Episode #7 - Jeff Man - Cybersecurity Evangelism
February 21 2021 Filed in: Gula Tech Cyber Fiction Show
Jeff Man is a cryptologist, network penetration tester, PCI Assessor, and an evangelist for the cybersecurity industry. I met Jeff when I started working at the NSA in the mid 90s. Jeff and I speak about the current state of the cybersecurity conference industry, attracting more people to this career field and different types of cybersecurity audits and risk modeling. We also drink some good bourbon.
Ron Gula: [00:00:00] Hi there. It's Ron Gula with the Gula Tech Cyber Fiction show, show. Today we have special guest and my really, really good friend, Jeff Man, Jeff, how's it going?
Jeff Man: [00:00:16] It's going great, Ron. Thanks for having me.
Ron Gula: [00:00:18] Jeff, you've got a couple dubious honors. You're one... You've actually known me longer than my wife, Cyndi.
Jeff Man: [00:00:24] Yeah.
Ron Gula: [00:00:25] And you-
Jeff Man: [00:00:25] I don't if that's an honor, but it's just an historical fact. [laughs]
Ron Gula: [00:00:27] Yeah, yeah. Wow. Yeah, I said that the wrong way. You also invented cryptology. Single-handedly right?
Jeff Man: [00:00:33] That's right.
Ron Gula: [00:00:33] You started encrypting-
Jeff Man: [00:00:34] Back, back during the civil war.
Ron Gula: [00:00:36] [laughs]
I've been looking forward to have you on our show and thank you very much for coming on. It's an honor for me to kind of do this. You helped me get started in cybersecurity. I wish everybody who was going into cybersecurity had a chance to have somebody like you get them up and going. We're going to talk a little bit about that.
Jeff Man: [00:00:52] Mm-hmm [affirmative]
Ron Gula: [00:00:52] But for folks of the show who watch, who don't know your background, how did you get here? How'd you get involved in cybersecurity?
Jeff Man: [00:00:57] Yeah. People like to ask me that all the time. How did you get your start in cyber? First of all, I don't really, uh, uh, recognize the term cyber back when I was getting started in it, it was called information security. In fact, it was called communications security and, uh, I haven't kept up with the evolution of the terminology necessarily. Um, but, um-
Ron Gula: [00:01:19] W- what are we on right now? It's information warfare, information security, information operations, cybersecurity.
Jeff Man: [00:01:23] Cybersecurity. Information assurance [crosstalk 00:01:26].
Ron Gula: [00:01:26] I forgot that. Yep.
Jeff Man: [00:01:27] Um, but I, I mean, I kept my teeth. My, my first adult job was working for the department of the Navy. I happened to work for Naval intelligence and, uh, uh, at the time I was, um, um, just sort of on a whim sorta at my mom's beckoning, cause she worked for HR, uh, at this Naval, uh, facility that I worked for. She said, "Hey, I hear people are going to work at that, this place called NSA. They're hiring." I'd never heard of NSA. I grew up in Maryland and I'm a lifelong resident and didn't know that no such agency existed.
So I'm like, "Oh, okay. Um, you know, I'll, I'll fill out the application, the SF171 or whatever the form is for government employment. So I filled it out. Um, back in those days, correspondence was all by mail. So I got a letter saying, "Hey, we'd like you to come in and take some aptitude tests." And so I, I went up and took a couple days worth of various types of aptitudes skills tests. Uh, there might've been a psych exam mixed in there somewhere, um, but scored well enough that they hired me.
And it was back in the, in the days it was during the Reagan administration sort of in the waning days of the cold war where, you know, one of the strategies, if not the key strategy of the US government was to outspend the Soviets, and which Reagan was doing a great job of doing. Uh, so I started, uh, I was one of the a hundred people that particular week that I started at, at NSA and they were hiring pretty much 90, 100 people a week back in, for that, that era.
So I started at NSA, um, as a cryptologist, uh, I actually went to work in an office. It was in charge of paper crypto systems, which is when you hear, learn about the history of cryptology and you, you see stuff that they did in the revolutionary war and the civil war.
And to some degree, you know, world war one and world war two, that's kind of crypto that I grew up on. Um, it was right at the beginning of laptop, computers, desktop computers, even, not even networking as much as, hey, there's a computer on my desk. So one of the early projects that I worked on was, uh, helping to figure out how to take a manual process for cryptography, which is called a one-time pad and a semi-automated instead of having a paper pad where you had to write down your message character by character at a time.
Ron Gula: [00:03:54] Yeah, you're... So you're under fire, right? Bullets are over your head and you're calling it an artillery strike-
Jeff Man: [00:03:59] Well-
Ron Gula: [00:04:00] ... And you don't want to do it over the clear.
Jeff Man: [00:04:01] The, the first thing I did wasn't even that as much as it was, uh, people that were called caseworkers that were working with people that were, uh, in the field, let's say, um, in fact, I was just watching, uh, there's a, a Netflix series that just-
Ron Gula: [00:04:17] Spycraft.
Jeff Man: [00:04:17] ... came out, Spycraft. So if you want to... You see what I'm talking about, go watch Spycraft.
Ron Gula: [00:04:21] Which, which episode is, is that in?
Jeff Man: [00:04:23] Um, it was the second or third episode.
Ron Gula: [00:04:25] Okay. [crosstalk 00:04:26].
Jeff Man: [00:04:25] And there was one secret codes and writings.
Ron Gula: [00:04:27] And the thing you have is called the what, what did you develop?
Jeff Man: [00:04:30] Well, I developed a, a, a one-time pad that was not only on the paper pad, which would be out in the field, but was on floppy disc with a computer program that would do the encryption and decryption on the fly. What I also did was one of the customers we had was the US special forces. They use one-time pads when they would deploy their teams to the field.
And rather, and, you know, they'd carry around packs of 20, 30 pounds of paper [laughs] or however many they needed for the mission. And, um, uh, similarly their base stations, their communication stations, they weren't using, uh, one-time pad, but they were using a paper tape and I was working with them to automate that process.
So I-I was... There at the dro- ground floor of NSA producing software cryptography, which was unheard of at the time. Um, the other thing that you're alluding to is in my work with special forces and the one-time pad, I came up with, uh, a little cipher wheel that I just designed for as a cheat sheet for myself, uh, to help me with the, essentially the algorithm for encrypting and decrypting using their version of the one-time pad.
Um, and they used a, a substitution table called a visionary table, which is the alphabet, um, you know, you know, like a table and alphabet down the row, alphabet across the top. And then in the in-between, it's the reverse of the alphabet 26 different opposites. So the first one is it starts with a Z and then the second road starts with Y and continues on and loops.
Um, they would memorize these three-letter combinations that this thing performed, uh, creates and I wasn't going to memorize it. So I was like, "Ah, I just learned about cipher wheels. They used to use them in the civil war." I came up with one that used their table. Long story short is they, they liked it so much that we ended up producing like 15,000 of them and distributing it to all the US special forces groups and, uh, as near as I can figure out they were still using them, or they still had these little wheels available for about 20 years.
The, the latest I've heard that they were around was 2010. I was producing them in, in and distributed in the late eighties. Um, so among the special forces groups, uh, uh, a- anytime I happened to meet somebody that's ex special forces, I asked them if they ever heard of this thing, it turns out they called it the whiz wheel. So if I asked them about the whiz wheel, they're like, "Yeah, I remember that." And then I tell them, uh, I invented it and they usually buy me a drink. [laughs]
Ron Gula: [00:07:14] Well, that's awesome. So, um, speaking of drinks, what are we drinking today?
Jeff Man: [00:07:18] Hey, speaking of drinking. Yes. Cheers.
Ron Gula: [00:07:20] Cheers. Cheers.
Jeff Man: [00:07:21] Um, Uh, I'm drinking, we're drinking a bourbon, that's called Uncle Nearest and Uncle Nearest, I just found out about in the last few months, Uncle Nearest was a, a person that lived in Lynchburg, Tennessee. Happened to be African American. I'm pretty sure that he was a slave and, uh, he was a master whiskey distiller, and he is known in that region as being the person that taught Jack Daniel, how to make whiskey. So, uh, his ancestors, uh, found the old family recipe and started a business and, and named their whiskey Uncle Nearest. So his ancestors actually owned this distillery until the story of Uncle Nearest, the man who taught Jack Daniels, how to make whiskey.
