WE'RE IN!

Hudney Piquant on Pentesting, Staying Ahead of Adversaries and a Cyber “Sixth Sense”

Episode Summary

Hudney Piquant kicked off his cybersecurity career working for a startup out of a garage in Michigan. He has since uncovered critical vulnerabilities as a Synack Red Team member, joined Synack full time as a solutions architect and been honored with a Most Inspiring Up And Comer award by CyberScoop last fall. Tune into the latest episode of WE’RE IN! to hear Hudney share his insights into getting started with the Synack Red Team, the importance of mentorship in the cybersecurity community and his “sixth sense” that helps him to find creative workarounds for tough security challenges.

Episode Notes


---------

More topics covered in the podcast:

* Why we haven’t seen the last of the blockbuster Log4j vulnerability 

* The importance of applying an adversary’s perspective on your networks

* How to build trust among professionals skeptical of ethical hackers

Episode Transcription

 

Blake: [00:00:00] Thank you, Hudney, for being on the show. We really appreciate it.

Hudney: Oh yeah, no problem. I'm always glad to be a part of anything dealing with cyber and Synack.

Blake: Of course, of course. And I, I know, you know, cybersecurity is such a high stakes industry. It can get pretty intense at times, down to the wire. I was curious if you have methods for de-stressing or how you deal with such a really difficult, at times, job description.

Hudney: Yeah. Actually, when I talk to people, it is a common thing. Um, I literally had somebody ask me the other day, like, how do you deal with managing all these different things and keeping up because it's always ever changing. Um, For me, I guess I enjoy it, you know, I really like it. Uh, and I think doing it for so long, I feel like it it's like it's, it goes slower over time. So even though there's a lot of things, but it's like, for example, when you're driving a stick shift, you have to remember a lot of things, but then the more you do it, it just becomes second nature. [00:01:00] So with this, it's similar, you know, it, it becomes second nature where it's just, you just got kind of get used. I gotta learn something new. Oh, this new thing happened. I gotta keep up with the wild. Oh, something else happened.

Blake: I gotta be completely honest with you, I don't know how to drive a stick shift. I've tried and I've learned multiple times and there was one time I could get away with it, but now, so I don't know what that says about my cybersecurity skills. But sounds like, sounds like you've got the know how,

it's a good skill to have. Bella, do you, do you drive stick, if you don't mind me asking.

Bella: No, I think I've driven a stick shift vehicle. Um, once, so I have more practice with cybersecurity. At least that's i'll, I'll say that I feel more comfortable in the cybersecurity field than I do behind the wheel of a stick shift vehicle.

Blake: and I feel like it's such a, it, it can be a bit of a cliche, but I think it is true that, you know, sort of like traffic, cybersecurity, it just moves so fast. Things are constantly changing, kind of hitting at that ik with your, uh, uh, comments there [00:02:00] and how do you keep up, like how do you manage that, that constant stress.

Hudney: One thing I will say is though I do wake up early before everybody's up, okay. This kind of helps me get my day in order. So I don't like kind of rushing, um, to have just enough time to make it to somewhere to do something. Like, I like to have like two extra free hours just to kind of slow myself down, think about my day, what may happen.

So it kind of prepares me for when something crazy happens, it's like, okay, you know what? I expected it, it's cool. Um, I'm okay. You know, that's kind of how, that's my best strategy to, to have two hours before the day starts where everybody's kind of texting you, calling you all those kind of.

Bella: I feel like having worked with you and been on, like I think we've been on at least one like slightly stressful customer call. I am 0% surprised to hear you say that. Like I can very much imagine you as the person who like gets up early and has a super [00:03:00] zen morning and then is just like, all right, like nothing can touch me all day long.

I'm totally good. I've had my zen morning. We're good to go.

Hudney: That's funny. My zen morning. Yeah, I like

Blake: question I had is what do your days look like after these Zen Mornings? You know, what, what is a solutions architect? I mean, architect for the record is a really cool title. I feel like you add architect to something and it just sounds better. Like, I wish I could be called like editing architect or podcast architect.

That's, that's legit. So what does it mean? What do you do?

