Summary
Nate Sheen, a white hat hacker and social engineer, joins the podcast to discuss cybersecurity and how to protect against hacking. They talk about the importance of being aware of potential threats and taking steps to prevent them.
Detailed Notes
The episode begins with an introduction to Nate Sheen, a white hat hacker and social engineer. He explains that he's been in the industry for over a decade and has worked with various clients to help them improve their cybersecurity. Nate discusses the importance of being aware of potential threats and taking steps to prevent them. He explains that hackers are constantly evolving and finding new ways to exploit vulnerabilities in systems. Nate talks about the difference between white hat and black hat hackers, and how social engineering plays a big role in cybersecurity. He also discusses the need for continuous education and training in the industry, and the importance of having a good mentor and networking. Throughout the episode, Nate shares his personal experiences and insights, and provides practical advice for listeners to improve their cybersecurity.
Highlights
- The importance of cybersecurity and not being 'low hanging fruit' for hackers.
- The difference between white hat and black hat hackers.
- The role of social engineering in cybersecurity.
- The need for continuous education and training in cybersecurity.
- The importance of having a good mentor and networking in the cybersecurity industry.
Key Takeaways
- Cybersecurity is a critical aspect of modern business.
- Being aware of potential threats is key to preventing hacking and data breaches.
- Social engineering is a big part of cybersecurity.
- Continuous education and training are essential in the industry.
- Having a good mentor and networking are crucial for success.
Practical Lessons
- Implement a robust cybersecurity plan.
- Conduct regular security audits and risk assessments.
- Educate employees on cybersecurity best practices.
- Stay up-to-date with the latest security threats and vulnerabilities.
- Consider working with a cybersecurity expert or consultant.
Strong Lines
- Cybersecurity is not just about having good antivirus software.
- Being proactive and taking steps to prevent hacking and data breaches is key.
- Social engineering is a big part of cybersecurity.
- Continuous education and training are essential in the industry.
- Having a good mentor and networking are crucial for success.
Blog Post Angles
- The importance of cybersecurity in modern business.
- The role of social engineering in cybersecurity.
- The need for continuous education and training in the industry.
- The importance of having a good mentor and networking for success.
- The benefits of working with a cybersecurity expert or consultant.
Keywords
- cybersecurity
- white hat hacking
- social engineering
- data breaches
- hacking
Transcript Text
Welcome to building better developers, the developer podcast, where we work on getting better step by step professionally and personally. Let's get started. Well hello and welcome back. We are continuing our interview with Nate Sheen. We have been talking about software and actually just overall security, how to make your organization, your software, your products, everything about your business a little bit more secure. And a lot of it is about just doing the right things. You don't have to go that extra mile necessarily. It's just doing things in a logical manner in a way that follows some of those, you know, essentially those best practices that are out there. Simple things like not having a password that is password or password one, two, three, or something along those lines. And we're going to continue in our discussion, talk about some of these things you can do to help make sure that you are as much as possible, not a target. So let's get right back into our discussion with Nate. So what do you do? Because I know, I know these happen sometimes when you say, Hey, let me see your documentation, your processes. And they say, what are those? They don't really, because some of these places, they don't really, especially if they've outsourced a couple of things, they don't really maybe know what they have. So how do you start that conversation basically with them? Okay. Well, say, Hey, I want to see your documents. And they say, I don't have that. Or what are those? Well, that's fine. You probably don't have them. This is my approach. I say, I have an eight page questionnaire that I go through. Okay. I'm going to ask you a lot of questions. If you don't know the answers to the question, we're just going to say no. Okay. And I get a lot of nos. Say, okay, so I'm going to give you an assessment and I'm going to give you some procedures that you can use now. Okay. Here's a password procedure. Here's a policy on passwords. Here's a clean desk policy. 
