🎙 Develpreneur Podcast Episode

Audio + transcript

DP741Final


2024-02-11 •Podcast


Transcript Text
Welcome to Building Better Developers, the Develpreneur podcast, where we work on getting better step by step professionally and personally. Let's get started.
Well hello and welcome back. We are into a new interview. We're going to be speaking with Tyler Ward today and we're going to talk about security and security best practices. Developer security is one that we have now talked about a couple different times. Tyler's got a little bit different take. He's got a little bit different background, but it's again a lot of areas that we probably don't think about as much. In particular, we've got a really good story about how he got into it and really focusing on security awareness. And then he's going to follow up and talk about a lot of what he's seen in the last years or so of security evolution and where we need to be maybe thinking about this a little bit better as we build out our team or even build out our applications. But I'm not the expert he is, so let's get right into our conversation with Tyler.
We have a new guest today. We're going to be speaking with Tyler Ward and we're going to talk about cybersecurity. This is a guy that has been doing it for a while in a lot of different areas. So I think we're going to basically dive right in. I'm not going to steal his thunder. I'm going to let him introduce himself and just buckle up, get your pencil and paper and get ready to figure out how you can be more secure. Welcome to the show, Tyler. And why don't you give us a little bit of your background and what brought you here?
Yeah, thanks Rob. I appreciate it. So for any industry veteran that's been in the game for 15 to 20 years, usually at introductions, there's a big sigh because we've just been through so much. But I love what I do. I just started out by saying that after 17 years, I still am super passionate about what I do every day. I think that it's an awesome mission and happy to be fighting the good fight. So just a little bit about my background.
I've been into cybersecurity and the technology field for 17 years, going on 18 years now. I got my teeth pretty young in cybersecurity and there's actually a funny little story about that. So if I flash back to when I was 17 years old, I was going into my senior year of high school and working for my parents' business to save up enough money to buy my first car. My parents, they owned an asphalt sealing business. So they had asphalt sealing and very dirty business, much different than the business that I'm in today. But I worked the whole summer, super dirty jobs like when the Mike Rowe Dirty Jobs show, I'm surprised that that job was never on there. I was always looking for it. But I managed to save up enough money throughout that summer. It was around $4,500 that I saved up. So I was rich. It was a ton of money for a 17-year-old and I wanted to buy my first car. So I made the money, went on eBay, picked out my first car and it was a Toyota Celica with Lamborghini doors that, you know, butterflied up. So super juvenile stuff and ended up Western Unioning my money to a criminal gang in Romania and never saw my car. So the way that they did it was very simple, you know, even back then before, you know, phishing and cyber attacks were really a thing. Cybersecurity wasn't even really a field back then. It was just, you know, hacking, maybe you would call it. And they set up a fake eBay landing page. So when I clicked on the link, it brought me over to their version of eBay and gave me the instructions on how to wire the money. And it looked totally legit for unsuspecting 17-year-old. You know, everything seemed to be fine. My father did caution me at that point. He's, you know, basically said to me, are you sure you're sending your money to the right place? And the confidence of a 17-year-old just, you know, went right through, blasted through the doors and I never saw the money again, reported it to the FBI.
And their response was what kind of piqued my interest in the cybersecurity of, yep, we see this all the time. You're not alone. There's not a whole lot that we can do for you. And that's all that happened from that. So from there, I went into the Air Force and started to work, Air Force in the technology sector and into the cybersecurity sector, spent some time overseas. I spent about a year over in Afghanistan, spent about eight months over in Djibouti, Africa, which is right next to Somalia as an enlisted guy working cyber operations for them. So I did that for a little bit and got out of the Air Force and went to work for some of the intelligence agencies out of the Northern Virginia and D.C. areas, bounced around the country working for them, cyber operations, doing really cool stuff. And after that, I started to work for private companies up in New York, building out cybersecurity programs within MSPs and building out cybersecurity consultancy services for really for other organizations. And at a point in 2017, I took a step back and realized that I really want to do my own thing. I want to build my own business. And that's the journey that I set out on in 2017. And I've been running Creedence Solutions Group ever since. And we're a full service. Full service is a weird term because there are so many things in cybersecurity. So we do not do it all. There's lots of different specialized firms. But the areas that we really focus in are penetration testing to where customers have us hack into their environments. And then we show them how we did it. Virtual Chief Information Security Officer or Fractional Chief Information Security Officer and then managed detection and response and incident response. So coming in when an organization has either a data breach or a cyber attack. We go in there, clean it up for the customer, sherpa them through that process. So it's a lot of fun.