Hudney: Yeah, you know, as a solutions architect, um, you know, there's a lot of different, you know, ways that you can look at it. Um, but the best way to look at it is that, you know, there's organizations, there's these enterprises, and they have, you know, assets, they have assets that need to be protected. And in my space here at Synack as a solutions architect, my job is to help them harden those assets, protect those assets at all times.

Um, but actually the bigger picture even is, um, [00:04:00] obviously we're protecting those assets from adversaries, but I even tell 'em like, this is not gonna be like a hundred percent, the goal is to get the adversary to be annoyed by your environment, how hardened it is. It's gonna annoy them so much that they're gonna go to somebody else.

Now, I don't wish. I don't wish that, but I just don't want it to be my customers.

Bella: So your customers are like coming to you as the security, telling them, like, here are the areas that you need to focus on in order to, you know, like you said, be so secure that, so secure that the, the hackers are not interested, they're going somewhere else. Um, how did you, like, how did you become that security expert?

How did you get into cybersecurity and then get to where you are now in this job?

Hudney: Yeah, how I got to cybersecurity. Um, I actually started in the IT space with doing help desk and honestly, I think that's one of the best ways to start, to start from the bottom and moving up because you have a better understanding [00:05:00] of the whole picture. um, dealing with dealing with individuals, um, and you know, back in the, so from IT help desk, went to networking, did that, um, and then in 2009, uh, is when I really did cybersecurity.

But back in that time, it just wasn't a popular thing. Um, you know, you would go to tell someone that they need to be secure and it's like, well, my networking is good. Like, why do I need security? Like, you don't make me money. . Um, I, I, I don't have money to spend on security, so it was really challenging in some sense, you know?

But I started actually in a garage. Literally started in a garage. Uh, I'll never forget when I, you know, when I got the job, they said, uh, I just wanna make sure you're okay with working in a garage. Like, what you talking about?

Blake: You, you wound up in a garage. Who, like, how does that happen?

Hudney: Yeah, it was, it was, it was a startup, you know. Uh, but I loved it. Honestly. I just remember them asking if I had a. [00:06:00] A jacket. What? What's

Blake: was this now? Hold on. Garage. Working cyber out of a garage. That's, uh, this isn't a garage band situation. You're protecting people's networks.

Hudney: No, it was in Michigan. I used to live in Michigan and, uh, this was in Rochester Hills area. And, um, you know, it was through, uh, company. It was able to go through Robert Half, but the startup company was doing a big project with. And I just remember them saying that, you know, you know this, this job will be Monday through Friday in a garage.

I just wanna make sure before you accept the role. Are you okay with that I'm just like, yeah, I'm, I'm okay with that. Yeah. But I think in my mind, I was just like, I mean, I know they're saying a garage, but I don't think they really mean it. So I go to the location, I'm like, this is a garage. Okay, we're gonna do this though soon.

Be all right, we're gonna do this. But I loved it. It was just the best thing, uh, best.

Bella: I feel like that would be really nice until like February in [00:07:00] Michigan in a garage. I don't know. I don't know if I

Hudney: Oh yeah, it, it was cold at times, but you know, for a few jumping jacks, we'll do it.

Bella: Hang on. I need to take a quick jumping jack. Break warm up my fingers so that I can keep going.

Hudney: Yeah, you, that ip Gimme one second. I'm just gonna do a few. you know? Um, but yeah, that's why I basically started my cybersecurity, um, experience. And, but over time, uh, I, I realized that, uh, apart from work, it actually, you know, spills into your home because you also started having computers in your home and protected. So then you just start to learn about like how to keep things protected.

Um, maybe just different things. What would happen. In a, uh, like let's say if you're in a chat room and all of a sudden you just got a virus because you clicked on something that you thought was coming from somebody legit, or you're, you know, back in the day, you know, I did at the time, I don't [00:08:00] do it now, but downloading music and stuff and, uh, certain things that you would get from Kazaa and BearShare.

So I was like, wait a minute. I need to be more protective, even in my own home. So overall, I think it kind of evolved that.

Bella: So I know before working, you know, at Synack as a solutions architect, you were on the Synack Red Team for a bit, um, before you joined, like full-time at the company. What was that experience like working as like a bug bounty hacker?

