Matt Barnett is a nationally recognized expert on physical and cybersecurity, incident response, identity theft, and digital forensics. His expertise is backed by decades of combined information security and law enforcement experience. As a certified forensic analyst, Matt conducts various investigations for clients in the public and private sectors. It is with his technical competency, professionalism, and strategies, that he is able to protect his clients from threats and cyberterrorism. Education is at the forefront of Matt’s passion in the security industry. He has been asked to speak at various information security conferences, has served on the advisory board for the Information Security curriculum at Delaware Technical Community College. Because of his expertise and recognition in the field, Matt is consistently regarded as the go-to cybersecurity expert for NBC in Philadelphia. As a seasoned interviewer, he has made countless appearances on the news as well as on web and podcast shows. With his arsenal of applications, strategies and procedures, Matt is able to assist clients in achieving better cybersecurity.
He hijacks BarCode and we get into the Art of Physical Security engagements, SEVN-X, the ideal skillset of a physical security assessor, readiness techniques, and of course a few scary stories from the frontline. He also reveals why yoga is critical, and it’s not for the reason you may be thinking.
SYMLINKS
LinkedIn
Facebook
SEVN-X (Website)
SEVN-X (YouTube)
Dallas County IA Incident
Square/Box breathing
SECUREWORLD PHILADELPHIA
ISACA ATLANTIC CITY
H.O.P.E. NYC
007x on NBC 10
75 Day Hard Challenge
The 48 Laws of Power
Cannon Bar – Seattle WA
DRINK INSTRUCTION
007X MARTINI
3 oz Gin
1 oz Vodka
1/2 oz Dry Vermouth
Lemon Peel
In a cocktail shaker, combine gin, vodka, and dry vermouth. Shake well and strain into a chilled cocktail glass. Garnish with a large piece of lemon peel.
CONNECT WITH US
http://www.barcodesecurity.com
Become a Sponsor
Follow us on LinkedIn
Tweet us at @BarCodeSecurity
Email us at info@barcodesecurity.com
This episode has been automatically transcribed by AI, please excuse any typos or grammatical errors.
Chris: Matt Barnett is a nationally recognized expert on physical and cybersecurity, incident response, identity theft, and digital forensics. His expertise is backed by decades of combined information security and law enforcement experience. As a certified forensic analyst, Matt conducts various investigations for clients in the public and private sectors. It is with his technical competency, professionalism, and strategies, that he is able to protect his clients from threats and cyberterrorism. Education is at the forefront of Matt’s passion in the security industry. He has been asked to speak at various information security conferences, has served on the advisory board for the Information Security curriculum at Delaware Technical Community College. Because of his expertise and recognition in the field, Matt is consistently regarded as the go-to cybersecurity expert for NBC in Philadelphia. As a seasoned interviewer, he has made countless appearances on the news as well as on web and podcast shows. With his arsenal of applications, strategies and procedures, Matt is able to assist clients in achieving better cybersecurity. Matt first off, welcome the barcode. Secondly, how the hell did you get into your man? That’s what I want to know.
Matt: Well, I mean, just got to put in the facetime with the owner, I helped him get into blackhat a few years ago, just gotta keep it going.
Chris: Damn. And I’ve warned them about people like you!
Matt: That’s true. Dangerous, friendly.
Chris: We’re working on a user awareness program here and it doesn’t appear it’s working.
Matt: It’s not working.
Chris: So, Matt. knowing you personally for a while now, I know that you carry a very unique and special set of skills.
Chris: I’d call it a hybrid of social engineering/ physical pentesting/ technical expertise. How do you classify what you do, because I don’t want to misclassify it. And also, how did you initially get into it?
Matt: I think it all, it really does kind of sum things up. The cybersecurity field has become synonymous with the physical aspect of security, it’s “Hey, get paid to break into computers”.
Matt: I somehow translated that into paid to break into building. And it’s funny because we offer all these recommendations in the cybersecurity world about how to fix things. And somehow, we just had to become the expert on how to fix things in the physical security world and it’s totally tangential.
