Elevate Security

Solutions

Use Cases

Identity & User Risk Authentication
For Identity and Access Management (IAM) and Identity Governance and Administration (IGA) professionals, Elevate Security provides proactive protection against workforce cybersecurity risk by applying the unique risk each user represents as a conditional factor in the authentication and access governance review processes.

Security Awareness & Human Risk Management
For Security Awareness professionals, Elevate Security helps you engage employees to become your best defenders. By deeply understanding the behavior of each individual, Elevate helps you make better decisions for protecting your organization, and fostering a culture of security accountability.

Security Operations & Case Management
For Security Operations (SecOps) professionals, Elevate Security reduces operational burdens on the SOC resulting from high-risk user generated incidents. By injecting individual risk data into SecOps policies, tooling, and controls automation, you'll free up resources to fight real adversaries, strengthen workforce safeguards, and improve response efficiencies.

Products

Elevate Identity
Inject user risk intelligence into IAM and IGA systems and processes as a conditional factor for authenticating or revoking system access, and enhancing access governance workflows.

Elevate Engage
Actively deliver personalized feedback nudges, scorecards, and direct targeted training based on individual computing behaviors and current security risk.

Elevate Control
Inject user risk intelligence into security operations tooling and processes to accelerate incident triage and response, enable better help desk decision making, and automate controls for risky individuals.

Use Cases

Identity & User Risk Authentication
Security Awareness & Human Risk Management
Security Operations & Case Management

Products

Elevate Identity
Elevate Engage
Elevate Control

Resources

Partners

Partners

Technology Partners
Value-Add Partners

Company

Company

About Elevate Security
Why Elevate
You: Elevated
In the News
Press Releases

Careers
Awards & Recognition
Contact Us

About Elevate Security
Why Elevate
You: Elevated
In the News
Press Releases
Careers
Awards & Recognition
Contact Us

Support
Book a Demo

Search
Podcast

How Human Interaction Make Security Systems Vulnerable With FC

Elevate Security

For any system that involves humans, there is always the potential for vulnerabilities. Whether it is a system of communication or a physical security system, if humans are involved in any way, there is always the potential for someone to exploit a weakness. In this episode, F (freakyclown) C, Co-CEO at Cygenta, explores some ways that any system involving humans can be vulnerable. FC is a well-known ethical hacker and social engineer. He has been working in the information security field for over 20 years and excels at circumventing access controls. As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices, and government facilities around the world. Join FC and Matthew Stephenson as they talk about how any system that involves humans can be vulnerable.

Listen to the podcast here

Leave a Review

How Human Interaction Make Security Systems Vulnerable With FC

For some of you that are new to the show, you may know me from pm73media or previous incarnations of InfoSecurity podcasts or any of the myriad of Security events around the world over the years. Speaking of myriad of Security events, we’ve got a fun one for this episode. Here on Friendly Fire, we are bringing you the top experts in the industry from around the world for a chat about keeping our world secure.

Speaking of keeping the world secure, we are excited to welcome FreakyClown to Friendly Fire. Yes, his nom de guerre is FreakyClown. He tried to tell me what his actual name is once, and I don’t want to know and you shouldn’t either because it might break the world in half if anybody finds out. FC is the Cofounder and Co-CEO at Cygenta. He is a well-known ethical hacker and social engineer working in the InfoSec field for many years.

I think it’s fair to say his key skill, his Wolverine claws, are circumventing an access control. He has been a senior penetration tester and head of social engineering and physical assessments for renowned pen testing companies across the world. This is true. Our man has been breaking into banks for twenty years. We’ll get to that. FC, welcome to Friendly Fire.

Thank you very much, Matt. That was a wonderful introduction. As always, thanks for having me on the show.

Could you be more English in how polite you are? You are welcome.

Thank you very much, Matthew.

Let’s do a little bit right off the bat. It’s not quite shameless plugs, but I think that it’s worth noting what Cygenta does. Why you and your wife, your cofounder, your co-CEO created Cygenta, because you do things a little differently in a way that I don’t feel like a lot of people are doing all of the things. They may do some of the things you do, but you have a 360 approach.

