
Phishing For Answers
“Phishing for Answers” brings you insider knowledge from the front lines of cybersecurity. Listen in as we speak with seasoned professionals about overcoming phishing attacks, managing user training, and implementing solutions that work. From practical insights to actionable strategies, this podcast is your guide to strengthening security awareness across your organization.
Red Team Tactics Uncovered: Building Skills for a Cybersecurity Future
This episode features Philip Wiley, a cybersecurity expert, who discusses the nuances of penetration testing versus red teaming, shares thrilling hacking experiences, and emphasizes the importance of addressing human errors in security. He provides insights into effective cybersecurity training and the relevance of networking for career growth in the industry.
• Understanding the differences between penetration testing and red teaming
• The significance of web app pen testing and its role in security
• Thrilling hacking stories that highlight the art of ethical hacking
• Importance of social engineering and user awareness training
• Addressing misconfigurations and hygiene as common vulnerabilities
• The role of AI in shaping future offensive and defensive security strategies
• Networking as a crucial element for career success and growth
• The need for awareness and understanding of security culture within organizations
Joshua Crumbaugh is a world-renowned ethical hacker and a subject matter expert in social engineering and behavioral science. As the CEO and Founder of PhishFirewall, he brings a unique perspective on cybersecurity, leveraging his deep expertise to help organizations understand and combat human-centered vulnerabilities in their security posture. His work focuses on redefining security awareness through cutting-edge AI, behavioral insights, and innovative phishing simulations.
PhishFirewall uses AI-driven micro-training and continuous, TikTok-style video content to eliminate 99% of risky clicks, with zero admin effort required.
Joshua Crumbaugh: Hello and welcome to another edition of Phishing for Answers. Today it's my pleasure to welcome Philip Wiley, our special guest, for an episode where we focus a little bit more on the red team side of things. Philip, I'd love it if you could maybe introduce yourself a little bit and talk about how you got into cybersecurity.
Philip Wiley: Sure, and first off, thanks for inviting me to be on the show, Joshua. I know we've been connected for a while and I don't think we've got to meet in person yet, but hopefully that'll happen sometime soon.
Joshua Crumbaugh: I think we may have been at the same conferences, because I feel like we've been on the same schedule, but I don't know if you're like me. Often the only talk I go to is the one that I'm giving, and then I leave.
Philip Wiley: Yeah, okay, yes, typically I'm doing more of the lobby con after I speak. I like socializing and networking with people, so that's typically what I do after or before my talk. So, yeah, to get back on track and tell a little bit about myself: I'm Philip Wiley. I've been in cybersecurity, this past January made 20 years, been on the offensive side for over 12 years, was an adjunct instructor, taught pen testing at Dallas College, still teach workshops at conferences, passionate about helping people that want to get into cybersecurity and about offensive security itself. My role now is kind of an offensive security evangelist where I'm at, but I've kind of been that all my career as a pen tester, because a lot of times I think people underestimate the value, or sometimes it's just a checkbox, and I think people miss out on a lot when they do that. That mindset they're missing is putting their environments at risk.
Joshua Crumbaugh: Yeah, oh, absolutely. And you know, talking about people getting into this, I find that so often, at least from my perspective, with helping juniors sort of break in, it's really more of a confidence issue than anything else. Just, you know, encouraging them and letting them know that, hey, you do have the skills to break into this industry. So, no, I have a passion as well, and anything that we can do to get more people in this industry. There's certainly still a skills gap and, beyond that, I just like to see younger people learning about this career path a lot earlier and just ingraining it. So you're on red teams 20 years. You must have a few favorite hacking stories.
Philip Wiley: Yeah, so just to make sure, for clarity, it's 12 out of the 20 years, so most of it's been actual pen testing. I've done a couple red team operations. It's mainly been on the pen testing side of things, and a lot of times there's a lot of confusion between the two and they're used synonymously, pen testing as red teaming. My definition of red teaming is adversary emulation. So you're going in, the control team knows the pen test is going on, it's not widely advertised like a pen test, and it has kind of different goals. A lot of times people kind of get that confused, and I think it's okay to use the terms interchangeably, but make sure you understand the difference, because if you're wanting a pen test done for your company, or a red team operation, you'd want to make sure that you're on the same page as the consultant or whoever your internal resource is doing the assessment.
