
Ep. 47: David Kane of Ethical Intruder

Interview by Jonathan Kersting

Ethical Intruder is focused on evaluations that reproduce vulnerable paths a hacker may take at a business. Tactical ethical hacker teams conduct simulated malicious breaches & real-time reviews of client business applications and web-accessible entry points. David Kane tells us how Ethical Intruder produces findings that help businesses to understand where they are most vulnerable and provide appropriate asset-protecting countermeasures. Plus he talks about increased cyber risks during COVID-19 and working with Carnegie Mellon University's Information Networking Institute.

Summer of 50 PGH Tech Stories is powered by Comcast!

Transcription:

We're winding down our Summer of 50 Pittsburgh Tech Stories with Comcast. I can't believe it's like September now and we're on the homestretch to our 50 stories. And one story that we had to tell was a story of Ethical Intruder and David Kane, because these guys are doing some really great work out there. When it comes to all things cybersecurity, they're our go-to people at the Pittsburgh Technology Council on so many levels, like crazy things coming up in the middle of the day, we give Dave a call, he tells us not to worry or to worry and tells us how to guard against it, to him being part of some of our biggest events, providing support that way. And when these folks are over the years have got to know Dave and what he's doing. I think it's transformative work, especially through the whole COVID thing as well too, because there's been extra attacks going on out there. And once again, Dave's been our go-to guy and providing us thought leadership around this. Even things like using Zoom and different meeting platforms, and how to be safe on them. So Dave, welcome to the show today. So glad to have you here. Plus you got some really good, great news we're gonna talk about later that I'm really excited about, you guys working on a cool project over at Carnegie Mellon. I think it's completely rad. And I can't wait to get to that. So welcome to the show. Dave, how you doing today?

I'm doing great. Thanks, Jonathan for having me on. It's great to always get to talk to you.

Likewise, man, your company is so cool. I see if I actually had any sort of computer skills, which I do not. If I had just some I would want to do what you do because you get paid to hack. I think that's neat. That is so cool. Tell us about Ethical Intruder, kind of key services that you guys put together these days, and share.

So high level, I mean, we are a services-only company. We don't sell any products. We're just trying to make sure that hackers can get in three areas that we focus on. One is penetration testing, as you mentioned, being an ethical hacker with permission getting paid to break into systems. And then we build cybersecurity and compliance roadmaps to meet business obligations that people have to grow and maintain their business, and we focus, as you know, while on phishing and social engineering to get people that, you know, change their behaviors and not have a user be the reason why they're gonna, you know, be susceptible to the company being attacked.

So those are sort of core services.

If there's one thing I've learned over the many, many years, the Tech Council and interviewing folks in your industry, and it comes down to in this day and age, if you're running a business, even if you have to have a cybersecurity plan, you have to have a roadmap, you can't wing it anymore. You can't say I'll do it next year. It's like if you don't have some sort, and I think you need a professional for this, I don't think you can just go online and take a couple tips and tricks. I think he'd be partnering with a company like Ethical Intruder to make sure you're safe and locked down. What are your thoughts on that?

Yeah, so no, those are good points. I mean, first of all, going online and trying to figure this out yourself is definitely better than not doing anything. But, you know, we run into a lot of companies that just they don't have a chief information security officer or a dedicated cybersecurity team. And that's where it's really helpful. Or if you have a team to complement it and bring somebody in. And you know, it's interesting, there's always this sort of mantra that compliance and security has a cost, but there's also a cost to not doing it. And now the bigger too. So now that COVID said, you know, it just seems like companies are starting to, you know, realize a little bit more that they have to focus on the actual business risk, and that the unexpected, as we've seen, can happen. So going out and helping to build a framework or a program around security is really, you know, key for companies to survive.

Absolutely. You know, speaking of COVID obviously, attacks are up and they're being more clever and they're using that as a cover in order to get you to click on stuff and everything like that. Tell us what are some of the new things that are happening since COVID has started six months ago? When I say that like what like Oh, man, crazy.

So a couple things have happened. First of all, one of the major changes for organizations but those who do have a security program that they need to now look at. And for those that don't becomes really important is that the corporate boundary has changed, right? So it used to be the corporate boundary was protecting your users while they were at work inside your four walls. And sometimes you would have a telecommuter or work from home policy that you know, but now everybody's working from home, which means your boundary for your operation really has expanded and trying to figure out how to move security in that direction has been a huge opportunity and concern for businesses and also has been a huge opportunity for the hackers, right, because they now realize, you know, people are I think, you know, a couple months ago or a month ago or however long ago, we were talking about the, you know, the Twitter hack, right. And, you know, that ended up possibly, you know, being an insider threat, somebody getting into somebody at home and epilady and sort of what they knew. And then the other big thing that we're seeing in COVID, of course is a huge rise in social engineering phishing COVID related attacks, and that the key for that is that, you know, this is behavior, right? Everybody thinks that phishing and social engineering is either, you know, have HR do it because it's about training or have IT do it because they're breaking into our systems. But the bottom line is, this is human behavior.
And, you know, right now everybody is, Hey, you know, a new heatmap came out showing all the cases in Allegheny County or here to see what school district has, you know, and people are just not thinking about it and clicking and entering credentials. And so I think between the boundaries changes, and then everybody's sort of behaviors changing dramatically. That's, that's what, you know, we're seeing hackers and malicious intruders sort of focus on.

