We are joined by Kenneth Bechtel and discuss this interesting phenomenon we’re experiencing where we’re short on information security professional talent, but somehow good security professionals are struggling to find jobs.
Protect Your Organization from Cybersecurity Threats
SecurityStudio help information security leaders at organizations ensure they’re protected against cybersecurity threats, stay insurable, and legally defensible with our risk assessment and risk management software. Schedule a demo to learn how we can help.
Podcast Transcription:
[00:00:22] Evan Francen: Hey Unsecurity podcast listeners, this is episode 54 the date is november 18th 2019. I’m Evan Francen and it’s uh, it’s my show this week joining me as usual is Brad Nigh. Brad’s here with me now. Say hi Brad.
[00:00:39] Brad Nigh: Hi, good morning Evan, how are you? Good. How are you?
[00:00:43] Evan Francen: I’m doing all right. We got a good show today. We’ve got uh, well, you and I, we’re gonna catch up. I’ve been on this security studio roadshow for it seems like ever, but I’m loving it. And uh, you know, lots of stories to share. I know you’ve been busy with a bunch of things and we’ll get to kind of some of that stuff that’ll be fun. And then I want to get real, we have a we have a guest and I’m going to introduce him after you. And I catch up. We’ve got Kenneth Bethel joining us in today’s podcast. Uh, you’re gonna get to know ken, uh and then we’re gonna talk about just kind of his cool past his cool history. Uh, a lot of the wisdom, he’s going to share it. But then he’s also having this, we have this issue, we have a talent shortage problem supposedly yet. He’s not the first person who’s come to me or brought it to my attention that he’s having trouble finding a job. So let’s let’s dig in on that stuff. Uh And then we’ll talk uh I have this idea for a kind of add to our show. I think it would be fun. It sets us apart, we’ll talk about that and then we’ll get into the news.
[00:01:48] Brad Nigh: Sounds good.
[00:01:49] Evan Francen: All right. So what you been up to
[00:01:51] Brad Nigh: uh stuff, what would you say you do? I don’t know. Uh Yeah you do you do stuff I’ve been doing. I got a lot of, you know the sales support the 2020 planning the business side of things. Which is different for me. It’s not, you know, I think we talked about it or we talked about it a little bit where it’s a security is going to come second nature to us and the business side of it is like okay that’s different. This is hard but they have been doing that. I was spoke on thursday. Yeah thursday at uh event on like I. R. D. R. Around cloud vendors and you know what should you do and got a lot of like the white eyes and yeah, no, I’m not doing any of that. So
[00:02:38] Evan Francen: Well there’s 70% of the rest of America.
[00:02:41] Brad Nigh: Yeah the fun part was then all the vendors that went up after me because I was the first speaker is they all were like and security and looked right at me so it was kind of fun and
[00:02:53] Evan Francen: buy our stuff by our stuff. They
[00:02:55] Brad Nigh: were all very don’t worry, nervous, don’t worry about tool crawl, just keep buying our stuff. Well, I did have the trifecta. I texted you 11 person said were the easy button with AI and machine learning all in one sense.
[00:03:10] Evan Francen: I just it’s incredible. I
[00:03:13] Brad Nigh: yeah, almost had to get up
[00:03:15] Evan Francen: and walk out. So I know I know who that vendor is and I won’t out them because we that’s not what we do. We don’t there is no easy button no in your AI probably isn’t a I right. What was the other 1? Machine learning OK, sure good. All right. So by some of that stuff and make all your security problems go away. Yeah. Why was ana I was all over the place last week I was in Rochester new york working with a client there. You know who this client is? Um This is great. Uh Ryan Abraham, the first time he’s worked here for worked at fr secure for 2.5 years. This is the first time he and I got a chance to to work together. Have you ever had a chance to do anything with Ryan? Okay. Isn’t he awesome. I had so much fun. He’s got such a great attitude and he’s, you know, he works, he’s a hard worker but that was good. Um just I don’t know what we did, what we do. Uh project a couple of projects like 34 projects wrapped into one, A Custom Methodology on one. They want to take that custom methodology and make it known to kind of all of their peers they belong to appear. Yeah. Which, you know, is good for business. It gets people on the same page, you know? Um, had some good barbecue into dinosaur. That is good. Yeah, best ribs so far on the security studio roadshow. Came back on Tuesday night, so I was out on sunday, flew back Tuesday night late, um, was back on the road again on Wednesday to Kansas city. Talk about good barbecue.
[00:04:56] Brad Nigh: That’s that’s a good place to go for barbecue.
[00:04:59] Evan Francen: Yeah, we went to Q- 39, that was a rental car. Bus driver told us to go to Q 30. Okay, so it was pretty good. And then, um, talked at the greater Kansas city, I saca chapter meeting at the University of Kansas. That was really cool. Um, we’ll just talk about security stuff, made really good friends. I called them out on the security studio roadshow, recap that I write every week, which is on my blog, if anybody’s interested. Um, then it was off to sacramento in. Sacramento was the first Time on this road show. I’ve given 20 ish talks on these things, these basics, these fundamentalist, these simple things about security and uh, first time I ran into somebody who was um, I don’t know, man. I’m trying to think of a politically correct word. It’s first time I ran into a snag, I guess.
[00:05:55] Brad Nigh: Uh, trying to think of the right word for it too, right?
[00:05:59] Evan Francen: Yeah. You and I were talking about before the show, uh, but he was the epitome of what’s wrong in our industry, I think, uh, where he was the smartest guy in the room and he wanted everybody to know it and his ego is not going to let him down. Uh and so what it ended up being is, and I like sharing opinions. There’s a time and a place to do that, and if you’re wasting people’s time, that’s not the place to share it. Uh but he was so, I called him out actually in the talk, which is the first time I’ve ever done that, you know, because he had another point to make and I said, what? That you’re the most uh you’re the smartest guy in the room and then the whole room went quiet. Uh but whatever,
[00:06:42] Brad Nigh: it was good. I know it had to feel good a little bit too to kind of just shut them down
[00:06:50] Evan Francen: and afterwards, john was like, that guy was an asshole. I’m like, well, you know, we run into them, It happens in our industry, so that’s good. It’s good to be back this week. I’m back on the road again to Kansas city tomorrow and then I’ll be in Orange County speaking at Webster University, which is a joint seminar with uh Misaka esa and a wasp, wow! Yeah, that’s cool. Yeah, the weather does not suck in California.