Joshua Crumbaugh: Yeah, and one thing I might add there is, you know, red team is by far not something to go to until you're a lot more mature. It's best to start off with a penetration test because you're going to get more coverage. You know, they try to move very quickly, but they're not worried about trying to avoid getting detected by your different controls in a pen test, whereas in the red team they're going to really, really test you much more, but they are trying to avoid your controls. So, well, cool. Any fun stories, you know, maybe a time you almost got caught or anything like that that really stands out that you'd like to share?
Philip Wiley: Yeah, one of my most fun hacks of all time was getting command line access to a Microsoft SQL Server through SQL injection. So I was doing a web app pen test for this company back in one of my consulting jobs, and I was doing my Burp Suite scans and noticed that it could possibly be vulnerable to SQL injection. So I used sqlmap to validate. I ran sqlmap to see if it was vulnerable and, sure enough, they had xp_cmdshell enabled and I was able to get command line access, dump the password hash and crack the password hash using John the Ripper. Hashcat was probably out in 2014, I just hadn't used it yet. But even with John the Ripper, I was able to crack the hash in less than 30 seconds, and the password was "password", all lowercase, and the number one.
Joshua Crumbaugh: I love it, and I can't tell you how many times I've seen admin passwords like that. I got domain admin over the phone one time and the guy's password was password one, but this one had an at sign instead of an A, so it was ultra secure, ultra secure. No, I love it. Actually, for anyone new, or I guess newer, to ethical hacking, getting a shell on a web app pen test is one of those almost holy grails, if you will, and very few people actually have that as one of the things that they can claim.
Philip Wiley: I've had it happen a few times myself, but that's a really big feat. For people that are considering getting into web app pen testing or network pen testing, if they decide they want to specialize: with web app pen testing you get less of those experiences where you actually get to get system access. You might get lucky enough to get data, which is still important, but that's some of the differences between the two, because when it gets into the web app pen testing, it's kind of less of the fun hacking type, in my opinion.
Joshua Crumbaugh: Yeah, I mean, well, I will say the network pen testing really helped me with that, because I look back on it, I started in network pen and then moved into web application or application penetration testing later on, and it was that experience, that background, that made it to where I easily knew how to go in and pop that shell. And so I do think getting the opportunity to look at both and sort of get your hands dirty on both sides really helps round out your skills as well.
Philip Wiley: I agree, and that's one of the things too: a lot of times people that are doing infrastructure pen testing or network pen testing kind of overlook the value of the web app pen testing, because there's a lot of consoles and IT administration tools and security tools that are running on Java application servers.
Philip Wiley: So sometimes the way you get in is the weaknesses through those applications.
Philip Wiley: Because, you know, they're installed in a console, people really aren't doing a lot to secure it, and it's one of the ways in. So some of the network pen tests I've done before, it was either Apache Tomcat or Red Hat JBoss Java servers having default credentials or allowing unrestricted uploads, where you could upload a malicious WAR file, which converts into a Java page, and you're able to upload your shellcode or any kind of malicious type of payload, you know, like using Metasploit and so forth. But it's one of the ways to get a foothold, because in some cases EDRs and the servers themselves are pretty secure and it takes an application weakness to get a foothold.
Joshua Crumbaugh: Yeah, and I can't tell you how many times I still see those types of issues to this day. So, yeah, I think that's a great one, and I know I personally used that exact method more times than I can almost count to get that initial foothold and to gain access to more credentials that I could use to spread to more systems. So, yeah, absolutely. Do you have any social engineering stories from throughout your career that maybe you could share?
Philip Wiley: Yeah, it was kind of interesting. One of the stories I like to share was one time we were doing this social engineering assessment or engagement, and my job was to actually do the pretext calling, to call up the client and try to get them to go to the malicious website that we'd set up, trying to get them to log in. So the pretext we came up with was we tried to push out updates to the systems, but some of them may have missed it, but if you go in and log into the system, it'll tell you if you're patched or not and it'll patch your system. And one of the things that kind of helped me during that was my IT background.
Philip Wiley: So before I got into security, I spent over six years as a sysadmin, working with people, helping them with issues and stuff. So one of the people that I called to try to get them to log into the system to enter their credentials, they were having email issues, a problem with Outlook, and it's something that I ran across a lot of times, so I was able to help them out with it. So they thought they were legitimately talking to someone on the help desk. So for anyone wanting to get into this type of career, when it comes to social engineering, some of those things, if you have a help desk, desktop support or sysadmin background, any kind of IT experience, that can help you in those roles, because you're trying to play a specific role. Say, for instance, you were trying to pretend to be a telecom employee working on someone's Internet connectivity. If you understand that area, you're going to do a little bit better than someone that's coming in without experience.