Absolutely, it's under the cover of this where you people are like the guards kind of down in some ways because they just want information and all of a sudden, like, no, keep your guard up. Don't click on So I mean, one of the coolest things you did was a few months ago, you put together this really nice piece that kind of overviews all of the virtual meeting platforms and kind of went over the pluses and the minuses and, and we've all become so sophisticated on using our platforms now, which has been kind of cool. Has there been any changes in security? So I know originally, security was a big issue. And it was mostly because people weren't setting their platforms up properly. They weren't putting all the lockdowns on but what's changed? Or has anything changed at all with some of the Zoom and Teams and so forth?

Yeah, that's a great question. So you're right. I mean, you hit the nail on the head. I mean, at the beginning, a lot of this had to do with people were using Zoom. It was great. It was coming to Pittsburgh. That's awesome. And I think people just didn't understand the functionality and the controls within this great tool that was free for people to use for all of us that are sitting at home right now.

That didn't have a platform and so there were some holes, right I mean, they went from smaller ish company to me Everybody uses. Yeah, there were some security issues. A lot of it was, and that's what our guidance was, which is understanding what's already in the tool that you can use, like having the waiting room and, and various components. But, you know, early on, as you mentioned, when we put this out, our focus really was when COVID had, we're not going to try to sell it, right. I mean, we just want to try to help people out. So we were doing, you know, guidances, we were doing free trainings, free phishing, we were even doing free penetration testing for people sort of on the front lines. And that really helped us to sort of see what people were going through helping them to work securely from home, and to get a good feel on sort of where we need to shift and move forward. You know, from all of that, but we're really glad we were able to, you know, supply all that support and sort of help people out over this first initial couple months.

I thought it was pretty awesome. In the beginning, we were all kind of wondering and just having a guide from someone that knows this stuff. up inside now may help us make decisions set things up properly. So we thank you for doing that, Dave, for sure. So let's get even more fun stuff. This is kind of like some breaking news here. Ethical Intruder, you guys are gonna be hanging out with Carnegie Mellon. Give us any details on what this is all about. It seems like you're up against some pretty tough competition to have students pick you as a project and right, you guys went out. So what's going on?

Yeah, so one of the master's programs, the INI program at CMU, and they have a master's program and, and all the schools I mean, we you know, we have students from all the schools in the region that we've brought on, and we've sort of worked with everybody but these kids and these, these students, I should say, these young adults in the science master's program, I call them kids. Yeah, they are kids. They're like, you know, they're they're, they're like rocket scientists. I mean, these are the top of the top and they're really good. And so we were had been requested by CMU to be take part in their a sponsorship for their practicum program, which is basically a semester long program, where students can go on your project. And we were like, Okay, that sounds pretty cool. And we've worked with somebody out of that program who's just, just just phenomenal. And, you know, I had heard that, you know, some of the people that have been in the program in the past are like, Intel and Microsoft and Google, and I just sort of figured those were some of the companies that sort of anticipate now and it is a competition, right? So there's a pitch night. And basically what you do is you a lot, this is like a science fair, like you, you're all on.

And there's like 10 companies all pitching to the same students to be on on their program. And so I knew there was a word there were those cool, different companies. But what I didn't realize until we got the invitation for pitch night was that we were competing against Procter and Gamble, T-Mobile, the NSA, NASA, the Department of Energy, I mean, these are all the big names, places to sort of work. So, so I'm sitting here thinking, Oh, I guess, you know, we're gonna pitch. I'm excited to hear what the NSA and NASA what their project is. And then on the other hand, you know, we have to try to promote what we're doing to get these kids excited. And so we go through pitch night, and then there's a break for about five minutes before everybody sort of goes to all these breakouts, and somebody texted me and they were like, hey, there's people in our breakout room already. So I was like, cool. Okay, we'll hop into our breakout. We'll talk to these students. Maybe they have a few questions before they hop over and talk to the NSA or, or NASA and they stuck around right. Now what we're doing is our what our project is, is where we use machine learning, to help automate the penetration testing process and provide additional insight for what we're doing and basically what we're doing and there's a few models out that are similar to this. We are taking vulnerability in analysis, we are feeding it into the machine learning into machine learning. And then mapping it to certain frameworks such as the MITRE ATT&CK framework, other frameworks that are out there. And then we're, this is a little bit different than some other projects, is that we're trying to provide machine learning output for human learning. So machine learning. So now our our Yes, cool, right? I mean, it sounds really cool. And so it allows us to, you know, reduce false positives reduce the risk of just automating attacks, and help out with vulnerability management.
And there's just a couple of sort of new cool things that we're doing that we don't think is out there in the industry. So that's our project and again, some of these.

So when did this kickoff?

You know, this week, so it's Oh my goodness.

I'd like to see like spring or something like that, but it's like this semester. No, it's like, it's like right now. Right? So I think we're having our kickoff meeting Friday because we have four students in it again from the INI program, but these are like already, they are literally like seasoned professionals when they come out of the INI program. And our faculty advisor is a new. He's new to the INI program and CMU but he's it. He's a designated subject matter expert for the Department of Defense for cyber automation, right. All right, man. So we're super, super excited about sort of adding this to, you know, we can help post COVID or, you know, during COVID, you know, to really increase the efficiency of what we're doing so super excited about it.

I'm just double pumped for you guys. And that's why I was so excited to tell you a little bit of your story day because your Ethical Intruder and it's one of these companies that really makes Pittsburgh special, you know, the work that you guys do, the way you give back to the community working on kick butt projects like this with Carnegie Mellon so much to be proud of. Dave, thanks for hanging out with us. Same be part of our Comcast Summer of 50 Pittsburgh Tech Stories really got a few more easy to tell. I'm gonna do after that.

All right, that was great being here. I was always gonna talk to Jonathan. Appreciate the time.

Transcribed by https://otter.ai