[00:07:20] Brad Nigh: Yeah, I bet it will be warm here. So we like right around 40, that’s not warm
[00:07:26] Evan Francen: that’s not warm breath. Mhm. All right, so the security studio roadshow is going really well, we’re getting a lot of people, the word is spreading. Uh if you don’t know about the security studio roadshow, uh you can check out my blog Evan francine dot com and you’ll see it posted there. But really it’s about getting everybody on the same page. It’s about um can it finding our common ground with information, security, not finding the perfect ground, but finding the common ground and uh you know, benefiting the business from that common ground. So it’s working well, that’s good. All right, so enough of that, what else do you have to add? What are you doing this week? Um
[00:08:06] Brad Nigh: You don’t even know what I’ve been doing I our stuff and helping out really cool because we’ll talk to the kids we actually found and grabbed Medusa locker off of a machine. So that was the first time we’ve seen that it’s exciting.
[00:08:20] Evan Francen: Our guests will be able to give us some good insight on that. Speaking of our guest joining us this week and I’m excited to talk to him because uh one He’s super credible, you know, I know him from B sides week, one of the security studio roadshow john and I traveled out to Harrisburg pennsylvania, which is the capital of pennsylvania by the way, middle part of the state. Uh, and spoke at B sides and I spoke in the, in the afternoon morning, mid morning session and the keynote was given by this guy with a cowboy hat on. I’m like, who is this guy? And he’s talking about, you know, information security back in, I mean even back in the eighties, nineties and he’s talking about, you know, viruses and threat hunting and all this cool stuff. And I’m like, I got to talk to this guy. So after he gave his keynote, I walked up to him and just, you know, struck up a conversation. Uh, and his name is ken petrol. So ken you want to say hi, Yeah,
[00:09:27] Ken Bechtel: hi. Uh, thanks for having me on. Yeah, excited to do this.
[00:09:33] Evan Francen: Yeah, I am too. I’m excited to talk about, you know, kind of your, your past share some of your wisdom. Some of the things that you’ve seen from the old days. And I say the old days, our industry is not that old.
[00:09:46] Ken Bechtel: Uh huh depends on who you talked information security as we know it. 45-50 years old at the
[00:09:57] Evan Francen: oldest. Right. And when did, when did you get started in? Information security,
[00:10:03] Ken Bechtel: 1984.
[00:10:05] Evan Francen: All right. So I was right. The 80s. Yeah. So tell me, how did you get started?
[00:10:13] Ken Bechtel: Well, that that’s why I’m chuckling here. It was, yeah, it was kind of a funny thing. I mean, okay, that was back in the days when Apple two E. S were big. Uh, TRS eighty’s were big. IBM PCS still booted off of a single sided 180 k five and a quarter inch floppy diskette. Um, I just graduated uh advanced individual training. It uh in the army has an intel analyst. I was assigned as a driver for a Division G2 operations team. And uh, hey, private doctor, you know about these computer things. Right. Yes, sir. You actually know how to program them? Yes, sir. Good. You’re the automation security. NCL Nice. Uh Sir, I’m a private. I’m not an N. C. O. You’re enacting NGO now help getting well right up the policies on these things and I like to say it’s been downhill been
[00:11:25] Evan Francen: down. So it’s Bechtel, it’s not petrol, correct, correct.
[00:11:32] Ken Bechtel: My apologies. And uh, no worries. Do you answer to just about anything except for late for dinner?
[00:11:39] Evan Francen: Yeah. And what do you call yourself? Do you prefer to be called Kenneth or ken?
[00:11:45] Ken Bechtel: I prefer 10. Okay.
[00:11:48] Evan Francen: All right. So you started to
[00:11:49] Ken Bechtel: leave the formal stuff from the legal beagles?
[00:11:51] Evan Francen: Oh yeah, I suppose you’ve probably had some experience with that
[00:11:55] Ken Bechtel: over the years more than I can prepare to count. Right.
[00:12:02] Evan Francen: All right. So you get your you started your career in the 80 for uh kind of you were the last for whatever reason. And I think a lot of us back then and I wasn’t insecurity back then. I was in What was I high school? But I remember the effort, but I do remember the Apple two and I do remember, you know, programming on the Apple
[00:12:23] Brad Nigh: two. I do remember the five and a quarter inch floppy. Oh
[00:12:27] Ken Bechtel: yeah.
[00:12:28] Evan Francen: So remember some of that stuff and then, but I stumbled. I got into security because I was the guy in the warehouse who understood pcs better than anybody else. And so they kind of nominated me to, yeah, that was, I mean everything else is history now. So you, you, when did you get out of the army?
[00:12:50] Ken Bechtel: I got out of the army in 93. Um, and you know that, that was really when I started, um, because it’s additional duties as assigned in the army. I learned about these things called computer viruses in 88 and I’m like, that’s going to bite us in the back side and started tearing into them. And in 93 I got out, I was just divorced single father and I’m looking at my skill set saying what can I leverage to put food on the table and take care of my baby girl. Uh huh. I looked and I saw that computer security, computer sport was a big thing. Yeah. On the horizon. Um, it was not a big thing then. Um, and I hate to say it, but here in central pennsylvania, we’re still way behind the eight ball when it comes to security awareness and security efforts. And I think you saw that when you were out here for B sides um started working with some companies doing pc support and desktop side support at the same time continuing to do independent research on to these viruses once trojans and things like that interacting with some really cool and interesting people. Yeah.
[00:14:16] Evan Francen: In this industry. Never.