We very much do. We started Cygenta because we brought together different skills from different areas of security. Obviously, we were married, so that made it much easier. Basically, a lot of security companies focus on one area. They focus on the digital side or maybe they do focus on the physical side or maybe they’re focusing on the human side, which is now growing quite considerably.

No one is bringing the expertise with the longevity that we have into one company. Every time that we come into a client and we’re looking, even if it is one part of their security, we’re looking at it from a perspective that includes the other sides as well. It’s like these three areas of security, physical, technical and human, we bring in that expertise from those areas for whatever we’re doing.

You’ve got chops in all of the areas, but your specialty, the team that you lead, is specific to physical. When you come in to talk to a client, do they consider that or is it more of a thing where we all default to, “We’ve got to make sure that the software is here and we have to deal with the human element?” You’re like, “I might steal your stuff,” and they’re like, “What? Really?”

Thankfully, by the time we come into a client, we were already having that conversation. They know they come to us because of our expertise. It’s those people that hear about us like when we’re speaking around the world or on shows like this. They hear it and they’re like, “I never realized that our budget for digital security is like $8 million, but our physical security, we spent $20,000 last year.” Maybe it’s possible for someone like me to come in and steal the servers then you bug it. It circumvented all of that digital controls that you’ve put in place because someone has physical access. Whenever you get physical access, you win everything. It doesn’t matter what it is.

With any system, if a human has to go in or out of it or interact with it, that can be utilized. You can find a way to manipulate or leverage it and gain access that you shouldn’t do.

They probably spend millions on technology and hundreds on physical security because now, we got that dude standing out front with the badge and the blue shirt on. We’re good.

They put this perimeter around. It’s very similar to how digital security used to be and it’s slowly moving away from where you have this wood layer around it. You have this perimeter that you protect. If you throw all of your money at that, no one thought about what happens when they do get past that perimeter or whether it’s physical or digital. It’s completely ruined it. It’s still running the same method. Let’s protect this perimeter and then hope that everyone that’s inside is totally trustworthy.

I love that you say everyone inside. We hope that they’re trustworthy for one because you want to hire good people. Two, you want to train them to be good at what they do. I’m not kidding, folks. This is a thing that he does, climbing up the sides of buildings to get into windows. Where’s the human element in that when it comes to insider threats? I don’t think anybody is purposefully leaving their window unlocked, but these are relatively easy things compared to the rest of the other stuff to teach people not to do.

It’s all about having a piece of awareness around you. Not that awareness, but it’s like having an understanding of the threats around you. When you’re in your office, for example, leaving the window open doesn’t seem that bad but when you walk away from your desk, maybe forget the windows open or maybe you’re trying to get into the coffee machine and you’re distracted by whatever you’re doing with work.

You don’t think about the things that are going on around you. It’s like being in the street. You wouldn’t walk down a dark alleyway. You’d have some awareness that that might be a dangerous thing. It’s not as easy when you’re in an office environment to understand where those risks are. I think that’s the biggest issue we see. People aren’t thinking about or they’re not educated in the security around them.

Viewing the human element through that prison specifically the way that Cygenta has it laid out human, physical and technology. Have you found in your experience working with various clients and you’ve done government work, private sector work, big, small, everything in between? Is there one that tends to be better, and is there one that tends to be the worst?

No, they’re all very bad. There are all equally bad. I say that half-jokingly. Even the ones that are supposed to be good, there’s always a way in. I’ve been doing for decades and I have a 100% success rate with getting into wherever I want to get into. That’s not because I’m some superhuman at this job. I’ve got some skills and I’ve got better at it over the years, but it means there’s always a way in. Like with the computer system if there is a way. If a human has to go in or out of it or interact with it somehow, then that can be utilized. You can find a way to manipulate it or leverage it to gain access that you shouldn’t be.