Here's a, you know, here's a policy on how you connect to the network. Here's a work from home policy. And we're just going to produce those as a part of the assessment. Here's the opportunity. Here's the policies that you should consider implementing. And the policy is only as good as if somebody actually does it. So really, you know, it's the why behind what we're doing. Like, why are we doing this? Well, this is what the policy says. This is why we did the policy to protect ourselves from it. And what that really does is kind of makes you less low hanging fruit. We're really trying to help our clients not be low hanging fruit anymore because hackers going after the easy hits. You know, they're going to go after the companies that are really easy to hack. We're trying to make you less hackable. We're going to try to make you less exposed. So the less exposed you can be, the harder it is for the hacker to get you in there. Well, that's a good point. Is that, I mean, it's a, in a sense, I guess, like a security by obscurity or something like that. Is it one of those where you're just trying to take yourselves out of the primary line of fire and the farther you can get away from it, then, yeah, if they want to come after you, they're going to come after you. But does that does that in itself a big benefit to you? Because now you've you sort of wiped out maybe some level or some grouping of hackers that are just probably not even going to mess with you. Well, yeah, let's put our let's put our black hat of hacking on for a minute then, Rob, and think like a hacker. So if you're talking, we're talking and I'm talking small businesses, this can relate to a little bit larger businesses too. And I want to cover like big enterprise too in this. But talking to small businesses was just typically my focus for that. It's sales prospecting. Okay. 
So I'm going to go out there on LinkedIn and I'm going to use sales navigator as a hacker to pick, let's say, let's go after small medical offices that have 20 employees or less. Right. And I'm going to go after them all. Right. And I'm going to pick a geographic area, Syracuse, New York, and I'm going to hit on, you know, hit all of these offices with phishing emails. And maybe I get ten to respond with something and now I've got 10 to work with on that. Okay. So that shows me that 10 were not as aware for some reason of phishing. So now I've got 10 prospects. I've moved them down my funnel a little bit. And so now I'm going to like try to engage with them. I'm doing some research on them, trying to learn who do I actually need to talk to to get some money out of here? You know, who do I actually need to send the executables to, to put some ransomware out there? So who's the IT company or who's the IT manager? Who's the best, you know, most likely. So it's probably going to be a doctor. It's probably going to be an office manager and operations, somebody with those titles. We're going to start looking at that and trying to get into that organization and keep moving it down the funnel with them because they're low hanging fruit because they responded to my phishing email. And so that's really where I say with the small organizations, if you can get yourself aware, if you can get your software to a place where instead of you just responding to everything, you forward that email to your cybersecurity, your MSP and you say, is this a scam? You know, should I be worried about this? What do we do about this? You know, and getting you to not respond to half of those requests or any of those requests at all, you've just won because a hacker is going to move on because you're still in their automated system at that point. So they're not even like really looking at you. As you start moving up a little bit larger businesses to enterprise, now you're more of a score. Okay. 
So now we're a little bit more sophisticated. So if you look at sales organizations, I worked in a lot of sales organizations. So typically you have your small businesses are kind of more consumer based or even your consumer based sales people. And they're usually like, you've got like 15 or 20 people that are really dedicated to that. And they really go after just kind of anybody. Like they're just, they're cold calling all day long. They're really, really healthy. And then typically you've got an enterprise guy, maybe one or two, and they're really going after scores. If they're going after fortune 500 companies trying to sell them something you don't have as many as the other ones. So they're going after fortune 500. So if I'm still the black hat and I say, Hey, you know what? I'm going to look at fortune 500 banks. I'm going to Wells Fargo and chase, and I'm going to fifth third. And I'm going to try to see if I can make good with their IT managers. It's going to take a long time. Like I'm going to create fake profiles on LinkedIn. I might even like, like this stuff can get really nefarious espionage stuff. Like I might be going to networking events with them. I might be showing up in chat rooms. Like I might, you know, be sending them stuff in the mail that I might work on that thing for years before I get a score. So anytime I hear a company that has anything north of a hundred million dollars in sales a year that gets hit, I say, they have a score. They've been working on that one for a while. Like they've been there for a while. I just was consulting on one very large one. You know, they always call us after the fact rather than having this prevented, of course, they must have been there three years trying to get in there. And ultimately it was apathy on the part of the IT manager is what happened. It just didn't implement the controls they should have implemented, unfortunately. So I guess that kind of gives you the spread. 