[00:14:23] Ken Bechtel: All right. So it seems everybody in the industry that at some level of functioning alcoholic at least after hours, right. More work gets done around the bar table than it does in the office room.
[00:14:35] Evan Francen: Yeah. Well, and I could and I was in that same boat. I mean I quit drinking. Yeah. How many years, 18 years ago? For that reason it just got you didn’t get it wasn’t pretty so uh what was now can do you recall your for the first virus you ever saw?
[00:14:55] Ken Bechtel: Yeah, it was actually dark Avenger. Um Like I said I was working in the army, I was running an emergency operation center. Um and I just read about these uh things called computer viruses. So I’d take a box of biscuits and there was a thriving black market in Korea at the time. You take the just get downtown to the vendor and it was a dollar disk to get duplicated. Didn’t matter what program you’re putting on was a dollar disk. Uh So you can pay a dollar and get Norton disk doctor, you can pay $5 and get um Harvard graphics because it was on five biscuits, stuff like that. So what I would do is I go downtown.
[00:15:47] Evan Francen: Sorry I’m sorry Windows 95 would be $26.
[00:15:51] Ken Bechtel: Yeah. Yeah. I mean I mean when you look back at it, I mean yeah our whole Os was in 1 80 K. And today 1 80 K. You can’t write a program that small. Uh But so I was going downtown and I was buying these biscuits and I was trying to, you know, we didn’t have quote unquote spare pcs but I was using debug to go through some of the different execute a bles and such and trying to find something, anything that I could look at boot records. Um Use the uh Norton disk doctor too analyze the disk and files and stuff like that. And the one day one of the other NCS on the team, hey ken you gotta look at this uh computer, I think something’s going wrong. Um And I look and you can see the classic symptoms of dark Venturers files are being Wiped out the heart. The diskette drive, just continuous chatter of the whole nine yards. So we turned off the computer um we happen to have a copy from uh see see to mug which was a. D. O. D. Software library of shareware booted up clean ran mcafee scan there verified that it was actually dark Avenger. Use another um uh what was that? It was another antivirus software product at the time that would actually clean and we cleaned up dark Avenger and then uh I took the execute Herbal, he happened to be playing Tetris. I remember that will and uh started turning out apart to find out what it did, how it did it and why it did it.
[00:17:59] Evan Francen: Okay. And this was 88.
[00:18:03] Ken Bechtel: Um This would have been 89. Okay early 90. Yeah it would have been closer to early 90 because I wasn’t long afterwards that I was rotated back stateside. Okay.
[00:18:18] Evan Francen: And then uh so then in the in the army was that kind of your job was to support Pcs and and uh you know make sure that they’re functioning which part of that would be you know, hunting down these viruses and making them
[00:18:33] Ken Bechtel: getting rid of. That was an additional duty as assigned because I knew all these computer things and oh you were the automation security into back there. Okay we’ll let you do that again here and it just kind of follows you once you get that kind of expertise um actually wound up writing my first paper while I was in the army because you know we had we had a lot of. Okay. Mhm ignorant individuals. Um And I’m saying ignorant in the uh typical um in the traditional manner, lack of education.
[00:19:16] Evan Francen: We don’t have any of those anymore.
[00:19:18] Ken Bechtel: Well it wasn’t that they were ignorant on purpose. They just there wasn’t any educational material on this stuff at that time. Right. So I wrote up a small white paper what our computer viruses um and pretty much was the definition sheep, What’s the virus? What’s a worm, what’s a trojan and some of the best ways to protect against them and what to do if you ever suspect your machine of being infected with one. Um hm. 5th Infantry Division not um I was working at a brigade and that became one of the popular go to read items for everybody in the division. Get even got kicked up the line. But
[00:20:06] Evan Francen: do you still, do you still have that document?
[00:20:09] Ken Bechtel: I’ve got it somewhere. But is it accessible? I don’t know if you can have got those five and a quarter inch discuss
[00:20:15] Evan Francen: because if you do, if you do have it would be awesome to to read it and share it. You know the history of because we have in such a short period of time. We have such a fascinating history.
[00:20:29] Brad Nigh: Yeah. How far it’s come how quickly it is funny, you know, you mentioned the other duties as assigned, how many of us that have been around for, You know, 15 plus years before really. This became a big thing. That’s how people got into it. Just, well, yeah, I was the I played games and just kind of fell on me or I showed
[00:20:55] Evan Francen: up late time meeting. Yeah,
[00:20:57] Ken Bechtel: yeah. Unfortunately there’s still a lot of people that are getting into it just like that. Speaking with one young lady at B sides and she’s she mentioned how in my presentation I had said, you know, the early adopters were people that, you know, well you know how to run a virus scan. So you’re, you’re the corporate virus defense guy. She goes, I’m one of those people even today, I knew how to install virus scan. So I’m the automation security person and I want to learn more. It’s still happening, just not on as large of a scale as it was back in the day when we were actually unbeknownst to us building the foundations for what’s coming up today. Yeah,
[00:21:48] Evan Francen: Yeah, that’s cool. Well, one of the things I think the thing I admired the most about people that, you know, have been in this industry a long time is we understand the fundamentals of security better than I think many of the new crop kind of coming up through the ranks today. Uh because we were sort of forced to write, I started out as a network guy. I had to understand how networks work and then, you know, you take
[00:22:14] Brad Nigh: that Dragon
[00:22:15] Evan Francen: drop. No, no, it was it was all command line. Right. Uh And when computers only did what you told them to do and you had to tell them much more directly than
[00:22:27] Brad Nigh: today. Even now it’s like you type in the command or whatever you like. No I realized I had a single typo but do what I meant.
[00:22:36] Ken Bechtel: Right.
[00:22:37] Evan Francen: But so then what did you do? Uh Okay after after getting out of the army in 93 what where did you go from there?