Can we take a moment to weigh upon and respect the notion? A 100% success rate? I have been breaking into the buildings for nearly three decades. I always get in and I’ve never been arrested or caught.

Security Systems: Many security companies focus on just one area. Either they focus on just the digital side, or maybe on the physical side, or they’re focusing on the human side.

There are some issues that have occurred that have messed up the assessment, but for the sake of going in and having everything go, 100% success rate. I can think of only two times where that has got wrong and only one of those involves the armed police response, so pretty good.

I have had the great fortune to talk to you a bunch of times about a lot of the things that you do. The easiest thing ever is like, “Tell me a story,” but which would you rather share given that you have said that the armed police response or the funniest one that you got away with that maybe you shouldn’t?

There was a great one where I kidnapped someone in order to get into the building. That was quite cool. That took a lot of legal wrangling before we got through that. This bank had hired ex-Gurkha soldiers. They had signed on and said, thinking there could be physical harm to them at some point. We ran everything through the lawyers. Everything got signed off.

I drove a hired car at high speed through some gates, grabbed one of these Gurkha soldiers, chucked him into my car and was out of the site. Before I knew what was happening, I got what I needed from him. I got back in, broke in and did what I needed to do. Maybe a year or so later, I ended up going back to that same site because I was there to do a penetration, some ethical hacking.

I walk up and I go into the reception area. Suddenly, I saw the guy that I had kidnapped and he came running toward me. I’m like, “What is he going to do? He is going to be so angry.” He grabs me and I tell you, I’ve never been so welcomed by someone. He was literally so excited to see me. He was jumping up and down. He was like, “It’s you.” He was dragging me back into the security room at the back of the office. He was introducing me to all these other security guards. He was like, “This is the guy. This is the guy that kidnapped me.” It worked out well, but it was odd for my colleague who was there, who was like, “What just happened?”

That’s the ultimate turn to help you deal with the internal threats, the weakness of the human situation. We’ll kidnap one of you. From there, then you can learn what you did wrong, and how do we fix it from there.

It’s interesting to know that there are certain levels that people like being tested too. Can you do a pen test of this web app? Can you get in? That’s great, but all you’re doing is a tiny piece of testing against one particular type of adversaries like a script kiddies or whatever. When you get up to the high net worth individuals, when you get up to the expensive stuff, you’ll get organized criminal gangs that are violent and will do incredibly horrible things.

It’s like, at what level do you take your testing to? We’re not going to do anything horrible to people, but we have to prepare some of these high-net-worth people to understand like, “You are now in a different lead. You are now in a different threat landscape.” There are people out there who will do horrible things to get to the money, or worse, get you to get them even more access.

Whenever you get physical access, you win everything.

I think that’s what we can look forward to in Fast and the Furious 12. Cullen, expensive stuff and it will feature FC leading The Rock and everybody that’s going out there.

I would look like Kevin Hart against those people. I’m so tiny.

Shout out to our man, Kevin Hart. He does have an Eight pack. It’s very small, but he’s in very good shape. When you are coming in and looking at what is exploitable and again, we want to look at the insider threats, whether overt, covert, inadvertent or advertent. Are you looking for patterns? What is it that you, as a physical pen tester, are seeking? I don’t want you to give away the secret sauce for this thing, but how do you size up a target in order to lay out your strategy for what you’re going to do to come in and show your client what they need to improve?

I think the first thing we do is try and understand what is valuable to that business. Anyone can go in and steal some simple stuff. Anyone could steal purses or small laptops or whatever, but that’s not going to bring down the company. We have this discussion with our clients. A lot of people call it crown jewels. It’s not always obvious what those crown jewels are because what people think is the most valuable to their company sometimes isn’t right. They may go, “It’s these sets of files over here,” but it’s something much more interesting.