Ron Gula: [00:08:03] That's awesome.
Jeff Man: [00:08:04] Yeah.
Ron Gula: [00:08:04] So that's the black history month portion of the show or as our previous guest, uh, former NASA, Mr. Charlie Bolden said, American history month. He, uh, was really, really adamant about that. So, uh-
Jeff Man: [00:08:15] Definitely when it comes to whiskey.
Ron Gula: [00:08:16] Um, there we go.
Jeff Man: [00:08:17] So anyway, NSA, I was there for a couple of years. I moved on to an office, it was doing fielded systems evaluations, and that's when the internet started picking up. And I was with a small group of guys that we started learning how to break into the, into the computers and the networks just within our office. That's about the time you showed up on the scene. Uh-
Ron Gula: [00:08:37] [inaudible 00:08:37] next guy. W- what's a computer? What's Unix?
Jeff Man: [00:08:39] [laughs]
Yeah. You weren't quite that bad. Uh, but, uh, we, you know, the, we reorganize, we removed into a what was to become the first center of excellence for computer and network security, the snack. And, uh, we moved to a different building at a different location and we dubbed our office, the pit. And we were just trying to be cool and geeky and nerdy and, and hacker like, and [crosstalk 00:09:07].
Ron Gula: [00:09:07] It's a good example of-
Jeff Man: [00:09:08] ... that we built, tried to build.
Ron Gula: [00:09:08] It was definitely a good example of marketing because there was a bunch of unmarked just numbered doors.
Jeff Man: [00:09:13] Mm-hmm [affirmative].
Ron Gula: [00:09:13] And I-I guess if they were numbered, they, they certainly weren't named, but, um, we called ours the pit and it really is just a room like any other room, but, but that was fine.
Jeff Man: [00:09:21] Yeah. So, uh, as legend has it, uh, since we are written up in, uh, in a book, the, the, called Dark Territory, if anybody's interested, written by Kaplan, I believe it's the author's name. Um, but you know, we started, uh, coming up with a methodology for performing what we call it a vulnerability and threat assessment, you know, trying to break into networks and, and do it the way the bad guys would do it. And then turn around and say, "Here's what you need to do to, you know, shore up your, your defenses, fix your network, fix all your holes and vulnerabilities. Um, you know, like the way, like we'd seen it on movies like war games or sneakers-
Ron Gula: [00:10:02] But without, without the cool theme music [crosstalk 00:10:04] no John Williams theme music.
Jeff Man: [00:10:05] Yeah. Although we did use a, I remember on my laptop, uh, at the time having the, the remake, uh, reboot of the Mission Impossible theme. So the Tom cruise movie edition, I-I I used to have that when my laptop would boot. It would play. Anyway so, uh, I went from there, uh, uh, lots of long stories associated with that, but I went from NSA out into the private sector in 1996. I've been there ever since doing primarily, uh, consulting and advising and trying to teach my customers, my clients, uh, what this thing called that we now call cybersecurity is about, how to do it, right. How to do it within the, within the auspices of whatever, uh, compliance regime they fall into and so forth.
Ron Gula: [00:10:50] But s- speaking of that, you know, if I met a, a brain surgeon who was also an architect-
Jeff Man: [00:10:56] Mm-hmm [affirmative].
Ron Gula: [00:10:57] ... you know, that's not that dissimilar from your background in that, because you came out of the DOD doing the DOD methodology, DOD risk framework, DOD compliance, but now you're an expert in PCI. You've been doing, you're a certified QSA monitor, which that's, that's like a real-
Jeff Man: [00:11:13] Assessor.
Ron Gula: [00:11:13] Assessor.
Jeff Man: [00:11:14] I refuse to respond to [crosstalk 00:11:16].
Ron Gula: [00:11:15] That's, well, we'll talk about the differences here in a minute-
Jeff Man: [00:11:17] ... talk about the difference.
Ron Gula: [00:11:17] But, but PCI, as much as, you know, security experts can say, "Oh, look, they're, they're very much the same."
Jeff Man: [00:11:23] Mm-hmm [affirmative].
Ron Gula: [00:11:24] There are really two different worlds, you know? So, so w- what kind of PCI work have you been doing and what is PCI just again for our listeners?
Jeff Man: [00:11:30] Sure. PCI stands for Payment Card Industry, and it is a, uh, it's a, it's an umbrella term for, um, a collection of security standards associated with anything that has to do with, uh, taking credit cards, debit cards for payments, for goods and services. So if you stop and think about all the different types of companies that are out there, all the different types of businesses that there are in the world, and, you know, most companies exist because they're selling something and they accept payment if they accept credit cards as a form of payment, they're supposed to follow, uh, at some level, or to some degree at this set of security standards called the PCI data security standard.
So it really, uh, envelops just about every corner of society, because there's just about, you know, I-I can't think of, uh, an industry that doesn't at some level take credit cards, or has some touch or involvement in credit card payments and processing. So, uh, one of the things that, uh, that has always, uh, drawn me to PCI is that, is that the fact that it, it, it's, it's just pervasive. It's everywhere. Whether people realize it or not, a lot of people think of it, "Oh, it's just retail." I said, "Well it's not just retail, it's gas stations, it's convenience stores, it's hotels, motels, restaurants, but it's also local government."
You know, how do you pay for your f- you know, license, driver's license or your new, uh, you know, plates, uh, uh, you know, license plates for your car? How do you play, pay any licensing or fees? Utilities? Uh, I mean, a lot of things are done online these days, but most of these companies allow [laughs] you to pay with a credit card.
Ron Gula: [00:13:20] So I have a PCI question.
Jeff Man: [00:13:22] Sure.
Ron Gula: [00:13:22] So a lot of times when we talk about cybersecurity, we talk about the three basics, right? You have confidentiality, keeping stuff secret, you have integrity, like don't change my secret and then availability. Uh, don't, you know, make sure I can get to my secret when I want to get to my secret.
Jeff Man: [00:13:38] Right.
Ron Gula: [00:13:38] And PCI I've heard a lot of people say is really just about protecting the credit cards. In other words, the confidentiality and the integrity of the credit cards, but availability they don't really care about, which means you could, you know, l- launch a denial of service attack against E-bay or an eCommerce site and PCI in some ways doesn't care about that-
Jeff Man: [00:13:58] Right.
Ron Gula: [00:13:58] ... because the credit card is still safe, still the credit card, even one big problem. Is that, is that true?
Jeff Man: [00:14:04] It's, uh, for all intents and purposes, it's true. Uh, and, and it's more, but it's a little bit more nuanced than that. Yes, it's mostly about confidentiality, keeping data safe, and, and, and it's a particular type of data. It's the credit card number? It's the debit card number. It's the security codes associated, you know, if you ever do an ecommerce site and you have to type in three or four digits that are printed on the back of the card, that's the security code.
So it's mostly involved with that. And it's in, it's really not even, um, associated directly with, uh, using that data to commit fraud. It's, it's all about the theft of the data and it, and it, the Genesis of it was really because in the early days of internet security and in the early days of the bad guys, trying to figure out how to make money, uh, it was very lucrative if you want to look at it from a business perspective to steal credit cards and then to use them to commit fraud, or to sell them to other people that would commit fraud.
So the PCI data security standard came about to try to help all the different companies that are the, uh, where the payment card information is originating into the system and getting onto the internet, which is primarily merchants and retailers. It was a way to try to get them to protect, uh, against the theft and the loss at the data. I would argue though, that if you think of our entire industry, uh, of cybersecurity, uh, 80 or 90% of what you hear about and what people talked about and the products and the tools and the solutions that are out there are really focused on the confidentiality.
So I don't think PCI is unique from that perspective. Integrity comes up, I think, second and availability while it's historically been a nuisance to be subjected at what's historically called a denial of service attack. Lately it's become the malware attacks where they, you know, they lock up your system and encrypt all your data and want you to pay ransom, to get, get it back. You know, the, so availability has become much more of an issue because the bad guys have figured out how to monetize it. But in the old days, 20 years ago, it was mostly about the theft of data and, and, and the value of the data that you can steal and then turn around and resell. Agree to disagree?
Ron Gula: [00:16:26] Oh, no, I think that's well said. I think that's well said. So part of, um, one of the reasons we're, we're going down this road on PCI is you also worked at Tenable Network Security for a bit and was very happy to have you help us out there, but you came in as sort of a PCI subject matter expert-
Jeff Man: [00:16:43] I did.