[00:22:47] Ken Bechtel: Well I did go I worked for a large telephone company doing desktop sport until I could wound up working for bob bales over N. C. S. A. Which is went into KSA and is now labs a division of horizon. Um We were actually set up the first antivirus testing protocols and certifications um when um bob’s vision and I give credit for him and may he rest in peace for it. Um He wanted to be the underwriters laboratory of the cybersecurity world Because back in this was about 95 time frame. Um at one of our meetings he was saying look we’ve got all these firewalls coming out that are making these audacious claims. Your antivirus vendors are promising perfect support that never needs updated and those companies are no longer around me. I wonder why. Um
[00:23:59] Evan Francen: And so what what what what what was his name?
[00:24:02] Ken Bechtel: Bob bales
[00:24:03] Evan Francen: bob bales. We still have these problems today, don’t we? We
[00:24:08] Ken Bechtel: still do
[00:24:09] Brad Nigh: so as far as we’ve come with technology and what we can do these. Yeah fundamental issues still, they kind of kneecap us.
[00:24:20] Evan Francen: Well, what a pioneer Bob Bales must have been to recognize as far back as 90, the mid, too early nineties that we needed some sort of, you know, like, like he’s like you said underwriters Laboratory for security because we still need it today. We still have all these audacious
[00:24:39] Ken Bechtel: claims, uh, not to take away from anybody, but if um, there is potential, but there’s also, you know, a lot of baggage there that would interfere with with claims of independence and whatnot. And there’s other organizations that are in a similar boat that could have gone that way. But for one reason or another didn’t. And now they’ve they’ve got so much attachments and cross linking and contamination that there’s always going to be a question of are they truly independent or are they out there just to make the bucks? Right.
[00:25:22] Evan Francen: Yeah. The money grab.
[00:25:25] Ken Bechtel: I mean, we even heard it at, at one of the B sides presentations on, well, how do you know that your test hasn’t been paid for by the by the company? And a lot of times they are
[00:25:38] Evan Francen: all right. Yeah. How many studies do we see in our industry surveys, research that is sponsored by a product vendor?
[00:25:45] Brad Nigh: It’s pretty much all you see
[00:25:48] Evan Francen: right
[00:25:50] Ken Bechtel: in the end. And then you got a question, is it a legitimate independent unbiased survey or since they paid for it, did they get final, Let it and say let’s cut out those results because they don’t match our preconceived notions. So you’re always going to be questioning that as long as that is tests and those surveys are done by security organization.
[00:26:17] Evan Francen: Right. Right. So you worked with bob bales? Uh huh. And when did bob pass away?
[00:26:26] Ken Bechtel: Oh not too long ago, Maybe Maybe three years at the most. Maybe four. Kind of hard to say. I hate to say it. It seems to be running together a lot lately.
[00:26:38] Evan Francen: I’m feeling the
[00:26:40] Brad Nigh: same way as crazy. I just looked it up and there’s an immediate release from 95 where the N. C. S. A. Is selecting internet security systems internet scanner to help define testing criteria for ensuring internet firewalls live up to their promise. That’s really cool so far ahead at the
[00:26:57] Evan Francen: time. And no and bob bales is yeah it’s it’s too bad. He has passed away because he’s totally a person that I think I would get along with really well just based on what you said, you know,
[00:27:10] Ken Bechtel: bob was a great guy um very easy to talk with and while we had our disagreements from time to time um they were always professional and you know it was the discussion was never shouting and arguing match.
[00:27:28] Brad Nigh: That’s what you want.
[00:27:30] Ken Bechtel: Yeah exactly. I mean especially back then when there was no right answer, there was no foundation. Um you know uh it was not uncommon to have a room full of phds and room full of, uh, with drop high school dropouts and college dropouts, all sitting around the same table and respecting each other as peers and just throwing out ideas and discussing the merits of each idea. Got heated sometimes. Yeah, but at the end of the day,
[00:28:10] Brad Nigh: yeah, you leave the room and you go have a beer with them and it’s, you know, it’s all good.
[00:28:18] Ken Bechtel: Yeah, exactly.
[00:28:20] Evan Francen: Yeah. I wish I would have been in some of those rooms. So I, I do remember some of those discussions but they don’t happen like that
[00:28:28] Brad Nigh: much anymore. It’s
[00:28:28] Evan Francen: all online.
[00:28:30] Brad Nigh: Yes, that’s true. Anonymous behind nobody’s yeah, there’s a difference to with that right? With the sitting face to face to someone and having that discussion versus behind a screen.
[00:28:43] Ken Bechtel: Well, we did have, especially because we were so dispersed. We did have a lot of discussions in private email lists and um, even places like all virus on news. Net. Um, now comp virus was more of a snake pit because you never knew who was really there. But the mailing list were for the most part vetted. And uh, one of my more favorite uh, conversations to bring up was people don’t realize back in the day there was actually an argument. Um, we are anti virus vendors. Why should we detect trojans what is a trojan is delete dot com. A trojan. Should I detect it? And there was a month long debate in a mailing list on should anti virus products detect trojans or not. If one is going to detect it, that’s going to force the others into detecting them. Um, wow. So it was, I love looking back and reminiscing about the early days. The insists it’s times of the antivirus industry and being there, uh, sometimes as a bug on the wall, sometimes involved with the discussions, but just being there, it’s amazing to look back and see the, the pants that we’ve traveled. I mean, even back in those early days, believe it or not, there were people that were saying antivirus is dead because these signatures can’t will not be able to keep up with malware when it comes up in the future. Just have to change one bite and you’ve got a new virus. And this was a time when it took like six months for a virus to spread around the world big enough to be called in the wild Not love letter work took 30
[00:30:55] Evan Francen: seconds. I remember a love letter. That was a pain in the ass. All right. So what do you uh, so lots of things, you know, over the, over the time from 93 to kind of what you’re up to now. Tell me what what’s a I mean, what was your last gig? Let’s start there. What was the last thing you were doing? At least getting paid? I mean, not, I’m sure you’re doing other things.