The thing is they haven't realized the small businesses. There's probably more people dedicated to your space than there is on the enterprise side, but the enterprise side, they're a lot sneaky or a lot more nefarious. They're working a lot harder on it and you're a big score, but there's just, there's probably 10 times the amount of people chasing you and 10 times the organizations chasing small business. So that's why it's such a huge deal because they're running it like sales organizations on the prospecting phase. That makes sense. And that's a great explanation, sort of an example of what some of these hackers do and how it isn't just somebody sitting in a basement somewhere randomly typing passwords or something like that. It can get very complex and it's in itself. It may be a black market thing, but it's its own business. It is, like you said, it even models traditional business organizations to some level where it's like, it makes sense. You're going to put more resources towards something that you can, that bigger fish kind of a customer or target in their case. One of the things you said all the way at the beginning that actually is a good little question to ask you, your definitions is what would you, if somebody asked you what's a white hat versus a black hat hacker, how do you distinguish the two or how would you describe those? Yeah, so I'm a white hat hacker and I'm more of a social engineering hacker. It's more of my specialty personally. So a white hat hacker is somebody who knows how to hack and uses it for good and the black hat is the one who uses it for bad. So we do a lot of the same things. So I can get into your systems and tell you where your vulnerabilities are and then help you fix those problems. Whereas the black hat is going to get into your system and extort you, hold it for ransom and that's how they make their money. So personally, I'm more of a social engineer. So I'm more of an internet troll. 
Maybe that's a little bit better of it. So that's my dark days that I used to be an internet troll. So I just went around because I just wanted to annoy people as a much younger person and just dumb things that didn't really necessarily hurt anybody. But it's more like social engineering, fake social media profiles, fake chat handles just to do it. And you're more sophisticated hackers who are trying to like to brute force or trying to get into some of these protocols or run through there. I didn't like that as much. I like talking to people more and it's amazing when you can get into conversations with people, what they'll tell you and they'll just let you walk right in and do stuff. And it's a good skill to have, have really good skills, have really good communication skills and you can use those just as well for bad as you do for good. No, I choose to use them for good. And I can learn a lot from people by just getting out there and talking to them and they'll share a lot of things with me because it's that art of establishing trust with people. And so I'd say that I personally just really recognize that I can very quickly establish trust with people, establish a baseline, some common ground with them very, very quickly and help them where a black hat would find that common ground, establish trust, and then just totally destroy that and wreck their lives. And so that's kind of the difference in using that power there for them. Some of my colleagues who are more on the technical side, they just really love to dive into the code. So I'll dive into the code some, but it's not my favorite thing to do. And they're just trying to get through protocols. You may never even talk to them. So it's kind of that scary side where you'll probably have teams. You're going to have teams of people where they're going to, you're going to have somebody like me that's really good at communicating and chatting. And I really, you know, I'm super aware of it. 
I get into these weird conversations from people that we meet through social media and stuff. And I'm like, this guy's a social engineer, black hat hacker is what he is. And this is kind of the power of the wits. And I have to be, we have to be really careful ourselves of what information we give out to people. So it's pretty, it's pretty interesting to see how the two worlds converge. And it's kind of like a dance or battle of the minds when that happens. So do you do, what do you do to keep yourself up to date on some of the latest things that are out there in some of the ways to either tools that you can use from a white hat side or to, I guess it's more like, you know, gaps that you should look for where you see that there's black hats that are taking advantage of this and say, Oh, I didn't think about that. Here's another place that people need to secure themselves. How do you sort of keep up with that? Well, so there's some, there's some great ways that you can, anybody can go subscribe to CISA.gov, which is the Homeland Security division for cybersecurity. I get daily notices from them every afternoon of what they know is going on. It's typically, you can submit stuff to them and then it's vetted through them and then they send it out. I'm a member of InfraGard, which is part of the FBI and they include public utilities, IT managers, uh, most police agencies, private detective agencies like that. I would do networking, communication together, talk with each other to share information that's going on. I'm regularly collaborating with other like-minded individuals in the managed security space. There's a lot of continuing education that we do as well. So we go and communicate and do these trainings, see what's going on and then just do some simulated testing of our own to continue to stay aware of what's going on with that as well. So there's a number of different ways, kind of keeping those bulletins there too. 
