more complicated than that these days? So I 0:10:42.840 --> 0:10:46.120 break down social engineering in two ways. You either have 0:10:46.240 --> 0:10:49.200 remote or on site. When you look at the remote, 0:10:49.280 --> 0:10:51.680 you're looking at a couple of different things. So the 0:10:51.679 --> 0:10:53.880 first one is what we call OSANT, which stands for 0:10:53.920 --> 0:10:59.240 open Source intelligence, and that's actually not actively hacking a person, 0:10:59.400 --> 0:11:03.680 but it's looking at their online accounts. Are they revealing 0:11:03.720 --> 0:11:06.480 information that they shouldn't be that an attacker could leverage, 0:11:06.520 --> 0:11:09.360 So that's that's one type of assessment. We have the 0:11:09.400 --> 0:11:12.000 fishing or voice fishing, so that's placing those phone calls 0:11:12.040 --> 0:11:14.679 to get information or maybe get them to do a 0:11:14.720 --> 0:11:17.360 task over the phone. And then fishing, and that's by 0:11:17.400 --> 0:11:20.800 far the most common social engineering type of assessment. That's 0:11:21.080 --> 0:11:24.880 the malicious email with a link or an attachment or 0:11:24.880 --> 0:11:27.480 even a conversation. And then we move into the on 0:11:27.600 --> 0:11:31.280 site stuff and this is my favorite. It's the most tangible, 0:11:31.320 --> 0:11:34.720 but it's actually breaking and entering, so it's trying to 0:11:34.800 --> 0:11:39.040 get access to clients, sensitive locations, and sensitive data. So 0:11:39.080 --> 0:11:43.160 those are the two um types of social engineering. Give 0:11:43.160 --> 0:11:45.360 me a little bit of advice, then, if if if 0:11:45.400 --> 0:11:47.800 you're trying to find a weakness, if you're trying to 0:11:47.800 --> 0:11:51.800 persuade somebody to do something they shouldn't be doing, what 0:11:51.840 --> 0:11:54.400 are the kind of things that you're doing. So let's 0:11:54.440 --> 0:11:58.520 just take the physical part for an example. Is tailgating right? 0:11:58.559 --> 0:12:01.560 That sounds so easy and so obvious, but it's the 0:12:01.679 --> 0:12:04.200 number one way that we break into buildings. It's just 0:12:04.400 --> 0:12:08.760 following someone who badges in, who unlocks the door, who 0:12:08.800 --> 0:12:12.319 has that access. We just follow them and people are 0:12:12.360 --> 0:12:14.680 trained all the time, don't let anyone fall, you, check 0:12:14.720 --> 0:12:17.000 the badge behind you, make sure people badge in all 0:12:17.040 --> 0:12:20.080 of these policies, but when it comes down to it, 0:12:21.040 --> 0:12:24.880 people are a little bit scared to ask to see 0:12:24.920 --> 0:12:29.880 the badger, to question them. It's rude for somebody. Yes, 0:12:30.280 --> 0:12:32.320 it's human nature to want to help, so that goes 0:12:32.360 --> 0:12:35.920 against everything that people are used to doing. So that's 0:12:35.920 --> 0:12:38.240 by far the number one way that that we get 0:12:38.240 --> 0:12:42.280 into buildings. Now I understand that before you got into 0:12:42.320 --> 0:12:46.440 this game, you were a makeup artist for independent films. 0:12:47.800 --> 0:12:50.920 Is there a connection between It seems like a stretch, 0:12:51.000 --> 0:12:54.400 but between being a makeup artist and being a people hecker. Yeah, 0:12:54.480 --> 0:12:57.200 you would think those those things absolutely don't go together 0:12:57.240 --> 0:12:59.840 at all. However, I've been pretty lucky, or I've been 0:13:00.040 --> 0:13:02.640 will to leverage a little bit of the makeup art 0:13:02.640 --> 0:13:06.199 and special effects to when we do the physical security assessments, 0:13:06.200 --> 0:13:09.160 so maybe we get caught on the first day, or 0:13:09.200 --> 0:13:11.480 maybe someone suspicious, so we don't want to go back 0:13:11.480 --> 0:13:14.079 and blow our cover, so we'll change our appearance as 0:13:14.200 --> 0:13:16.679 much as possible when we go back the next day. 0:13:16.679 --> 0:13:20.000 So absolutely something that I leverage all the time. And 0:13:20.200 --> 0:13:21.800 it's it's a lot of fun too. It just adds 0:13:21.800 --> 0:13:24.360 a little bit more to the job. It sounds like 0:13:25.400 --> 0:13:28.680 it's more creative than I would have expected a cybersecurity 0:13:28.720 --> 0:13:31.600 job to be. Oh. Absolutely. When you think of cyber security, 0:13:31.640 --> 0:13:33.520 you just think of someone sitting at a computer typing 0:13:33.520 --> 0:13:36.800 all day. That is not my job at all. Um. 0:13:36.880 --> 0:13:40.679 It's it's pretty amazing how much I could leverage creativity 0:13:40.760 --> 0:13:43.480 in what I do day to day. Can you give 0:13:43.480 --> 0:13:46.680 me an example, so I actually have a story, um, 0:13:46.720 --> 0:13:49.680 if you're ready for a breaking story, it's one of 0:13:49.720 --> 0:13:53.360 the ones that absolutely went wrong. UM. Our client was 0:13:53.640 --> 0:13:56.080 based out of the US and they had just opened 0:13:56.200 --> 0:13:59.880 their European branch to their headquarters in Amsterdam, and so 0:14:00.040 --> 0:14:02.840 they wanted us to test the building's physical security to 0:14:02.880 --> 0:14:06.320 see if it's protecting their people and their data. And 0:14:06.360 --> 0:14:09.160 so some of the goals were to see if we 0:14:09.200 --> 0:14:11.720 can get insight past all the badged areas where we 0:14:11.720 --> 0:14:15.120 shouldn't have access and see if we see anything that's 0:14:15.120 --> 0:14:17.920 out of place or or maybe red flags or something 0:14:17.960 --> 0:14:21.000 that they should fix. So we always start with with 0:14:21.040 --> 0:14:23.240 our o SEN or open source intelligence, where we're going 0:14:23.280 --> 0:14:28.800 online investigating the location. We're working at Google Maps as 0:14:28.920 --> 0:14:31.960 much as we can. However, this building was so new 0:14:32.000 --> 0:14:34.120 that they weren't even on Google Maps yet, so we 0:14:34.200 --> 0:14:37.480 had a really hard time finding all of this information. 0:14:38.400 --> 0:14:40.360 We decided we just had to show up on site 0:14:40.680 --> 0:14:43.560 to to see what we can do. So I walk, 0:14:43.720 --> 0:14:45.720 I walk into the building and walk into the lobby. 0:14:46.120 --> 0:14:49.000 The second I walk in, the lady pretty much kicked 0:14:49.000 --> 0:14:50.560 me out. I didn't even get to open my mouth 0:14:50.680 --> 0:14:53.880 or explain why I was there, right out of the gate, 0:14:54.120 --> 0:14:58.320 just get out. And so for doing this type of 0:14:58.360 --> 0:15:02.440 an assessment, that was horrible. This client paid all this 0:15:02.560 --> 0:15:05.200 money to get me out there to test her physical 0:15:05.240 --> 0:15:08.440 security and here I am getting kicked out within the 0:15:08.480 --> 0:15:14.200 first five minutes. So that was awful. Security is pretty good, Yeah, yeah, no, 0:15:14.320 --> 0:15:17.920 they're their Their receptionist was on her game. Um, So 0:15:18.040 --> 0:15:20.320 I went back to my hotel room and like was 0:15:20.360 --> 0:15:22.800 banging my head against the wall, like how do I 0:15:22.840 --> 0:15:26.200 get in? I can't find information online. They're kicking me 0:15:26.280 --> 0:15:28.880 out before I'm even trying, Like I was just wanting 0:15:28.880 --> 0:15:30.440 to go in and see what it looked like because 0:15:30.480 --> 0:15:32.800 I had no idea what I was walking into. So 0:15:32.920 --> 0:15:35.320 I went back online, like, Okay, I have to I 0:15:35.360 --> 0:15:39.120 have to figure this out. And finally, out of nowhere, 0:15:39.160 --> 0:15:41.640 it popped into my head. Okay, it has to be 0:15:41.720 --> 0:15:45.840 someone that's not local, because I'm not from Amsterdam, and 0:15:45.880 --> 0:15:48.640 I have to leverage some type of position of authorities, 0:15:48.760 --> 0:15:51.680 some reason why I'm supposed to be there. And so 0:15:52.200 --> 0:15:56.000 I thought, investor relations. I am going to pretend to 0:15:56.040 --> 0:15:59.360 be an investor relations manager from the US and I'm 0:15:59.360 --> 0:16:02.960 going to the new site meeting with some potential investors. 0:16:03.480 --> 0:16:06.520 And so I called the receptionist. I spoofed my number, 0:16:06.600 --> 0:16:08.200 so I made it look like I was calling from 0:16:08.240 --> 0:16:11.680 the US location, and UM changed my voice a little 0:16:11.680 --> 0:16:13.840 bit and said that we have someone that's going to 0:16:13.920 --> 0:16:16.520 be coming on site tomorrow. Please give them whatever they need. 0:16:16.560 --> 0:16:18.520 They're going to be meeting with all these high end 0:16:18.720 --> 0:16:23.000 clients potentially, UM, so just make sure they're comfortable. The 0:16:23.040 --> 0:16:24.520 next day, I walk in and again I had to 0:16:24.600 --> 0:16:26.560 change my parents a bit because she saw me and 0:16:26.680 --> 0:16:30.560 she didn't that, and I she welcomed me, she got 0:16:30.600 --> 0:16:33.240 me coffee, she sent me up in the office where 0:16:33.240 --> 0:16:35.440 they had my name on the on the front door, 0:16:36.200 --> 0:16:39.800 and I was like, how can we help? So from 0:16:39.800 --> 0:16:42.360 there I was able to go through and complete my objectives. 