Ron Gula: [00:16:44] ... in a time when PCI, people who were subject to PCI had to use, uh, uh, companies like Tenable to basically get a vulnerability scan that said that they were, they were good to go. Right? So, um, you did... Started doing some public speaking at Tenable, but then that kind of set you up to do security weekly and speak at conferences, right?
Jeff Man: [00:17:05] Yeah. I blame you for all of it. [laughs]
Ron Gula: [00:17:07] I, I, if I can take credit for anything it's been, you've been on the road now. Well, not, we'll talk about COVID in a second, but-
Jeff Man: [00:17:13] Right.
Ron Gula: [00:17:13] ... how many conferences and podcasts do you think you've done to date? Like, let's just say like the last five years.
Jeff Man: [00:17:21] If well, in the last five years, the last year, not withstanding, so let's say 2014 to 19, uh, I guess I was trying to figure it out. I, it, I've averaged at least 20, uh, conference events, speaking engagements a year. So-
Ron Gula: [00:17:40] One or two a month, right? Two or three months.
Jeff Man: [00:17:42] One or two, yeah. Sometimes more easily over a hundred in the span of five years.
Ron Gula: [00:17:46] Any-
Jeff Man: [00:17:46] That's speaking engagements, podcasts, you know, I'm, I'm, I'm a, co-host on a podcast, uh, that I've been doing since 2015-ish. And I'm also hosting a, um, uh, a subsidiary, uh, show now, uh, that has been going for a little bit over a year. So in terms of co-hosting podcasts, several hundred, I've, I've been a guest on other podcasts such as this one. A couple dozen.
Ron Gula: [00:18:14] But you're on secure, Security Weekly, right?
Jeff Man: [00:18:16] Security Weekly.
Ron Gula: [00:18:16] We can toast to Security Weekly. Right? So hello-
Jeff Man: [00:18:19] Call Security Weekly.
Ron Gula: [00:18:19] Call Security Weekly [inaudible 00:18:21].
Jeff Man: [00:18:20] And Security and Compliance Weekly is my [crosstalk 00:18:22].
Ron Gula: [00:18:22] Excellent, excellent, excellent.
Jeff Man: [00:18:23] And we have a tradition on Security and Compliance Weekly. If I say PCI, everybody has to drink.
Ron Gula: [00:18:28] Well, then you're behind [crosstalk 00:18:29].
Jeff Man: [00:18:31] But I'm doing the talking.
Ron Gula: [00:18:33] That's right. Um, so yeah, there's a-
Jeff Man: [00:18:37] You know, when, when I went to work at tenable, one of the things you told me was you wanted me to go out and start doing conference speaking. I wasn't sure why at the time. Um, and I was, uh, you know, to be honest, I was a little bit nervous because I'd been away from the hacker security community. I've been heads down doing PCI for many years, where I'm a billable resources at a, at a company that gets its revenue from sending people out and billing hours. And they don't usually like you to go off to do a conference 'cause not only do they have to pay for you to go, but they also lose the revenue that you could be earning. So there's sort of a double whammy if you're in the consultant world that makes it hard to go to conferences and checks, unless you do it on your own [inaudible 00:19:19].
Ron Gula: [00:19:18] Yeah. So I, I, I felt that going to conferences was important. Again, this is pre-COVID-
Jeff Man: [00:19:22] Mm-hmm [affirmative].
Ron Gula: [00:19:23] ... because if you're new to cyber security, it sort of gives you that horizon of what you need to learn. And it exposes you to role models. Like, I'm sure you've met people who were like, "Jeff, I want to do what you do. I want to go here." But at the same time, it also provides an opportunity for mentorship. It provides an opportunity for like the vendor world, 'cause there's, there's innovation out there. And how do you know about the next Palo Alto before they're the next Palo Alto? They go to these things, provides a venue for research-
Jeff Man: [00:19:51] Mm-hmm [affirmative].
Ron Gula: [00:19:51] You know, even if it's vendor-driven or university or open, open source. Um, and it's just, and, and now when we have such a, um, you know, dearth of African-Americans and women, it's, it provides a place for them to come. And unfortunately we've had some cases with women with the me too, and with, uh, just sexual harassment and whatnot, but I've always felt like that was the best place to really, for the cyber industry to kind of reach out. So, um-
Jeff Man: [00:20:16] Well, I, I, I agree and I disagree because, uh, um, there are conferences out there within our industry that I would call a hacker conference and there are others that I would call a security conference, which the hackers typically call the suits or the, you know, the vendor conferences. So there's, there's different types of conferences. Um, uh, and I'm gonna make some broad stroke generalizations, uh, the larger conferences that tend to be more bringing the vendors for the big trade shows, the RSAs and the Black Cats of the world, um, which both have, uh, a lot of structure in terms of talks and seminars and panel discussions, tremendous learning opportunities, as well as being exposed to all the vendors and what's new and what's hot and, you know, what's trending and all that kind of stuff.
The, the hacker conferences tend to be more, uh, smaller, organic, although there's a couple big ones of those too, but the, uh, you know, the, the intent of the hacker conferences are, uh, more often than not designed to be local regional, let's get together because we're all passionate about this thing that we do, and let's get together and create a learning opportunity, create an at, at, an at atmosphere for networking and getting to know people.
Um, you know, you mentioned in terms of diversity in the, the challenges with, uh, African Americans people of color women, uh, people with alternative lifestyles, the hacker community, uh, tries to be open and engaging to everyone, to everybody. Uh, and I think they do a fairly good job of that, but, you know, if you stop and think about, you know, and, and the media is somewhat to blame and Hollywood's somewhat to blame, but this mental image that we have of what a hacker is, is usually a pale white guy, you know, hoodie that's in his parents' basement [crosstalk 00:22:26].
Ron Gula: [00:22:25] W- with bad posture and [crosstalk 00:22:27]. Yeah same type keyboard.
Jeff Man: [00:22:29] Yeah with lots and lots of screens. I mean, so the, you know, the, the, the stereotype isn't necessarily one that is attractive to people that don't fit into that.
Ron Gula: [00:22:42] W- what is the, this is what a hacker looks like movement, is it, is it a movement it's, it's really kind of a Twitter brand, right?
Jeff Man: [00:22:49] It's somewhat of a Twitter brand. And it grew out of a, a series of books that, uh, were first published. The first one came out, I guess in 2018, I think, or early 2000, it was early 2018. Time is at somewhat of a blur in this Groundhog day we live in. Uh, the book is called Tribe of Hackers and the author who's more of an editor, really, Marcus Kerry, um, he, uh, he, he had read some other book, tribe of something and thought, this is a great idea.
The premise is you, you get a set of questions, a short questionnaire, and you ask the same set of questions to people that are experts in the field and, and curate their responses and put it all together. So the original Tribe of Hackers book was, uh, I think there's 70 people in it. And, you know, leaders recognized leaders in the cybersecurity field that, that whether they call themselves or not are recognized as hackers, of course, that begs the question, what is a hacker?
So, uh, I think the premise of the book is, uh, and, and I think they did a really good job with it. Um, trying to demonstrate that a hacker is not necessarily that typical stereotypical person I'm stoked for a keyboard with the hoodie on. Um, there was a lot of, I mean, there was men and women in the book, people of different colors in the book, people of different, uh, religious affiliations.
Ron Gula: [00:24:13] You also had CISOs, investors, researchers.
Jeff Man: [00:24:16] People that are... Yeah. And, and, and yes, absolutely the diversity was, uh, equally as much different roles in different areas of responsibility within this field we loosely call cyber security, um, since I booked. And so that book came out, they put together a summit in early 2019 and got some of the people that were in the book together, down in Austin, which is where Marcus lives.
And, uh, put on a one day summit. I think they got 10 or 12 of the, uh, contributors. I was one of them. Um, and they passed out t-shirts, this is what, uh, hackers look like. But the, the point is a hacker can be anybody. You know, there is no stereotypical image of what a hacker is, a hacker. At least my definition of a hacker is somebody that's curious, somebody that's trying to figure out not how to break things, but how things work. How to make it better, how, how to improve upon it.
