¶ Understanding Cybersecurity
It would be great to talk about cybersecurity. It's an area that a lot of software engineers don't understand. So what do we mean by cybersecurity? Well, cybersecurity for me is...
purely the protection of almost all of our digital assets that are there. So it can be anything from penetration testing, which is offensive security, that is where I'm coming from, cyber threat intelligence and anything that... can secure infrastructure, the other systems that are there, and of course, all the code that's at the back end as well. Because, I mean, everything, although the pieces of tin are sitting there, the code
is the most important thing that actually drives all of these sorts of things. So when it comes to cybersecurity, just think of it as security, but in the digital world. That's just how I see it. Yeah, I think that's a good way of putting it too. When we think of security, you think of these kind of Hollywood films with the heist and people breaking into a bank vault.
In a digital realm, we don't have to do that. You could be in a different country, couldn't you? Absolutely. It's completely different. I mean, once upon a time, you know, if you wanted to break into a mainframe, you wanted to break into a computer system, you had to go in through the front door.
and then go through a few other security guards, et cetera. And now you're coming in through the digital pathways in order to get to the internal network. Yeah, absolutely. There are two ways to do this then. There's the physical attack, walk in the building and attack it. And there's the, over the internet or over some kind of externally accessible network. I know one company I worked with years ago was actually physically attacked, in that people turned up with a van, walked in,
and brazenly told the guy on the front desk they were here to collect some servers, who actually let them in the server room, and they walked out with the servers. And the security guard helped them carry them out through sheer confidence. That's a fairly unique story that I haven't come across elsewhere. How much of what you see these days is that physical attack of walking in the building versus accessing it remotely? I mean, it's probably less. So, for example...
I used to do quite a lot of social engineering about 20 years ago. One of the jobs that I had to do was actually for one of the companies I was working for, one of the subsidiaries was in Canada.
that was actually to see if I could get into the building physically, wander upstairs, sit down in the cubicle because it's Canada. They've got cubicles, obviously. Could I plug myself into the network? What could I do from... there? And, you know, that was successful. There's other people I know who do a brilliant job like that, people like Brian Harris who runs the covert access team. A lot of the time
these days, anyway, red teaming, which is an advanced type of penetration testing, it's through phishing attacks. We would set up a website, get someone to come to that website.
¶ The Evolution of Attacks: Physical vs. Digital
And then or we would send an email and we would just basically get onto the machine at whatever infrastructure or whatever place of work they are at. And then we are potentially free to roam the network depending on how good the security internally is because, you know, we've all got a good perimeter.
maybe sometimes a soft underbelly, which is a bit of a problem there. So it's a big thing. So I would say most of the time now, if you're doing a penetration test or you're trying to breach a network, you're going to do it by using users and their weaknesses. So you mentioned social engineering there, which is a term I'm sure a lot of people will not have come across. I first heard of the term, I think, in the late 90s. Was it... was it Kevin Mitnick, I think? Yes, yes. The Pentagon, by
a lot of social engineering, I believe. So what do we mean by social engineering? Basically, pretending to be someone that you are not. It's almost like acting in order to gain access to something. Kevin Mitnick was a brilliant actor. He was very confident. He was able to pick up the telephone, tell people he needed something. They were convinced enough to say, okay, here you are. Here's the keys to whatever.
the code to Ira. I think he very famously managed to steal the code to the Motorola StarTAC mobile phone back in 1996, 1997, because they thought he was supposed to have it. So it's that sort of acting thing. So it's social engineering a person to give you what they're not supposed to. You know what I mean? So it's all very important to do.
What amazed me about that is, as you say, that was 1996-97. In the 2010s, I worked for a company. I won't name them and I'll try not to be too specific to give it away. And I was working remotely at the time, one day. And they had some good security practices, or at least what was considered good at the time.
Our passwords changed every three months. We had to update them and change them, and our passwords had to be 16 plus characters. Perhaps you can answer whether or not that's good security in a moment after I've told you the story. We had that, and I was...
working on Windows Remote Desktop. Windows Remote Desktop crashed or my internet dropped halfway through me changing my password, which left me without access. I was shocked then, nearly 15 years later after the social engineer Kevin Mitnick, I phoned up.
The reception of the company, because I didn't have a number for anyone else, asked to be put through to the IT department. And I explained to them, hey, I'm changing my password. I've got locked out. Can you reset my password? And they said yes, and gave me a new password over the phone.