0:16:42.440 --> 0:16:45.680 But it's it's kind of amazing how much you have 0:16:45.800 --> 0:16:48.560 to leverage creativity and even kind of the on the 0:16:48.600 --> 0:16:54.880 spot improv sometimes to to actually complete these objectives. Yeah, 0:16:55.160 --> 0:16:59.280 improv was the word that springs to mind hearing that story. 0:17:00.640 --> 0:17:03.440 I would imagine that there must be some playbook that 0:17:03.720 --> 0:17:06.960 there's a bunch of things you try and then you 0:17:07.000 --> 0:17:09.679 have to improvise if the playbook isn't working. Is that 0:17:09.720 --> 0:17:14.600 playbook always changing? Is it? Is it this constant arms race? Constantly? 0:17:14.640 --> 0:17:17.879 It also depends on who my target is, right, I 0:17:17.960 --> 0:17:21.879 will change the way I ask questions, the way I 0:17:21.960 --> 0:17:26.160 set things up, just completely everything depending on if I'm 0:17:26.200 --> 0:17:29.600 talking to someone younger or older, or male or female. Like, 0:17:29.640 --> 0:17:33.440 there's a lot of things that absolutely adapt to whoever 0:17:33.520 --> 0:17:35.560 I'm speaking to at the end of the day, because 0:17:36.400 --> 0:17:38.640 people are different and I want to try to make 0:17:38.640 --> 0:17:41.840 sure whoever I'm talking to is comfortable and I can 0:17:41.880 --> 0:17:45.240 get them to trust me. And is there a collaborative 0:17:45.280 --> 0:17:48.800 process this kind of ethical hacking or is it very 0:17:48.880 --> 0:17:53.280 much a lone wolf. It's really both. It just depends 0:17:53.320 --> 0:17:56.320 on what the type of assessment is and there's a 0:17:56.400 --> 0:18:00.080 lot of variables. I prefer a team right, working with 0:18:00.119 --> 0:18:03.080 as many people as possible, because I might be looking 0:18:03.119 --> 0:18:06.640 at a problem from, you know, my perspective, but if 0:18:06.680 --> 0:18:08.879 I have two or three other people with completely different 0:18:08.880 --> 0:18:13.080 backgrounds and sets of experience, they're thinking about from another perspective. 0:18:13.160 --> 0:18:16.800 So the more we collaborate and work together, typically the 0:18:16.840 --> 0:18:21.200 more successful we can be as well. I'm curious about 0:18:22.160 --> 0:18:25.240 a day in the life of Snow. I mean, on 0:18:25.280 --> 0:18:29.760 a completely typical day, what is it that you're doing. 0:18:30.600 --> 0:18:32.639 So that's what I love about my job is I 0:18:32.680 --> 0:18:35.680 don't have a typical day. I could be one day 0:18:35.720 --> 0:18:39.840 waking up in Manhattan breaking into the building, and the 0:18:39.960 --> 0:18:42.280 next day I could be in my home office writing 0:18:42.280 --> 0:18:45.360 a report. Like It's all over the place, and that's 0:18:45.400 --> 0:18:49.600 what makes it super exciting that it's not mundane. It's 0:18:49.800 --> 0:18:52.119 constantly changed, and I love that it's like, yeah, one 0:18:52.160 --> 0:18:53.960 day I'm writing a report the other day, I'm breaking 0:18:54.000 --> 0:18:59.320 into a building in Manhattan. It's perfect. Absolutely. One description 0:18:59.320 --> 0:19:02.040 I've seen is that are like a secret shopper, except 0:19:02.240 --> 0:19:04.800 instead of being a secret shopper for a restaurateur or 0:19:04.840 --> 0:19:07.720 a chain store, you're a secret shopper for breaking in 0:19:07.840 --> 0:19:11.960 and stealing passwords. It is that accurate that I would 0:19:12.000 --> 0:19:14.639 I would say that's accurate. And if people are hiring 0:19:14.680 --> 0:19:18.040 you to probe their security and to find the weaknesses, 0:19:19.400 --> 0:19:21.840 have you ever come back and said, no, it's perfect. 