13: Security Suplex with Phillip Wylie

A “Suplex” is an offensive move used in wrestling by which an attacker uses his weight to throw a defender. Phillip Wylie’s unusual journey into the field of cybersecurity is preceded by his career as a powerlifter and pro wrestler for the WCW. He has since taken full control in the industry as an offensive security professional. He is an established Red Teamer, Pentester, Ethical Hacking Instructor, and founder of the PWN School Project – an education-focused cybersecurity organization that offers free pentesting and ethical hacking education to the public.

Phillip and I take over the bar to discuss his exhilarating path into cybersecurity, bug bounties, ethical hacking learning resources, and more!

SYMLINKS
Twitter
LinkedIn
INE
The PWN School Project
The Hacker Matter
Billy Bob’s – Fort Worth
Gas Monkey – Dallas

DRINK INSTRUCTION
NEGRONI
1 oz Gin
1 oz Campari
1 oz Red Vermouth
Half Orange Slice
Combine all the ingredients, except the orange slice, in a mixing glass with a few ice cubes. Stir with a mixing spoon. Pour into an old-fashioned glass over ice. Garnish with the half orange slice.

CONNECT WITH US
Become a Sponsor
Support us on Patreon
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com

Chris Glanden 01:42

I am here with Phillip Wylie, Red Teamer, seasoned pentester, ethical hacking instructor and founder of the PWN School Project, which offers free pen testing and ethical hacking education to the public. Phillip, thank you for your time, and welcome to BarCode.

Phillip Wylie 01:58

Thanks for having me, Chris. It’s an honor to be joining.

Chris Glanden 02:02

So, you’ve certainly taken an unorthodox path into cybersecurity. I’m very interested in hearing your story. Where exactly did your journey begin?

Phillip Wylie 02:12

When I graduated high school, back in 1984, computers were in the school, but IT and cybersecurity definitely weren’t even on the radar, and when I graduated, I didn’t know what I wanted to do. I was a powerlifter. My friends said, “Hey, you’re a big guy. Why don’t you be a pro wrestler?”

So, I thought that sounds kind of fun. So, I went to wrestling school and wrestled for a few years. While I was wrestling, I wasn’t able to make, you know, enough money to support myself off of wrestling. So, I worked as a bouncer at a nightclub. That was my main job. So, I did that. I ended up getting married in ’88, and I needed a better source of income.

So, I worked various different jobs that were more conducive to married life. I worked in retail sales, worked in restaurants, did manual labor and all that stuff, and I really didn’t like any of it, and those jobs really didn’t provide the insurance and benefits that you need with a family. So, I went to trade school and learned CAD, and got a job as a CAD draftsman back about ’94 or so. Then I found out about sysadmins during that time, because the companies I worked for didn’t have dedicated IT, and based on what the sysadmins that were consulting for our company were making… They were making about twice as much as what I was making.

So, I taught myself how to build computers, eventually took a Novell NetWare CNE certification course, and learned about the Novell NetWare network operating system, which was the main one before Microsoft really took off, before Microsoft created their own directory service, Active Directory, which is a little harder to manage. So, most companies were using Novell Directory Services for their directory services to manage their environment and their users and all that.

So, I did sysadmin work for a little over six years, found out about security, moved into security in January 2004. Did network security for about a year and a half, and then the company hired a C [phonetic 04:23], so he came in. He had a better idea of what modern security organizations were like. We were all doing network security, all doing firewall and intrusion detection and that sort of thing, and when he came in, he divided us up into different sections, and unfortunately I got put into application security, and through application security, that’s how I learned about pen testing, by using different web application vulnerability scanners. When I got laid off from my job in 2012, I went to work as a consultant performing pen tests, worked in consulting for about five years, really got tired of all the travel, and went to work for a bank doing pen testing, got out of the consulting part of it. Spent a while at the bank and then went to work for a company doing Red Teaming, leading a Red Team, and then the more recent job, I got more into the education side of things. I had been teaching at a community college, and the opportunity came up to work for a company that creates educational content for the US military. So, I focused more on the educational side of things. So that’s where I came from and how I got here.

Chris Glanden 05:30

That’s an awesome story, and you mentioned wrestling.

Phillip Wylie 05:35

Yeah, ’cause I was wrestling in the NWA, or WCW. It was originally the NWA, the National Wrestling Alliance, and they retitled it, like, World Championship Wrestling, or World Class Wrestling, whichever one it was, but WCW was the Road Warriors, Ric Flair, and all those people. That’s where I got my start. But I did also wrestle locally in the Dallas area, through the local wrestling here. So, both nationally and locally, but it was televised professional wrestling.

Chris Glanden 06:07

Nice. Very few people can reach that pro level; that’s quite an accomplishment. Now, I heard about this story about wrestling a bear.