¶ Social Engineering: The Art of Deception
And I was shocked at that point in dealing with a company that, you know, very high value, big company, supposedly lots of security, just reset my password and gave me a password. No verification of who I was. Could have been anyone. Phoned at the public reception. So it still worked then. And I've seen it more recently at another company I did some consulting for. Again, they had a red team in, which I'll actually explain red teaming as well in a minute, if that's okay, who...
Did the same. They contacted people and said, hey, I'm the CEO. I need you to do something. And a scary number of people in the company actually did that without verifying who it was. So it seems that social engineering is still a huge problem. Definitely is. In terms of security, you should have probably had slightly more security on that. They should have been able to do some sort of two-factor authentication with you, such as, okay, right, you're saying that you are this user.
You have a badge with a user ID, and on the back of that badge, there should be some other code or code word that you should be able to provide to them to prove, say, who you are, because you're the only owner of that user ID or that badge. But I've seen the case that they don't just do that. I mean, they should be asking for your internal user ID, obviously,
and sometimes they just don't take your name, and there you are. It's like, oh great, so you are slb558 or something like that, and then, you know, that's fine, yes I am, off you go. Use it on your own. That would be a disaster.
People should know slightly better these days, but it's not always the case, especially with small to medium enterprises. Yeah, I absolutely agree. And what scared me is both of these were big companies that had invested in cybersecurity training. And you're right, the two-factor would have been perfect because in the first case...
I had one of those RSA tags generating a new number every minute. That would have been very easy, surely, to ask for that and verify that I was in possession of that tag and the right person. Definitely. It's interesting. Yeah, so you mentioned red teaming then as well. What is that for anyone that doesn't know, please? So you've got sort of three different levels, I would say, of...
scanning, penetration testing and then advanced penetration testing. So at the lowest level, let's just say you've got... vulnerability scanning. I don't know if you've heard the name Nessus or Qualys, etc. These are scanning engines. They will scan a computer system. They will just basically give you a report back.
¶ The Importance of Penetration Testing
That report, unfortunately, doesn't have any context, right? So that's vulnerability scanning. The next piece is penetration testing, where you have a very well-defined scope. And you will maybe be looking at a few different systems or a web application or maybe APIs or something like that. And as part of the penetration test, you will do a vulnerability scan as well.
It's tightly scoped, right? A red team, that is usually coming from external, and in the style of Kevin Mitnick, all bets are off. The scope is much wider, so you can have things like, just get into the building, right, just exploit, tell me what you can do. Can you get into the voice over IP systems? Can you get the databases at the back end? What else can you do? So that can encompass everything from the social engineering that we've just talked about to setting up
websites externally, trying to get users to come to those websites, and then you've got a drive-by compromise, or, you know, sending phishing emails. And the difficulty now is, since the rise of AI, phishing emails and other things like that, I've gone from last year, as part of my cyber threat intelligence role, we monitor all these things, it has gone from 12% success rate to 54% success rate. So it's getting really, really tight these days. It's very difficult to stop
some of these very intelligent attacks. And so that's basically what red teaming is. It's all bets are off, let's see how we can get in. So this thought was much weighed on. Yeah, many years ago I talked to a few people who were doing that, and that included things like they'd turn up at the office pretending to be there for interviews, or they'd walk in pretending to be...
engineers to fix something, and they'd try and plug in to vulnerable network sockets or connect to Wi-Fi. And it was kind of scary how many companies that they said they could literally walk up to reception, pretend to have a legitimate reason and then be allowed in, and be allowed to wander around offices. Yeah, I mean, I think the story from the Canada office, so the company that I worked for, that, you know, their security was really tight.
However, they had a coffee shop which looked onto the reception. So I sat in the coffee shop for the day before I was due to meet the IT security manager and just watched the pattern, the sort of security guard rotation pattern, looked at the comings and goings, et cetera. I already knew what the badges looked like. So I had all that sort of thing.