Uh, I mean, I grew up always, I-I don't know where I inherited it or when it first started, but, you know, if somebody tells me this is how we do things, I am immediately thinking, "I wonder if there's a better way to do it. You know, I'm more of a process hacker maybe than break into computers, type of a hacker. Um, but somebody that's just inquisitive and curious and asks questions, "Why is it, why is, why is this the way it is? How did we get here? Uh, is there a different way? Is there a better way? Is there a more streamlined way?"
These are the types of questions I ask. And, and to me that's sort of a hacker mentality. Like, you know, it's not necessarily a lifestyle, but it's, it's a, it's a, it's a way that you view, view the world, it's the way that you see the world.
Ron Gula: [00:26:02] I really-
Jeff Man: [00:26:02] And that, and that spans different, you know, that can, I mean, it doesn't even have to be in the computer field, right? You can hack anything. If you have this mindset of how can I do this differently, better, how does it work type of.
Ron Gula: [00:26:14] And we're going to have the, um, cast of MacGyver on for an episode here, the new CBS thing and-
Jeff Man: [00:26:20] The original hacker.
Ron Gula: [00:26:21] Well, the original, uh, like, like, and there's, there's cyber stuff in it, which is kind of cool, but like a lot of the hacking is like, "Oh, I'm going to take some eggs in a bag. I'm gonna burn the eggs and then make a, make a hot air balloon. Right?" So that's, that's kind of a hack. So I'm looking forward to talking about them, but, but back to the Tribe of Hackers book, what I really like about that is our industry to date has done such a bad job of describing what it means to be in cyber security, right?
Jeff Man: [00:26:45] Right.
Ron Gula: [00:26:45] If we're in healthcare-
Jeff Man: [00:26:46] Right.
Ron Gula: [00:26:46] ... you could be a physician's assistant, a doctor, a brain surgeon, a nurse, and the general public all knows what that is. But, but the general public doesn't know the difference between incident response, a policy auditor, uh, uh, an IT patch management. I mean, you just go on and on and on. So what I liked about that book is it's a glimpse into what the field is.
Jeff Man: [00:27:04] Mm-hmm [affirmative].
Ron Gula: [00:27:04] I used to tell people, if you want to get into cyber read, you know, Cuckoo's Egg and read, um, um, Cliff Stoll, um, Cuckoo's and puzzle, puzzle-
Jeff Man: [00:27:14] Puzzle pals.
Ron Gula: [00:27:15] ... puzzle pals.
Jeff Man: [00:27:15] Yep.
Ron Gula: [00:27:16] And now I tell them, read Tribe of Hackers, 'cause at least a good and th- they've been, and then hats off to, to Marcus and everybody you've been in all three books, they've kept updating-
Jeff Man: [00:27:24] All four.
Ron Gula: [00:27:24] All for books, right? So, but that's the point. Our industry has done a bad job of like staying current, you know, so that, that's good stuff. So, um, so back on the conferences-
Jeff Man: [00:27:34] Mm-hmm [affirmative]
Ron Gula: [00:27:35] ... so then here comes COVID right? 2020 was tough for a lot of people. Um, all the conferences had to figure out going online or not. What has been the change because there's been an explosion, gee, in podcast people just starting podcasts and shows. Right? But, but what's, what's, what's been changed. What's changed out there.
Jeff Man: [00:27:54] Well, I mean, the, the big changes, m- most if not all the conferences have either had to cancel outright or figure out a way to do it virtually. And, um, there's... Yeah, I'm not going to name names because I couldn't name them all, but, um, a lot of the conferences have gone the virtual route in the last year and, and a lot of them are, you know, were and are hopeful that they could get going again with a real conference in 2021.
I think realistically we're still probably a year out for most of the conferences coming back in, I've even gotten to the point where it's like, it's like surreal. It's like, did they really ever happen? Did we use to do this? Are they ever going to happen again? Um, you know, you mentioned how many conferences or you asked me how many conferences I've been to as a speaker. I, I was at the point in 2020 where I'm like, I'm good. I'm ready for a break. I'm, I'm okay with this. I'm over it now, but it took me most of 2020 to like, get over the fact that I'm not traveling and going to conferences.
Ron Gula: [00:28:54] D- did you have to adjust to like talking into a camera and not seeing that audience feedback?
Jeff Man: [00:29:00] Oh, absolutely.
Ron Gula: [00:29:01] Yeah.
Jeff Man: [00:29:01] I mean, I, I spoke maybe five or six times in the last year at a virtual conference. Uh, at least one of them was prerecorded really-
Ron Gula: [00:29:11] And that's, that's tough because you're, you, you, you can't really say today, you can't say the news.
Jeff Man: [00:29:16] Yeah. Yeah.
Ron Gula: [00:29:16] It's, it's, uh, but, but it's, it's more convenient. You can create more content. I think we are hitting more people, but it's a little bit more impersonal.
Jeff Man: [00:29:24] We're hitting more people, but, uh, you know, the, the typical security conference, whether it's the big one or the small one, the regional one, the, the industry one or the hacker one, there's so much more than just the speakers in terms of learning opportunities, uh, uh, you know, they have different villages and s- in, in areas that are for capture the flag exercises, lockpicking villages, which I don't necessarily ascribe to you, but it's popular.
Ron Gula: [00:29:53] It's hacking.
Jeff Man: [00:29:54] It's hacking. Um, they have, they have, uh, people at many of the conferences that volunteer to help you, um, review your resume, do a mock job interview, trying to help people, you know, get not, you know, not, not just get into the field, but, you know, move around, move up in the field, uh, advance their career.
Ron Gula: [00:30:15] And a lot of conferences have a specific theme for, for women African Americans or even K through 12, you know, whether it's free attendance, these free mentorship things. So I, I, I think there's been some improvement.
Jeff Man: [00:30:28] Yeah. I mean, uh, there's definitely, you know, the collective has figured out how to put on a virtual conference, uh, and, and I've, I've been to one or two where, you know, you had sort of these virtual conference floors where you can scroll over to different areas and pop into a room that's like the real thing, but it's not the real thing.
Ron Gula: [00:30:52] It works for call of duty. I don't know if it works for learning cybersecurity.
Jeff Man: [00:30:55] Yeah. So, you know, long and short of it is it sucks. Uh, you know, I, as a speaker, um, I, I, I thrive on the interaction that I have with the audience. Just, you know, am I, am I making sense? Am I getting the nods of head of approval? Does it seem like people are understanding what I'm trying to say? 'Cause I think I have a tendency to be a little bit vague and people can't always tell where I'm headed type of thing. Uh, that's another hacker thing, when somebody is talking, you're all, you know, to me, I'm always like, where are they going with this? What are they trying to, you know, when you're trying to anticipate.
Ron Gula: [00:31:32] What's the big reveal, it's like a magic trick.
Jeff Man: [00:31:34] Yeah. Um, but even like, you know, how many people have their head in their phones or their laptop, which is fairly common these days, a horrible practice as an old timer. Um, but very common. Uh, you know, you know, and I'm looking, I'm looking at the audience trying to connect and engage in, in feedback. Part of, um, part of my shtick is, um, you know, in all my years of consulting, because I've, I've been speaking to people in large groups and small groups and various levels in organizations for 25 years. Uh, I like to think that... I'm told that I do a good job at it. So-
Ron Gula: [00:32:11] What-
Jeff Man: [00:32:12] I like to think that I do a good job at it.
Ron Gula: [00:32:13] What talks are out there that you're most proud of. Like can people go and see any recorded talks?
Jeff Man: [00:32:18] Yeah. There's uh, I, you know, I, I, I had, uh, I had someone tell me early on, I want to say it was Jason Street, uh, who is a popular speaker, known hacker, uh, great guy. Uh, he, he told me early on, "Don't come up with a different talk every time you speak, you'll kill yourself." He's like, "Come up with a talk a year." So I'm like, "Okay, that makes sense." So I don't have that many talks out there. Maybe a dozen, uh, most of them you can find on YouTube. Most of them you can find multiple versions of.
Um, and I'm an extemporaneous speaker, which means I just kind of talk from cue cards. I don't have a memorized speech. So every talk is a little bit different. Although overall it's the same. Favorite talks are, um, I have a talk that I called the art of the Jedi mind trick, uh, which is all about communication skills. The things that I picked up as a consultant over the years, what I think I was doing that worked and resonated with my audience.
Ron Gula: [00:33:21] How to get non cyber business people to do things, to protect their business and cyber.