Phillip Wylie

It was while I was wrestling, because I was working as a bar… I mean, not a bartender, but a bouncer at a nightclub, and since I was a local guy and was a pro wrestler, they had this wrestling bear coming in. They would do special events. You know, the nightclub would run bands, like, on Thursday through Saturday night, but it really wasn’t worth the money to pay the bands to have them on Sundays. So, they’d have different events, usually less expensive. So yeah, they decided to do this event, bringing this wrestling bear in, and since I worked at the club and I was a local guy, they asked me if I’d wrestle the bear.

So, they took some of my wrestling promo pictures and pictures of the bear, and created these posters and put them all over town to try to help bring in people for the event, and it wasn’t only me that got to wrestle the bear; anyone who wanted to wrestle the bear could wrestle the bear. So that’s how that happened. It was an interesting thing, and it’s funny how it’s helped me more in my professional career, giving some people something to remember me by, than it did in my wrestling career.

Chris Glanden 07:26

That’s insanity. That’s something that I’m sure you carried over into your cybersecurity career.

Phillip Wylie 07:33

Yeah, for me, what really helped was… You know, this all came out of powerlifting: being competitive, being goal oriented. I was always setting goals for myself. Back earlier on it was more related to powerlifting, things that really didn’t help me career-wise, but that transferred over to my career. So, when I worked in consulting, we had billable hours, so I made sure to make my schedule where I could be as billable as possible, just other things I’ve tried to do my best in… So that’s just kind of carried over into other areas, I mean, from powerlifting to my professional career. You know, I’m not the best at what I do, but I try to be the best I can, and try to really do good in the areas I’m in. One of the things I kind of learned too, as I’m getting older, is back when I was younger, I could compete in open divisions in powerlifting.

So, I was competing against people, you know, quite a bit younger than myself. But as you get older, that’s kind of hard to do. You start, you know, your strength is not as good as it once was, and you have to take that into consideration, and the same thing with working in the offensive security field. There are younger people coming up, and they can put in more hours, stay up later, because that’s easy to do when you’re young; it’s more difficult when you’re older, and I kind of learned that my place is probably a better fit as a coach and a teacher.

So, moving into those roles has actually been better for me, working in those roles. There may be other pentesters, but I think, you know, it’s easier for me to be one of the better coaches or teachers. So that’s where I kind of settled in and accepted that age, and people need mentors and coaches and teachers.

Chris Glanden 09:14

Did you have any mentors when you entered the industry to guide you, or did you lean on self-study?

Phillip Wylie 09:21

It was self-study, myself and some other people that I knew when I was getting started, who would share resources. Back in my powerlifting days I had mentors, because when I first started powerlifting, the guys that ran and owned the gym where I worked out coached me, and so I had mentorship there, and, you know, a lot of the lessons I learned from powerlifting carried over. You know, people think it’s a meathead sport, but there’s a lot of discipline and things that you gain from sports. I mean, even if you’re in it for a little while, you learn, you know, teamwork, you learn work ethic and that sort of thing, and setting and working to achieve goals.

Chris Glanden 10:04

Really? You’ve been in the industry, then, for a while now.

Phillip Wylie 10:07

2012 is when I started pen testing. But as far as just pure security, I started in 2004. But I started as a sysadmin in ’97. So overall, I’ve been in IT and security for a little over 23 years, and most of that’s been security related, with the last eight and a half years or so in offensive security.

Chris Glanden 10:29

Got it, so heavily focused on the pen testing and ethical hacking side.

Phillip Wylie 10:33

Yes.

Chris Glanden 10:34

How has the practice of pen testing changed and evolved into 2021 versus when you first got involved, from both a toolset and a mindset perspective?

Phillip Wylie 10:44

Yeah, it’s interesting. One of the biggest changes was the amount of people in the field doing pen testing. Because when I got started in 2012, that was really before… I’m not sure PCI was a requirement then; people weren’t doing pen tests towards that. It might have been, if you think. Actually, PCI was just getting started, because I remember one of the first, or one of my first solo network pen tests, was for PCI, but it really wasn’t that big of a requirement, and most of our jobs weren’t focused on PCI. But as the need for PCI grew, more companies needed pen testers.

So, the biggest thing I saw was it going from contractors and consultants to people having their own internal resources. I remember when I was starting out, like in the local Dallas security and hacker community, I would go to meetups and it’d be like Wirefall, the guy that runs and founded Dallas Hackers Association, it’d be he and myself, and maybe one or two other people that were pen testers, and now it’s amazing how it’s grown. So mainly, the way it’s grown has helped. The learning resources have helped a lot. There have been a lot of great resources over the years. When I was getting started out, there were some resources, but there weren’t as many free resources. You know, when I was getting started out, you had like g0tmi1k’s blog, you had… [inaudible] had some stuff out there. So, you didn’t have all the blogs, and now it’s just amazing, all the free stuff and blogs out there and learning resources.