Joshua Crumbaugh: That's something I've been seeing happen a lot more in the wild with actual attacks targeting organizations. One of the benefits of owning or founding a security awareness and phishing simulation company is that we also have the button deployed to millions of endpoints out there and I get to see all of the different phish that are being reported. And to what you just said about what makes somebody that's looking to get into this really good, having that background, understanding the processes and the procedures and the way these things actually work: we're seeing that in the wild, too, where the bad guys are trying more and more to exploit our existing business processes. So it's not just the really obvious stuff these days, it's also stuff that understands your organization, the hierarchy and how your business is even potentially working, or at least how that works as a whole within the industry. I don't know how much exposure you might get to that, but are you seeing any of that as well?
Philip Wiley: Kind of, some of the things. Yeah, because my last pen testing job, that ended at the end of February. But yeah, you see more of that. And also, as far as people trying to break into the industry, to kind of go back a little bit and cover some of that importance, as a pen tester there may be times that you have to set up a phishing website, clone a website. So if you have that sysadmin or IT background where you can spin up some infrastructure or clone a website, that stuff could be helpful.
Joshua Crumbaugh: Oh, absolutely. I mean, I can't tell you how many times, and not just how many times but how many simultaneously running servers we would have out there doing a number of different tasks. So, yeah, being able to understand the basics, understanding how networking works, how to handle port forwarding and how to do things like SSH tunneling, all of those things are really critical. And so, yeah, those core skills around help desk, networking, IT are all very, very valuable. I had one time, or not really one, I guess there's a few different times when I've got the opportunity to work with people that came from a development background on pen tests, and they all brought a whole different group of skills and knowledge to the table that we were able to utilize as well. So it's not necessarily just one path there; there's a lot of different technical fields that can absolutely help you in sort of going there. Anything you want to add there?
Philip Wiley: Yeah, one of the things I hear a lot is people asking, do you have to be able to code or script to get into cybersecurity or pen testing? And my opinion is you don't have to have it, but it kind of helps you accelerate your career if you do have that skill set. And then also, you mentioned some people that have the coding skills. That's a good way to kind of find your way in: find the area that you've got the most experience in. So if you've got experience in development, then application pen testing will probably be a better choice for you. If you've worked as a sysadmin, network administrator or some other IT function, then maybe network pen testing may be a good way to get in. So that way you've got some experience in it.
Philip Wiley: That's kind of like whenever I got into pen testing. My background was, you know, over six years as a sysadmin, network security, had been through Cisco CCNA certification, MCSE and all that. So all this learning and background and experience I had made it easier for me to land a job doing network pen testing. Of course, I got to learn application pen testing as I went along, but it made it a lot easier being able to rely on your past experiences, so that way you're not just coming in completely blind. Because when it comes to hacking something, you need to understand the technology before you can secure it, and understand the security and the technology to be able to break into it. So it's important to have those backgrounds.
Joshua Crumbaugh: Okay, so to switch subjects a little bit here, on the human element, one of my focuses has really been around how do we use social engineering as a form of good. Are there any sort of tricks, best practices, just tips, things that you've learned along the way that you found to help out with making training programs more effective or making phishing awareness more effective, any tricks at all that you might define as social engineering for good?
Philip Wiley: I think one of the things that's more helpful is actually showing them how the attacks work, showing what can happen by simply clicking on a link, and that's one of the things too that I think kind of gets missed a lot with phishing campaigns nowadays. There's a lot of really great tools out there that you can do your phishing campaigns with, but there's no payload, so you're really just testing security awareness. So if you have a payload, you're able to test what happens if a true phishing campaign happens, someone's sending a malicious payload, whether it be malware or some type of ransomware. You're able to test for that.
Philip Wiley: But I think really just kind of showing technically how these things work makes it more interesting, because whether someone wants to be a pen tester or not, people always seem to be fascinated with hacking. So I think if you can show how those different types of attacks can be leveraged, you make it interesting for the person and it makes it a lot easier to understand why they should do these certain things. I mean, a lot of security awareness training contains these things, but they really don't go into enough detail. But I think if you make it a little more interesting, show them how things work, you know, do some kind of demos on how you could pull off a phishing campaign, I think it'd make it more interesting and kind of get through to them how critical it is to be careful whenever you're getting strange emails.