Jeff Man: [00:33:25] Well, essentially it's, uh, you know, if you've, if you took speech class in college, it's, uh, persuasive speech because, you know, in most walks of life, if people are talking, there's only two or three reasons why you're talking. A major one is you're trying to sell some... You're trying to sell something. You're trying to convince some, you're trying to convince somebody to buy something, do something different, take an action, your prime, to persuade them to change or do something.
And that's most of what the speech is in our, in our, in our world. The second category is teaching, you know, simply trying to convey information. Um, a third one, is it, it the third reason why we speak, especially public speaking is to, to try to lift people up and praise and just talk about somebody like that, eulogy at a funeral or a toast at a wedding type of thing, or somebody wins an award they want to talk about you.
Um, there's that, not that many reasons why we speak. So I, I had in mind that, uh, I'm just going to write down the things that I know that I've done and someday I'll figure out there's, you know, I'm not that smart. I'm not doing anything new. Somebody has already figured it out. There's probably academics out there that have names for everything. So I did the talk a couple of times and just talked about the different, um, uh, things that I did and I broke it into six or seven techniques or strategies for how to do effective communication.
Later on, I did it as a workshop and I actually did the research like, okay, "What do the college textbooks say about all this?" So I got all the, you know, the names for all the things that I'm doing. Um, so that's out there, uh, in a couple of different, uh, formats. Another talk, I do talks about what I used to do at NSA, you know, because I, you know, we worked at NSA, that gives us a certain pedigree within the hacker community. You know, people, people live in, you know, they're in awe of this because we're, we're from [crosstalk 00:35:28].
Ron Gula: [00:35:28] It's, it's really, I mean, tenable, co-founder doing all this kind of interesting. So I still get introduced as former NSA hacker, like that's most interesting thing out there because of that mistake.
Jeff Man: [00:35:39] Right.
Ron Gula: [00:35:39] So, but hopefully you can use that to, to educate people, right? That gets you a lot of interesting people. They, they take you more seriously [crosstalk 00:35:46].
Jeff Man: [00:35:47] It gets people to listen.
Ron Gula: [00:35:48] Yeah.
Jeff Man: [00:35:48] I, you know, and then it's up to me or you for us to say something meaningful that you know, that they're, they're going to take away and do something, but we, we at least have their attention at least for a small amount of time. Um, uh, so I, I give talks that, uh, uh, that just tell stories about what I used to do at NSA.
The first one, which was, I was at a ha- I was at, uh, I want to say it was a BSides conference. Um, and I went to the speaker dinner the night before I was talking to the guy. We had a good time chatting. And I asked him what talk he was doing. He's like, "Oh, I've been doing it like an intro to cryptography talk." I'm like, "Oh, interesting. I'll check that out."
So I went to his talk and he's talking about, uh, you know, manual crypto systems, one-time pads, ciphers, Caesar cipher, and all this stuff. And I'm like, "Shoot, I could give this talk. Not only do I know this stuff, I used to do this stuff." So I decided to give the talk. I talked about my early days of NSA and the cryptology that I did. And, um, if you remember before the HBO show, there was a comic book called Tales from the Crypt.
So I decided to name the talk Tales from the Crypt... Analyst. And I had, you know was, I was still at tenable at the time. Hope you don't mind. I-I-I used your, uh, marketing team to come up with a, a, uh, an illustration that was a mock Tales of the Crypt comic book to, to advertise this talk, Tails from the-
Ron Gula: [00:37:22] Long, long as I wasn't the skeleton guy-
Jeff Man: [00:37:23] [laughs]
Ron Gula: [00:37:24] ... um, I'm good with that.
Jeff Man: [00:37:25] And then the, the sequel to it, more Tales from the Crypt analysts was the story about how pen testing got started at NSA, Ron and I were part of the first pen testing or what we now call as a red team, um, group, uh, at NSA. We weren't the only hackers in NSA-
Ron Gula: [00:37:41] Right.
Jeff Man: [00:37:41] ... but we were the only ones that were on the defensive side, doing the ethical break in to tell you what's wrong.
Ron Gula: [00:37:47] So, so let's, let's talk about this. So, so frame, how do I know if my network and data is secure? Fr- frame that process with, with me. But you just took a drink. So you're, you're well-qualified to do this now.
Jeff Man: [00:38:02] I-I did just take a drink, you know, what we, what we thought back then, and, and what we, I, I'm saying we, but collect- the collective of us, all of us that came out of the DOD, uh, or many of us that came out of the D the, the, the assumption was, okay, you've got computers, you've got a network now you're plugging into the internet. Uh, so you're exposed in a different way.
You need somebody to come in and tell you, uh, what all your problems are. I used to when I was in my early days of being out in the private sector, and, and we were talking to customers that wanted to hire us. Um, they're like, "Yeah, we want you to break in, you know, we want you to do a pen test. We want..." You know, red, red team was not in our vocabulary back then in the, in the late nineties.
And I would always ask them, do you want us to discover, uh, all the different ways that we can get in? Or do you want us to just get in and see how far we can go? And, you know, can we get to like a, sort of like a capture the flag? Can we get to a particular set of data? Most of the time, I'd say 99% of the time they wanted, they wanted to know what all their holes were.
So, uh, okay. We could talk for hours about the definition of the pen, of a pen test and what it is and isn't, but at the end of the day, the, when we went into the private sector, we thought the way that you tell people what's wrong is you break into it and you take the time to find all the holes or as many holes that you can find for the timeframe that you've been hired for and, um, start from there. And, um, I-I regret to say, I think that ultimately that's just the wrong approach. I think that-
Ron Gula: [00:39:50] Why is that?
Jeff Man: [00:39:51] ... while it's fun and sexy and cool and gets lots of people, uh, the opportunity to talk about ways that they broke in to, you know, various organizations. At conferences, I don't think it's ultimately cost-effective because it was fine, it was fine at the beginning, but at some point I expected and maybe I'm naive, but I expected there to be an evolution where, okay, you're sort of past that first wave. You're, you're now on the internet. You now have your network. You've had people come in and rape and pillage and break in and, and, and show you all the holes.
But you know, the way you patch all the holes is, you know, it's not just going around and patching and plugging and sticking your fingers in the holes. Like you're the little Dutch boy, you gotta start building processes. You gotta s- you gotta build a program that says, that looks at how do these hole show up in the first place? How do we prevent them or minimize them from happening in the future? Or the reality is, you know, if you call the whole vulnerability. Vulnerabilities aren't going away, they're pervasive. They're a constant, they're always there. They're always being discovered.
And it's not simply a matter of, well, you find it, you patch it, you find it, you patch it, you find it, you patch it. There's gotta be a way to systematically programmatically process wise, build systems, uh, field systems that are, have some hardening, have some configuration, have minimal functionality. There's all classic stuff that we, we taught and learned 25 years ago, but it's still true today.
Ron Gula: [00:41:30] And technology has progressed like, so when we were doing this-
Jeff Man: [00:41:33] Mm-hmm [affirmative].
Ron Gula: [00:41:34] ... we could go to an air force base. We could go to a government agency and all of that network-
Jeff Man: [00:41:39] Mm-hmm [affirmative].
Ron Gula: [00:41:40] Would be, be literally behind one or two or three devices. And we could literally say-
Jeff Man: [00:41:45] Hopefully.
Ron Gula: [00:41:45] Oh, well even, but even back then there was a clear perimeter, right? So now you've got stuff at Amazon. You've got stuff in Salesforce. You might have a data center in St. Louis, which is different than your data center in, in, in Iowa. How, how can you even find all the holes with-
Jeff Man: [00:42:03] Right.
Ron Gula: [00:42:03] ... with stuff like that?
Jeff Man: [00:42:03] Well and you're bringing, you're alluding to what's an interesting, uh, reality is that, uh, you know, a big, a lot of us came out of the DOD and it wasn't just the two of us. And we were classically trained in InfoSec and we were classically trained in sort of the military DOD approach to security. Um, I believe to this day that there's no such thing as offensive security, security by definition is defensive. It's, it's, it's prevent, detect, respond, react, um, in, by his very nature, but, you know, nuanced discussion.
Um, but the, but the, you know, what we, the collective we, uh, preached as is ne- in, in the early days, we called it network security or internet security. It was, you have a network, you're plugging in to the internet, which is the great unknown. The, you know, it's the cloud. That was why we call the cloud the cloud because the internet was this vacuous unknown thing where evil people and things were.