Phillip Wylie 12:14

You know, when I started out, I had the Offensive Security stuff, because one of the first courses I took was the OSCP course to learn how to hack. I knew how to run vulnerability scanners, but I didn’t know the first thing about hacking, so I took the OSCP to learn how to hack. I was taking Pentester Academy’s content back when they were still SecurityTube, and then like eLearnSecurity; those were like the few… SANS was out, but I couldn’t afford that out of my own pocket. But a lot of the educational stuff has been helpful here lately, and then tools have evolved. Metasploit’s become a better tool, Kali Linux has become more solid. There’s competition for it out there now with Parrot OS, which is a good competitor, a really solid platform.

So, all the community really helped a lot. One of the things I’ve seen different with security, and maybe it’s the evolution of security, is back in my sysadmin days, you had some of these gatekeepers, or people that were job security…

Phillip Wylie 13:15

“I’m not going to let you know what I know. I’m not going to teach you or share this with you, because then I’d be replaceable. You know, I want to make more money,” and all this, and it’s kind of evolved, at least in the security world, where people are sharing and helping others out, and that’s one of the things that’s helped the industry. But the tools have improved. You’ve got more people writing tools; at one time there were less security tools out there, less hacking tools, but it’s become a lot more. There’s competition that makes the existing tools better tools, just like Burp Suite, a commercial tool, but OWASP ZAP is a free version of a similar tool, and it’s forced PortSwigger to keep creating a better product, and the competition is helping, and, you know, there’s a lot of bright minds in the industry, these different boutique pen testing firms and security researchers that keep creating these great tools. I mean, it’s really, really evolved a lot, and a lot of things even like SANS courses have evolved, and they offer just about everything that you could think of as far as, like, educational content for offensive security or even blue team.

Chris Glanden 14:24

Definitely, and one of the things I’ve noticed, and maybe you can attest to this, is over the past 10 years just seeing the development of more CTFs.

Phillip Wylie 14:32

Yeah, that’s definitely true. CTFs are helpful because, teaching and trying to help people get into the industry, the things I recommend for them to do are CTFs, Hack The Box, TryHackMe, those other different, you know, VulnHub, where you have to download the vulnerable VMs. Bug bounties are a good option, you know, because at one time you didn’t have the bug bounties, but you had all these other hacking sources where people can actually get experience, you know, with pen testing, performing bug bounties, and while I was going through a job change not too long ago, one of the companies I was talking to, a consulting company, they were telling me we’ve been able to more easily find people to do web app pen tests because of bug bounties. So those things are helping, and Hack The Box. I’ve seen people that did nothing but focus on Hack The Box for a year solid, and then sign up for the OSCP course and get by with 90 days’ lab access and pass the exam the first time around, getting the hands-on experience. The books are great, but you’ve got to get the hands-on experience, and yeah, those are really good options. Even back to the CTF thing, National Cyber League is a CTF competition for schools. I think they allow high school into it, but it’s mostly college, and so those competitions, people will compete in those competitions, and that company will share with employers the ranking, so they see someone is rated at this: “Hey, I’d like to talk to this person.” They can connect them and they can get a job.

So, it’s helping people get jobs. You have some CTFs at conferences that have offered people jobs. I knew someone from the local community that’s a really great pen tester and a hacker and does really well at CTFs. He got offered a job by Raytheon because he was able to solve their CTF in, like, a matter of an hour or two, and it’s supposed to be like a two-day CTF; it should take someone two days to solve it. But he found a zero-day in the CTF and was able to solve it pretty quickly, and he got offered a job. So the CTFs and that sort of thing help people get their foot in the door easier than if they didn’t have it.

Chris Glanden 16:48

Yeah, great hands-on experience, and it doesn’t hurt that organizations like Bugcrowd and HackerOne offer a nice payday too with that. I’m sure that drives a lot of involvement and public interest.

Phillip Wylie 17:04

Yes, that’s one of the things. I was a Bugcrowd ambassador for a while, back when I started, shortly after I started teaching and then founding PWN School. I became one of the first ambassadors and ended up getting ambassador of the year, and part of it for me was I’d been telling my students to do CTFs and bug bounties.

So, I wanted to learn more about that to point them in the right direction, guide them a little better, and yeah, the cool thing about bug bounties, one of the things I love, is I’ve seen people in other countries that don’t have the opportunities that we have here in the US. They’ve been able to make a good living for themselves. I’ve seen people who have bought cars that they wouldn’t be able to afford otherwise; they’ve been able to buy brand-new high-end laptops like a MacBook Pro, Alienware, some high-end gaming laptop, and provide for themselves. There are some people that just make a living off of bug bounty; they’ll do it so many months out of the year, they’ll take a break and just enjoy life, and then go back to it and make money.