Matt: One of the things I just find ironic is we’ll sell you a bunch of products to fix cybersecurity issues. We don’t really sell you a bunch of products to fix physical stuff. There are very few cybersecurity companies that are selling cameras and alarm systems, they all sell SEIMs and endpoint detection.
Chris: So, you’re saying manufacturers of alarm systems should partner with security vendors.
Matt: I mean, that’s the thing, it’s like the guys that are out there selling security solution tools are offering assessments to test your cybersecurity and then offering a product to fix it.
Matt: You don’t really see, the Sloman Shield guys out there selling physical security system assessments. So, I always found it interesting that we’ve gotten lumped into the cybersecurity world. So, you find that there aren’t that many experts in what we do. Because it’s where does that training come from? Where does that knowledge come from? Well, some of it comes from just being naturally gifted at, doing this kind of work. You’re in a world where you lie to people for a living and you’re constantly looking at the world with through the lens of somebody who is trying to break into places all the time.
Matt: I can’t walk into a bank or walk into a Target without looking at how the exit sensors are configured and who’s watching what. And so, it really is kind of an interesting way to look at the world that makes a good physical security tester. But, to that end, how did I get into this. I didn’t know physical security was a thing when I started down the cybersecurity journey and my first day, first week, first month, as I’m kind of onboarding and learning actually got partnered up with a senior consultant that took me on a physical security engagement. I kind of had no idea what to expect. And so, I’m shitting my pants. I’d probably been doing it a grand total of a month at this point.
Matt: I didn’t even own a set of consultant clothes, let alone know how to blend into a corporate environment. So, I felt pretty out of place. But it was just funny because this guy is so calm under pressure. Johnny Cool. Nothing’s bothering him. I’m looking around, and everybody knows we’re not supposed to be here.
Matt: Everybody’s looking at us like ready, and we are one phone call away from going out of here in handcuffs. We ended up in this stairwell and it was kind of a funny situation because you had to badge into the building, but then once you badge into the building, you had to badge into the different levels within the stairwell.
Matt: So, we had gotten in, but we were trapped in the stairwell. We not only couldn’t get into the building, but we couldn’t even get out of the stairwell because you had to badge to leave the stairwell. I’m pretty sure that’s against fire code. So, we’re stuck in the stairwell, and if we’re down at the bottom and people are coming out of the second floor to go downstairs, we have to act like we’re going up the stairs and try to catch the door and we missed the door.
Matt: Then, we hear people coming up the stairs. We go down the stairs to try to get the door, and we played this back-and-forth game probably 10 times. And finally, this guy comes out and you can just tell the guy meant business. Looks at us as says “what are you guys doing here”? My buddies totally cool under pressure. He’s like, “nah, we’re here from Oracle, man. We’re just doing a database upgrade. It’s cool”. He’s like, no, “it’s not cool. You’re gonna have to go check in at the front desk”. And I’m like, oh, well, that’s it. Guess we’re going home. So, we go out the stairwell and he’s like, “alright, I’ll meet you back at the car.”
Matt: And before I can look back over my shoulder, he follows somebody else into the building. I thought we just narrowly escaped death or certainly a prison cell and he’s right back in the building. And that audacity just kind of stuck with me and I said, alright, well, I guess that’s how this game’s played, but he put it in good context. He says, “what have you got to lose?” Getting shot is not great. Getting tased is also a distant second, but also still not great. But at the end of the day, you push the limits as far as you want to, because the worst thing that’s going to happen is somebody’s going to tell you no, and you flash your Get Out of Jail Free card, and all is right with the world.
Matt: Take chances and be bold is the takeaway.
Chris: Yeah. So, it’s like robbing a bank with no repercussions.
Matt: Yeah, exactly. You just don’t get any money if you actually pull it off.
Chris: I mean you do, but not the amount that you’re going for.
Matt: That’s true.
Chris: So, was it that particular instance then that hooked you?
Matt: It was.
Chris: Was it primarily the challenge that came with it?