Hudney: I mean, it was really cool cuz even the bug bounty thing, it is just like it, it was an exciting thing when it really got, kind of got really big and popular. Um, And I started in other, you know, platforms before. But what was cool about Synack, I, I have to say this, like the thing is, which is funny, uh, because it's in the crowdsource space, but, um, a, a lot of people love Synack because it's not as crowded.

Okay. [00:09:00] And it's a really cool thing because, um, Synack, I committed, you were vetted in and in the community. There's something about that that feels really cool, you know, that I made it through a process that had to be vetted in, uh, it was referred to as the Navy SEAL of Cybersecurity, like in the different chat rooms and stuff.

Um, but it was a really cool experience because you not, you know, you don't, I thought I was gonna just field kind of like by myself, but you're actually with a community of people sharing different things. But what I loved about the bug bounty, in the, in the enterprise world, you deal with one environment and that's what you see all the time. In the bug bounty,

You were seeing, like, you're seeing so many different environments. So what you see evolves over time. Right? And it's an amazing thing because you're just seeing things that you would've never seen if you were just working at or looking at one environment. And there's something really advantageous about that in the bug bounties.

In the bug bounty.

Blake: is there a lot of competition? I. That world could get so cutthroat, it could [00:10:00] so easily get so cutthroat. Right. For, for listeners who may not be super familiar with the Synack Red Team, you know, it's, it's our, uh, at Synack, our group of 1500 plus elite security researchers around the world, all essentially competing to, you know, earn money.

Uh, working, finding these really important vulnerabilities on customer networks. Uh, what's that? What's that environment like? You know, you say it's the Navy Seals, I picture Navy Seals just trying to stay ahead of the next one and doing 10,000 pushups. And is it, is it, is it, is it pretty intense?

Hudney: Yeah, I mean, it is intense, you know, but I, I do see that here, the, the environment is, is really cool cuz there's different things that are always evolving, like different, uh, mentorship, mentorship programs that would, that's within the SRT. Um, just the fact that you learn from each other. Um, but there is a level of, like, I would say, like for example, uh, you know, There's, there's scripts that these individuals have that I would say is their [00:11:00] baby, you know?

Um, it is always ever-evolving, right? So in that sense, it's very competitive. Like you would never just get a, uh, a preview to that. And I would say that that's one of the one, one of the things that's most competitive is, um, I know for me that was a challenge because, uh, you know, when you have some really good scripts, you know, there's things that you can do to get really creative, uh, to get these tests pretty quickly.

um, versus the other person, you

Blake: So is that like the, the Secret spice mix at the Chili

Hudney: Yeah. I would say that's, yeah. Secret. You could say that's a secret sauce. So, um, yeah. To get your hands on that But yeah. Uh, I would say that's part, that part is pretty competitive, you know, as far as their secret sauce.

 

Bella: was it like getting into working bug bounty, both with the Synack Red Team, and you mentioned you tried other platforms as well, did you have an idea of what working on bug bounty was like before you started doing it? And then when you started doing it, did it live up to your expectations?

Hudney: Oh, yeah. I, I, I had an idea, but man, it was [00:12:00] way different than I thought. Way different. And it actually, uh, exceeded my expectations. Um, and I really loved it because it, it made you realize that, wow, there's so many different things that I can even do for my own organization that I'd even think of, you know, because there's something about when you given like an opportunity to look at another environment and sometimes even their prod environment, and to be able to test that with permission, that's just like, oh my goodness, wait a minute.

What, what am I gonna... versus, you know, something you see almost every day. It's like, yeah, it's nothing really new, but there's something about that, you know? And one thing about I I'd say be it would be nice for hackers, like someone getting to hacking to have is just the idea of being curious. So for bug bounty, if you're a very curious person, like, this is just a goal of mine, you know?

Um, and I didn't realize just the vast of information and things that you could see, like, just like for example, like there'll be technology that you may have not even heard of that you [00:13:00] see one of your, um, targets have, and it's just like, I never heard of this. I'm gonna have to Google it real quick. Oh, this is great.

Blake: I, I, I hear you on Googling. I often, I often end up need to frantically, frantically Google things, terms that I don't understand. You know, even I, I feel like for outsiders of the industry, even terms that we toss around, like penetration testing, it just sounds sort of awkward and incomprehensible. I'm wondering even what that means to you.

Uh, doing pen testing.