Joshua Crumbaugh: Yeah, I had somebody on yesterday that was talking about using that sort of show-them approach. Their example was a sysadmin that really didn't think that it could happen to them. It was, you know, it was just in Hollywood and it wasn't real life. And by showing that demo, it really helped that sysadmin change their approach forever. And so, you know, to that point,
Joshua Crumbaugh: You know, one of the key things when setting up a phishing campaign, whether it's as part of a pen test or as part of security awareness, is really looking at and defining what the goal of this is. And you know, if the goal is to test security or things like that, then absolutely throw in that payload and those sorts of examples. While you can't do them for everybody, if you can do them for a few people, they really do tend to spread like wildfire throughout the organization. In my experience, people talk, and instead of just this thing that's only Hollywood, it becomes this thing that's more real, particularly when the IT guy's like, no, I saw it firsthand, it's real, it's not just Hollywood. And so it really does have those benefits.
Joshua Crumbaugh: But I mentioned that it's important to know what the goal is because I also feel very strongly, on the other end of this, that when it comes to phishing for security awareness, the last thing we want to do is exploit the user, and the reason is because, at the moment that mistake is realized, they are uniquely susceptible to learning. And so if we can anchor that and have that just-in-time training, you get really good retention right then, and that's the only reason I'm really opposed to it: it's just that it's a great opportunity to get them to actually pay attention. But when you're doing a pen test, oh man, those things work for years, the word that spreads about that example. No, they were in my email, or they were on my desktop, or, you know, they had a screenshot of me, whatever.
Philip Wiley: And sometimes the value of that is, even if you're able to phish one or two people, just seeing what happens if it clicks. Are there things that you can do, you know, to prevent any kind of PowerShell downgrades or any type of tools being executed? Almost in a purple team fashion, just seeing what's possible. That way, even if you test one or two people, you can see what's possible and you know what to remediate to prevent any kind of mass effect on the whole enterprise.
Joshua Crumbaugh: Oh, absolutely, and I think penetration testing is incredibly critical for any organization. The penetration test helps you understand what your risk is and what you need to work on and improve, and so understanding those different elements helps you limit the breach if it does happen. Okay, so let's say a computer system is compromised. Well, we want to make sure they can't move around on our network, we want to make sure they can't escalate their privileges on this computer, and that's, you know,
Joshua Crumbaugh: The value in the penetration test is testing those things and telling you, well, turns out you can do this, or we were able to get around all your security controls by doing this, or whatever it happens to be. Because the hackers are creative, and that's why you need a really good, creative ethical hacker, like Philip, for example, or myself. They get very creative, and it's not just going to be the obvious. Well, they phished us and that's how they got in. It's chains of attacks, and it could start with phishing, but it could start with a million different things and they're going to chain them together. And the more you understand that risk, the more prepared you can be.
Philip Wiley: And, as you mentioned, by chaining those risks together. It's not always critical or high vulnerabilities, it's chaining together several lows or mediums, and it's not always a CVE. It's just different hygiene things like weak passwords or different misconfigurations. It's not always just a specific CVE.
Joshua Crumbaugh: Oh, absolutely, and I can't tell you how many times a couple of lows and maybe a single moderate would turn into a critical. And I think that's the other thing: your tools aren't going to tell you how these things can be chained together, whereas that ethical hacker can tell you, or will tell you, how these things can be chained together if they're good and they understand what they're doing. So I do want to make sure, or spend a little bit of time on, a question that I'm very passionate about. I think I know where you stand on this, but for the audience: when it comes to those chronic clickers that every organization has, or whatever you might call them, the people that like to click a lot on a lot of things, what's your opinion on the question of carrot versus stick? And I know it's not so simple as just one or the other, but let's oversimplify it. If you had to pick one, what would it be and why?
Philip Wiley: Yeah, I prefer to reward people for good behavior instead of bad behavior.
Philip Wiley: Because, you know, think back to when you were a kid: you did something wrong and you're not going to tell your parents because you're going to get punished in whatever fashion, so you're not going to say anything. And it's the same thing with people nowadays. They're worried about maintaining their jobs. They're worried if they click on the wrong thing, are they going to get fired? You know, what happens if they clicked on something that could lead to a breach? So I think really rewarding good behavior. You know how a lot of companies will do these programs where if you're walking X amount of steps a day, you're eating a certain way, eating healthy, exercising, they reward you, and it comes out of your health benefits, they actually come back and discount your benefits, so you kind of make some money off of it. So why not do the same thing with security behavior? Reward people for good behavior, announce the winners each month to get people to strive to be more secure, make it a culture, instead of punishing people for doing the wrong thing.