¶ Career Paths in Cybersecurity
Later on, at the end of the day, I was able to just look at the shift pattern and what was the best sort of time to actually access the office, tailgated into the office, got in,
and was able to find a cubicle that was not being used. As soon as you've got a cubicle around you, that's it. Nobody knows you're there. Plug my laptop in. That should have been another security... something that would have been protected, such as your laptop, and you've got no network connection. That was there still, because they assumed that once you're in, you're in. But
You know, a good report came off the back of that, and they fixed up these sort of things, you know, barriers were added, et cetera. Yeah, it's good fun, though. It's quite scary. So doing that sort of thing. And, you know, Brian Harris, who does this all the time, who works for certain governments, he tells amazing war stories about being in left switch.
surrounded by guards with M5s not knowing that he's not supposed to be there. So he's got some amazing stories on social engineering and other things like that as well. So it's good. Really entertaining. I'm sure they'd be fascinating to hear because it sounds very James Bond, and it must be quite a tense thing. What if you get caught? Are they going to call the police? At what point do you... call whatever executive support you've got to say that you are allowed to be there breaking in,
if you see what I mean. Absolutely. Absolutely it is. And, you know, he's still doing things like, you know, teaching lock-picking and breaking into safes and all. It's very important stuff. But kind of scary. Kind of scary.
Cool. So if we made cybersecurity sound attractive to anyone that wants to get into this as a career, hopefully on the white hat, good side. What is the path that people can take to get into cybersecurity? Because I believe we still have a shortage of... expertise in this area. So how can people establish clearly what they need to do? Well, it's really strange. I mean, I fell into cybersecurity. I wanted to be a PE teacher, right?
Okay, that's a story I have to hear. So I wanted to be a PE teacher. Unfortunately, there were like 1,500 people going for 80 places. And of those 80 places, 74 men got in to be PE teachers, you know, to train as PE teachers. So I was like, okay, I'm not going to get in here. So I went off and did a youth training scheme, a YTS, something we've got in the UK.
¶ The Diverse Landscape of Cybersecurity
probably slightly before your time, they managed to remove it. But, I mean, it's almost like an apprenticeship. And it wasn't great. So then my girlfriend's father at the time was sort of pivoting into IT. And I thought, oh, that sounds great. I've got to get out of this YTS. I went to college to do IT. He didn't end up
going along to the class in the end. So I did that and then shifted on from there. And security was something that I was always really interested in. I was talking about 1992. So... Cybersecurity wasn't a word that existed at all. IT security kind of was,
but only in terms of, oh, somebody's got a firewall, so that was where your security was. There was almost nothing else. And certainly in coding terms, nobody really coded for security, even back in the early 90s, as far as I'm aware anyway, to be honest. How do people get into it these days? I think, I mean, everybody in my team, I used to work at Standard Life, and my manager had a degree in geography.
I was a penetration tester and I had wanted to be a PE teacher and my skills were in history, and the analyst I worked with had a degree in medieval strength. I think it's probably slightly different. I think you probably need to have a degree of some sort. It doesn't necessarily need to be... cybersecurity, it doesn't need to be any of these things, but a degree seems to be the standard. What I would then do, and this is what I...
say to people who I'm constantly, I'm mentoring quite a lot of people at the moment and I have done, I would always say get the foundations in. To be a penetration tester especially, you've got to understand where your target is, you've got to understand how to get to your target, and then you've got to understand what to do when you get there, right? So you really need to understand networking. You need to understand what the different server types are.
And, you know, get some coding in there. Absolutely. Get some, especially Python coding and shell scripting and various things like that as well. Get the fundamentals. And then... The world is more open at that point because there are so many different facets to cybersecurity, cyber threat intelligence, cyber threat hunting, penetration testing, still firewalling and infrastructure security.
all of these things. So you probably need a lot of luck and you need a drive to make a decision where you're going to go. But in the meantime, get all the fundamentals there. Understand how infrastructure works, understand how code works and understand how the network works. And once you've got those, you know, grabbing the other certifications that you can, like CompTIA and...
¶ The Necessity of Ongoing Security Measures
Maybe OSCP if you want to be very specific. These are all very good to go and do, definitely. So as you're talking, I'm thinking cybersecurity is... actually a massive field. So we talked about the red teaming and the social engineering and kind of acting skills and the social skills and that emotional intelligence, so that's very much a people-focused element. You talked about the networking and
Python and that level of code. Then there's the low-level code we could think about, where you, as we were mentioning before the call, thinking about maybe your C programmers and that low-level understanding, exploiting things like perhaps buffer overflows and low-level code. And then there's even lower than that. And the people are doing hardware. So I'm wearing the hoodie from a hardware manufacturer, and we had people pen testing the products we were building that were security rated by
attacking the physical device and looking at how they could, you know, inject stuff into the hardware and attack the hardware to extract data from it. Again, very different level of attack, and you'd need some of those other skills to get to the hardware. But now, as we all have a mobile phone here now that's got some level of security with data on, you know, if somebody can get your phone, the hardware security is perhaps increasingly relevant as well.