[00:31:22] Ken Bechtel: Yeah I’m doing a lot of volunteer work but I’m also continuing to track the threats and do all that in a non paid basis because if I don’t keep up with the threats I’m gonna be left behind. Um My last paid job was with cyber adapt. Um I was kind of sort of a bridge between research and marketing. Um a lot of the stuff that we do in research um it’s a lot of technical mumbo jumbo to people outside the industry, even within uh the computer industry, you start talking things about replication and uh infection mechanisms and stuff like that in their eyes gloss over and roll back in their head. So um they wanted somebody that could take all that technical knowledge and information, put it into a way that the sales engineers, support engineers responders and even the marketing team can go out to customers, potential customers and the internet at large and say this is a threat that’s going on and this is what we’re doing to resolve it. Uh worked a lot with mapping things to the A. T. T. C. K. Matrix. Um help to do some editing and revision and prioritization of the detection als uh you know little bit of a jack of all trade um reverse on some of the major outbreaks um uh somewhat of a float if you would that’s an important thing. Well they got to the point that they realized that, you know, they needed more development team and quite frankly that’s something I can’t do, you know, yep, I mean 20 years ago I stopped coding because I was, I wasn’t needing that skill set right? Um now I can take like if you give me a PERL script or a python script, I can take them modify it, uh revise it, make it work with my environment or do some other things. But I’m not going to I’m not going to tell you I consider and write something In the next 30 minutes that that will get the job done. I can do some bash scripting um quick and dirty. I can do windows scripting quick and dirty just to get my job done. But uh you want me to write something on a development level? I’m sorry, I’m not the person for the job.
[00:34:12] Evan Francen: Yeah, I’m the same way. And I’ve always, I’ve always been a hack. I I’ve never been creative enough to be able to take an idea out of my brain and put it in the code other than just simple things.
[00:34:24] Brad Nigh: Just what a big one for me was power shell for Windows to make it do, do what I needed for the job. But you had to coding and dove just never appealed to me
[00:34:35] Evan Francen: what you need time. You need to dedicate your time to it. So I get that,
[00:34:42] Ken Bechtel: you know, I could and I probably could still do it if I needed to. But I wrote some kick butt batch scripts back in the day that almost came up to program level just so that we could say literally drop a zip file of infected files into a directory, run the batch file, it would be compressing, it would kick off the virus scan and then it was uh log the results, uh part of the results and put it into a format that we could process. Um Some of those some of those batch scripts contain a lot of weight and what ifs and houses and but you know again it’s not programming in my mind. Right. Right. Um And these guys really needed somebody that could focus more on the development side of the house uh and do some development. They just weren’t getting the value out of me that they were paying me. No hard feelings. It was a business decision and I think it was justifiable but at the same time it’s been kind of hard for seven months. I’m down to living off savings and debating do I sell something so I can pay this bill or do I pull out money from my 41 K. Plan? What’s my next step? Yeah. I mean
[00:36:24] Evan Francen: we’re going to get to that. I’d like to talk about, you know the job thing but one of the things I wanted to ask and I don’t know if I just interrupt you brad. But um is what what you’ve been around for a long time. We’ve seen a lot of people met, a lot of people can, uh, what advice would you have for somebody getting into this industry? You know, Do you, do you have some uh huh
[00:36:48] Ken Bechtel: Be flexible.
[00:36:49] Evan Francen: Be flexible. Yeah.
[00:36:51] Ken Bechtel: Um, always be learning. Uh, not just keeping your skills current and up to date, but have that curiosity to want to know why does something work the way it does never lose that. Uh, that’s, that’s the only way you’re going to to stay on top of things. And you know, you lose that curiosity, you lose that drive. Uh, you’re gonna fall behind real quick and I hate to say it, but you’re going to become stale and lose any any potential that you’ve had
[00:37:31] Brad Nigh: agree.
[00:37:31] Evan Francen: Yeah, I agree with that too. It’s that constant learning. And I think having that passion, that’s one of the things that I know we hire for here, uh, is finding people that have a passion for security or a passion for something that we can use in security because then they’ll stay motivated. They’ll continue to read the news that continue to tinker and
[00:37:54] Brad Nigh: right, yeah, we’ll get into it with the job hunting piece here. I don’t want to jump ahead too much.
[00:38:01] Ken Bechtel: So I’ll tell you what, that to me that was one of the biggest game changers in the antivirus are not just the antivirus, but the computer security world, um, back in, I’m going to put a line hardline just around 2003 Before 2003. 2001. 2000 and earlier, virus authors. Let’s face it. Virus authors, everybody looked down on the hackers. The the crackers. The free curs Yeah, they look down on, um, as having no skill, no talent. Uh, they’re they’re they’re worse than script kitties. There’s no challenge behind rating the viruses and most of the viruses and worm authors were there, I want to be the first to infect whatever platform I want to get a political message out and they were doing it just for fun. Um, 2003. Um, and then you had your Attackers, your hackers are precursors. They were exploiting vulnerabilities in systems. Um, sometimes just to get in and drop a text file saying hi, I was here just for the challenge to Yeah, go ahead.
[00:39:29] Evan Francen: No, I know I was, I remember that the first time I ever was, you know, a system that I was responsible for was compromised. It was from Romania and it was developed, it was another developer who had taken uh, it compromised our database server through a sequel injection attack and he emailed me to tell me, hey, this is what I did. This is where you can find me, this is how you secure it. You know, it was, it was so much more cooperative back then. It didn’t seem like it was so money motivated as it is today?
[00:40:07] Ken Bechtel: Well, you know, that’s just it in 2003, uh Dr. Sarah Gordon? Did a wonderful paper presented at virus bulletin uh concerning blended threats is what she was calling them. I remember pretty well. And that’s where you’re viruses and malware um are now going to start leveraging exploits. It’s not either exploit or malware, it’s combination. And about that time, we also started seeing the professional developers getting into it with the fall of the Berlin wall fall of the soviet union. All sudden you’ve got these high level, highly skilled programmers and developers that can’t put food on the table and organized crimes coming up on the same. How would you like to earn $50,000 for a day’s effort? Right? Yeah. It’s kind of hard to turn turn away from something like that. And sometimes it was the godfather choice. We’re gonna make you an offer you can’t refuse.
