Ethical Hacking with Brian Self

Ethical hacking may seem like an oxymoron, but having someone that you trust do a penetration test on your network may shock you. Our guest today has been helping people for 20 years to know when they're vulnerable, and he shares his stories and insights to help you keep your information secure. Today's guest is Brian Self. Brian is a certified Information Systems Security professional, ethical hacker, and professional speaker. He has the unique ability to take a complicated topic like network security and make it easy for a wide audience to understand. He has been in Information Security for over 15 years and in IT for over 20. He is a professional penetration tester doing offensive security, a compliance subject matter expert, an IT security architect, a security engineer, and a consultant in a variety of security domains. Show Notes: [1:10] - Brian shares his background and how he got into the field of IT and security including the story that inspired him to get into ethical hacking. [3:34] -In 15 minutes, a penetration tester taught Brian more about the system he was using than he ever knew was there. He was hooked from then on. [4:37] - Brian defines some common hacking terminology in easy-to-understand verbiage. [6:12] - In Brian's experience, many people tell him that they don't have anything of value that a hacker would want. He clarifies that everyone has something that can make them a target, including things you just don't think of as a vulnerability. [7:01] - In addition to white hat, gray hat, and black hat hackers, Brian explains the different teams of hackers called blue teams and red teams. [8:43] - For penetration tests that Brian does, he doesn't necessarily avoid getting caught. [9:29] - Chris shares his experience with a penetration testing company and the surprise of what they found. [10:52] - Brian confirms that Chris's experience is very common. There are a lot of old systems in place that may have been secure when created but haven't been updated. [12:21] - Brian describes one of his very first pen tests and the ease of finding vulnerability. [13:48] - For pen testers out there who are just starting, here's a rule of thumb, never tell how you got in until you're done. Brian explains why. [14:58] - If you are approached by someone who claims to have found vulnerability, like a grey hat hacker, Brian advises to be very careful and to get a legal team involved. [17:02] - Brian is motivated to help people understand security. [18:38] - Responsible disclosure is when a security researcher gives companies ample time to make changes to their vulnerability. Some security researchers disclose the information on social media. [20:33] - Brian suggests starting with the basics first before hiring someone to do penetration testing. Are you patching? If not, patch first. [23:04] - If you're starting from scratch, you can plan for changes in security. Consider who needs access to certain data. [24:21] - Chris describes the balance that needs to be found between automated systems and human error. [26:01] - Brian started learning social engineering when he had to convince someone to send him to an event to learn more. [27:10] - Brian highly recommends the OWASP foundation to continue learning about penetration testing and overall security. [29:14] - Chris admits that he has been nervous to attend conventions and explains his reasoning. [31:15] - Chris references a previous episode with Ed Skoudis and an experience he had with the Holiday Hack Challenge. [32:17] - Brian suggests taking classes, courses, and learning what you can. He says that if you take a course with Ed Skoudis, you are really learning. [33:09] - In regards to risk, Brian keeps two main points - the likelihood and the impact. [34:15] - Engage with the pen test team. Don't wait to ask questions. Leverage them while you have their time and attention. [34:55] - Make sure you have some proof from pen testers so you know how you fixed something without having to track down the pen testers later. You need a detailed report with priorities. [36:13] - There are some companies that are now specializing in fixing risks. Brian is cautious of this because of an apparent conflict of interest. [37:34] - It should be negotiated in your contract with a pen test to come back and retest. [38:38] - Brian describes how he became burnt out with pen testing. [40:00] - Many companies only hired pen test companies for compliance reasons. There are other companies who actually care about risk management. Brian explains that the types of testing he did varied due to the company's reason. [42:04] - What are the things that every security professional always tells people? Two-factor authorization is annoying but it is crucial. [44:01] - Chris and Brian discuss SMS two-factor authorization. Brian explains that for most of us, it is enough. But for some, it isn't. [45:47] - Brian says that passwords need to be as complex as possible and at least 15 characters long. [46:22] - Comparing two-factor authorization to a home break-in, Brian illustrates that something is better than nothing. [48:16] - Do not use the same password on multiple accounts. You need to have extra security for the accounts that are of value. [49:18] - If you're not going to take the steps for everything, apply it where you really need to, like bank accounts. [50:08] - Pen tests give companies a lot of assurance, but in a lot of cases it takes away assurance. [51:04] - A lot of times, security becomes a chore for a lot of companies. [52:30] - Brian shares a personal story of hackers contacting one of his clients in an attempt to gain access to her network. [54:07] - One major suggestion that Brian makes to everyone is to block out automatic image loading in emails. Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review.  Links and Resources: Podcast Web Page Facebook Page whatismyipaddress.com Easy Prey on Instagram Easy Prey on Twitter Easy Prey on LinkedIn Easy Prey on YouTube Easy Prey on Pinterest Brian Self Speaks Web Page Brian Self on LinkedIn