Hudney: Yeah, no. Like sometimes it's just, there's no good word. When somebody asks you from the outside, like, what do you do? You know? Uh, cause you could say all the different terms that we have. Ethical hacker, pen tester, you know, it's, it's, it's still very hard, you know, but pen testing is, you know, typically what we use, but I try to explain in a basic form is, There's obstacles and you're, you're literally trying to penetrate, you're trying to penetrate and see how far you can get, you know, what, what can you pass?

Like there's some defense and as an offense, you're trying to, in [00:14:00] basketball terms, for example, you're trying to do a crossover, you know, and you're just trying to continue penetrating. Um, but that's typically how I explain to people on the outside, just so that they have a good understanding. But what I really tell 'em big picture is, you know, yes, we have tools, we have compliance.

But the thing is, how do you know you're really protected? Like, how do you know that? know, like

Blake: I appreciate the basketball analogy, but I'm, I'm just telling on myself today I can't drive stick and I really can't play basketball. And people think I'm six two. People think that I'd be good at it and I just end up in the wrong spot. Everybody's

Hudney: Oh.

Blake: Uh,

Bella: Blake, please. You have to have some cool hobby or something because you're just, you're gonna drive everybody

Blake: guess I know I need to, I need to, we, we need to, we need to bring in some other analogies here.

Hudney: Yeah, we gotta finish

Blake: but, but no, I get it. The cross the crossover. Right. Getting, you know, trying to, trying to really get past any obstacle in your way and score that, uh, goal. What do they even say in basketball?

Hudney: Oh, no, [00:15:00] no,

Bella: no, it's in the.

Hudney: No

Blake: All right. I'm just gonna stop talking now about, basketball.

Hudney: Yeah. I mean, I would've used NFL analogies, but the thing is, I, I'm a football player, but the other football, so,

Blake: Oh, okay. As we liked, as some would call it soccer

Hudney: soccer. Yeah.

Blake: Interesting. Interesting. Well, maybe I can hold my own on the, on the, the field slash pitch

Hudney: Oh, you know about pitch. There we go. Okay. That's good.

Bella: there we go. A little redemption arc

Hudney: right. You've

Bella: you Blake

Hudney: got two credits.

Bella: Whew. All right. We're safe. Everyone's gonna stay. Blake, you've, you haven't scared everybody away. We'll keep at least the soccer football fans,

Hudney: exactly.

Bella: So like you, you talked a little bit about like you mentioned ethical hackers and, and I wanted to ask you about like, I think something that we deal with a lot in this field, particularly on [00:16:00] this side of things like where we are working with customers and we're trying to like have them pursue security.

I feel like we often hit this wall. Like misconceptions or misunderstandings about the type of people who work in security as bug hunters or as pen testers. Um, what do you like, what kind of misconceptions do you see and how do you maybe like correct people on those misconceptions?

Hudney: Oh yeah. I mean, back in when I was getting to bug bounty, like when I realized how cool this really was, um, you know, it's funny because there's two things that I always got from people when I would tell 'em about, bug bounty and how great it is. Uh, the two things, the first thing was how can I trust you guys? Right? And then the other one was with all the, like, if you were to find all these vulnerabilities, who's gonna manage all that? You know? Um, but as far as the first one, um, how can you trust that? That's the biggest thing is, [00:17:00] uh, I mean, who are these people? Where are they? Where do they live? Like, I don't know what they're doing.

Like these kids, like, what, what are you guys? You know, um, how can I trust you? You're gonna do stuff. You're gonna, you're gonna put stuff on a dark web. And you know, even when you go to Black Hat today, like there's even misconceptions there. Like, you know, people start hiding their phones and all this kind of stuff.

I mean, you know, it's, I think sometimes it's just they go too far as far as like what, what things are really like, but of course some things of that like that do happen. But it is funny that, uh, it's just a trust issue. It really is. It's a big trust issue and. That's the biggest thing that I find is, uh, yeah, you guys are bug hunters, hackers, but how do we, how can we trust you?

You know? Even when you put "ethical" in front of it, it's like, Hmm, I don't think that's possible. That's what they say, you

Blake: if you have to specify right, then that's already a bad sign, you know? So it's like, what is this hacker business? But I do think that that term gets, [00:18:00] uh, just. Really short shrift. It's, I think it's a really valuable term, you know, styling oneself, a hacker, and really, uh, I, to me it speaks to something actually quite positive and creative, right?