Personally, I've done around 200 cyber incidents in my career, ranging from small to large ransomware attacks to insider threats and spies with inside of companies and rooting them out. So lots of cool stories. Lots of cool stories.
Yeah. Yeah, that's that's actually hilarious. My son, my eldest son was I think he was 19, because I think it was when he was in college. It was his first experience. It was very similar. It was it's a little bit different model, but it's one where they hired him for a job and they sent him a check. And then it was basically like, hey, we're going to send you a check and then you need to pass this on to it's basically yours. Supposedly, just like, you know, sort of just like moving money from point A to point B and we give you a little bit of a cut. And he's like, oh, this is going to be great. And I'm like, that doesn't sound quite that good. And he's like, no, I think it's OK. And sure enough, you know, they sent him something and he wrote a check to go wherever he dropped it in the mail. Or I think he ended up I'm trying to remember how he did it, but I think he dropped in the mail, but he was able to stop the check before they paid it, but realized that it was one of those where they just they wrote him a nice big check and he's like, cool, I got a check. I deposited it. I turned around and that was a deal. The deal is like, oh, you have to turn it around within 24 hours or something so that you could, which is just long enough so that you think you have it in your bank, but you don't. And you get whacked for all kinds of little fees and stuff like that. And he did get he got away with I think it was only he had to do something to do like an emergency stop to the checks. It was like twenty five bucks or fifty. But that was better than the hundreds that he was going to be out. And that's like those things are are really common.
They're more common than, you know, like you said, from what the FBI said, they're probably more common than you would think. And so it sort of gets us into one of the areas is what do you what do you see in the realm in particular over your career? Because I know security is one of those it's always always moving, always shaking. There's always new stuff. What do you see in the world of like just security awareness itself and being able to try to just like get ahead of those things so that somebody like you when you're 17 year old, you've got something you can go to and say, hey, these are things to watch out for. Here are some of the flags that you need to look for to keep yourself safe.
So I will say that, you know, the kids who are growing up now, they're they're a lot more informed than I was. You know, there's just there's so much information out there for them that they have a little bit of training, you know, going into it. Anybody with young kids or, you know, teenagers know they're pretty tech savvy when it comes to scams and things like that, because they see so many coming through Instagram and Snapchat and they're getting these unsolicited messages all the time. So they've become a little bit more accustomed to seeing those things. And they're a little bit more resilient on those. But the field has evolved so much since I've been in it. It came from, you know, when I first started my career, the hacks that were going on, they were not very nefarious. You know, they were pretty benign. Some of them were even funny, you know, with like, you know, war dialing and hacking into phone lines and, you know, snooping on people's conversations. And it was more of just a joke. There were a lot of hacktivists out there that hacked for a purpose, not generally for financial gain. Now it's really all about financial gain. And we see, you know, a wide range of attacks from AP theft.
So accounts payable theft is a huge one that we see where, you know, business A and business B have this, you know, email relationship with one another. They have this business arrangement. And one of the companies owes the other, you know, a check for two hundred thousand dollars in outstanding payables. And an attacker gets in the middle of that email chain and they change the accounting and routing number with a bill for a bill that is actually due. So the company makes makes payment on that bill and the money is gone. And we do see that a lot. Businesses are now evolving to have, you know, two person checks in place to make sure, you know, kind of that two key nuclear weapon, you know, check before any money goes out above a certain dollar amount. But we still see it a lot in small businesses. And I always tell people, it's like, you know, even if you're a two person company, you're just getting you're just getting the wheels off the ground on your startup. You are a target. You know, you're funded. Maybe maybe you have money already, but you are a target even to we see a lot of wealthy individuals, so high net worth individuals who are, you know, high targets, high value targets for attackers as well, because those high net worth individuals, they don't have the security infrastructure built up around them. And, you know, a lot of times they get duped into these scams as well.
Yeah, there's a lot and you see enough big ones on, you know, out on the news and stuff like that. And you see some very big, big names are usually attached to those where they got they got sucked into it. Or now with particularly, you know, actually before before we started recording, we talked a little mentioned a little bit about AI. And it seems like that is the to a lot of people, that's like the next wave of how things are going to be hacks and things are going to be done and some of the deep fakes and stuff like that. Have you started to see that already?
Do you see where that that next wave is coming or is that one of those things that's still a little bit out there in the in the future?