We've got, there's some good training vendors in the space too. We just do a lot of virtual training and then we attend about two to three in-person continuing education events every year, which are also just a lot of fun with that as well. That, so there, I know there's a lot of people now because it is a, it is sort of a hot topic as well that will graduate, you know, go through school and they will study to be a security engineer of some sort. So what do you recommend, you know, think of somebody, particularly either if they're, you know, from scratch, they've sort of like just gotten out, they got just a very simple degree and they're, they want to get into, to do what you do, they want to get into the security side of IT. Where would, what would you recommend would be maybe some of their first steps or how they would, they might want to put things on their roadmap as far as their career is concerned? Yeah, I think cybersecurity and IT in itself is very much a trade type of job, just like, you've got your basic training you kind of go through, or maybe a military type of job. I don't know how to describe it. Military and trade are kind of similar in the fact of there's some classroom that you need to have. Like if you're going to become an electrician or you're going to become, you know, a police officer, there's some academy training you need to go through that know how to handle your stuff. You need to know some of those pieces, but you need to like get a mentor and spend a couple of years with them and go through that. So this is very much like, it's a trade job, but it's kind of closer to like a military trade job a little bit. It's psychological too in your mind. Like you need to make sure that you spend some time with somebody who's seen it a couple of times. And so that's kind of the fun part about my job. So the people who are working for me, like I'm like, yeah, I've seen this before and this is what we're going to do. 
And they're like, oh, and once I see them go through it a couple of times, all of a sudden they're training other people to do the same. I've been through this before, we can handle this. And then I have my mentors that I can lean on and say, oh, what the heck is going on? Everything's falling apart. And so you really got to get yourself on that roadmap of get a mentor, get multiple mentors, talk to peers, don't try to go it alone. You don't have all the answers. And pick a good mentor and pick more than one. Like I said, you could pick a black hat, you don't know. So make sure you know them and make sure you've kind of vetted them and really thought through that. Look at some pinnacles in the white hat space and really look at them and say, as somebody that I respect, you may not be able to mentor with them, but who are some of their people that are really following them closely that I can be involved in and go out and network with them? And so there's somebody listening to the podcast and like, I don't know what to do, more than willing for you to reach out. I absolutely can't mentor everybody, but I would be more than willing to be an earpiece or maybe that is something, maybe we just hit it off and it makes sense. But if just to have somebody say, hey, have you seen this happen before? What do I do? And help you through that situation. Because been around it, seen it for, we've seen some things, got some other people on our team, we've seen some things. I think that just communicating makes just the whole industry better together if we're working together as well. That makes sense. And that's sort of what I expected. It's just one of those that it's, you can do all you want from an academic point of view, but it really, a little different when you get out in the real world because it's just, it's not going to be as clean, it's not going to be as neat. So there's that experience is always going to be a big piece of being able to do your job well. Right. 
And academics are great. I had a conversation, I'm on an advisory committee for our local community college and they had said, what do you think is the biggest thing that the college needs to do? And I said, I think they need to talk to the businesses more. And they were like, well, that's why we started the advisory committee. I'm like, yeah, I think so. That's great. Because there's a disconnect between what you guys are doing and what's actually happening on the ground. So we need to figure out a way to talk to each other. If you're a student getting a security degree or an information technology degree, in any way you're going to end up touching security, but just having that conversation, what is actually going on and understanding how it's going to function in your world, going to be so important. And it's like a science, it changes every single day. Once you figure something out, the rules can change the next day. So it's kind of exciting too. It's never going to be the same. It's not the same that it was yesterday, but there's still some basic tenets you need to know and kind of drill into your mind long term. Yeah, that's definitely, I think that's any IT related career is like that. You got to get your foundational in, but then it's never going to be a dull moment after that. You're always going to have something new, something to learn. You have to be sort of that lifetime, lifelong learner kind of an approach. Yeah, that's so true. So true. So we're getting close, sort of wrapping this up a little bit. And what is, yeah, really want to thank you for your time, but also is what are some good ways for somebody to reach out and connect with you or contact you or check out your, if they say, hey, we need to get somebody in to talk to us about doing an assessment. What are some good ways to contact you? Sure. So if you want to contact us about, you know, services and stuff like that, trustastoria.com is our MSP website. 