Joshua Crumbaugh: I couldn't agree with you more. I agree that it's all about telling people when they're doing right, catching them doing the right thing and praising them for it, more than it is about punishing. And one thing that was pointed out the other day on the show was that when somebody is forced to do something through sticks, they're going to find ways around it. They're not motivated, they're not engaged, and so they're going to look for any way that they can cheat or get around it or not have to do it. And so when you use rewards, they're more motivated. You can actually change somebody's behavior and make them want to learn. And when they want to learn, it's a whole different environment.
Joshua Crumbaugh: And I think that's one of the critical things. There was also this thing called learned helplessness, and it talks about that person that maybe is really proud of their ability to detect a phish, but they're not a technical person, they're just, no scam is going to get me, right?
Joshua Crumbaugh: And then, if you hit them with a bunch of really unfair phish, like they use a bunch of internal information and there's no real red flags, all of a sudden they start clicking, or they click a few times and they lose that confidence, and they actually become less secure as a result.
Joshua Crumbaugh: It's so important to focus on the positive and to build their confidence and to give them kudos, because the last thing we ever want to do is make people less secure than they were before they went through the training. Okay, so one of the things that I am always very fascinated about from a pen test perspective is, while phishing gets the bad rap for starting almost every attack or every breach, that's really just the tip of the human iceberg, if you will. In my experience, it was the mistakes of IT that led to us getting full control of everything, and the mistakes of other departments, maybe, on how they would protect data, that led to us being able to get our hands on the sensitive data. What are some of those other common human errors that you've seen in your pen testing career?
Philip Wiley: Yeah, I'm kind of on the same page with you. Misconfiguration. So a lot of times it can be misconfigurations from IT, developers or just individuals, you know, like password reuse. A lot of times, trying to get a foothold from an external pen test, if you're not able to, or if you don't have phishing as an option, then you're going out and getting the different password dumps and doing password spraying, that way to try to get a foothold in. And so usually it's more things around hygiene, back to that chaining the lesser critical type of vulnerabilities together. Just taking advantage of bad hygiene is one of the better ways for a threat actor or a pen tester to get a foothold.
Joshua Crumbaugh: Oh, absolutely. So, along those lines, one of the things that I like to ask every pen tester I get on this show is, if you were to pick a few different roles inside of an organization that you thought were the most critical to address when it comes to role-based training, what roles would you prioritize?
Philip Wiley: Yeah. So what I'd prioritize is your front desk people, because this is going to be one area that people are going to try to bypass. Any administrators that are serving, you know, the CEO, CISO, CTO, different C-level executives, and focus on those, because those are going to be some targets that people are going to go after. And a lot of times, with social engineering and phishing campaigns, unfortunately, some companies will ask that those particular people be removed, like the people that they're serving, and really they should all be tested as well, because these are going to be the people to go after, and if you're not including these people during phishing campaigns, social engineering, then they're not being tested, you don't know how they're going to react, and so that's just kind of overlooking a possible vulnerability.
Joshua Crumbaugh: I couldn't agree more. And those same executives tend to be very high profile and very publicly visible, and what that means is that they're some of the most targeted users in the organization, which is that much more reason that they need to be included in that testing, because, God forbid, if they start clicking on stuff, we need to know, so we can go talk to them and figure out how we can help them be more secure, for sure. So, AI. Man, there's just so much that we can talk about with AI. Let's start with offensive. Have you played around with using AI for hacking yet at all?
Philip Wiley: Some, a little bit, with like scripts, and I see a lot of value in it for, you know, phishing campaigns and stuff, especially for threat actors. That's a prime way that threat actors have leveled up, because for threat actors English is not always their first language. And then, depending on what country you're in, whichever nation state or whatever threat actor is using generative AI to help up their game, they're able to produce more convincing documents and emails. That way it goes by a little bit quicker. So those are some of the things that I see.