Matt: Yeah, and I think it really kind of spoke to this like inner desire I’ve always had to being a movie star and acting. You’re acting, you’re breaking into buildings.
Matt: You’re pretending to be somebody else. It’s a very cool thing to do in my opinion. You do get these questions, like, can you turn it off. For example, you get in a fight with your girlfriend and she’s like, “are you social engineering me?” The fact that you even know what that means tells me that I’m set up for failure.
Chris: So, after gaining experience with performing these physical security engagements, what would you say are the skill requirements needed for someone else who may be interested in this line of work? Is it physical? Is it technical? Mental? What are the key attributes that someone should possess to be optimally successful in this field?
Matt: I think the easiest way to answer your question is just to say, “yes.” It’s being able to blend all of those things, it’s knowing that you have all these tools in your tool belt, you have technical capabilities for when you need technical. Social engineering skills for when you need to talk your way through a problem, and cybersecurity skills for when you need to hack your way through a problem.
Matt: Getting through a building is no different than solving any other puzzle or maze. You start at one point; your target is another point. Along the way, you’re going to run into brick walls. You’re gonna run into cubby holes. You’re gonna run into people and blockers all throughout. So, it’s knowing what to pull out and when, and a lot of that just comes from experience.
Chris: Experience in those different areas?
Matt: Yeah. Experience doing a physical security engagement. For example, your first stop is going to be what to say to the front desk receptionist.
Matt: You’re going to have no idea and you’re going to fail at the front desk. Then the second one you do well now you’ve got a story for the front desk. So, you’re going to come in, you’re going to get past the front desk, but you’re going to get to the it room and you’re not going to know how to get through the door.
Matt: So then now you’re two parts of the puzzle and then the third time…so you kind of build on and take with your bits and pieces from each prior engagement.
Chris: So, okay. You figure out what works typically, and then be able to tap into that the next time.
Matt: Yeah, exactly. And there’s variations.
Matt: So, if something works, you can continue to keep it in the tool belt, even if it doesn’t 100% translate, some variant of that might say you keep the skills.
Chris: You have to be fluid, or you have to be flexible in your approach.
Matt: Like a Yogi.
Chris: A Yogi? Oh, someone that does yoga. I just always called them yoga practitioners.
Matt: Yeah. There you go.
Chris: What did you do prior to getting into cybersecurity?
Matt: I was in regular IT. I was kind of a generalist before I focused on cyber. And then before that I was actually in law enforcement.
Chris: Oh, wow. Okay. What were you doing in law enforcement?
Matt: I was a patrolman.
Chris: Did that experience as a patrolman help prime you for the physical security side?
Matt: It’s certainly imparted discipline, like any good academy or bootcamp will, and it’ll force you to do things that you don’t like to do. And it will teach you and prepare you to be mentally tough. So, while shooting your way out of a problem might not come up in this line of work, certainly being able to be cool under pressure and thinking through things methodically or logically, is the skill that I took away most from that.
Chris: How about quick decision-making skills because I’m sure in that position you’re faced with unexpected situations that you have to quickly react to.
Matt: Yeah. You never know. One of the things they tell you in the academy is that every conflict that you’re involved in as a police officer is an armed conflict because you bring a weapon to every situation.
Matt: And so, you’re constantly protecting that firearm because if anything happens to you, that firearm now becomes a public domain and is up for grabs. So you constantly have to think about what’s going on around you and have situational awareness. That situational awareness almost directly applies to physical security.
Matt: Am I going to set this alarm off? If I set the alarm off, who’s coming? If I run into this person, if I say the wrong thing, if I do the wrong thing, If I park in the wrong place… all of these things have repercussions. I think the one thing that it may have taught me the most is being able to think through a situation, especially under duress and to come up with some salient thoughts or coherent thoughts rather.
Chris: Yeah. Be aware of the environment you’re in and expect a situation where you’re up against the wall. I bet that gets scary.
Matt: Yeah, I’ve had guns pulled on me. I’ve been in handcuffs. It’s gotten real a couple of times.