Finding your way around different obstacles, to your point earlier, Hudney, and, uh, it, it's a really interesting field. And, you know, one thing to circle back on the vulnerabilities point, I feel like a common maybe criticism of especially bug bounty models, right? Hey, look, maybe you're, you're really good at finding these potholes on the bridge, right?

But what about the bigger structural issues, the, the really impactful vulnerabilities that could jeopardize the entire bridge or the, your entire organization? Ha, have you ever found anything like that? And how do you know, is there like a, a eureka moment or how do you even know when you've come across it?

Hudney: Yeah, it's a, it's, it's, I like to call it like the, the sixth sense type of thing. Right? Because it's funny because typically when you find it, that's the thing that's really special about this bug bounty space is like [00:19:00] in the traditional pen testing, it's more very methodical. It's like, okay, let me just follow this method.

Okay, I did this, I did this. Okay, cool, I did this. See what the bug bounty like, you know, you're, you're starting and you don't know where you're gonna go. Like honestly, you just, sometimes you just don't know where you're gonna go, but you just keep going. You find this one thing and then you kind of pivot and you keep it there and it's like, oh, wait a minute, let me go back.

And of course you got your good, your music in the background, whatever you like to play, and you're just in a zone, right? You're going down this rabbit hole. And then when you finally see that one thing's like, oh wow, this is it right here. Um, and I feel like it's, it's, that's why is actually really special because typically, um, you know, you have, you know, you have a good, uh, kind of a environment where it's not so restrictive, you know, you're just kind of thinking like more, right? With the pen testing, it's, it was always like, you know, this is step one, this is step two, this is step three. Um,

Blake: a couple people with clipboards or versus, you know, a whole team of, uh, of individuals looking [00:20:00] into your networks and pen testing your networks, which I think I, I, I think that does sort of set things

Hudney: oh yeah. And when you do find that thing, I think it, it, it's also important to understand like what your target is because you, you know, in order to understand that thing, is that thing. It helps to know like what your target is, right? To understand like what makes this such, such a big impact. Cause I remember, you know, back in the day, like, you know, at work, like I would find something, you know, early on in just really understanding this and you know, C-level would be like, okay, that's, congratulations.

Like, what does that mean for me? And I realized that wow, like I do have to look at this in a bigger picture. I have to understand my target and what really matters. And that's really one that's, that's really thing that's really good about the adversaries. They understand, okay. This asset, for example, may generate this amount of revenue.

So if I get to this, this is how it can impact the business. So therefore, when I do a ransomware, for example, they will more than likely pay up.

Blake: Yeah. Well, I do wanna lock into kind [00:21:00] of a concrete example of that. I feel like the Log4j vulnerability. That's a, uh, a, a Java logging utility that just had a terrible flaw that emerged and just went haywire. I mean, headlines were screaming about the internet on fire because it was just everywhere, all of a sudden, and everybody was hunting for this vulnerability trying to figure it out. I guess on the flip side, you know, we haven't really seen widespread disruption from that, but I wanted to ask you about Log4j and just what you think of this vuln and have we seen the last of it?

Hudney: Yeah, we most definitely haven't seen the last of it, but there is a lot of arguments out there on the internet. a lot of fun ones. Um, but the thing about it is, What I think makes this one a little bit different is the Java is like everywhere, I mean, there's about like 12 million developers that use Java in the whole world, right?

And it's sometimes it's really hard to know where it's at. And I'm, and I'll be honest, like sometimes I think when this Log4j [00:22:00] happened, I'm presuming that there are people that just turn stuff. Okay. And so there, there, yeah. You know, it hasn't been as I would say, like, oh, there's another breach, there's another one.

But I think it's gonna be a long, a long kind, long game type of thing. Right? Because I think even recently, a few days ago, Log4j has been popped by, um, Lazarus, Lazarus Group.

Blake: The North Korean state sponsored group. Yeah, I did see.

Hudney: uh, I mean it's still happening, you know, it's just more so did somebody turn it off? Did somebody shut down their services because they don't know where it's at, you know?