[00:41:20] Evan Francen: No, that makes sense. So that was kind of the birth time, you know, of Professional Attackers was, you know, the early 2000s when uh, I think everybody’s job, at least the defender’s job got a lot more difficult because of the skill levels of the Attackers got much better. Is that kind of what you’re saying? Can
[00:41:41] Ken Bechtel: Yeah, exactly. Nowadays you have entire research and development teens, they go out and they buy every commercial off the shelf antivirus product they can and test their new creation against it. Does it detect it? If it does, we go back to the drawing board, They put they put every bit, uh the effort to software development cycle that ourself for development houses do, Yeah, they have help desks, they have customized ransom, where, uh, it’s big business now. No, that’s very true. And that’s not even counting state actors,
[00:42:26] Evan Francen: right? Yeah. The nation state, that’s our job has gotten difficult. That’s for sure. And I think all the more reason for us to be on the same page on how we approach these problems, you know, going back to bob bales and the thing that I think that he was doing, you know, getting tools that are actually effective in doing what they are claimed to do because none of us have unlimited funds to just dump on things. We have to really be more focused. Um, well, let’s get into talking about you can and kind of what you’re currently doing. Let’s talk about this labor crunch thing. I mean, is it from your perspective, it doesn’t exist, right?
[00:43:10] Ken Bechtel: I’m not going to say it doesn’t exist. We do need talented skilled people. Um, and we need a lot of them. Right? Um, however, I don’t think my opinion is uh, a lot of it is self inflicted too. Um, I mean they’re getting these kids coming out of universities with masters and phds and they don’t understand the context of things? Uh, well why do why do login screens no longer say welcome and log in? Well, that goes back to the 80s when a hacker successfully defended himself saying, well, it said welcome. So I thought they were welcoming to try and he got his freedom that way. If you don’t understand these complex context issues, how are you going to defend against them now or in the future? Um to them malware research? Well, anybody that’s guy master’s degree knows how to reverse engineer and run IDA pro and can tell me if it’s malicious software. Well, there’s more to malware research than malware classification, right? There’s context ng um and I I’m rather I don’t like where we have to two a sign. Uh huh. Well this is the group that’s doing it. I don’t like to attribute to people or organizations Nine times out of 10. The company that’s under attack doesn’t care much who is attacking them. They just want the attack to stop. Yeah, let the company, you know, do some research on back end after we got it resolved, then we’ll figure out context and trying trying to sign it a value and say, okay, well it’s a nation state and that’s why we’re being attacked or it was just straight up criminal activity. Um there’s a lot of people trying to make big money off of attributing and you know, it’s too easy to spoof somebody else’s identity and make it look like, you know, there’s even a gag running around in the cybersecurity industry. The attribute uh randomizer uh roll one dice north Korea. It has north Korea, Russia china, Every actor that you normally associated with. And the 2nd dose is why.
[00:45:58] Evan Francen: Well attribution is always, I mean, I’ve done,
[00:46:00] Brad Nigh: we probably always say just don’t expect if we can find it at a bonus, but there’s just don’t expect it, but most people don’t have logs anyway, so it doesn’t matter.
[00:46:09] Evan Francen: We’ve done hundreds of hundreds of incident responses and attribution is what are you going to do? Even if you do find out who are Right, right, you’re gonna press charges against uh the guy. Right, Good luck.
[00:46:25] Ken Bechtel: And then uh going down even that rabbit hole even further. I mean there’s a lot of people that still, you know, they don’t see the malware as set in a threat hunting as a specific career path. Um They see it either as an add on or Yeah, something nice to do or? Well, g he knows how to run a d bugger. Yes, he can do the reversing Well, it’s nice to be a reverse engineer, but are you doing actual malware research? Are you doing actual um threat hunting to that? And the actual answer nine times out of 10 is going to be no. And then, you know, let’s look at some of these job descriptions that come out, I want, I want 10 years experience in Windows widget washing. Well Windows widget watching is only two year old technology. How the heck are you gonna get 10 years out of that? Right. Um There was one job that I applied for and I won’t name the company but talking with I think five different headhunters contacted me on this same job and virtually everyone said the same thing. This What they want is three people they want a developer, they want to reverse engineer and they want to they want to threaten modeler but they’re putting it all into one person. They’re paying. I want to say it was like $52,000. Or and not only were you supposed to be able to reverse engineer the threats and identify the threat. But then you were supposed to develop tools for and um shit the prototypes to development for further uh review plus develop a web front end and back end for the database
[00:48:37] Brad Nigh: For $50,000. I think a lot of the issue you’re kind of hitting it on the head is that companies don’t know still. And so you know, they’re like oh entry level job but you have to have a C. I. S. P. Wait a minute. That’s that requires at least five years of experience. How can you, there’s a disconnect I think from from HR into um where you know what what’s actually needed a lot of times?
[00:49:07] Ken Bechtel: Well dead on that on. There is a major and part of it is our own fault. Yeah, because we don’t have a standardized job description, uh, even though we’re a young industry were still in flux. Um, what is a malware analyst to you is not a malware analyst to me, what is a um,
[00:49:33] Evan Francen: it’s almost like it’s almost like we’re not speaking the same language.
[00:49:36] Brad Nigh: Exactly, yeah,
[00:49:38] Ken Bechtel: cybersecurity management teeth two company X is a C I S S A C I S O for cyber for company why? Uh there is no standardization um many HR teams think that every cyber position has to no coding and it’s like why if you never use it? Uh you know, and you know, there’s don’t get me started on the lack of hardware understanding.
[00:50:11] Brad Nigh: Oh my gosh. Yeah.
[00:50:13] Ken Bechtel: So I mean, I mean I’ve run cat five cable. I know the difference between a chatty nick and a failing nick and general network traffic. But you ask these malware analysts that are being grown or these um, masters with cybersecurity and they’re like hardware. Yeah, hardware.