Yeah, I mean, absolutely. As you say, you've got phones here, right? And what people forget is a lot of your two-factor authentication, your authentication systems, whether it's your... Gmail account or it's your work account if you work for a bank like myself.
A lot of these things are there. You can't afford to lose your phone. Your contacts are there. Your security is there. All the other things are there. Phone is now, you don't need your key fob anymore. You've got your two-factor authentication on your phone, and that is, if something goes wrong, it's like, hey, we'll send you a text. It's like, well, I haven't got my phone. So, you know what I mean, you're absolutely, absolutely right.
These things are really important. Yeah, I bet RSA never had on their business risk assessment that mobile phones would destroy their business for key fobs. That is absolutely it. I remember on my key fobs. For many years, then somebody said, you don't need that now, you've got your phone. Yeah, okay. So we talked a lot about these different issues. So what should businesses have pen tested? Which businesses should be thinking about it?
What's your view on that? Yeah, I mean, everybody should think about penetration testing. The problem is, you know, some businesses obviously can't afford to do that sort of thing.
¶ The Cost of Neglecting Cybersecurity
For me, security is just simply a part of doing business. Especially now, if you look at... If you look at all the ransomware groups that are currently on the go, never mind nation states that are at times in bigger businesses, we've seen Marks and Spencer and we've seen the Co-op and Harrods and everybody hit in the last few weeks.
Now, we were looking at that and we're going, well, are these specifically targeted? It's like, not really. What happens is a vulnerability comes out in either a piece of code or... you know, some sort of service that's running, and then they use it again and again and again, and they get lucky. And I've seen it a few times, some businesses where I've said to them, you really need to get a penetration test here, and they've ended up
exploited and their business has been down for three months. It's like people go into the voice over IP systems, they can't telephone anybody, there's no access to their data. You know what I mean? So it's really important that you get some sort of security assessment, and it can't just be a tick-the-box type assessment. It's got to be a let's see what we can do here and make sure you're secure on the outside. But equally now, user awareness is really, really important,
because AI is getting better and better at actually, you know, providing emails and other things for attackers to use. I'm gathering open source intelligence across LinkedIn. You know what I mean? Yeah, it's scary how much information you can get from those open sources. Yeah, absolutely. Open source intelligence, isn't it? Absolutely. And it's just, again, it's just become easier because of things like ChatGPT. So, for example, I used to do a lot of...
I used to do a lot of research across, you know, LinkedIn. If I was specifically targeting someone for a penetration test, right, now you can use some of the ChatGPT, for example, Deep Research or Copilot Deep Research, and say, go off, find me everything you possibly can about X company, and also get me the employees, get me who's relevant to this technology or this developer type, provide the evidence that you're not lying and hallucinating to me.
And, you know, you've got a report, so you've got something you can really dig into really quickly. So, yeah, these have become a force multiplier for certain attackers. You know, we need to catch up with that a little bit. Yeah, and that makes it a challenge, doesn't it? That this is not a, you know, we do this project and we're done. It's an ongoing thing you have to continue to invest in.
And I likely brought up Marks & Spencer because that statement you said of a lot of companies feel they can't afford it. I don't know how Marks & Spencer felt, but looking, I just pulled it up: the cyber attack was estimated to have cost them 400 million pounds. That's right. I mean, you maybe feel you can't afford the testing and the development of cybersecurity, but can you afford not to?
when you have that kind of level of cost and the sheer risk involved. I mean, there's been several companies, small to medium enterprises, who've been hit by ransomware attacks, and that's been the end of the business. And they've been on the go for, I mean, I think there was one. I can't remember. It'd been on the go for 120 years and one cyber attack finished it. They just can't continue.