Um, but we built our, our security programs, uh, around centuries old, uh, tactics on military, physical security premises, which was primarily build a secure perimeter, build layers of security, put your most sensitive, critical assets, deep inside the inner bowels of your whatever, and, and hope that all the layers of protection, protect you. That's how we build our networks. But as you said-
Ron Gula: [00:43:39] Now I can get to Amazon with a pass- password, right?
Jeff Man: [00:43:42] Okay. So we need to get over that.
Ron Gula: [00:43:44] Yeah.
Jeff Man: [00:43:45] Uh, there is no perimeter anymore. There is... We used to talk years ago, back in the early days about that crunchy exterior and the softer gooey middle. Um, and, and of course, if you could crack through that crunchy exterior as a pen tester, um, it was pretty much wide open. I mean, in fact, you, you, you worked for a company back in the early two thousands.
Ron Gula: [00:44:09] US Internet Working now part of AT&T.
Jeff Man: [00:44:11] Where my, where my company was hired to do such a, a pen test. We were given, we were given because of the frustration of the security officer at the time, I'm trying to get the attention of management to do the things and invest in the things that he knew needed to be done. He gave my company a carte blanche. You've got a weekend rape and pillage do as much as you can. I want you to just go as far as you can. No, [inaudible 00:44:36].
Ron Gula: [00:44:35] I think you got on my computer.
Jeff Man: [00:44:37] I got on everybody's computer.
Ron Gula: [00:44:38] Yes, yes.
Jeff Man: [00:44:40] And, and it's funny because ironically what we ended up doing, you know, and, and I was part of a team. And it wasn't just me. Uh, my team found a way to, uh, and this was probably 2000, maybe 2001.
Ron Gula: [00:44:54] SQL injection. Right?
Jeff Man: [00:44:54] We got in with SQL injection-
Ron Gula: [00:44:56] Is it before it was a known-
Jeff Man: [00:44:58] Before we called it SQL injection, we just knew 14, you know, port 1433, you could append the SQL commands and, and put commands in. And, and... So we got in. And once we got in, uh, you know, my job as part of the team was to kind of poke around and look around what, what is called today pivoting, uh, I've had to learn that the, the new term, terminology.
Ron Gula: [00:45:21] Lateral movement, leap frogging.
Jeff Man: [00:45:23] Lateral movement. But, uh, whereas the guys that I work with, they were all about, "Let's break in, we got a box." Back in those days, it's mostly Unix. We rooted, let's move on to the next one. And I'm like, "Let's see what's on this box. Let's see what we can learn from it." So in the, in the, in the, uh, under the premise of let's do everything and rape and pillage and get as far as we can, uh, we had got, we were in and we set up a, a reverse tunnel.
So we were in and could stay in and, and avoid detection and, uh, whatever intrusion detection, perimeter in tect- detection, uh, defenses, they had up, we were circumventing that, um, which is interesting in terms of your career path. But, um, um, I found a box that, that the name of the box was, uh, TMS001. And I figured out that, that was running something called, uh, the Tivoli um, management system.
Ron Gula: [00:46:25] It was, it was the solar winds of 1999.
Jeff Man: [00:46:28] It was the solar winds.
Ron Gula: [00:46:29] [laughs]
Jeff Man: [00:46:29] That's what I'm getting to, you're reading my mind. But, uh, we found the box that was doing the network monitoring for everything. And US internet working essentially was a cloud provider. There were a cloud hosting provider before we called it that. And, um, you know, I, I saw that box. I said, okay, that box sees everything. And it's trusted by everything. That would be a great place to upload a vulnerability scanning tool and just do a, a vulnerability scan of the entire network, which is exactly what we did.
And, uh, yeah, so it is the solar winds of 2000. That, that was the point I was trying to make. And, and it illustrated. And, and I know that your, your experience at US Internet Working is, is what... I know the talk's not about you, but that's what sort of inspired you to go off and write a better intrusion detection system.
Ron Gula: [00:47:21] Well said, I don't have to say that now.
Jeff Man: [00:47:22] [laughs].
Ron Gula: [00:47:23] Here we go. Cheers. Right?
Jeff Man: [00:47:24] Cheers. So-
Ron Gula: [00:47:26] All right.
Jeff Man: [00:47:26] So I really am responsible for most of your success.
Ron Gula: [00:47:29] So, um-
Jeff Man: [00:47:30] You should, you should buy me a cigar or something. [laughs]
Ron Gula: [00:47:32] I-I a future version of the Gullett tech cyber fiction cigar hour will be up after that.
Jeff Man: [00:47:38] [laughs]
Ron Gula: [00:47:38] So, um, so you do this vulnerability assessment, he does penetration te- what did you call it back then?
Jeff Man: [00:47:46] When we were at NSA, we called it a vulnerability and threat assessment?
Ron Gula: [00:47:50] Mm-hmm [affirmative].
Jeff Man: [00:47:50] Um, I think when I came out in the private sector, while we called it hacking and pen testing, I think a lot of paper on our statements of work, it was so probably called a vulnerability assessment, especially if they're asking us to find all the hopes, that's vulnerability assessment. We did have a couple of customers that were, no, we just want to see if you can break it. W- uh, one customer in particular, they had, um, they had gone out and invested in the, the premier firewall of the day, which was, which was the gauntlet firewall.
They'd paid for all the training to get, uh, trained on, uh, how to, uh, architect their network, configure their firewall for their, for their best protection. And they w- they were ready for us to give them a live fire test. So they hired us to do that. And I remember just doing some initial probing. Back in those days, uh, every system had a publicly [laughs] uh, reachable IP address, there wasn't net masking back in those days.
So if you had an, if you had a system on a network, it had an IP routeable address everywhere. So one of the things that the firewall was supposed to do was to protect the inside and the outside, but it wasn't based on address translation. Um, so I was, uh, doing a port scan. I was doing a, some sort of approach just to see what was a live system on their identified network space. I forget whether it was a class C or several class Cs.
And I remember running the tool, uh, and thinking, "My gosh, I'm, I'm seeing everything. I'm getting all sorts of responses. I-I don't, I'm not seeing any kind of blockage or, or any... I'm not seeing a firewall essentially." Long story short is they in there setting up that firewall, um, they, um... And back in those days, firewall rule sets were maybe 20, 30, 40 rule longs.
I mean, you know, we used to recommend no more than 20 rules, if you can believe that. Because I've seen, I've seen network appliances with firewall rules in the tens and hundreds of thousands these days. No, it's no wonder companies are vulnerable, but, um, uh, we, we determined, um, that their firewall rule set, the variable last rule, which was, you know, in theory, you know, once all the rules are executed-
Ron Gula: [00:50:14] Deny, deny, deny, right?
Jeff Man: [00:50:15] ... the last one is supposed to be deny, deny, deny. It was, uh-
Ron Gula: [00:50:17] Allow, allow.
Jeff Man: [00:50:17] It was allow, allow, allow.
Ron Gula: [00:50:20] Yeah.
Jeff Man: [00:50:21] Like, well, there's your problem right there. We actually, in that instance, we, we said, look, you don't need us to be pen testing you. We need to come in and let's take the available hours and budget that you have left, and let's, let's help you figure out how to rearchitect your network and set it up. So you're actually secure, not the way you think you're secure.
Um, that was actually one of my proud moments as a consultant was 'cause we had to brief, I think it was their CFO, uh, at the time. And he actually commented is like, "Wow, this is probably one of the most intelligent engagements we've ever had. It's unheard of for a company that's been hired to do something, to stop it and not just collect the money and just meet the, meet the terms of the contract, but you actually tried to help us." So they ended up being our customer for years after that. And that's the kind of stuff that I used to like [crosstalk 00:51:15].
Ron Gula: [00:51:15] And that's where I think the cybersecurity industry, we tend to be very preachy. We tend to be very thou shall do this, this framework, right? If you do this framework, you're going to be secure, follow these top 20 vulnerabilities, patch these, and you're, you're going to be good. We, we really haven't been good custodians to kind of let people go do it because it's just so easy to build insecure networks and secure software in, in, in insecure, uh, you know, websites and whatnot.
Jeff Man: [00:51:39] Mm-hmm [affirmative].