[00:50:35] Evan Francen: Right? Yeah. I started my Children, two of them that are, you know, show propensity for security, started them actually in electronics, learn how circuitry works, learn how things get put together because the circuitry just sit there and won’t do anything until you learn how to just program it, you know, it does what you tell it to do and you don’t have to be a programmer to, you know, to do some, you know, some simple logic.
[00:50:58] Brad Nigh: So I got a question, I mean, just looking at your linked in what are the types of responses you’re getting from companies that, you know, when they’re there letting you down.
[00:51:10] Ken Bechtel: It, that’s the worst part of it. nine times out of 10, I’m getting zero response at all. I’ve applied for over 200 positions. I’ve gotten maybe 20 uh, callbacks and interviews. Um, and then, you know, you’ll go down through the line of a bunch of them. And then also, yeah, you’re, you’re great. You’re just what we want. Uh, Oh, I’m going to reschedule your interview for next week. Next week comes. Just send a follow up email. Nothing. You try and get him on the phone, you go straight to voicemail.
[00:51:52] Evan Francen: Yeah, it’s 200 positions with the
[00:51:55] Brad Nigh: crazy. Well, so I’m sort of feeling a little bit of like, so when I was looking to move up to the twin cities areas, I did Not 200, but probably two dozen interviews and a lot of phone interviews in person and they went where I thought we went really well would leave with, hey, yeah, this is, it seems like it’s a great fit and then just some random excuse. I got a bunch of, you know, you’re not local already or things like that, luckily Evan and Kevin didn’t, didn’t take that. But uh, uh, you know, I think I’ve gotten good,
[00:52:36] Ken Bechtel: I’ve gotten quite a lot of that. I’ve gotten, well, if you moved to Maryland Virginia Dallas and quite frankly, yes, I know my location is not an ideal for a lot of people. Um, I understand that I was expecting to lose interest from several companies for that, but it seemed like a year, two years ago. There is a lot more openness to remote work this time around. There has not been that openness to, which
[00:53:11] Brad Nigh: Is insane because you can do 99.9% of everything that needs to be done remotely.
[00:53:18] Ken Bechtel: Well, that’s what I keep saying. Um, and then there had been a few that I’ve talked to through back channels and they have said point blank, uh, to me, hey, look, the hiring team looked at your resume. I’m not afraid they can’t afford you. That
[00:53:36] Brad Nigh: was exactly where I was going to go next is, is looking at it and be like, I’d love to have this guy, but I don’t know if there’s any way I could afford him.
[00:53:47] Ken Bechtel: Well, let me, let me point blank say I’m remarkably affordable. I’m not looking to be rich. I’ve got friends that have quite literally made millions off of this. Uh, some of them are actually retired at this point. Um, I’m not looking for that. I’ve always been traditionally underpaid for my skills and as long as I can pay my bills and take care of my family. It doesn’t matter to me. I’m not looking to be Part of the .5% or whatever The number is today, I’m doing this, I wouldn’t be doing it for 30 plus years if I didn’t have the passion and the drive for um for sure the money to me, you know, it’s a necessity evil because I gotta pay my bills to
[00:54:39] Evan Francen: right. Exactly. I’m the same way I give away free stuff all the time here. Another business people don’t like me do it. Like Evan, we have to pay people salaries. I’m like, yeah, I guess
[00:54:52] Ken Bechtel: that’s
[00:54:54] Evan Francen: true. Uh well, let’s we’re coming up on, we’re coming up on time. So I think a couple of things I’d like to do, ken, I’d like to have you on the show again because I’d like to stay in touch and I’d like to explore this topic more. I feel like we didn’t get enough into kind of the challenges of getting uh a job right now. But I
[00:55:17] Ken Bechtel: hate to say it, this is such a complex issue. I mean, I did a I did a nice little article on linkedin on the challenges I’ve encountered and that people have talked to me since I started logging my adventure in finding a job. Um There there’s some many complex issues I don’t think we could get discussed in 51 hour shows. Uh I mean it’s complex, but yeah, I would love to be back.
[00:55:51] Evan Francen: Yeah, I think so because at least in this show we we gave an introduction to who you are, and for people online that want to follow ken on linkedin, it’s D E C H T E L Bechtel uh follow ken if you have a position, help ken. Uh but we’re all in this together. I mean, I’m
[00:56:11] Brad Nigh: well and and here’s the thing, like, he’s kind of touched on, like, I think companies are looking for cheaper younger, but there is a there that expertise in that experience that you just can’t fake right? Like, we’re looking for some senior people to help train the next group, right? That tribal knowledge, that experience of being in the trenches, you cannot fake that you can’t rush it. And just there’s only one way to get it
[00:56:41] Evan Francen: well, and, you
[00:56:42] Ken Bechtel: know, and something you brought up earlier on that, I mean, you were mentioning egos, Yeah, I mean, yeah, do your job, you’ve got to have enough of an ego to be confident in yourself, your skill set, but you can’t let your ego get in the way of training the next generation or learning from them as well.
[00:57:07] Brad Nigh: Absolutely,
[00:57:08] Evan Francen: very true. Well, let’s get uh and I hate cutting this short, but because I do want to, because I do want to talk more, but I think um I’d like to get you on another show in the next couple of weeks, I know, next week we’ve got uh you know, maybe somebody planned, but wherever we can get you in again, ken, because I want to talk more. I love your approach. I love your wisdom in this industry. We can all learn so much from, you know, kind of your path that you’ve taken. Um
[00:57:39] Brad Nigh: I want to, I’ll be honest, I want to geek out a little bit more. Yeah. Get a little more technical.
[00:57:45] Evan Francen: Yeah, for sure. And I think some of our listeners want that too. Right. We’ve we’ve heard some of our listeners want to get more technical. All right, well, let’s do this. So follow, ken, on, linked in, connect with them if you know something even just to keep up on this. Uh again, B E C H T E O. Let’s get to some news quick before we wrap this thing up. Um First is this is a story from Brian Krebs, one of my sort of favorite authors. But then, you know, he did some things that kind of ticked me off, but that’s a whole nother
[00:58:22] Brad Nigh: I think the research is still solid.