We've seen we've seen in certain places. So there are new techniques that attackers are using to. So back, you know, a little while ago, it was it was, you know, a manual coding effort to change the formats of malicious executables that you as a malware malware builder were building. Now it has become exponentially easier with different types of code, you know, programming tools that incorporate AI to change how malware looks and feels to antivirus systems. So that has definitely changed and made it faster. You know, attackers have gotten faster at doing that. Also on the phishing side, it's very easy now for individuals who do not speak English or their their first language is not English to craft extremely well crafted phishing messages as well. So we've seen that, you know, you know, the traditional, hey, look for grammatical errors in emails that say they're coming from your CEO to now we we see email messages and phishing messages that look exactly like how somebody would speak or type an email. So the voice AI stuff is definitely coming around. We have heard stories about that before to where, you know, like yourself, you're on the Internet all the time. You can record somebody's voice, chop it up and make an AI recording of whatever you want that person to say. And those are being used in certain cases. We've heard of some where they're fake kidnapping and ransom cases. You know, we have your your daughter here. We're going to put her on the phone and it sounds exactly like somebody's daughter or somebody's son. So we're definitely seeing that. And that's the scary part. However, we also see AI being used more professionally on the tools side to recognize threats before they become a real problem.
And I would say the sector that we've noticed it the most in is in the threat detection and response category and endpoint detection. So your traditional antivirus and being able to identify threats on computer systems or intrusion prevention and detection platforms, they're becoming very, very, very advanced because of AI.
Yeah. Wow, that's cool. Yeah, because that is that thing is just being able to get those those patterns and those those discrepancies in the patterns to say, hey, maybe this is something to take a look at or this is this looks like this is a you know, this looks like this is some sort of pattern that's an attack and not just, you know, somebody stumbling across a keyboard or something like that.
Exactly.
We talked I talked recently to somebody that does they do AI, they do it for call centers and they've got the AI that they've got for the voice AI will stutter, it will pause, it'll do all kinds of stuff that the old days you'd hear like the clack clack clack clack on a keyboard or something like that, that it would do to make you think that there was somebody on the other end. And now there's enough stuff there that it's getting very difficult. And particularly when you've got somebody that's just a voice, you're used to there being like a little extra pause or some things like that, that it gives it plenty of time for the system to go calculate what it needs to or look up the information it needs to things like that, that that make them very difficult to spot these days.
Yeah, it's it's it's really hard to tell where AI is going generally. So and it and it becomes, you know, overwhelming when you think of AI, you know, as a general subject. But if when I look at specific sectors, you can see the specific use cases, you can start to predict where certain things may be going, where those dominoes may be falling in certain sectors. General AI and language models, they're kind of driving everything right now.
You know, the larger language models are driving most AI products that are out there. Most AI products of value. You see a lot of them on the sales side and they have actually become quite good in the, you know, the sales side and the lead generation. You see tons of tools out there doing that stuff now.
Yeah, that's where it's I guess that's where it's always it starts with something very big in general purpose. And it in a sense, it's a little bit it's a little easier because you have, you know, you've got a dictionary and you've got all these all this data so you can figure out how somebody speaks or what is the context around it and those kinds of things. So you can you can grow from words to sentences. But then that next phase, when people start looking at it and say, hey, we can take this, in particular with data, there's data has just grown exponentially. It feels like every year for quite a while. And so when we get something that we can point some of these systems at that and actually start trying to actually analyze it from a from an AI point of view, I think we're going to see some some big improvements there.
Yeah, the thing about AI that I would say worries security professionals the most is, you know, like you said, we have all this data that's out there and you have companies and, you know, innovative organizations who want to make the most of this data that they have or this data that they've acquired, but they're utilizing tools that have not been vetted out. You know, and a lot of companies, you know, I think it was Apple and Samsung and Google, when ChatGPT first made its big splash, they had to put kind of an APB out to their entire company and say, hey, do not put sensitive data into these tools, we have no idea where it's going. And once it's out there, it's basically public domain. So we have to be really careful about what we're putting into these tools, not just not from an anti-Skynet perspective. I get it. You know what I mean?