Philip Wiley: The really cool thing about ChatGPT and the different generative AIs is seeing how the creative minds of people in the offensive space have come up with different GPTs. Jason Haddix came up with some that are pretty good that he created through his consulting company, that make it easier for bug bounty and pen testing. So it's really interesting how that's kind of growing in that area. But one of the things I'm really looking forward to seeing is how AI helps with the defensive side, because everyone is focused on the offensive side, you know, from the threat actor perspective or from using offensive security to protect organizations. But the thing I'm really curious to see is what happens on the defense side. One company I learned about earlier this year had created a co-pilot for blue teamers that they can use to help them in their day-to-day skills. So those are the kinds of things I'm really looking forward to seeing, that and any kind of enablement of AI within existing products to help make those better.
Joshua Crumbaugh: Oh, yeah. A couple of things there.
Joshua Crumbaugh:In terms of localizing content, we're absolutely already using that and we see it ourselves as a phishing simulation company, and what's interesting that we learned early on was that if we need to create you know, fishing simulations for you know people in you know, Asia, we are better off using Baidu's large language model it has those local colloquialisms.
Joshua Crumbaugh: Or if we're in the Middle East, we're better off using Falcon. And so one of the things that we've done, and I imagine that the bad guys are doing too, is using these different models that are very localized to different parts of the world in order to get that language that much more dialed in. Another thing: you were talking about some of the cool defensive capabilities. One of the things that we were able to do was train an AI, or a large language model, on the cognitive biases that are used, as well as just the general psychology utilized in phishing attacks, and use it to create an email security appliance that's coming to market in 2025. I mean, I bring that up because that, to me, is the exciting part: being able to have a computer understand things that it didn't understand before, where we were only limited to those technical indicators. But now we can look at other avenues of indicators that maybe are a little bit more reliable sometimes than the technical, which is so much of a moving target.
Philip Wiley: Yeah, it's going to be really interesting to see. Like I said, I think, too, people are more focused on the offensive side, but it's really going to be interesting to see what happens on the defensive side, and I'm sure there's a lot of stuff in the works because, you know, if you go to RSA, this year I went to RSA, you see a lot of stuff each year that's AI enabled.
Joshua Crumbaugh: I never even left the CSA's AI village while I was there, so it was all about AI this year at RSA. Well, hey, so AI is really awesome from that defensive perspective and a little bit scary from the offensive perspective. What are you seeing as sort of the needs around education? AI, to me, has definitely changed how we, or at least increased the complexity of, our security awareness training. What areas do you think are most critical in terms of educating users about AI?
Philip Wiley: Yeah, I think they need to be educated to use it safely. So if you're using a public AI, like OpenAI, not your own LLM, you need to teach them what information to put in. So if you need to create a document, you're not putting intellectual property or personal information, company information in there. You're working around that, so teach them how to properly do it. So a lot of times, education is just one of the best things to do. If you've got people using AI, why not, you know, get them some training on generative AI, help them become better at what they do, because they're going to be better working, and then just kind of help build some security around that to show them how to do that securely.
Joshua Crumbaugh: Yeah, absolutely. So, way off the subject, but there's some really cool things happening in the world of technology right now. Everything from, did you hear about the human brain that you can rent in the cloud, that was, I don't know, produced over in Europe?
Philip Wiley: No, I haven't seen that.
Joshua Crumbaugh: Yeah, so I guess some scientists in Switzerland figured out how to put human brain cells into a cloud and to keep them alive. They only live for an average of like a hundred days. They're feeding them dopamine and literally shaking them, and it costs 500 pounds a month to rent the human brain in the cloud. But, you know, it's also led to the advancement of a lot of new medical treatments, and they're actually predicting that sometime in the 2030s we're going to pass the longevity escape velocity, which is a really fancy way of saying if we have enough money, we won't have to die anymore, because medicine is supposed to get to that point where, potentially, somebody could live indefinitely. And so I think it really is very interesting, sort of everything that's going on. Is there any sort of crazy tech news you've seen that maybe you can share?
Philip Wiley: Yeah, I haven't really seen anything, but just kind of that whole idea of the medical side of things. It's kind of nice to have AI because, you know, one of the things some people may not think about is, if you think of big data, how big data was such a huge thing. Data analytics was so big for so long, and some people working in the area were using AI, and now it's more readily available, and now people are able to take that data and do more with it. So you can just imagine all the data that's collected from any kind of tests, you know, any kind of medical testing being done, to be able to quickly diagnose people, because, you know, these doctors are overwhelmed with work, and different other people in the medical field, so having something like AI to help them do their jobs better is great. Maybe that'll help lower the cost of medicine too.