They couldn't get their systems back up and running. They'd lost so much data. That was the end of the company. So, I mean, much as a small to medium enterprise is someone who may think, well... Let's sort of cut back on the security a little bit. You can't do that. And the same sort of things happen with councils as well. They've got less budget for cybersecurity, and they're an easy target for watching ransomware groups.
or infrastructure groups who just want to cause problems to the UK infrastructure. You know what I mean? Yeah, absolutely. And again, just talking about small businesses. One of the times I thought a bit more about security was I joined a small startup that had had some disgruntled employees. And I was kind of shocked to walk into this startup and find the Wi-Fi password hadn't been changed in several years.
And everyone that had ever worked at the company had had new access to the main server because it was like, we're flat, we share everything, there's no hierarchy. Yeah, but you've got disgruntled ex-employees and a Wi-Fi that I can access from the pub across the road. You know, that's a vulnerability. You've got a responsibility to your investors to actually, you know, run this business in a professional manner.
Absolutely. And it's really strange things that, you know, especially when Wi-Fi came in as well, I used to do a lot of Wi-Fi penetration testing. And I also used to look for rogue Wi-Fi access points.
¶ The Evolution of Wi-Fi Security
and things like that. And the company I worked for was right in the middle of the centre of Edinburgh. And all around Edinburgh, there's hundreds of parts around where we were and different businesses.
and obviously all that Wi-Fi information is leaking in and out. And the problem was the company decided some people would just use Wi-Fi to connect to the system. First thing the Windows system did was go up and connect off to some of the pub across the road, and there were other connections into the network. So it actually turned out, one of the pen tests that I found was the pub across the road was connected directly into the
insurance company's network. You know, there's lots and lots of things you've just got to be careful with all the time, especially when you're deploying a new technology, because you may think you know what it's doing. But you know what, it's like usually it's baby steps to suddenly find, oh my goodness, I didn't even think that would be an issue. Yeah, it's so easy, isn't it, to miss those things when it's new.
¶ Mainframes: The Misunderstood Giants
Switching to a completely different context, there's this myth amongst a lot of software engineering and a lot of people in tech that mainframes are dead. We stopped using those decades ago. This is something I've pushed back about, as we talked about earlier. And I was quite surprised. Again, I've never dealt with mainframes really. To find about a year ago when I looked that mainframes were at the peak, the highest level of sales that there's ever been.
As we all think that mainframes don't exist anymore, what's the security like on them? What's one of the challenges with securing the mainframe in this day and age? So, I mean, the security in the mainframe can be... Absolutely excellent. Okay, well, one thing, you've got your two things here. Okay, so everybody thinks that mainframe is now being migrated out to cloud, right? And cloud can cost an absolute fortune.
especially if you try to run the amount of transactions and batch jobs that mainframe does. So just to sort of give a lot of that context, mainframes...
¶ Mainframe Security: Myths and Realities
There are more mainframe transactions going through mainframes every single day than there are Google searches every single day. So, wow, there are still huge amounts of data going through mainframes. So batch processing, every single time you use a credit card or a debit card, 90% of those are going through a mainframe.
Right. And that's one of the reasons that it's so quick that you can tap a card and off it goes. It can go straight through the mainframe and get an approval and come back. Your... mortgages or your salaries or any of these sorts of things are going through the mainframe, right? So if you think about what would happen if a mainframe was taken down or breached,
considering you link them also to ATMs and other things like that, you've suddenly got a real problem there whereby everything goes to hell. And the other thing is people just think that the mainframe's sat in the bowels of the network somewhere. Well, that's not the case. They're linked now to APIs at the front end. They're linked to web applications that are doing banking. Hospitals will use, healthcare services will use mainframes, and obviously companies such as...
Airports, they're also using mainframes for booking services as well. So they're absolutely everywhere. How's the security on mainframes? It's probably, it's difficult to say the security on mainframes. It can be... really, really tight. Everything can potentially be there. I've heard that they can be the most securable system. I would say they're as securable as any other system. It depends how much functionality you want to have within the system, right?
¶ The Challenge of Legacy Code
The other thing is you will sometimes find that because it's supposed to be backward compatible right back to 1964, literally when the first IBM 360 mainframe came out, it was using COBOL and job control language and all the rest of it. That same COBOL or job control language will run on the modern mainframes, which are massively powerful systems, right? That becomes a code problem, though, because people can say, well, it works.