Chris: On that topic, tell me about a time where you didn’t necessarily get caught, but a time that was more of a situation that had you on edge beyond the stairwell experience.
Matt: Yeah, I would say that the stairwell experience is kind of the par for the course, it’s being challenged by somebody that works at the company, being challenged by people that work there is something that you get used to, and something that doesn’t really rattle your cage. Being challenged by law enforcement is a different kind of problem.
Chris: Yeah. Because cops don’t give a shit about your engagement.
Matt: Yes, and they also carry around a healthy dose of skepticism. They’re lied to constantly. Think about every time you’ve ever been pulled over for speeding. You’ve always got an excuse. There’s always a reason for why you were doing what you weren’t supposed to be doing.
Matt: So, for me to say, oh yeah, by the way, these burglary tools are here for a completely valid purpose. Yeah. By the way, breaking into this bank on a Sunday night at 11PM, this is all legitimate I assure you. This piece of paper that I printed out from my home printer with chicken scratch on it legit.
Chris: Anyone listening to this with intentions of robbing a bank, don’t do that. This is not an instruction manual for you. It’s not that easy!
Matt: No, absolutely not. And for good reason. It’s good to see the system work that way. I’ve had a couple of run-ins with law enforcement, and they’ve all been, they’ve all been stressful.
Matt: They’ve all been appropriately stressful. I mean that they approach the situation with all of their situational awareness and all of their skepticism and ready to do battle with a bad guy. And we walk out of it, shaking hands, friends, and they say “Hey, you’ve got the coolest job on the planet. I want to do what you do”. It is a great secondary career for former law enforcement. So, if you’re considering what to do next when you’re 25 and out, come talk to us. But one of the things that I like to mention is the Dallas County situation a few years back with the Coalfire guys.
Matt: That was a situation where we carry this Get Out of Jail Free card, which is basically a piece of paper that says: Hey, the client has authorized this testing. We are here pretending to be bad guys, but for good reason. And if there’s any question as to the legitimacy of that, you can call these people.
Matt: The premise there is that the person who authorized the testing has the authorization to authorize the testing. And in Dallas County, there was some confusion on that, where the guys had basically done a test at a courthouse and the local deputies showed up when they set the alarm off.
Matt: They said, “you don’t have jurisdiction to test this”. Well, the state had authorized the testing although the state didn’t have jurisdiction to authorize testing for a regional or a local district, at least as far as I remember. I’m completely going off script here by pulling this out of memory.
Matt: So, take it with a healthy dose of check but verify. But as far as I recall, the state had authorized the testing and the local county said, well, the state doesn’t have the authorization to grant authorization to test this building. So, you’re going to jail. So, these guys that were just doing their job, sat in jail for a weekend till they got it all straightened out.
Chris: So, they were verified. They acknowledged that they were supposed to be there, but due to logistics, they got locked up.
Matt: Yup. Exactly. Jurisdictional dispute.
Chris: That’s gotta be a one-off situation.
Matt: As far as I know it’s the only one, certainly that made kind of national news, but it definitely drew some ire from the community.
Matt: It changed protocols in a lot of ways. It certainly changed the way that I do my engagements. Especially in not stereotyping, because when you pick states like Texas and Alaska and some of the other ones that I’ve done recently, those are kind of known for being shoot first, ask questions later states. You’re breaking into a building in the middle of the night in the backwoods of Alaska, you never know who’s going to come out.
Matt: It might not be a cop, it might be a neighbor. So that’s one of those things where I’ve started now reaching out to law enforcement in advance of arrival. And saying, “Hey guys, maybe you’ve heard of this. Maybe you haven’t, but this is what I do. This is, who I’m doing it for, please, by all means, if you have any questions, I’m happy to answer them, happy to meet with you guys beforehand, show you whatever documentation you need to see to feel comfortable with it”.
Matt: And everybody’s been really great about it. I wouldn’t say that those kinds of proactive efforts have helped a lot, but that’s just something that directly changed as a result of Dallas County.