That's a great way for you to just see some of the stuff that we've done there. We've of course got all the popular channels for Astoria on Facebook, LinkedIn, Instagram, and TikTok. Those are in YouTube. Those are our channels there. I do have some more personal focused content as well. So I have my own personal public Instagram and TikTok where I talk about cybersecurity stuff or just stuff I want to nerd out about. I just did one about Dairy Queen today because I just want to talk about Dairy Queen because sometimes I talk about that stuff. So if you want to get to know me and just chat a little bit about that. Yeah. The long and the short of that is Rob, why does Dairy Queen give me a sandwich in the drive-through but can't give me napkins? It just doesn't make sense. Oh yes. I know I have a great sandwich, but the sauce drips on me and then I want a napkin. Okay. But I talk a lot about cybersecurity on there, but sometimes just technology in general. There's a couple of things around technology I just like to geek out about there. And so if somebody wants to connect with me and chat with me on there, of course, my LinkedIn, my personal LinkedIn, I talk a lot on there about cybersecurity and business, very connected with the business community and nonprofit. And there's a lot of things that I'm passionate about there about, I want to help people who not only business owners and IT people, rescue them from like our minds who just help your mental health. And I really believe that cybersecurity is just one way that I can add a tool to people and say, you aren't going to lose sleep about this. I want to make sure you not get hacked. So that's not the reason that you're unhealthy and mental wise. And so that's so important to me. So some great ways to engage with me. And I just love to chat with people. I'll jump on a zoom call with anybody anytime and we'll just chat, get to know each other. And it just networking is a big thing about it. 
I just like talking to people and meeting new people. So it may not necessarily lead to business for me, but I'm just a really big networker and that just brings everybody up. And I just love doing podcasts. I just really enjoy being podcast guest. I love your podcast here, Rob. It's just a lot of fun. I just, I could just talk all day and, and, and just to that, it's really what I'm passionate about. And you have a podcast as well, correct? Right. So I have the journey podcast. So we just interview, it's not, it's not cyber or tech focused. It's just interviewing business leaders about how they got where they're at. So that's really my focus on mental health of sharing your story as powerful and helping you talk about your life is so powerful to help and inspire and grow others in our network. And so very much enjoy doing that. Cause I just like to talk to people. I love, you know, I love just getting to know people and who they are. And I just, I like talking about tech, but tech is kind of like the conduit in the way that I can help the world. But I think that we all have a lot of value to add to the world, whether it's through tech, or it's just through having good relationships with people, but really just creating that realness of what's out there. Cause I recognize as like a social engineer, white hat hacker, how am I going to establish trust that I'm not actually a hidden black hat? I want people to really have the opportunity to build a relationship with me to say that they can that they can really trust me. And that's the only way we can do that is through these, these platforms that we've built to be able to do that. And I really believe that I want you to have the opportunity to get to know me. Cause if you're going to entrust me with your a hundred million dollar company, cybersecurity, you've got to take the opportunity to get to know me. And if anybody else isn't willing to do that, they're probably not the right person. 