We've all seen Terminator and we all have that inherent fear that AI is going to take over the world. Let's put that aside for a second. I just focus on data security, the tools that you're using, AI or non-AI tools, you have to vet those out for your organization, understand where you're putting this data into. And we see that a lot with organizations who they have this new product line that they're building and it's rooted in ChatGPT. However, you know, putting confidential customer data into AI tools that you do not own, and you have no idea who is looking at that data is probably a bad idea. This is where the legal comes into play and the privacy agreements and all this kind of stuff. So it can get really complicated. So I just warn everybody, be really careful. If you have a project that's going on right now and you're looking to incorporate some kind of an AI tool, really vet out that tool, carefully examine it and assess that tool and that company who owns that tool to make sure that you are making the right move.
Yeah. Yeah, that's definitely that next wave. I think people are now starting to realize that when they gave their, you know, they signed up on Facebook or Snapchat or yada yada, all the social networks and Google and all their tools and some of the Amazon stuff is that they get to touch all of that data. So it's not, you know, now you're sort of throwing it out to the world. You may not think it's make you're making it public, but in a sense, you know, you essentially are to some level there. So that's always good to be aware of what, who is it that's actually sitting over your shoulder while you're doing that. And tools are tough because they won't always be, it won't always be directly, you know, easy to determine that what they're using and where that data is going. So if you've got a tool that's pretty good in a reputable company, but then behind the scenes, they're, you know, shipping that off somewhere, then that can cause you issues.
And that's, that's always been that it's not really the hackers and the Trojan horse type programs that at least not intentionally. So, but then somewhere along the way, you find out they, they effectively were because they opened the door for somebody else. You got, you got somebody respectable to open the door so that you could have your, you know, unrespecting application run on their services or touch their data at least.
Yeah, exactly. And most, most security incidents and data breaches happen not because of a, you know, a hack that occurred or anything sophisticated, but just, you know, business growth, the business grew really quickly. They brought on a lot, a lot of new people. They had data in places where they didn't even know data existed and they made mistakes along the way. They left the doors open. So, you know, that, that is very common and we see that all the time. And we always encourage organizations that as you grow, you, you have to have a security program and procedures in place from the start so that you don't go from point A to point C. And now you're a larger organization with a ton of data and you have no idea how it's secured, where it lives, is it encrypted, who has access to it. You have to be really diligent along that entire path of your business to make sure that you're keeping this data safe because the ramifications are huge now. They're huge. We're seeing things from the SEC, you know, suing CISOs, organizations going out of business from ransomware attacks, you know, the public reputation damage lasts for a very long time. And, you know, nowadays, yeah, okay. I'll give, I'll give companies this, that nowadays, if you are in a, you know, a data breach situation, you're not amongst the few anymore. You're now in the group of many because most organizations of any significant size or scope have had some kind of security incident that has been public.
So you're not alone, but it's still, it takes a long time to recover from that reputational impact.
Yeah, it's, it is sort of funny now that you mentioned that is it's, it seems like it's, you're going to be on the, on the front page until the next organization has that happen and they take over the front page for you. But it's, yeah, I think people have probably forgotten some of the major breaches in the last, you know, even five or 10 years, there's some, there've been some huge ones and you've probably forgotten them because there's been so many since then. And it's like, and it's not like they necessarily are bigger, but it's just each one is, you know, a million or 10 million or a hundred million addresses and personal information were exposed and you never really know how much it is. You just know that particularly if you do any of these things that you scan for, you know, dark web existence, you find that your email, your phone number is going to exist there somewhere. Somebody's got it. You know, if you've been anywhere on the internet and then that's why you got to make sure you're like changing passwords, because your password is going to get exposed at some point. And you know, just it is, I think it's becoming, it is becoming much more. It's just like, it's par for the course. It's like, oh, okay. It's another data breach. Okay. I just got to make sure that I do the simple things like don't have a password of password and change it. And I've seen systems and this question actually, sorry, you did, you have you seen this as well from your side is I've, it feels like from a more of a consumer side, I've seen more systems where they do enforce password security. I've seen a lot more where it's, you've got certain complexities, certain size, a certain way it ages out. So you have to change your password every 30, 60, 90 days, something like that. Are you seeing a lot of that as well?
Yeah, yeah, we definitely do.
You know, a lot, lots of different organizations, they are implementing security complexity rules, but at the end of the day, a password is just a password. And once somebody has that password, if there's no multifactor authentication that's stopping them behind that, then, you know, a 60 character password is just as weak as a one character password. So always implement multifactor authentication anywhere you go on any service that you leverage, implement two factor, multifactor authentication, and don't use the same password across different services. Because when that happens, you know, case in point is you have a password for your email account that is also the same for your bank and your retirement account. And, you know, your Apple iCloud account and all of these different accounts, and it's the same password, the attackers only need to get one password, and then they're into all of your different services. And then it's very difficult to go through all of your different services, and have to make phone calls and change passwords and regain access back into things. It becomes, you know, a logistical nightmare to do that.