And then honestly it is, it is a lot of work to find scan, where might it be? And even when I find it, is it really vulnerable or, um, oh, cuz the thing one, one of the biggest things about in our space right now is because assets are growing and growing and. It's just hard to manage those things. Right. And it's hard to know.

Wait, I thought I sunset that. Oh, it's still up. Oh my goodness, I forgot. Um, [00:23:00] so it's just, I think it's a long game, but Java's everywhere. So honestly, I, I think that Log4j might be around until the internet shuts off.

and I'll, I'll even add this is, you know, typically now, a vulnerability comes, I mean, literally the next day, or probably that night, there's a POC on GitHub, right? And I mean, you can pop Log4j in like under three minutes, even if you're not IT savvy. You could be some 12 year old kid somewhere just like, oh, lemme try this out. And that's, that's a little, um, nerve-wracking. , you know,

Bella: Yeah.

Blake: Uh, tell me about it. That doesn't, and I, I know that's part of what set off this frenzied response to try to find and patch and then repatch when a new patch came out, et cetera, et cetera. But I mean, there's a challenge sometimes I feel like there aren't enough people to do this, right? There's just, there's this, this talent shortage in the cybersecurity industry that I know certainly we harp a lot on at Synack because, you know, it is an urgent, an urgent [00:24:00] problem that needs addressing.

Um, Hudney, I'd be curious to hear your thoughts on. How to build a bigger tent in cybersecurity. How to get more people immersed in the industry involved in it, fixing some of these really tough problems.

Hudney: Yeah, I mean it, it most definitely, it takes the community like one of my favorite. uh, Linux is the best always, by the way. Um, , it's one of my favorite.

Blake: just gonna drop that in there. Yeah. Okay. All right.

Hudney: Uh, so I'm, I'm, I'm trailing into that cuz uh, one of my favorite distros, uh, of Linux is Ubuntu. Ubuntu means community, right? It is gonna take the community to do this.

Uh, this is why I love open source so much, uh, because you have a lot of eyes on a particular software, right? something special about that. Right. And again, it takes the community, different eyes, different perspective, of course, as we know, being in our crowd space in Synack. Um, I like to, I like to always, [00:25:00] what I like to use in, in our day and age is Waze, uh, for me to drive and for the app to tell me through the community again to the crowd that there's a tire on the right side coming up in about a mile.

My goodness. That's like, wow, that's. you know, even when it tells you that there's a cop, you know, that'd be nice to know too. But you should be fine. The speed limit. So I'm not saying don't speed, um, but , there's something special about that.

Blake: music on Kazaa that you mentioned

Hudney: Right, right, right, right.

Blake: d Yeah. Yeah. I, I, I got you. Of course, none of us have.

Hudney: Yeah. No, that's silly. Right. Come on. Nobody does that.

I really like that kind of idea of, you know, the industry needing to. Move more towards community to solve problems, including the talent gap problem. But like how do we who, who drives that push towards, you know, a community mindset in cybersecurity,

Hudney: Yeah. I [00:26:00] mean, it is, that's a, that is a good question. Um, cause I, I do think about that even myself. I really do feel like it's something that it needs to come from the cybersecurity individuals, right? And it shouldn't have to be something that's like organized only in the workplace. That should be something that we basically evangelize, even starting from home and then it propagates out, right?

Um, like for example, like one thing that I love to do is I love to mentor people into cybersecurity. Um, but even when I do that, I don't just focus on the technology. I focused on the human element as well. Right? Um, because when you understand the bigger picture of what, what's all going on, it starts to make more sense.

So for example, if I, I'll tell somebody, okay, it's good to understand like networking routers and switches, but let's start with your router at home, right? Like, you know, right now for breach, all these breaches that are happening, one of the biggest things is network [00:27:00] segmentation. That's like, okay, I start that at.

Well, we have TVs today that have an IP address. Okay? And when Samsung is creating a tv, for example, they're not thinking, oh, let me, lemme secure that tv. That TV is connected to your network with no, with no, with no protection, as opposed to like a laptop, you know, maybe with the AV on it, but the TV doesn't, right?