0:19:21.880 --> 0:19:25.280 I got nothing I couldn't get in. So I have 0:19:25.440 --> 0:19:29.440 broken into over a hundred and thirty unique buildings. I've 0:19:29.480 --> 0:19:31.800 only had one of those buildings I was not able 0:19:31.840 --> 0:19:35.520 to break into, and that is because it was a 0:19:35.560 --> 0:19:38.760 small company in the middle of nowhere where everyone knew 0:19:38.800 --> 0:19:42.760 each other. It's not because necessarily because they had all 0:19:42.800 --> 0:19:45.920 these you know, expensive security controls that they had place. 0:19:46.000 --> 0:19:48.280 It was just I stuck out like a sore thumb, 0:19:48.359 --> 0:19:51.160 and no matter what I said, they knew I wasn't 0:19:51.200 --> 0:19:53.840 supposed to be there. But it's kind of scary some 0:19:53.920 --> 0:19:58.520 of the very large organizations in these famous skyscrapers that 0:19:58.560 --> 0:20:01.960 I've broken into, where they've invested hundreds of thousands, if 0:20:02.000 --> 0:20:05.760 not millions of dollars into their physical security, but I'm 0:20:05.800 --> 0:20:09.280 able to get in right. That's kind of terrifying if 0:20:09.280 --> 0:20:12.439 you think about it. Whether it's brick and mortar hacking 0:20:12.880 --> 0:20:15.800 or using something much more high tech, it's all founded 0:20:15.840 --> 0:20:19.920 on the same principle, using deception to get what you want. 0:20:20.680 --> 0:20:23.800 To round out their conversation, Tim and Snow talk about 0:20:23.800 --> 0:20:27.600 the state of the global cybersecurity industry, where the art 0:20:27.600 --> 0:20:30.600 of the corn is headed, and how prepared companies are 0:20:30.720 --> 0:20:33.560 for any of it. Let's zoom back a bit now 0:20:33.760 --> 0:20:36.000 and and take in what you know the state of 0:20:36.080 --> 0:20:40.159 the global hacking industry if that's a phrase, or the 0:20:40.160 --> 0:20:45.879 global security industry, and what has changed in security and 0:20:45.920 --> 0:20:49.040 cybersecurity over the last few years. What are the new trends? 0:20:50.200 --> 0:20:54.040 So what's changed? I would say more of our lives 0:20:54.040 --> 0:20:57.720 are online and and that's kind of scary. Everything from 0:20:57.840 --> 0:21:02.440 your IoT lightbulb to your oven to IoT being the 0:21:02.440 --> 0:21:05.080 the Internet of things, so I just basically every everything 0:21:05.119 --> 0:21:08.760 has a web address now exactly, and so there's so 0:21:08.840 --> 0:21:12.000 much more of that now. It's just it surrounds us 0:21:12.080 --> 0:21:15.960 are are just our lives are online and with that 0:21:16.080 --> 0:21:18.760 much being online, that's just more that we have to 0:21:18.800 --> 0:21:22.320 protect or more that we have to worry about. Unfortunately, 0:21:22.960 --> 0:21:27.400 that clearly raises the stakes. I would have hoped there's 0:21:27.440 --> 0:21:31.440 also more awareness. People don't fall for the most obvious 0:21:32.160 --> 0:21:36.920 scams and tricks anymore. And do you think companies put 0:21:37.040 --> 0:21:40.480 enough emphasis on security? Is it a high enough priority 0:21:40.720 --> 0:21:44.880 at the c suite level? I wish I could say yes. However, 0:21:45.000 --> 0:21:47.520 it's all over the board. I've I've worked with clients 0:21:47.520 --> 0:21:51.520 who they put everything they have into stopping attackers, into 0:21:51.560 --> 0:21:54.359 securing their environment. I've seen some clients in the past 0:21:54.400 --> 0:21:56.560 to just want to get the check in the box 0:21:56.560 --> 0:21:58.760 that they did their assessments and they want to move 0:21:58.800 --> 0:22:01.640 on to something else. So unfortunately, it's a pretty big 0:22:01.760 --> 0:22:06.280 range of types of people who really have that security mindset. 0:22:06.720 --> 0:22:12.320 And I'm always reading stories in the news about breaches 0:22:12.520 --> 0:22:17.000 and they these security whiches, and they sometimes they sound 0:22:17.240 --> 0:22:22.480 very sensational. Sometimes they sound incredibly banal, like, oh yeah, 0:22:22.520 --> 0:22:27.640 somebody just stuck all the passwords online in plain text. Boops. 0:22:28.359 --> 0:22:32.760 I mean, is there a standard procedure for the bad actors? 0:22:32.960 --> 0:22:38.640 Is there a way that breaches happen like this? Not 0:22:38.760 --> 0:22:41.119 these days, just because there's so many different ways they 0:22:41.160 --> 0:22:44.399 get in. I mean, most of them are financially motivated. 0:22:44.440 --> 0:22:45.880