Phillip Wylie 17:59

I mean, it’s a very lucrative business, but you have to put in hard work, and you have to spend the time to get good at it. It’s not like anyone’s going to sign up and make a living; you have to work hard and put in effort, and the thing I compare bug bounty to, when you compare it to traditional pen testing, it’s like hunting for game versus hunting for food. If you have to hunt to feed yourself, you’re going to be more successful, because you have to do it to survive. If you’re doing it for game, then you’re not going to do as well.

So, bug bounty people, and this is not always the same thing, but it forces you to work harder, because if you’re doing a pen test, you’ve got 40 hours to complete this pen test. You get in and try to get it done. But with a bug bounty researcher, if you don’t find bugs, you’re not going to get paid. So, there’s a little incentive to make you work harder.

Chris Glanden 18:46

That’s a great point. A lot of these freelance pen testers are really targeting the big payday, because that’s what they rely on. It just seems like you’re swimming with the sharks at that point. I mean, I’m sure there are really top-level professionals that target those platforms. What could you speak to on that?

Phillip Wylie 19:03

Yes, as far as that goes, it’s just going to depend on, you know, how quickly you will get paid, and one of the things, too, that the companies are offering: Bugcrowd started implementing this last year, they’ve got their Next Gen Pen Test, and basically what they do is they perform a penetration test during a bug bounty. So, you’re not only having the bug bounty running, you’ve got someone performing a pen test against that application, and other companies do that as well. The Synack Red Team product, they do like a crowdsourced contest, and also, like, Cobalt Core or Cobalt.io. They provide something where people sign up, like on Synack or Cobalt, and you’re performing pen tests, and Cobalt, which I’m a little more familiar with, they pay $1,500 for a 33-hour pen test, or 30-hour pen test.

So, you perform the pen test, you’re going to get paid, and sometimes that’s a better option if you need guaranteed money. Because with the bug bounty stuff, it can be tough to compete, because whoever finds the bug first is going to get paid, you know, does the good write-up, whereas if you’re working through, like, Synack, doing a Bugcrowd Next Gen Pen Test, or a Cobalt pen test, you can get paid. So that’s where a lot of people are going to focus, and with Bugcrowd, I know as you progress, the more you are involved in their platform, then you get invited to private bug bounties, which sometimes have better payouts, there’s less people on it, and then you get invited to their Next Gen Pen Test.

So, part of these pen test platforms, I mean, bug bounty platforms, the more time you spend, the better you do, the better opportunities you get. But yeah, the one thing is just getting the experience starting out; bug bounties may be a good way to go. Because like Cobalt, you have to go through, and Synack, you have to go through these technical challenges where you perform like a pen test against a target to get selected to do those pen tests. So, you have to pass that.

So, you may need some training up front. They may require, you know, practicing with your Hack The Box or doing bug bounties to learn as you go and get that experience, and when you get that experience, you know, as far as getting like a full-time pen test job, you’re able to explain how you perform a pen test, how you’re able to detect certain types of vulnerabilities and exploit them. So, these are things that you can use in a pen test interview.

Chris Glanden 21:30

Then in addition to the training platforms, I’m sure pen testers need to focus on what they’ve learned and the rudimentary aspects of it. But would you say there’s a level of creativity also that’s needed to become elite?

Phillip Wylie 21:45

Oh yes, you need some creativity, and one of the things I’ll say about offensive security, and there are other areas that require creativity, but offensive security does require creativity, especially when you’re someone that’s discovering [inaudible 22:03]. You’re doing something that someone hasn’t done before. That’s why it’s a [inaudible 22:03], or at least on that specific software or technology that you’re hacking.

So, it takes some creativity, and as you build that experience of doing different types of hacks and learning different technologies, you’re able to apply that creativity. So yeah, it is very creative, and honestly, how I even found out about the bug bounty community is I learned some good pen testing tricks from some of the bug bounty people. One of the first ones I followed was, like, Jason Haddix. He was at Bugcrowd for many years, and he’s a bug hunter, and some of the techniques, these are things that are transferable to web app pen testing, because, you know, bug hunting is web app pen testing. There’s just more bounty per bug found, as opposed to getting paid for the pen test itself. But those are really good places to learn.

Chris Glanden 22:52

Definitely. You mentioned a lot of great techniques and great training and learning platforms. Are there any that you would advise for someone that is looking to get into pen testing?

Phillip Wylie 23:05

I would say as far as training vendors, the ones I recommend, and this is in no specific order: SANS is created by people that are in the industry that have, like, consulting backgrounds.