Your refrigerator has an IP. Now, uh, you might want to segment these IT, IoT devices so that they're not in the same network. So let's start, let's start at home. and then we go to the, oh, well how do I do that? Oh, okay, so we're gonna log into your router. We're gonna do this. You know? So it makes it more real because it's now your home.

Like it's your stuff, like when it's your stuff. It's a little bit different when it's the company's stuff, honestly, like people just have a feeling like, well, it's not my stuff. . You know? When it's your stuff, it hits home differently.

Bella: Yeah. So if you are, if you're listening and you're like, huh, I don't think I'm a cybersecurity expert. Well, [00:28:00] if you've like, done anything to make sure that your devices are secure, then boom, you're, you're on your

Hudney: And I will say this, if you use Instagram or Facebook, you're too savvy.

Bella: Yeah.

Hudney: honestly, like there's things on Instagram I don't even know how to do. Okay. Like it's just, it's

Bella: Every time I like turn on MFA on another account, I'm like, oh yeah, I'm a security expert. . I just did security today.

Blake: still trying to figure out these Instagram reels. I don't know if there's some sort of secret code or password. I need to unlock those, but,

Bella: Okay, well I'm not that kind of expert yet.

Hudney: Right, right. And TikTok, I mean, that's a whole nother level right there.

Blake: That's, oh, TikTok has its share of, uh, cybersecurity and functionality issues, I feel like, but we won't go down

Hudney: Right, right, right, right.

Blake: I, I, I, I will, I, I am curious, you know, just looking, stepping back and, and looking at the cybersecurity arena as a whole, are there any issues that you feel like just don't get [00:29:00] their fair shake or don't get enough attention or investment in this?

Hudney: Um, you know, I think the, uh, for that I would say, um, you know, one of the things that I love that, uh, Sean Parker said when he was talking about Facebook, he used a term, um, and he says, you know, psychological hack. Okay. And I think the thing that really doesn't get pressed on is we focused a lot on technology, just missed the psychological part of, of hacking, you know, I guess we could call it also social engineering.

Um, this is a really big aspect. Um, and I would co I would cover that with the reconnaissance phase. Uh, we talk a lot about exploits a lot, but the reconnaissance phase doesn't get enough attention. And that's a big, the reconnaissance phase is huge. It's a big deal. Uh, I just [00:30:00] think it doesn't get, I don't know if it's cuz it's the first phase of an attack, you know, I don't know.

I still don't know what it is, but I think it's the reconnaissance phase. Um,

Blake: what are you, what are you referring to when you say reconnaissance phase? What does that encompass?

Hudney: Yeah, the reconnaissance phase would be the, uh, equivalent to like, you know, I like to use this example, like, you're watching a movie and, um, the bad guys, even if it's like, you know, like Home Alone, like, okay, how, how are, we're gonna get into Kevin's house, all right, this is what we're gonna do. And typically you see like the map drawn out on the table.

Okay, this is an entry point, this is an entry point. So you're, you're, you're basically mapping how you're gonna find a weak entry point, right? Because you're not necessarily gonna go to the front door, but sometimes you can't do that, but you're trying to figure out, how can I get into this environment? I gotta think this out first.

I'm gonna collect all of these different data points, all this different data from me. I'm going to do some homework even before, figure out like maybe who are the neighbors or, um, [00:31:00] you know, like even if your target is some part, uh, C-level person, you're not gonna necessarily target him first. You're gonna go to his, his wife, you know, or, you know, husband, whatever, or uncle or sister.

You know, it's, it's all of this collection that you're doing to understand your target, you know, and that takes some work, right? Like, and I feel like that just doesn't get enough, um, emphasis.


Blake: So I guess, you know, thinking back to going back to some trends that you're witnessing and seeing, what, what do you feel, what do you feel like is the next big thing in, in cybersecurity? Like, do you see any, uh, is, are we gonna continue to see these open source vulnerabilities like Log4j? Is it maybe something else gonna come on the horizon that you anticipate?

What sort of trend lines are you seeing?

Hudney: Yeah, I, I do, uh, foresee more of those open source vulnerabilities. I mean, I think the biggest thing is we have more assets today, more [00:32:00] than ever. So anytime there's more assets, there's gonna be more vulnerabilities naturally. Right? Like, even now, somebody's home is way different than in the past. Like, there's so many ways to pop a house now because of different things.