Joshua Crumbaugh: Hopefully, yeah. And, you know, I think that along those lines it's not even just helping them do their jobs better, it's helping make sure that they have the information that they need between multiple different physicians, because, you know, somebody has like a chronic disease or something. Most of them have a ton of different doctors, and they're going to different doctors for different things, and so I think that there's a lot of opportunity there around making sure that that doctor has all the information they need. But even in the early days of ChatGPT, it was phenomenally good at diagnostics, and so I think that we're going to see a lot more of that in the medical field in the future. Well, any pet peeves? Before we wrap up here, one of the things I love to do is give all of my guests an opportunity to get on their soapbox, so feel free, fire away. What do you have for us?
Philip Wiley: So one of my big pet peeves goes back to that pen test where I got command line access through SQL injection. I was working as a consultant when I did that test, and so when I wrote the report and sent it out to the customer, the customer came back and said, oh, this is a development box, we're going to file risk acceptance. So I think risk acceptances are good, but don't use it to avoid risk. I mean, if you need time for budget and some certain things to be able to remediate, I can understand. But you need to use those wisely because otherwise you're just knowingly accepting the risks, which sometimes could lead to a breach. So you really need to do that wisely, kind of.
Philip Wiley: One of the other things too was back to the comments on the phishing campaigns, you know, like you guys offer. The educational phishing campaigns are needed, but I think people need to test with some payloads in those to kind of see, you know, what could be prevented if you're aware from what happens, to be able to remediate any of the possible threat vectors there. And then just with pen testing, just don't treat it as a checkbox. People need to be compliant, but if you're only focusing on your PCI environment, everything else could be insecure, and someone could, you know, there's other data besides your cardholder data. There's valuable employee data, you know, if it's a healthcare company, you know, healthcare data, intellectual property. This all needs to be protected. So we just really need to take more of a mindset of being secure, not really being compliant. If we're secure, then in most cases you're going to meet the compliance.
Joshua Crumbaugh: Yeah, no, I agree. And to that point, one of my pet peeves is that so often I see compliance treated as if it's the finish line. And it's the starting line; it's the minimum set of standards that we have to have in place. And so, to what you said there, when we get secure and we worry about just being as secure as possible, compliance comes naturally, and rarely is there going to be a whole lot that you have to do to get into compliance if you're just doing best practices to begin with.
Joshua Crumbaugh: Well, hey, I really appreciate your time today. Any sort of final words or tips for the listeners before we sign off today?
Philip Wiley: Sure, one of the things is I know a lot of people have been affected by layoffs and there are people trying to break into the industry. One of the best things you can do for your career is networking, and this is not just LinkedIn. When you connect with people on LinkedIn, go to different cybersecurity or different user group meetings and conferences and make sure to connect.
Philip Wiley: I see a lot of folks that get out there, and I had a mentoring session with someone a while back that was wanting to build a personal brand. They liked what I was doing and wanted to replicate it, and one of the big mistakes they were making is they'd go to a conference, give their talk, they were done, they'd leave. But you've got all this opportunity to meet people and talk to them, and one of the things I always do when I've gone to conferences, I make sure to, you know, say hello to everyone I know there, and it's gotten me opportunities to speak at other conferences, because I saw someone from this conference attending this conference, go talk to them, and they say, hey, we need someone to teach a workshop. Would you be interested in teaching a workshop?
Philip Wiley: But just get out there and network, and this is really huge for students just getting out in the workforce, because this is often not, not always, emphasized in college, to do the networking thing. Because a lot of those folks, you know, getting a job in a university or college is a little bit different than corporate America, and so a lot of them may not realize the power of the networking, but you definitely need to do that while you're in school. You know, network with the people you're in school with, because they could be your next job or you could be their next job. So that's one of the closing words that I would like to share.
Joshua Crumbaugh: Yeah, and just adding to that, I would say networking is really critical to being good at information security in general. I know it's an industry filled with introverts, but every CISO and CIO that I ever talked to really tends to push heavily on: we need to be out there talking to every department, talking to people, learning about how they do things, because that's where we find a lot of the risk is, in those conversations and building those relationships with different business leaders in the organization. And so if you ever do want to get into management, and even just to really excel, having those communication skills is so critical, and it's largely about learning how to convey these technical things in a non-technical manner so anyone can understand it. I agree. All right. Well, hey, it's been an absolute pleasure. Thank you for joining me today, Philip, and, as always, everyone, have a great day.