Ron Gula: [00:51:40] So, so let me ask you this. You've got all this, this experience from the NSA, from PCI [inaudible 00:51:46] what's your opinion of the effectiveness of things like the Center for Internet Security's Controls, the Internet Cybersecurity framework, e- e- even, even PCI?
Jeff Man: [00:51:55] Mm-hmm [affirmative]. So-
Ron Gula: [00:51:56] Does, does it influence anything for the better?
Jeff Man: [00:52:02] So, yes and no. Um, the, the... You've asked like three different questions here, so I'm trying to [inaudible 00:52:11].
Ron Gula: [00:52:11] We're drinking, so you can just riff and, and share, [crosstalk 00:52:14].
Jeff Man: [00:52:14] ... but, um, but I, I want to try to convey as best as possible. So, uh, you know, in the general category of what's the utility of compliance frameworks, regulatory frameworks, standards, um, what does CIS column, uh-
Ron Gula: [00:52:32] Bench- benchmarks.
Jeff Man: [00:52:32] Benchmarks, benchmarks. Um, and then there's PCI. I-I really put PCI in a separate category from everything else. Um, disagree with me if you want. That's fine. But, um, the, the, what you're asking highlights, what I think is sort of a paradox within our industry that I don't have a good answer for yet. And that is the belief that, um, that we preach and that we, especially from the vendor side of things, we sort of rely on is that well, security is best done with technology and is best done with automation and is best done with taking the human element out.
And, you know, the, the, the movie war games sort of touches on that back from the early eighties. Um, now it's manifested artificial intelligence and machine learning and are the robots going to take over humanity, but at a more practical level, it's the belief that in, in a typical organization, if you ask an individual, uh, what is their responsibility for security? Most people are not gonna talk about security, th- they, they have the attitude that it's either somebody else's problem, not their responsibility, or it's done for them by somebody else.
It, you know, if they're using an application, a service or utility, whatever it is that they're doing their business, they have a... And I think it's a reasonable assumption that the security of it is done for them. And if they're using it, it should be secure. That sort of flies in the face of what I have come to believe I learned as a classically trained, came up in the DOD, in the military and in the people that did InfoSec for a living, which was InfoSec and security data security is part of the culture and the fabric of the organization and everything you do and don't do it needs to be in relation to the ultimate security of whatever it is you're trying to protect.
That's a very long-winded s- way of saying that, um, uh, we have a problem, [laughs] uh, and we're not fixing it. And we're, and we're, we're reinforcing bad habits and behaviors. The other element of your question in terms of what's the utility of standards and compliance and things like that. Um, and I said, PCI is separate.
What I s- w- what I, I see PCI as separate because I've done PCI for the last 17 years, almost exclusively. So I am a one trick pony in that respect. I touch on the other compliance standards and regulations and things like that. As I look at them, what I see is, uh, very often, they're very comprehensive. They're very detailed. There's a lot of information there about this... If you're running this, this is how you need to secure it. If you're doing this, this is all the things that you should consider. And these are things that you should do to secure.
What I see missing in all of those things or where there's a presumption in all those things that there's somebody in the organization that understands security, understands all this like we do, and is making a judgment call on yeah, that, that applies to us, that doesn't... Not so much, we need to prioritize this, this not so much.
We're going to do these things, the, these things we don't need to worry about so much, even PCI, uh, presumes that there is a security expert that is advising you on how to interpret and apply the security standard. Within the PCI ecosystem that expert is the qualified security assessor, the QSA, which is the role that I've done for the last [inaudible 00:56:25] years.
unfortunately for PCI, uh, the way that the, the whole PCI thing is set up is literally 99% of companies that have to do PCI are not required to talk to a QSA. That's a problem. Uh, so the expertise, the advice, the interpretation that PCI relies on for companies to do the right thing is not available... It's available. It's always available. You have to pay for it. And if you don't have to do it, you're not going to pay for it. And that's the reality of the private sector. If you don't have to do it, you're not going to do it, which on the flip side is where compliance standards, regulatory standards come into play, where there's a lot of companies out there. And this is hard for people that do DOD military, national security, because it's the fabric, it's what you do.
But in the real world, in the private sector, um, some, you know, Home Depot, the CEO, when they were hacked a couple of years ago, he said, "We sell hammers, what do we care about it?" I mean, I heard that all the time. I used to work for women's clothing store. "We sell bras, why do we care about security?" So on and so forth.
Th- the attitude is why should we worry about this? It should be done for us. It should be transparent. It's not our problem. That's not our business. It's not a core part of our business. And that's sort of the, the conflict that still exists today. What compliance and regulation does is forces people to do the things that they should do. So there is a set of compliance and regulatory standards and regulations that have all the information. If you can interpret it correctly, but unless you have to do it, you have to do it.
And, and, and, and that's a good business decision. You're a businessman. Why should you spend money if you don't have to. And, and security costs money. That's, that's a glimpse of the conflicts that we're struggling with.
Ron Gula: [00:58:21] So I gave the center for internet security, some, some credit for simplifying. What they do is they, they've got, uh, different, different tiers and the first tier is very basic stuff. There's also organization. We, we've had Kiersten, uh, Todd, Todd on.
Jeff Man: [00:58:34] Mm-hmm [affirmative].
Ron Gula: [00:58:35] Um, she has, does the, uh, Cyber Readiness Institute and they, they're, they're like, "Look, focus on passwords, focus on patching, focus on fishing."
Jeff Man: [00:58:44] Focus on password. Wow that's a novel idea. We've only been talking about that for 30 years.
Ron Gula: [00:58:48] But you, we've been talking about it, but we haven't been effective talking to like the other 90% of the country or the of the other countries. So that's, that's good stuff. All right. So let me ask you, Oh, so let me ask you one more thing-
Jeff Man: [00:58:59] Sure.
Ron Gula: [00:58:59] ... before we wrap up. Two more things. So the comment you made about cybersecurity as somebody else's problem is a key part of something we've been doing here at Gula Tech Adventures, data care, right? Data care basically says, "Look, if you land anywhere in cyber you're, you're in the industry," right? And we do a job of saying, "Look, unless you're certified with SiSpa somehow you're not helping. That's a disincentive for, you know, minorities. It's a disincentive for anybody trying to join.
But the point you just made about cybersecurity as somebody else, it's because we've, we've named it. We've made a complex data here. How do you care for your data? That responsibility? We haven't done that. So how do you, how do you react to that?
Jeff Man: [00:59:40] Well, I think you're onto something and, and I agree with the, what you're trying to do in principle and, and, you know, we, we can discuss at length, the nuance differences in the way it manifests itself in different facets of our industry. But generally speaking, I agree with it. I mean, my art of the Jedi mind trick, uh, talk that I give on effective communication, trying to get people to understand why they should care about security and, and, and, you know, security at the end of the day is common sense to those if you think about it.
Um, it's, it's not rocket science, but it, it starts with, y- you know, you, you mentioned confidentiality, integrity and availability. One of the other little sort of buzz phrases, uh, that we talk about is security is about, uh, technology people in process. You know, so people process technology. And of course the whole vendor world focuses on technology, which is 90% of this industry.
And sometimes we touch on the processes and everybody likes to beat up on the people, you know, the hu- humans are the weakest link, the stupid users, the muggles, so on and so forth. Um, in my experience working with hundreds of different companies and organizations over the last 25 or so years, I have figured out, or I've observed that one of the problems is not... It's beyond that. I agree with that, but there's more to it than that.
I've gone into companies from a PCI perspective. "Hi, we're here to do credit card security, where you have credit card numbers, because you accept credit cards from your customers. We needed to protect that data." I would ask inane questions of various groups that I'm interviewing. "W- what are you, what are we about? What are we here? What are we doing?" An they'd be like, "Uh, I don't know, like, you're here, we're talking about the protection of credit card numbers, credit card data."
So I add, have added to that sort of people, process and technology. Uh, what I think is the starting point, which is purpose, decide what you're about, you know, uh, we're a classically trained in the DO, DOD where we're, we're protecting nation state secrets, uh, most top secret information, 'cause I, I used to have access to it. I was always kind of dumbfounded that when I would read something that was super classified top secret, I'm like, "This is somebody laundry list." And, and what I... No it wasn't, I'm just making that up as an example.