[00:58:24] Evan Francen: The research is still solid. He’s a very good investigative journalist. This is a story from, So it’s on Krebs on security. This is from the 7th and it’s a study says, ransomware data breaches at hospitals tied to uptick in fatal heart attacks. Yeah,
[00:58:43] Brad Nigh: I mean, you weren’t warned, well, you said this in 2000. When was your last predictions? Was that in 17 or early
[00:58:51] Evan Francen: 18, 17?
[00:58:52] Brad Nigh: He said it’s going to be deaths this year and it looks like, you know, you’re off Well or the they just hadn’t come up with the studies yet. But yeah, as many as 36 additional deaths per 10,000 heart attacks. And that care centers have experienced breach. Took an additional 2.7 minutes for suspected heart attack patients to receive an electrocardiogram. And it doesn’t sound like much, but I mean,
[00:59:19] Evan Francen: unless it’s your
[00:59:20] Brad Nigh: father, right? A family member that I’ve got. Yeah, people that have had it in seconds count not. I mean three minutes is an eternity when that happens.
[00:59:30] Evan Francen: Well, it’s only gonna get worse. Right? You have equipment now equipment that it’s hardware in people’s bodies that do things and they only do things that they’ve been programmed to do in programs have program them with Bluetooth programmes have bugs, right? And vulnerabilities. And I can only imagine, ken, what do you think about ransomware? I mean holding somebody’s defibrillator as ransom.
[00:59:59] Ken Bechtel: Yeah. You know, software is written by humans and all humans fail. Um, we all have flaws as heard as we try not to. So if we all have flaws. The software, we’re gonna write is gonna have flaws. Um, Holy, you know, I’m a big component of do not pay the ransom because you’re only encouraging negative behavior, but when we’re talking to somebody’s life literally with a pacemaker. My father had one good friend of mine has one, I’d be hard pressed to tell you not to pay the ransom that yeah, when we’re talking about somebody’s life here.
[01:00:46] Evan Francen: Well these are professional Attackers and Attackers know that they’ve always capitalized on our flaws as human beings. Uh and they’re in it for the money. Right? What’s the return on investment of attacking, you know, medtronic device knowing that you’re probably going to pay because you know, and what insurance are you going to get to cover that?
[01:01:09] Brad Nigh: Yeah, that was a whole can of worms
[01:01:13] Evan Francen: risk insurance isn’t gonna cover your dead
[01:01:16] Brad Nigh: father. Right. Well, but then what does that come? You know, was the company’s liability for putting out a device to everybody. They’re going to face class action and just get hammered. It’s just gonna snowball. It’s a problem. Like same with Iot saying it’s kind of sort of the same thing. It’s a rush to get it out with no real thought around security and updates and all the fundamentals is just get the first market so you can grab that cash. It’s a
[01:01:43] Evan Francen: scary scary path Ron I don’t know what the end game is on that. But Uh you know Ken What Ken said is completely 100% true. Anything that’s developed by human being will have flaws period
[01:01:58] Brad Nigh: Ai isn’t the answer,
[01:01:59] Evan Francen: including I was going to say including a I a human being developed a i it’s going to have flaws and then I’ve heard, you know, people say, well you just make an ai to fix the ai and like well that a I also was developing humans. I mean it’s like every for every problem we solve, We create two more. It’s bad, whatever. I’ll be retired before too long I hope. And you know, being the caribbean. Well, let I don’t know what to do man somewhere I gotta run. Alright, well that’s it. The other news that we have is Git hub launches a new lab to tackle open source security. Get hub. I applaud them on that. I’m not going to go into that story. Uh Then Apple fires employee after he text customer customers pick or picture to his own phone. It’s not your data, so you taking somebody else’s.
[01:02:55] Brad Nigh: I mean we’ve seen that. It’s not excuse me not just this, I mean we’ve seen it with other big name companies that offer in store support where people have taken things they’re not supposed to. I mean, you know, pay the best and right, you’re probably not gonna get the most that people
[01:03:17] Evan Francen: should ask people first. Alright, so closing uh Okay, episode 50 for this one. It’s a wrap. Uh Thank you again, ken for being on our show, we’re going to have you on again,
[01:03:32] Ken Bechtel: you know, thank you for having me.
[01:03:34] Evan Francen: I think our discussion, you know, definitely benefits our listeners and uh just like you said, it’s a complex issue and I’d like to dig in more. I enjoyed talking with you too, That’s just an added benefit. Uh
[01:03:49] Brad Nigh: This was fun.
[01:03:49] Evan Francen: Yeah, and thank you to our listeners. Keep the questions and feedback coming. We do love it. Well, at least brad. I think you do. I don’t actually read people’s emails because
[01:04:00] Brad Nigh: I’ve actually been logging in and checking what I know. I finally remembered the book market so I would not forget it be like three weeks like, oh, I should probably check
[01:04:09] Evan Francen: uh send us things uh to email or by email to un security at proton mail dot com. If you’re the social type socialize with us on twitter, I’m at Evan francine and brad’s at brad ni ken. Do you have a way you want people to socialize with you?
[01:04:27] Ken Bechtel: Um They’re welcome to link up with me at uh on the length in um Team antivirus. I’ve had that on the Internet for 20 years as of September. Um that’s T E A M A N T dash virus dot org. Um Welcome to send me an email there as well. Uh awesome. And just look ken, Bechtel and virus. Antivirus. You’ll find me. I’m out there.
[01:05:00] Evan Francen: When did you see? Did you see the picture I took off your website?
[01:05:04] Ken Bechtel: Yeah, I gotta update. I have got to update the website. My goodness. I love it.
[01:05:11] Evan Francen: Alright, we didn’t even get to talk about your cowboy hat, we’re going to do that next time to. Alright, we’ll have a great week ken. We’ll be in touch, sir.
[01:05:22] Ken Bechtel: All right, sir. Thank you.