Like people have Ring, um, devices in their homes now, you know, back in the day.

Blake: You're really making me want to check my home network. I gotta tell you, we keep coming back to this. I'm getting nervous.

Bella: Oh no,

Hudney: You know, it is just more assets, right? That's how I kind of look at it, there's more assets. Um, and now instead of applications being more like on-prem and local, like to go to start launch your application, now you're going to launch your web application, which is accessed all over the world, you know, to, to 443 and 80. It's like you're logging into the application, like a website and a web application is so different. A website, it's like you just have a flyer posted about, oh, we're open at this day, that day, okay, whatever. But now we have web applications, we have open doors that we can access from anywhere in the world.

So it's a game changer. But at the same time, it's nice [00:33:00] too to be able to access it everywhere in the world. Right. So for me, the biggest thing I see is, uh, and it's funny cuz Gartner called this, uh, EASM, External Attack Surface Management. Uh, they, they coined this last year, but I mean, since the nineties, you know, hackers have been all about the attack surface.

And I think that's gonna be really the biggest thing because, um, because of there's so many a, there's, because there's so many assets now, there's just more opportunity to get into so many places that it's hard to keep up with. Right. Because honestly, some of these breaches, I'll be honest, some of them are not even that sophisticated.

It's like, oh my goodness, I hadn't realized that there was an Apache server out there that wasn't patched. My goodness, I didn't even realize that. Uh, so EASM is gonna be a good help for that, um, to be able to start knowing your assets. But at the same time, actually, I would say even playing the game, because now that you start to understand your assets you under, you start to more [00:34:00] understand, okay, potentially this is what they'll go for.

And this is, you can you start, you start to understand the why about something. When you understand the why, you can play the game better. But when you're just doing things, you just don't even know why you're doing it, but you're just doing it. It's just hard to understand what is the adversary looking for?

Like what is it that they want? But when you start understanding what you have, you'll start understanding what they want and why they want it.

Blake: No, that's a really good point. And, and really appreciate all the insights you've shared into kind of what you're seeing and, and, and your work. I, I did wanna ask, we always ask our guests one question, uh, toward the end of our interviews, and that's what's something that, uh, we wouldn't know about you from your LinkedIn.

In other words, maybe a fun fact or something that, that just wouldn't be apparent to somebody browsing through your LinkedIn.

Hudney: LinkedIn. Yeah. So you wouldn't know that. I, I, I love, I'm a soccer player. Arsenal is my team. Uh, my, my, my wife and fam my kids

Bella: Oh [00:35:00] no.

Hudney: I know, right? Putting it out there. Um, been married for 16 years, two girls, and we love traveling all over the world. We love Disney World a lot. Um, and something that you'd probably never know is,

My wife and I like, we love dancing. Love dancing. It's like the best. It's like the most free. Just very free. You know? It's like one of the best things dancing.

Blake: I do love dancing as well. I, I, I respect that. I, again, I'm not sure which is worse, my dancing or my basketball, but we can flip a coin. Uh, but I do, I do enjoy it. I do enjoy it, and, uh, we really

Bella: Evening. I feel like that's your secret. Like, uh, you, you didn't say you had a specific, I mean you had your Zen mornings, but maybe this is your secret, you know, fight the stress of cybersecurity trick is that you just

Hudney: Oh yeah,

Bella: I don't know. I feel like that's something, maybe I

Hudney: I mean, that, tell me that's it. You know, a, a breach happens and you know, just do a little quick breach dance, you know, little breach dance, and then it gets you [00:36:00] kind of

Blake: I love that

Bella: Breach

Hudney: Yeah. You know, you should try it out.

Blake: the hackers away.

Blake: Yeah. Well, thank you so much for, for coming on the program here and, uh, really enjoyed talking with you. And I'm probably gonna have to go double check my own local IP

Yeah. I, I check that out real quick. Yeah.

Bella: Blake's just been getting progressively like sweatier for the last 15 minutes.

Blake: It's, uh, I don't know how to feel about this conversation now, but we really appreciate your insights and, uh, it's, it's been great getting to know some of your work.

Hudney: Oh yeah, for sure. And I appreciate, uh, thank you for having me on the show. Um, you guys do great work. I love it.