And it's fast. So why would we change this? Nobody will get in anyway. So that is really where they can fall down. So they can be very securable, but also... apathy, I think, and an aging generation of main framers who think that, you know, you can't get into the network, therefore we're secure.
will potentially reduce the security depending on the company culture, I think. I guess you've probably also, on the software side, got a bunch of people like me, and that I would... very vehemently argue, if you have working software that's that mission critical, you need a damn good reason to change it, and you need a very good testing process if you can change it, and don't just rewrite it for the sake of it.
So I think certainly if I was managing a project, I'd have that tension of I want security, I want to be on board with that. But if we break something that's processing all those transactions he's talking about, so there's that real tension, I guess, isn't there? And the risk reward and how you balance that choice between security and don't break anything. Absolutely. And you've got to really, you've got to be careful how you do the migration. Because I mean, I think the best example...
Lately, it was when Elon Musk was saying, right, we need to upgrade, we need to get rid of all this COBOL stuff, and we need to upgrade to brand new systems, etc. And I think they went to change the American social security system, at least in one of the big states, and there were billions of lines of COBOL code. It went completely wrong and walked out of the social security system and really caused huge amounts of damage.
¶ Balancing Security and Functionality
They then realized, hey, we can't actually just move that. That was a standard sort of, you know, DOGE thing. Let's go in. Remove it all. Oh, no,
we've caused a bigger problem here, we better go back. And that's what happens. I mean, it's as simple as that. COBOL's not going anywhere at the moment. There is, you know, obviously there's a push to do... you know, standard Java web front ends and all the rest of the stuff, and there are API connectors that connect back into the Customer Information Control System and DB2, and, you know, we're still using SQL, etc. Mainframe can run all of that.
It can run all the modern languages, but there is still a requirement at the minute for some job control language and COBOL and REXX and all things like that as well. And I suppose every single one of those seams... when you're going from Java to COBOL or Python to COBOL or some of the other things, is also another vulnerability. You could have a, you know, you'll think there's some security there and it's not big.
And the phrase that came to mind right at the beginning of this conversation that you hinted at is security, to my mind, has always been about, it should be something in depth. It shouldn't just be, here's the wall, and we assume nobody can get past it. You know, here's our firewall, if you will, on the cyber point of view, then here's our encryption behind it, and then the more secure systems have got better encryption, that layers of defence assuming that people will get past one or two.
Again, that's why, you know, if you're going to business, we have that second check. Shouldn't just be one person signs the checks. It should be a couple of people. So you build that defense in depth to every level of it. Yeah. It seems that's still not that common.
¶ Defense in Depth: A Security Strategy
yeah i mean yeah i mean that that was the key phrase that we we keep saying because you know all we want leads uh needs one weakness to to let an attack around that's the that's the problem there so you've got up your defense in depth and sometimes you can find the perimeter face very strong but the internal systems and internal networks are not great, and you'll even be able to find code. If you wander along the intranet, you'll be able to find...
code with, you know, keys in it or passwords in it or developer comments that say, oh, this unlocks such and such. So, I mean, everything all the way through, you've got to really look at these sort of things, because it only takes one weakness for the attack to succeed. We've got to find it all. That's the thing. So it's a pretty huge skill set there.
You need that within a penetration tester and anybody doing offensive and defensive security. And I guess, based on what you said before, AI is further adding to that problem, in that all that analysis you did before you'd have to do manually, or grepping things, looking for patterns. Now you can take anything you get, chuck it into AI, and potentially search for vulnerabilities a lot quicker, I guess. Yeah, I mean, absolutely. AI is better. I mean, it's...
¶ AI's Role in Cybersecurity
great for me, because I'm not a great coder, right? So it's helped me look at various security issues, et cetera, and also knock up quick little, you know, coding projects or things like that. Go too far and it just all goes wrong and then starts deleting itself, and it's not quite there yet. But, you know, writing a lot of scripts is great.
Problem is, it's also very good at allowing attackers to very quickly turn a vulnerability into exploit code. And I'm now telling the team, don't think that, you know, it's going to be three to six months before an exploit exists for this. I can throw a white paper into ChatGPT: tell me about this, what's the issue, what's the exploit, start looking at it, and then go, give me some concept code, and then off the back of that you can then start digging deeper, and, you know...
You know, from vulnerability to exploit code sometimes can be 15 minutes. And also circumventing the controls that are there can be 10 to 15 minutes. And it took three months a couple of years ago. So it's great for us as well in terms of security, because it can help shore up some issues. It's good for open source intelligence from a point of view of going, right, okay, this is a leaky bucket out here.