Chris: When you do notify law enforcement, are they receptive to that? Or is it typically a conversation where you have to explain it, like, “look, I’m going to break into this bank!”
Matt: It is funny cause most of them have not heard of this. Or if you have to, you call into the non-emergency line at the police department and you talk to a dispatcher, and they’re like “What are you talking about?” and then I need to talk to a desk Sergeant.
Matt: Well, for what? Well, because I’m going to break into a building. Well, what do you mean? Yeah, so it’s funny but it’s also scary.
Chris: So, I’m going to virtually place you into a physical pentest. You’re at the FBI headquarters. It’s a late night, and I’d assume that it’s an ultra-secure facility.
Chris: You’re getting ready to go into this high pressure, high intensity situation. How do you personally calm yourself, get past your fear and adjust yourself mentally in order to walk into this type of situation and carry out that task.
Matt: Square breathing, yoga, and coffee.
Chris: Okay. Square breathing. Let’s start there.
Matt: So square breathing is a technique taught by the Navy seals to help keep your. Mind focused your body taking in oxygen and in general, reducing stress. The idea is that you breathe in for four seconds, hold it for four seconds, breathe out for four seconds, hold it for four seconds, repeat and see, breathe in this box, or square.
Matt: It helps to align everything. Gets you thinking about breathing rather than thinking about your nerves, you start thinking about, how to keep that cadence and keep that pace. You stop thinking about messing things up. The rest of it tends to go on autopilot. Like I said, I can’t stress it enough.
Matt: If you don’t rise to the occasion, you fall to your level of training. So, if your brain goes on autopilot, because your kind of focused on this breathing, it can really help. Execute a task rather than kind of get caught up in the notion of, “Oh my God. I’m about to break into the FBI headquarters.”
Chris: Yeah. And then yoga. So, I don’t do yoga, but I hear it helps with the calming aspect of things.
Matt: So, calming be damned. It helps with having to wait in a janitor’s closet for eight hours and not be a stiff corpse when you come out. That’s why you do yoga. I have hidden underneath a desk for eight hours.
Matt: When your phone battery dies, when you’re cooped up in a very uncomfortable position and you’ve got nothing but time on your hands you’ve got, you gotta be able to survive that.
Chris: Well, that’s another good point. This isn’t a nine to five job.
Matt: No, not at all. Not at all, but if you get in at nine and you have to wait until five for everybody to leave, then it becomes a nine to five and kind of the worst way possible.
Chris: Then you’re starting at five.
Matt: Which brings me to coffee.
Chris: Yes. That has to get you through.
Matt: It does. Yeah. And I’m a, I’m a big coffee guy like most people I think. You’re a creator, so you get it.
Matt: We all love our boutique coffee and I’ve got a little tiny grinder and a little arrow press, and I bring those on field jobs. Plugged the kettle into the truck and heat up the water and yeah, it’s a whole thing. But again, it’s taking your mind off of what you’re about to do, because if you think about it too much, you’ll crack.
Chris: So, you got to stay with your routine to keep your mind straight.
Matt: Just business as usual.
Chris: So, if I gave you a random target, let’s say it’s a random Target. How confident do you feel that you would be able to penetrate their security controls. What is your typical success rate? Is it a hundred percent?
Chris: Have you ever been on an engagement where you went home empty handed?
Matt: I’ve never gone home empty handed. There have been times where I’ve gotten through the first gate and not the second gate. There’ve been times where I’ve gotten in the building, but not to the data center or, gotten somewhere partially and not able to get the rest of the way. That under the desk one was a pretty good example.
Matt: That was, can you get into the building? Then, can you get into the data center? Well, I got into the building. Hoped that by five o’clock everybody would be gone. Didn’t know that the data center was staffed 24 hours. So funny story about how we ended up getting caught. And I actually had a coworker with me that got caught by the same woman three times.
Matt: And I guess on the third time she finally called the cops. The data center was on the first floor and the IT department was on the second floor. While we were waiting for everybody to leave the data center, I had gotten in at nine o’clock in the morning, waited all day, then everybody upstairs left.