So, it’s not just someone purely academic, and they do a good job of keeping their stuff up to date. eLearnSecurity, which was recently acquired by INE last year, they have some good learning materials. Pentester Academy has some good content, PentesterLab, and, like, your PentesterLab and Pentester Academy are going to be a little less expensive. Your SANS training is going to take, you know, usually, you know, your employer is going to pay for it, because that’s $3,800 for a three-day class and $7,200 for a six-day class. But, you know, these are the things, if your company will pay for it, great, that’s good to get, and then the INE or eLearnSecurity stuff is good, too. But, you know, some people getting started out may not have the budget for that. But like your Pentester Academy or PentesterLab, they have like a monthly subscription and they’re a little more cost effective. PortSwigger has really good free training, because one of the creators of Burp Suite wrote a book, and also, that was based on teaching you how to use Burp Suite, but teaching you web app pen testing. Instead of updating that book, they put it all online on their Web Security Academy, and it’s a totally online lab, totally free, and it takes you from beginner level to advanced. So, a lot of people that are in bug bounty, I see a lot of recommendations there on that.

So those are good platforms out there. There are some good Udemy courses, like Heath Adams, The Cyber Mentor. He’s got some good content out there. There are some good streamers out there like AppSec, John Hammond. So those are some good people to follow. [inaudible 25:03] from HackerOne, he’s got good content.

So, there’s a lot of good free stuff out there. So, if you want to get started pretty quick, these people on a bug bounty platform, or like Ben, for instance, at HackerOne, he’s trying to help people learn to get on their platform. So, there’s a lot of good content out there. There are people from Bugcrowd that have still continued long since Jason Haddix has left.

And one thing is, talk to people that have been in the industry; find vetted content. There’s a lot of stuff offered out there. Everyone is trying to make a buck, or they’re wanting to create content; not everyone is an expert.

So, I saw a book recently, and I won’t mention the book, but I was considering another teaching opportunity at the college level, and the course book they use kind of swayed me from working for them, because it was supposed to be this manual. This is what they’re using for their class manual for the ethical hacking course, and it was only like 63 pages, and the people who wrote the book had no experience in security.

So, if you know someone in the field, follow people that are industry experts, and get their opinions and get vetted content. You don’t want to waste a lot of time and money trying to vet these out yourself, because I’ll have people from time to time reach out to me and say, “Hey, I saw this deal on this platform, they’ve got all their classes offered for X amount of money,” and they ask me, and I’ll check it out and let them know what I think. So that’s what you need to do, vet those, because sometimes you can find this stuff pretty expensive, but you don’t want to waste a bunch of hours on something that’s just going to steer you the wrong way.

Chris Glanden 26:40

Right, and you always hear about these script kiddies that are watching YouTube videos and figuring out how to break into systems. From the ethical hacking standpoint, I’m sure you would definitely advise against just going to XYZ website and trying to hack in there. There’s a set of approved platforms that you can do this with, and I just want to make sure that that line gets drawn.

Phillip Wylie 27:03

Yeah, definitely. Because there are platforms out there, like Hack The Box, and these different platforms you can learn on, and the bug bounties. So, there’s no need to put your future career at risk. Because if you get a felony on your record, it’s going to be hard to get a job. So, you want to be very careful with that, and, you know, like Bugcrowd, HackerOne, Cobalt, these other platforms, Synack. Use those platforms. Your Google, your Facebook, and Apple, they have bug bounty programs; make sure you’re following those closely. But I would say when you’re starting out, I would recommend going through a company that provides that as a service. That way they can educate you on the scope, what you should be doing, and kind of give you some protection, because some of those provide protection against, as you said… there have been cases where people have done bug bounties, and the companies have come after them legally after they found a bug.

So, you have to be really careful. There are so many resources out there, and people to get advice from. I mean, like [inaudible 28:08], you know, follow him on Twitter. You know, if you have questions, ask those people, ask the bug bounty community; they can kind of tell you the safe places to practice. If you see something, ask someone, because there are people out there, too, that may want to leverage someone’s hacking skills to break into their ex’s Facebook account, or say they’re wanting a pen test and get you to hack into something.

So, people will try to take advantage of those skills. So be very careful, and one of the quotes I like to share with my students each semester, and in a talk I do on becoming a pen tester, was from that first Spider-Man: Uncle Ben was telling Peter, “With great power comes great responsibility.” So, when you get those skills, be careful. I mean, it’s like a weapon or something. If you’re into firearms, and you have that, you need to be responsible, and the same thing with hacking skills, you need to be responsible with that. Because you can cause harm. You know, maybe someone does something illegal, you don’t get caught, but maybe you’re causing someone a lot of financial grief, or someone’s information gets exposed and causes them trouble. So, with those skills, make sure you use them responsibly.