Let's find it. So let's do something with that. But also the attackers, they're using it. Absolutely. And, you know, before, some of the best attackers of all were brilliant coders. Now it's a lot less to get into that sort of thing. So you get some script kiddies who are just using AI to start throwing stuff and be pressed, or sometimes they've got to be really careful with that stuff. Yeah, and again...
I think the thing we forget about is some businesses will say, we're too small, nobody's going to attack us. But back to that script kiddies, they don't necessarily attack you, do they? They might. I mean, literally, you can build a port scanner very, very easily. Yes. And scan the entire internet if you want. It's not that hard, technically. Yes, absolutely. They can just randomly scan IP addresses, and they don't care what they hit.
¶ The Threat Landscape: Script Kiddies and Beyond
Absolutely. They absolutely don't. So you've got to be really careful with that sort of thing. I mean, and then the problem is once they get in as well, if it's not possible to install that software, if you're able to get to Python, you can very quickly just go, right, import the, you know, Python ftpd lib, and give me something very quickly that allows me to export data out.
You know, that's something I couldn't have probably done very quickly before. Now I can. So it's, yeah, I mean, all that sort of stuff's kind of worrying. It worries me as a cybersecurity person. Okay, cool. I see that you've recently set up...
¶ Training the Next Generation of Cybersecurity Experts
um, some training around mainframes, because you struggled to find the right training, the certification for people. So do you want to tell us a little bit more about that and how you can help people? Yeah, absolutely. So, um, three years ago, even though I've been in this game for about 30 years, 1992 actually, so 33 years, I was running the penetration test team at the bank that I work at.
One of the questions came up, can you do mainframe penetration tests? And I thought to myself, yeah, absolutely. Let's do that. I don't know. It may take me two or three months to learn enough to be able to do that. How hard can it be? It turned out really difficult, because there was nothing there that you could just go to. There were no books at that point, in fact still, that you could go to to learn a bit of stuff. There was a bunch of YouTube videos done by...
one of my friends, Philip Young, and he's in charge of Godreud as well. So it was scattered everywhere. IBM Redbooks, you could read those, but they're millions of pages. And again, trying to find when you've not got the lingo and, trust me, on the mainframe all the commands are different. The lingo is different. Memory is called storage. Hard disks are called DASD. You're trying to understand what you're looking at.
Very difficult. So I then went, right, okay, so let's see, there must be a mainframe pen testing course. And there was not at that point. There had been one run, but at Broadcom, we were revamping it. So finally, once I'd spent probably two years, and I'm still learning, getting to the right point, I decided I'm...
I'm writing a book for No Starch Press. And so that's an absolute ton of research on hacking mainframes. Getting into a little bit of understanding the real need for COBOL code, Job Control Language and other things like that, REXX scripting especially, it dawned on me that I really want to teach this sort of thing.
So I started the mainframe offensive security testing course, and it is the only mainframe penetration testing course in the world at the minute. So I run it probably around once a month over a weekend. And it's great because the last one I had, we had people from Australia, the United States, Denmark, multiple people in Africa and other places like that.
There's a lot of people still interested in this sort of thing, but I felt it was necessary because it's very difficult to learn any of this, and trying to get it into one place is important, hence the reason for that, writing the book as well. Right, awesome. We will put links to your course and so on in the show notes for anyone who's interested. And what's the book called? Hacking Mainframes. It's from No Starch Press.
¶ The Importance of Conferences in Cybersecurity
So it hasn't got the full title yet. I had mentioned the title and they went, no, no, our marketing team will decide based on the book. The second part of the title is to be confirmed. But that has been a really interesting journey, to use a word, a modern word these days. But it is really good. And, you know, I'm looking forward to it coming out. And I think it'll be good. No Starch Press will make it
better than I could ever make it myself. So I've got the technical backing as well from some of the best mainframe hackers there are, who've got 30, 40 years of experience. It's enjoyable as well. It's different. Excellent. And when's that due out? It's going to be in 2026. There's a whole production process that's got to be done. So once I finish my writing, it goes, I've got an editor who keeps on decimating it. Every time I write a chapter, I give it to her, who decimates it. And I fix it,
and it goes back again. Then it goes to the technical editor, who will look to make sure absolutely everything is perfect technically. It then goes to the copy editor, then the production team, and then out it goes. So I'm hoping to have it completed and out there, and being conservative here, by DEF CON 2026. So you're talking about six months, I think. So I have 10 chapters in, of 16 chapters.