Ron Gula: [01:02:14] [laughs]
Jeff Man: [01:02:14] Um, but what I learned was very often what makes something top secret in the, in a DOD perspective is not the information itself. It's how we were getting that information. What we called methods and sources doesn't necessarily play well in the private sector, but what does play well in the private sector? And I don't think we've done a, a good job of communicating is what is it that you care about as an organization? Do you have data that's sensitive? Why? Are you needing to keep it confidential?
Are you needing to assure the integrity and the availability and so on and so forth? We don't talk about that. Uh, we talk about data classification and so companies say, "Well, it's open to the public or it's coming to confidential." We have, we have two different buckets.
In the DOD and we had multiple d- buckets. And not only was the, were the buckets based on, you know, the sensitivity of the data, but there was also a, uh, life expectancy. The example I like to give is, uh, if you're on a, if you're on a battlefield and we've all seen the different movies, and you're trying to call in an airstrike on the enemy position, the grid coordinates, GPS coordinates that you give to the people that are in the old days, it was going to be firing rockets or sending in bombers, nowadays it'd be drones.
But y- you know, the grid coordinates are extremely sensitive. You want to keep that, uh, information secret, uh, but you also want to ensure the integrity of it and make sure that, uh, you know, you're calling it in and not the opponents are calling it on your position. But that's, that's really, really important for like what maybe 20 minutes until the thing actually happens. We don't have that concept in the private sector of the life expectancy, uh, o- o- of the classification that did.
And that all ties to the purpose. And, and we haven't done ourselves any favors as a society by introducing, you know, in the old days, privacy data, for example, it was name, address, phone number, social security number, credit card number, bank account number. Now it's, uh, our GPS location because we voluntarily walk around with a GPS locator.
So somebody knows where we are every minute of every day, because we never put the damn things down either. Um, our, our, our viewing habits, our, our website habits, our, our browsing habits, you know, every... There's aspects of what we do that is, is valuable to some organizations out there that want to monetize it and take advantage of it, uh, that we never thought about. So we haven't done ourselves any favors by introducing all this new technology and all this new fangled stuff.
But at the end of the day, people process technology, but overarching, all that purpose, what, what is it you care about? What do you want to protect? Is it your reputation? Okay. What, you know, how much do you want to spend to protect your reputation? How much in the old days, you know, in the early days of me being in the private sector, we used to ask, "What do you want to pay to prevent showing up as a headline in like a newspaper, the Wall Street Journal, the New York Times. Nowadays would be like, h- you know, what do you want to do to prevent showing up? You know, having an article written by Krebs on security or something like that.
Ron Gula: [01:05:28] I think that's well said, all right. So as Gula Tech Cyber Fiction, we're going to close out.
Jeff Man: [01:05:32] Okay.
Ron Gula: [01:05:33] What are some examples of movie-
Jeff Man: [01:05:35] We didn't get to talk movies by the way?
Ron Gula: [01:05:37] Well, that's right. Here we go.
Jeff Man: [01:05:38] Okay.
Ron Gula: [01:05:39] What are some examples of movies, TV, books, whatever, where they got cyber security wrong, where you were sitting in your chair and you're just like, "Uh, no, it's not like that."
Jeff Man: [01:05:51] Uh, short answers, all of them, my, my, my favorite pet peeve, and it's not n- technically a security thing, but I watched shows like NCIS lately. And my wife and I had been binge watching The Blacklist, which seems like a script for queuing on. Uh, but that's another topic. Um, my favorite thing that I, that I see on all these investigative shows, and it's not technically a security thing, but if they get a fingerprint or if they get a picture of somebody and they're trying to look up the database, sorry, they always show a, a monitor with faces-
Ron Gula: [01:06:29] Yep.
Jeff Man: [01:06:29] ... scrolling across the screen, I'm like, "Oh my God, if they only knew how much that slows down the search capability, by doing all that extra stuff," it's the most unrealistic thing ever. That's my biggest pet peeve. Um, you know, the fact that you cut to commercial and you come back and you've got the answer. "Well, I had to break through 17 layers of firewalls [crosstalk 01:06:51]."
Ron Gula: [01:06:50] "It was a tough code to crack, but I did it from my keyboard."
Jeff Man: [01:06:53] Um, you know, the, the generically there's-
Ron Gula: [01:06:56] How about-
Jeff Man: [01:06:56] ... in all the shows.
Ron Gula: [01:06:57] How about most realistic? What's the most realistic hacking and cyber stuff you've ever seen in a movie?
Jeff Man: [01:07:03] Um, uh, um, I'm going to drop old school on you and I've watched all these movies recently, so I can still vouch for them, WarGames, which came out in the early eighties. It's not exactly the same today, but that certainly was a representative sampling of how hacking happened in the early days. And it was mostly just sort of opportunistic. Nobody had any ill intent. They were just trying to see where they could get and what they could do. Uh, the other new movie, all, you know, 10 years later, it came out in 92, but Sneakers, um, is, is realistic in the sense of, we sort of have this whole industry that grew up out of modeling what they were doing [crosstalk 01:07:46].
Ron Gula: [01:07:45] What's the quote, it's all about the data.
Jeff Man: [01:07:47] It's all about the information about the information.
Ron Gula: [01:07:49] Yep. All about the information. Yep. Yep.
Jeff Man: [01:07:50] Everything is all about the information. Um, more, more contemporaneous, it's, it's hard. Um, cause they all put that little Hollywood spin on-
Ron Gula: [01:08:02] Mm-hmm [affirmative].
Jeff Man: [01:08:03] ... anything that suggests I don't have any specific example, but you know, what is hacking, what is breaking into stuff. It's, it's sort of similar to the detective and police show types of things where, uh, there's a lot of leg work. There's a lot of research. There's a lot of investigative work that is implied, it's tedious and time consuming and not necessarily sexy. Um-
Ron Gula: [01:08:31] What I think is funny is some of these movies, what was kind of BS and fiction back in the day is kind of reality now. So I think we went to see the network, which has Sandra Bullock and there's a scene where they hack into the altimeter, the airplane flies into the ground, complete BS. But today that might actually be possible-
Jeff Man: [01:08:51] Yep.
Ron Gula: [01:08:51] ... which is really, really frightening. So-
Jeff Man: [01:08:53] I remember, uh, when we were s- when you had, I think you had showed up in, in the office before we became the [inaudible 01:09:01], we used to watch the X-Files. And one of these days I have to look up and figure out the episode. Um, but I remember watching an episode one time, um, where the premise of the episode was there was some super secret data that was probably about Area 51 or something like that. That was originally in hard copy and in a safe somewhere. And they were finding it that because it had been scanned, it was online. [laughs] I remember thinking [laughs] "That's so silly. Who wold do that?"
Ron Gula: [01:09:32] The, the reality winner episode of X-Files.
Jeff Man: [01:09:34] The, the, the super secret data. Why would you digitize it and put it online? That's crazy. And then of course, fast forward to today where it's all online. So, you know, so as a society, what's great about the internet is we can find anything, there's information about everything, whether you trust or not, whether it's reliable or not, that's a different story, but all the stuff that we used to dream about and think about, "If only I could remember this, if only I could do that." It's all there. That's so cool. The downside of it is it's all there.
Ron Gula: [01:10:07] All right. So your show on Security Weekly is what?
Jeff Man: [01:10:12] securityweekly.com is the main website. My show is Security and Compliance Weekly. We're, we're trying to, we're trying to bridge the gap that exists between the, the sort of hacker community silo and the everybody else that people that are just doing compliance work or auditing or assessing or GRC. What I've, what I've discovered is these, these, these silos don't necessarily talk together. They don't necessarily communicate or hang out with one another.
Each has really smart people and, and each are doing essentially the same thing. We're all about the same mission. So Security and Compliance Weekly is trying to bridge the gap that exists between two of the many silos that exist within our industry.
Ron Gula: [01:10:58] Awesome and you're on Twitter?
Jeff Man: [01:11:00] I am on Twitter. Uh, I originally got on Twitter to monitor my children when they were teenagers and I wanted to let their ki- their friends know this isn't just a friend. So my Twitter handle was Mr. M-R Jeff Man, J-E-F-F Man so-
Ron Gula: [01:11:14] Excellent. I'll put that in the show notes. Let's close out. Let's give a toast to, uh, everybody we worked with, and that we've been able, enable to get into this career. Thanks so much.
Jeff Man: [01:11:24] Thanks, Ron.
Ron Gula: [01:11:24] Thanks for this episode of Gula Tech Cyber Fiction.