Chris Glanden 29:11

Yeah, I love that quote. I use that all the time. And so, you have some very notable certifications you mentioned, such as the OSCP, GWAPT and the CISSP. How valuable would you say certifications are, specifically for showing that someone has knowledge and skills in pen testing?

Phillip Wylie 29:34

It’s very important when you’re starting out. The CISSP is not really important for pen testers, although it doesn’t hurt if you’re working for a consulting company, or trying to go to work for a consulting company. Your certifications are going to be more valuable there. Your boutique pen test firms, where people are just really good hackers and pen testers and ninjas, they don’t always require it, but some of your more mainstream consulting companies like to have that, because if they’re trying to get a contract with some big Fortune 500 company, they’re wanting to show these are the qualifications of our people.

So, the certifications are really going to help when you’re trying to get your foot in the door. But once you’re established, then it’s not going to matter so much. It’s going to be a matter… HR is going through, you submitted to a job site, they’re looking at checkboxes, looking for this certification or that. Once you get into the field, and you make a name for yourself and start networking, then in a lot of cases you can, you know, get referrals from your network, and you don’t require it, but starting out it’s definitely going to help. Otherwise, it’s going to be more difficult; then you’re going to have to rely more heavily on doing bug bounties and the stuff you do, like capture the flags and all those, Hack The Box and that sort of thing, to prove that you know what you’re doing to get in. But the certifications will make your life easier getting started out. It’s not going to be the end-all be-all. Your CEH, that’s recognized by HR. It’s a good cert; so the DoD certs, if you’re doing business with the government or working for the government, those can be helpful. But if you’re wanting certifications that kind of prove that you know something, and your skills, then your SANS certifications, your Offensive Security certifications are good, and then some of the eLearnSecurity/INE certifications are becoming more well-known and sought after for jobs. I’ve actually seen some jobs recently where they were looking for some of the eLearnSecurity certifications.

So, getting started out you definitely are going to need those certifications, and I know a lot of good pen testers that have no certifications, and they’re just as good or better than a lot of people with the certifications.

Chris Glanden 31:43

Understood, and I really respect those certs like the OSCP, where you have the study, but then there’s also the practical aspect.

 

Phillip Wylie 31:52

Yes.

 

Chris Glanden 31:54

So, from an organizational standpoint, what would you say is the best way to communicate and prioritize your findings for the decision makers?

 

Phillip Wylie 32:03

Yeah, if you’re the person you’re reporting to, there should be like a list of contacts. So, someone you reach out to, and so, like, if you’re an internal pen tester somewhere, the first people you’re going to reach out to is, you know, let your immediate supervisor know about findings, if it’s critical or high. Because when you find those kinds of things, you want to report those immediately, because that’s just something waiting to be exploited.

So, make sure you’re reporting it to your direct supervisor, and then anyone like an incident response team, that sort of thing. There should... you should have some list of contacts there. When you’re building out these types of programs, make sure you’re including incident response, you know, even the people responsible for remediation, and get that out there as soon as you find anything high or critical. If it’s something you find like, say, it’s a 0-day, something that hasn’t been discovered before, then you would treat that as a critical. You want those to be remediated as soon as possible.

 

Chris Glanden

Great advice.

Chris Glanden 32:59

I do want to hit on one recent event, which is the SolarWinds hack. I don’t know how familiar you are with that. But I’m curious to know, what will be the long-term changes and impacts after this vast breach of private and government organizations?

Phillip Wylie 33:16

Yeah, I didn’t dig a little deeper into that. But some of the things I’ve seen were like some default creds somewhere, and that sort of thing. So, just making sure that the software is secure; I think there really needs to be some scrutiny on those applications, not only through your software development lifecycle. You need pen tests performed, and even go out and get third parties, because it’s good to have your own internal pen test team, but when you’re using a third-party consulting company, or using bug bounties, then you’re getting someone else to take a look at your program, and it’s a report card to see how well you’re doing. So, those need to be done.

So, I’d say, a second set of eyes looking at it, and do things like, you know, make sure you’re requiring passwords to be changed so that default credentials can’t be used. A lot of that basic stuff, if it’s taken care of, you can eliminate some of these risks. But really thoroughly testing the software, and doing some adversarial testing, like your Red Team related stuff. You know, sometimes, if it’s a software company, they’re only focused on the software, but what if someone was able to compromise and breach that infrastructure and get in and get access to source code and modify it or something like that?

So, I think you just need to make sure that you’re thoroughly looking at everything under a microscope and covering all your bases. You know, like, for instance, companies that are relying on just PCI pen tests for their compliance: make sure you’re testing the security. If you’re secure, in most cases you’re going to take care of those compliance checkboxes. Make security the priority and compliance secondary to that.

Chris Glanden 34:57

Right, and within the COVID era that we’re in right now, you do have organizations that are adjusting their infrastructure. You know, does that change anything with this approach?