I want the content there, but it's a crafting process as opposed to a writing process, more than NCS. Yeah, I think people forget that about books. But if you've got a pre-launch website for the book where people can sign up or pre-order, we'll stick that in the show notes as well. I'll get that for you after we've finished. You mentioned DEF CON then, so conferences. We haven't really talked about that. So it's my final question for you.
What are the conferences that you think people should attend to stay aware of what's going on in the industry in cybersecurity? Yeah, it depends where you are. I mean, obviously, the biggest conferences I would like to have got to in cybersecurity. These are huge. And obviously, both of them are in Las Vegas. So, you know, even I haven't managed to get there yet. I'm definitely hoping to go next year. It's a once-in-a-lifetime thing. Obviously, if you're in Las Vegas, great,
off you will wander along. 60,000 people attend Black Hat, so it's definitely not a small conference. But I often talk at conferences around Scotland and the UK. So there are smaller ones, such as BSides, which are very good. And if you're interested in mainframe, there's a lot of mainframe conferences, and GSE UK, which is Share UK. They have a conference in November for four days,
but there are also lots of working groups, and they're completely free. And also there's a lot online. So you just need to start looking at GSE UK or DEF CON or BSides, any of these other ones. ScotSec West is another one that I was at recently. But there are equivalents down in England, SACA, any of these. There's lots of stuff. Just look up cybersecurity conferences
and away you go. Because it's so wide, you get people who are not particularly technical, so don't worry about that. You'll get people who do risk and governance and policy, but you also get, if you want to go to DEF CON, super techy, super techy right into the code about how the vulnerability works, how the exploit works, etc. So anything for anybody out there.
Yeah. Yeah. I guess with everything from that social engineering to, you know, hardware penetration, you're going to have all levels of technical knowledge, to the social engineering, the people side, and everything in between. And 60,000 at a conference. I mean, that suggests that you're looking at millions and millions of cybersecurity professionals around the world. There definitely are. If you look at some of the...
biggest names in cybersecurity, John Hammond and David Bombal, et cetera. These guys have got millions of followers across their social media platforms and things like that. Absolutely, definitely. One of the conferences, I'm talking at GSE UK on cybersecurity and pivoting into the mainframe and red teaming. I've got a chat on that. But in the same day, it's going to be a very busy day, because...
Ryan Williams, who runs Hack Magazine, has got Hack the Hills, which is in Melbourne, and I'm doing a talk remotely to Melbourne. So it's going to be an early morning and a mid-afternoon. I'll need to keep going. But that one has got everything from hacking mainframes to covert access and physical security to thinking like an attacker, and some, you know, it's got lots of different stuff there as well. And yeah, so you've got all things for...
for all people, depending on what you're interested in. It sounds like a fascinating career option and a really interesting area to work. It definitely is. It definitely is. And I'm still constantly learning as well. I've just shifted into the proper cyber threat intelligence side, which is chasing the bad guys, and, um, you know, it's some time to be in that actually, because all year it's been about Scattered Spider, and I look at,
you know, Salt Typhoon, who are Chinese, pretty much Chinese government, and then you've got all the geopolitical stuff going on and the interesting things that come out of, you know, attackers from Iran or Russia or wherever. Again, it's not just pure penetration testing, it's now hunting the hackers and understanding where they are and what they're doing. So yeah, a lot of these things are really great.
Sounds like a fascinating field. I've taken up a lot of your time though, Kev, and I have asked all my questions. So is there anything else you'd like to share with the audience? No, I absolutely loved it. Thanks for inviting me on. Well, thank you for coming on. Yeah, I mean, I haven't been much of a coder until the last wee while, but I'm really...
hugely getting into Python. I think it was probably AI that started me off on that, but now I've realized all the weaknesses that are there and how valuable Python and shell scripting and, you know, even COBOL and things like that are. The first thing I learned was back in 1988 at college, where we had a VMS mainframe, which was absolutely ancient, even at the time. And it was Fortran and it was COBOL
and then a little bit of Pascal. So things change, but at the end of the day, you still need code. So, yeah, it's been really interesting. So thanks for inviting me on. I really enjoyed it. Awesome. Thank you, Kev. Appreciate the time. No worries.