Matt: I went upstairs to kind of roam around and dump credentials off of computers. I had let my partner in because it was cold outside. So, one of the women that worked in the data center walked around the IT floor on the second story. So, he’s walking around, she’s walking around, and they walk into each other.
Matt: Scare the crap out of each other. She’s like, “what are you doing here?” And he’s says “Well, I’m an intern”. She responds “You’ve got to leave” and then shows him the door. So, he calls me, he says, “hey dude, I got caught”. I’m like, all right, I’ll come let you back in. So, I let him in a second time. 20 minutes later, I guess she decided to take another walk.
Matt: And she runs into him again and she’s says “hey, I thought I told you, you had to leave”. He tells here he forgot something. She kicks him out again. He calls and tells me he got caught again. So, I let him in the third time and now she goes for the walk. This was probably 45 minutes later.
Matt: She goes for the walk. We hear her coming, we ditch our stuff and run and hide under a desk. She sees my backpack in a conference room and she’s like, this wasn’t here. She calls the cops and the cop showed up. I’m hiding under a desk and he’s hiding. He hates physicals by the way. This is absolutely not his bag. He came because he was actually doing the penetration test. Then it brought me in for the physical.
Chris: Yeah, he doesn’t sound too stealth.
Matt: Yeah. Well, he’s like 6’5” so he blends in like you can imagine a 6’5” guy would. So, he’s hiding kind of between two cubicles and I’m hiding under this desk.
Matt: And I see these flashlights start making this like sweeping pattern across the row of cubicles and I can hear his radio going and I know they’re here. We’re on borrowed time. The flashlights pan across the room, and it pans past him and keeps going, and then it immediately goes back and locks on him and he’s caught like a deer in headlights.
Matt: The cop starts yelling “Get on the ground! Get on the ground!” I’m hearing this and I can see my partner across the hall. So, as he’s approaching my partner, the cop looks over and sees me under the desk. So now it’s two against one, and one of them is 6’5”.
Matt: So, this goes over like you can imagine it would. I don’t remember if they got him in handcuffs, but they definitely got me in handcuffs and I’m yell “I got a letter in my pocket! Check my pocket!” To make a long story short, they finally sorted it out. Everybody was cool. Nobody got hurt, but they did say I missed the K-9 unit by about 45 minutes, so you might want to thank your lucky stars. Yeah, dogs don’t understand “I have a piece of paper.”
Chris: I have a piece of paper? Don’t you need to carry a piece of meat?
Matt: Yeah. That’s also in the tool bag under the frozen goods section.
Chris: Oh man. So, you always find at least one vulnerability. I mean, you can’t hand in an empty report, there’s gotta be something. And it’s interesting that there always is something.
Matt: My preference is always to go in at night or more specifically at a time when people aren’t there because I don’t want to lie to people. I don’t want to have to talk my way into something if I can help it.
Matt: That was the lesson I learned from my mentor. Don’t put yourself in a situation where you have to make it more complicated than it needs to be. If it’s just picking a lock, don’t add convincing the secretary that you need to pick the lock to the list of activities you have to perform.
Matt: So, my preference is always to avoid people. And if you can’t, that’s when the social engineering comes in.
Chris: If we got people listening to this podcast, they’re looking to get into this line of work. Where would you direct them to? Cause to my knowledge, there’s no certification for this. There’s no training course for this. There’s nothing that really teaches these types of skills holistically to my knowledge. What would be your guidance?
Matt: It’s funny you mentioned that and this is in no way shameless self-promoting, but it is one of the knowledge gaps that we’ve seen in this field is there really, isn’t a good training program for that.
Matt: To that end, we’ve started creating training material and teaching people, not just the hands-on skills, because you can go on YouTube and learn how to pick a lock. You can go to pentestingkeys.com and order keys for half of the normal grade locks in the world. But there’s really a whole mindset that goes into it.
Matt: There is a methodology that goes into it. There is recon that goes into it. There is, having a plan for when your backup plan fails. Those kinds of things you have to account for. There are a few courses out there that train people up on how to do this, but certainly nothing to the level of complexity that we’re striving for.