Phillip Wylie 35:01

What it requires is you need to make sure you’re testing some of your installs, you know, your gold image for your laptops and mobile devices; you need to make sure those are really secure. Because when you’re in the office, you’re on the network. I mean, it still needs to be secure, but you’ve got a higher concentration of people that are remotely connecting. Make sure that you’re using something secure to connect, like VPN, or some of the other secure authentication mechanisms, and using multifactor, and not just SMS, you know, doing some secure mobile communications and stuff, like I said. Test those images; a lot of times companies are pen testing the client, sometimes maybe they’re just focused on the server.

So, you need to make sure you’re testing these... the applications running on mobile devices, and then, you know, make sure you’re testing the client devices and the VPN setups, because, like I said, sometimes people are only focused on the infrastructure and the servers, but you need to make sure everything is in there. Make recommendations; make sure you’re defining secure remote connectivity and that sort of stuff for end users, because not everyone working from home, you know, has IT or security experience, so make sure you’re teaching them good OPSEC and that. So, the more educated you can make your end users, the better, more secure you’re going to be as well.

Chris Glanden 36:35

Very true. I’m curious to know, in those situations where companies are limiting budget right now, where would you point them to properly allocate defense measures? What would you place a priority on at this point?

 

Phillip Wylie 36:51

As far as from my expertise, I would say that you need to make sure your offensive security... that you’ve got a good program there, not only pen testing, but your recurring vulnerability scans, part of your threat and vulnerability management program; make sure you get those bases covered, covering recurring scanning. One of the things, too, is educate the people that are doing the work for you, because if they don’t understand what they’re doing, then there’s a lot of things they can miss. Because if you’re running Nessus, Qualys, or Nexpose vulnerability scans, there could be some manual tools that they’re using. You know, maybe educate your vulnerability scanning team to be able to validate some of those findings, so that they can help offload some of the work from the pen testers, and then make sure you’re doing proper remediation; make sure you’re remediating. I’ve done pen tests before where I did a pen test in January, came back 90 days later to do a retest, and the low-level finding that I discovered in January now has an exploit for it, and it’s like, high. So, make sure you’re taking care of the remediation, because, you know, those lows are just a 0-day or exploit away from being criticals or highs.

Chris Glanden 38:01

Yeah, absolutely. So, you founded the PWN School, which is an education and virtual learning platform. I’d like to hear more about that, and your inspiration there.

 

Phillip Wylie 38:12

Yeah. PWN School kind of evolved out of my classroom, because the first semester I taught, the students were really enjoying the ethical hacking class. It was the only offensive security course that the college was offering at the time. Since then, like last year, I expanded into web app pen testing. So, they wanted to learn something else.

So, I thought about getting together with them after hours on the weekends and teaching them some other techniques and stuff, and I was prepared to teach this all by myself on my own, and this was kind of a thought on the back burner; I really hadn’t put a lot of effort into getting it moving. But there were a couple of young college students in the community that went to a different college; they were going to have to transfer to the college I taught at to be able to take the classes, so they weren’t able to get in in time for the summer class, and I was really disappointed.

So, this really motivated me to work on PWN School. Originally, it was going to be more just defensive security focused. But as time went on, I saw the need for other areas of security. Not everyone wants to start out in defensive security, and sometimes that’s not the place to start. You may have to start out in other areas, like IT or as a SOC analyst, and eventually become a pen tester.

So, we kind of opened it up to other areas, and there were two physical meetups. One was in Dallas, Texas, and one was in Denton, Texas, where I grew up, and I’ve got some friends that work in security there. There was no security community, no meetups, so that was one of the motivations for there, and it was my hometown, and then Dallas for the local community.

So, these were like a meetup format, and around February of last year, I started streaming the Dallas meetups, so that way it would be available to people that are not local, and recording those and putting them on YouTube. And so, once COVID hit earlier this year, we... I had been streaming, you know, PWN School, and I’ve been streaming my class for about a year now.

So, it was easy to transition over, just going to Zoom and doing that. So, it’s been mainly kind of a meetup format. Let’s see, I had Merrill Vernon on this week; she told us about her path into pen testing and Red Teaming. She’s got a really impressive story: how she started out with really not much of a technical background, but really worked hard, picked it up and got into it. Then we had Chad Graham from the local community do a talk on digital forensics and incident response. He talked about a ransomware attack, went through almost a tabletop exercise format, showing us what he found, asking questions to the audience: What do you think this means? Where would you look for this? Very interactive. And we’ve had someone do talks on SOC analysts. One of the things my goal is to do in 2021 is, with my class, I used to let people audit my class, and basically you get to take the class for free, you just didn’t get college credit, and, you know, you can’t do enough with letting two or three people in.