Yeah, yeah, it's just like if you get your wallet stolen, then you have to go call all your different card companies and cancel all your stuff that whatever happened to be in your wallet. That's the bigger, usually that is the bigger, you know, impact and pain point than actually losing the whatever cash was in your wallet or things of actual value.
Yeah, you know, the attacks that are the new, you know, I would say the new newsfeed attacks that are really troubling for security professionals right now are the ones on critical infrastructure. We don't hear about them a whole lot, because usually when they happen, federal agencies, they get involved pretty immediately. And there's, you know, there's a lot of hush hush around those things.
But there was one recently, where there was a local municipal water authority that was hacked into, and they actually traced it back to either a pro-Iranian cyber gang or a direct connection to an Iranian cyber crime organization, cyber criminal organization. Those are the ones that really scare us because we're dealing with human life. So when we're talking about hospital networks, critical infrastructure, water authorities, power authorities, electricity, you know, you name it, those types of organizations, when they're getting breached, and those are the main targets of some of these larger entities out there that have nation state funding, those are the ones that worry us because they can cripple our economy, and they can actually result in a loss of human life. And that's happened before, where emergency rooms have been completely shut down because of a ransomware attack. There is a code amongst thieves, though, I will say that. There have been cases before that attacker groups have hit a hospital, and they didn't realize that it was a hospital. And once they realized it, they gave the key back to the hospital. There have been cases like that before. So I will say that there is a little bit of honor amongst thieves, but those targets are really important for nation states, and we have to be very careful of those. Financial institutions as well. Disruption of finances is a very quick way to bring the United States big time problems. So we're always looking at those.
That's actually an interesting one, especially because you've got that background of the military government complex as well, and so their security, that has always been something that it's felt like, and it's almost like it's common knowledge a little bit in the IT world. It feels like the government is not the most secure. The systems they have are not terribly secure. They very much have trailed other systems. Financial systems that used to be that, but I think they're getting better.
Was that your experience, is it really the government systems were behind the times? And have you seen them at least trying to catch up as this has become a far more, it's gone beyond just little hackers trying to do things. It's actual other government agencies trying to bring you down and actual cyber warfare and things of that nature.
Yeah, they're not the best, that's for sure. The inspector general reports that come out to the public, they always show either the DOD failed an IT audit or whatever department it is, whatever agency it has failed some kind of an IT audit. In general, they have problems just like most organizations. I will say that there's different classification levels. You go from unclassified to secret to top secret and then beyond that. And the higher you go up in that ladder of classification, the more secure these organizations are. So I will say that the crown jewels of these organizations and these top secret networks in these closed off enclaves, they're pretty good. They're pretty good. I won't say this, but the majority of breaches happening from those types of top secret networks are from internal leakers. So after Snowden, they clamped down on everything. I was working within the agencies while that whole Snowden thing had just transpired. So I saw that direct vice grip down on things once that happened and they realized, hey, insiders are a real threat and they will do the most damage. In general though, there are so many different government systems and a lot of them are disparate and detached from one another and legacy. So the security comes as a secondhand note on those types of things. But the higher you get in the importance of the data and the secrecy of the data, it does get tighter. So I will give them that. The IG reports that we generally see, they're not the IG reports about guarding the alien UFOs at Area 51. Now, I don't know that there are any over there. I've never worked at Area 51, so I'm just joking about that.
But those inspector general reports that we do see, they're usually on those unclassified systems and those types of networks. They don't delve into the real specifics around those very secretive environments, but they do a very good job in those highly secretive environments.
And we will pause there. Don't worry, we will come back next episode. We will be talking with him some more, get a little bit more into really answering that question that we were just wrapping up there about what is the current state of systems and security and awareness about those from the insiders as it were, those that are employees and those are developers and application team members. And how do we, as he sees it, see security and adapt to it? And are we properly preparing? So we're going to be ready for some good notes again next time. We will wrap it up in that next episode. But until then, go out there and have yourself a great day, a great week, and we will talk to you next.
Thank you for listening to Building Better Developers, the Develpreneur podcast. You can subscribe on Apple Podcasts, Stitcher, Amazon, anywhere that you can find podcasts. We are there. And remember, just a little bit of effort every day ends up adding into great momentum and great success.