Matt: So, stay tuned. I’ll give you more information as the, as the course becomes available, but we’re piloting it now. We’ve got a few places that we’re going to be doing it. We’re looking at having a session over a Secureworld here in the Philadelphia area, and we’re also looking at the ISACA conference in Atlantic City.
Matt: So, stay tuned for that one. And then a couple of big ones on the horizon.
Chris: Yeah. You should try to get to H.O.P.E. too in New York. Have you heard of that?
Matt: Hackers on planet earth? Yeah.
Chris: Have you ever been? I’m going dude.
Matt: Are you? Well, let me know. Maybe I’ll roll with you.
Chris: Yeah, dude. You should. I could use someone to get me in places.
Chris: Let me ask you this, since we’re going down that route, have you ever used your skills in a situation that you selfishly wanted to inject yourself into?
Matt: So, yeah, there’s, there are definitely some funny stories. some bets that get made out of band. We were at a party in Vegas for blackhat. And if I remember correctly, I think the party was put on by a ReliaQuest and they had Marshmallow there and it was a big party to do. And we were talking, and they were like, yeah, you’re a pentester. Go get backstage and get past all those security guards.
Matt: I go stumbling down there and it was funny. I went with one of the guys, that wanted to see it happen, and I caid “Come on. I’ll show you.” So, we get down there and we’re right up along the stage. And the security guards there and I look at him and said “Alright. You ready?.
Matt: He said “Yeah, for what?” and I pushed him into the security guard! He runs after him and my guy just says “Hey, sorry about that.” Well, while that’s all going down, I slipped right past the security guard went right up on stage.
Chris: Meanwhile, your boys taking a beatdown. But, you got in!
Matt: Yeah, the bet was can I get upstage. Not, can we get upstage.
Chris: I love it, man. I love it. So, we spoke about SEVN-X. Tell me a little bit more about the company and what services you offer.
Matt: Yeah. SEVN-X is a regional cybersecurity company based out of the Philadelphia area. We kind of got a national footprint at this point, but certainly our roots are here. We have been in business about a year and a half, August of 2020 at this point. Time flies, man. I look back and I’m like, wow, I can’t believe it’s been that long already. We certainly specialize in penetration testing and the physical security aspect. We also do web application assessments. We have our VC, so practice and some of our strategic cybersecurity initiatives that we help out with for some of our long-term customers. Yeah. It’s growing.
Chris: Awesome. Do you guys offer any services for ransomware protection? I mean, that seems to be public enemy #1 these days.
Matt: So, I actually spent New Year’s Eve and New Year’s Day onsite with a customer this year, helping them through probably one of the worst days of recent memory for them. And one of the things that came out of that was this entire ransomware readiness type of assessment.
Matt: I realized that there were some things that in my career of dealing with ransomware time and time again, could be helpful for other organizations. So, we’ve put together this whole playbook for not only how to operate under a ransomware attack in the moment, but also, what do you need to do to make sure that you’re prepared for it.
Matt: We have this whole kind of test basically where we have a list of documents, a list of items that, if you were in a real environment and you needed these things, how quickly could you pull them together? How quickly can you run this piece of code to get me the answers I need to all of these questions about your environment.
Matt: So, yeah, this ransomware readiness assessment is something that’s also pretty new for us, but something a lot of our customers have expressed interest in.
Chris: Yeah. And I liked that approach where it’s not just, a tabletop exercise, you actually put them to the test and make sure that the action items are being performed.
Matt: And we do tabletops too, but one of the shortcomings that all tabletops have is it’s just implications. Oh, well that’s done, I would just restore from backup. Oh, that’s it really? That’s all you do? Nothing’s ever going to go wrong?
Chris: Yeah. It’s all hypothetical.
Chris: Okay. Hold on, man. I got to me got to refill my drink.
Matt: No, you’re making me jealous of all these all these cocktails you got going on.
Chris: Why, you’re not drinking over there?