So, I wanted to come up with a mentorship program. So, my idea to expand PWN School is to implement this mentorship program so people can sign up; they can get, you know, weekly lectures, and if they’re in different time zones, they’ll be able to watch the recordings, and then have some hands-on exercises and stuff for people to go through and complete. I’ve talked to some other people in the community that are interested in helping out, that work in other areas of security, so, to come up with more content that we can place online, or at least find references to other learning materials, and share those so people can learn. So, that’s kind of the plan to expand it. My original goal was for it to be more education oriented, and I want to get back to that focus and get that rolling in 2021: be less of just a virtual meetup and more of an educational opportunity.

Chris Glanden 41:58

Yeah, you are an extreme advocate for education, and that’s something I really admire about you. Most of the talks that you mentioned are also freely available online. So, I will work on locating them and getting those posted to the BarCode website, and then anything that you do in the near future, if you want to shoot me a link for that, I’ll make sure we get those added as well.

Phillip Wylie 42:21

Okay, thanks. Appreciate that.

 

Chris Glanden 42:23

So, you’re currently living outside of the Dallas area. What’s the best bar to go to out there? What would be a classic Texas bar that you can think of that you would recommend to an outsider?

Phillip Wylie 42:37

Yes, basically kind of touristy kind of stuff. I haven’t been there personally, but I know people that go there; it’s like Gas Monkey. Yeah, they’ve got a pretty nice... they even have like a concert venue, and then they have like a nightclub. That’s supposed to be pretty cool.

Chris Glanden 42:55

Nice. I’ve got to check that out. I remember when I went out there, we used to go over to the Stockyards. I can’t remember the name of the bar; it was like Billy Bob’s or something.

Phillip Wylie 43:06

Yep. That’s it.

 

Chris Glanden 43:08

Yeah, that place is massive.

 

Phillip Wylie 43:09

So yeah, if you want the traditional places that are maybe a little less touristy... Gas Monkey, I wouldn’t say it’s probably touristy. But if you’re in Fort Worth, the Stockyards; if you’re in Dallas, Deep Ellum, this, uh, arts and music district, so a lot of bands kind of start out in that area. So, in Dallas, you’d probably want to check out that area, because it’s pretty cool. Like I said, it’s arts and music, and there’s a lot of, like, startup incubator type places down there too, because there was a group called [inaudible 43:41] all day, that was a security research group; they’d meet quarterly and work on different bug bounties and try to exploit different hardware and stuff, and they met at one of those shared office spaces over there.

Chris Glanden 43:54

And that’s where all the great ideas are formed: the seedy alleys and basement bars. Yep. So, I guess when you go to a bar, what is your [inaudible 44:08] drink? You said you’re not really into beer or craft cocktails right now. Do you go more just for the atmosphere?

Phillip Wylie 44:14

Yes, more for atmosphere. When I do go, when we go to conferences and stuff, usually out of town, I got to go to some really cool bars in Austin last year. They were pretty unique and had a really cool vibe. One of them was some kind of vampire’s lair; it was all dark with some candles, was pretty cool. And another place was like a speakeasy, really classy cocktails, nice vibe to the place, and there was a theme around all the drinks. It wasn’t just a drink; there was a story, and the waitress would come out and describe all this. The descriptions of the drinks are really pretty cool. It’s a really cool atmosphere to the place.

Chris Glanden 44:52

Very cool. Well, I just heard last call here. So, I have one last question for you. If you opened a cybersecurity themed bar, what would the name be? And what would your signature drink be called? 

 

Phillip Wylie 45:09

I think with the Red Team mindset and kind of understanding the mind of a threat actor, I think a really cool bar would be the APT Bar, and not only a signature drink, but all the drinks would be named after APTs, or they could be fictional. They don’t have to be... with all the Russian influenced APTs, then that covers your Moscow Mules; you come up with another name for that, your Black Russian, White Russian, you could give them different names, but I think just different APT themes. Kind of back to talking about the bars that really had the atmosphere and the themes to that experience, I think you can really do that; you can have that experience for the drinks, the way they’d be described. It could be something related to the regions that those nation states with those APTs are in. So, I think it really... and have like a kind of a cyber pop vibe to it. I think that would be pretty cool.

Chris Glanden 46:03

That would be really cool. So APT with ABV. You could almost rank those drinks by threat level. So, more ABV is a higher threat.

 

Phillip Wylie 46:18

You can have something similar to MITRE but for these, you know…

 

Chris Glanden 46:22

There you go. I love it. So, Phillip, you are a true inspiration, and I really appreciate your stance on cybersecurity where it is today, and I wish you the best, and please keep on leading the charge.

Phillip Wylie 46:38

Well, thanks for having me. I really enjoyed our conversation today.

 

Chris Glanden 46:42

Thanks, Phillip. Take care. 

 

Phillip Wylie 46:43

Take care.