And I might not, we might not match your company. And that's quite all right. I just didn't know it, getting to know people. It's just, it's just a lot of fun. It's just a lot of fun. I've got to meet people from all over the world. I'm doing some, I'm working on a couple of plans now. We're going to be doing some international cybersecurity training. That's really cool. I never even considered that when I started this business, I thought I was just going to do IT services for my little town. And now, you know, I've been to Africa and done some stuff there. And it looks like we might be able to go to South America and do the same thing too. And I just think they'll, those are pretty cool things that we're able to do. I would have never considered with this company with cybersecurity. It's just really amazing to see how that's changed. Chris Bounds Yeah, that's cool to have that kind of a growth where you're surprising yourself how well things have, or how things have turned out. And you end up in areas where you never even considered initially. And you're like, next thing you know, you're like, wow, well, this is, we're moving on, we're growing and things are going beyond where, you know, in a sense, you know, you want to, it's cliche, but beyond your wildest dreams kind of a thing. Yeah, yeah, it's really fun. I love the travel. So I was like, yes, I'd love to go to Brazil and do some cybersecurity training for people. So it's a lot of fun. So just, you never know where it's going to lead. And yeah, I could do a whole nother episode just basically about weathering the storms of business. So, oh, yeah, that's always a, you know, that's plenty of food for thought there and plenty to discuss about that. So I want to respect your time. So I want to sort of wrap it up and let you get back to your, you know, back to your day. 
You have any parting thoughts that you want to send out to people that have now been listening to you for the last hour, anything that you want to, you know, major points you want to leave with, or just even a thought for the day? Yeah, I would just say when it comes to cybersecurity, I know that's been the big theme of it. It's not something that you can ignore. It's, if you ignore it, you're going to be the low hanging fruit. And, but it doesn't have to be the most expensive budget item. It really should be something that you consider, that you focus on. But the moment you say that's too expensive, or it'll never happen here, you've already doomed your company for failure in that area. It's really the world that we live in. And so it's just a matter of recognize that it's something that you need, but it doesn't have to be the most expensive thing that you do if you get the plan in place and just make yourself better. It's kind of like studying finances or science or something like that. You can know it and you can get better with it. It's just a matter of find a partner who will really work with you and really take the time to learn you and help you get to a better place. So it's really passionate about making sure that people realize that they can be better, they should be better, and they just can't hide from it anymore. So I want to thank you for your time. Thank you for jumping in. And this has been a great discussion. I hope, and I hope people have been listening, have been taking notes along the way, because there's quite a few things there. And I'll make sure we get those links will be in the show notes for everybody so they can track you down and go listen to your, you know, want to listen to more podcasts, then go listen to yours. That sounds like an excellent one for them to catch up on and spend a little time with. Absolutely. I really appreciate it, Rob. It's been fun. Yeah. Anytime. Sounds great. Oh, thanks a lot. You have a good day then, Nate. 
All right. Thank you. Bye-bye. And we will wrap that one up. We're not done yet though. Next episode, we're going to come back, yet another interview and another one that will be, I think, something you're going to want to take some notes on and you're going to get a little bit out of it. I get something out of every one of these every episode. I hope you do the same. If you get half as much as I do, then I think we're doing pretty darn good. I will have those notes, those links out in the show notes. So if you want to get ahold of Nate, if you feel like, hey, this is something that we need to be more serious about, we need to get somebody in that can help us sort of assess where we're at and help us on the security side of our business, then I'm sure he would be glad to hear from you. As he said, he's also, if you've got questions about security, he's happy to just help out and try to essentially make the world a better place by having less options for the black hat hackers to get out there and do things. Hope it's also a little bit of a wake up call. There are some people out there that are, you know, bad actors, as they say, and they can spend some time and effort trying to break into organizations. So make sure that you do the, you know, the logical stuff. It's just like when you leave your house, lock your door. If you don't, and somebody is just happening by, or if they're keeping an eye out, the next thing you know, they may just walk right in the front door. And security issues are often like that. They end up just walking in the front door essentially, or maybe a side door. That being said, we'll wrap this one up. I'll let you get back out and go out and enjoy the rest of your day. And as always go out there and have yourself a great day, a great week, and we will talk to you next time. Amazon, anywhere that you can find podcasts, we are there. And remember, just a little bit of effort every day ends up adding into great momentum and great success. 
Please check out school.developineur.com. That is where we are starting to pour a lot of our content. We've taken the lessons, the things that we've learned, all of the things that make you a better developer, and we're putting it there. We have a range of courses from free short courses up to full paid boot camps. All of these include a number of things to help you get better, including templates, quick references, and other things that make us all better developers.