Matt: Oh, I’m drinking. I got to put away a gallon of water every day for 75 days.
Chris: Oh yeah. You’re doing the 75 hard challenge.
Matt: So, my problem is it gets so busy during the day that I forget to drink. And then it’s, 10:30, 11:00 at night and I’m pounding a gallon of water.
Chris: So, pay no attention then to my Angels Envy!
Chris: So, you told us about SEVN-X. I’m going to run through SEVN-X shots for you. Rapid fire questions.
Chris: You ready? Fill in the blank. The biggest cyberthreat in today’s society is______.
Matt: ransomware
Chris: Legal robbery: The Film. Who would play you in that biopic?
Matt: Oh, man. I gotta go Tom Cruise man. He does such a great job with Jack Reacher.
Chris: Yeah. Yeah. Mission Impossible.
Matt: Oh yeah, of course. Yeah. Gosh, glazed right over that one.
Chris: If you had one superpower, what would it be and why?
Matt: I’d want to be able to predict the future.
Chris: Okay. I like that, because you could say wealth, although being able to see the future can provide that wealth.
Matt: Exactly. Just give me tomorrow’s newspaper. I’ll tell you exactly what stocks to pick.
Chris: What book is currently on your nightstand?
Matt: So, the 75 hard challenge requires that you read 10 pages of non-fiction, but it’s really intended to be kind of like self-help or a non-fiction book about something.
Matt: I do love the 48 laws of power. I think that’s a great book.
Chris: I love that, man, it’s a great book. I can’t stop reading that. I’m actually… hold on…… I’m actually looking at it.
Matt: You have it?
Chris: At arm’s reach at all times. The 48 laws of Power!
Matt: That is a power move.
Chris: It is. Alright, next one. When you aren’t working, what do you enjoy doing?
Matt: Big photography guy, huge into it. Obviously, you see all the content that we make. I mean, a lot of that is just a labor of love. I love making those videos. I love taking pictures. I love taking my camera with me anytime I do these physicals. I spent a week in Alaska, half the time onsite, half the time staring at the Northern lights, that’s definitely my passion.
Chris: Next one. Best bar you’ve ever been to?
Matt: So, my business partner, Ryan and I stumbled into Cannon up in Seattle. It was one of the most impressive collections of whiskey bourbon, scotch bar, none, no pun intended. They had so much that the bathroom, wall to wall floor to ceiling, had cages in it that protected the alcohol. So yeah, check it out – Cannon in Seattle if you ever get up that way. And of course, BarCode.
Chris: You can’t leave out BarCode! Okay Matt, number seven. If you opened a cybersecurity theme bar, what would the name be? And what would your signature drink be called?
Matt: Oh, Alright, the name of the bar would have to be Breakers.
Chris: Would that be beachfront property?
Matt: Yeah, of course dude. You know Laguna beach is my second home. So of course, I mean, they just had some pretty bad fires out there recently, so hope everybody’s okay.
Matt: And the drink is the Stolen Identity.
Matt: It’s made with the clears. So, you don’t know what’s in it, and it can change based on who the bartender is. So, the bartender gets to make it, but no matter who makes it, it’s always different. So, it could be gin…. could be vodka….could be water.
Chris: Dude. That’s the transparent killer. Well, Matt, it’s been awesome catching up with you, man. Thanks for stopping by. Real quick, before you go, let our audience know where we can all find you online.
Matt: Yeah. Certainly, on LinkedIn, you can find the company and all of us up there. SEVNx.com is our website and YouTube, obviously for all of our videos, for password crackers and all that good stuff.
Matt: And then we also do a seven second security every week. We put out the top pressing security issues that you can kind of read about in seven seconds, figure out if they apply to you and, and then go on with your day. So, if cybersecurity is not your primary gig, well, that’s what we’re here.
Chris: Thanks again. I’ll have security escort you out now.
Matt: No need. I’m just going to go to the bathroom. Opens window, exits.
Chris: Thanks dude. Take care!
Matt: Yeah, thanks dude. Appreciate it.