We have this conversation with them and say, “What is the thing if you, as an insider, took that insider mentality and you were asked to bring down the company as fast as possible and destroy everything? What is the one thing you would try and do?” That starts some thinking about how. Maybe it’s not these files. Maybe it’s our customer database. If that got leaked or if that got removed, if our entire CRM got knocked offline and deleted, where would we be? If it was the order processing if it’s the factory, what is it that would ruin the company completely? That’s what you need to be protecting. We go in with that as a goal, like, can we get to that? Can we affect those systems? Without breaking everything. Can we simulate that, at least?

You and I tend to do this when we do these things. The outline for our conversation is already completely blown up. You mentioned the small things that might be sitting on someone’s desk. You’re focusing on. An internal threat may not be the right word for it. Even almost like internal weakness. When you say whether it’s a purse or a backpack or a briefcase. For you, you’re coming in sizing these things up. Your head’s on a swivel looking for anything. Is there value in those types of things? Do people need to do more about what they do with their personal stuff?

Generally, during these assessments, I will get into a building and I will look out. You’ll see and this will be universal to almost every office you’ve ever been in. There’ll be unlocked desktops, which means you have access to their machines, their emails, etc., if you need it to. I’ve started a dummy call on what you can do with that. Do please go and sign up for that.

Shameless plugs or the website out there. Come on. It may be a YouTube channel or whatever.

Security Systems: It’s not always obvious what those crown jewels are because what people think is the most valuable to their company sometimes isn’t.

You’ve done any online training platform. I’ve released a course on the introduction to the Bash Bunny, which is a USB device that you can plug in and do crazy things with and steal loads of dealing with it in like three seconds. It’s pretty cool. What did you see? Desktops, etc. You can compromise those. You’ll see car keys, notepads, paperwork and passwords on post-it notes. You’ll see folks. Those are family members. Everyone in that office try and make it all about them.

There are loads of personal items there. What they do is that they think that they’re safe. As I said, once you pass that perimeter, once you pass that security guard, you go, “Everything’s safe here, so I’ll lay out all my stuff and I’ll leave it here. I’ll go off for lunch for an hour or I’ll go to the toilet for like ten minutes and chat to Carolyn accounting for twenty minutes. Another smoking break or whatever.” They leave everything. It only takes a few seconds for me to come along and take stuff.

I’ve spoken about this in many places where I show photographs from these types of assessments where you can see all of this stuff. It got to the point in some cases where I would take everything off of your desk if it was like valuable and your car keys and go and find your car in the car park then put everything in that car to say, “I could have done something more with this.” It’s interesting what people leave around. The next time you’re in the office, have a look around your desk and be like, “What can an attacker use against me all this company that I am leaving on my desk without thinking about?”

My takeaway from this is that you’ll come in, clean up my office, put everything in my car, and then bring my car keys back to the desk.

I didn’t bring the car keys back.

When you’ve done your assessment and now it’s time to come back and sit down with whether it’s the leadership team or hopefully, at the board level and you can say, “Here is what we have.” The data you’re bringing is different. It’d be one thing. If it is coming from the technology standpoint, if it’s come from the people standpoint but you’re talking about a very physical thing. You mentioned that you’ll take pictures. How do you present this to the board so then the board can act and react accordingly?

What I tend to do is take them around the site with me and show them physically what is wrong and demonstrate how I would use or abuse whatever system it is. For example, I had one client who had a clean area. This clean area was pressurized to keep dust out. Their security door to get into it didn’t quite ever shut properly. If you let it go, it would slowly hinge back, but the pressure inside the area would slowly bounce away from the hinge. It would stay like that for two or three minutes before, eventually, it would shut.

They would never have picked up something because when you check that, it was always locked unless you’re using it every day. You don’t even notice it. There was another time when I broke into a government building in Europe that was full of security, like 300-plus CCTV cameras around it, roaming armed police inside and outside the building.

Security is part of planning and part of the risk strategy.

I managed to get in, which I thought would be an impossible task, but I got in because the way that they had positioned one of the cameras happened to look almost directly at the sunrise in the morning. It literally blinded the camera. I was able to bypass that camera because it was blinded. There’s no way that they could have figured that out without seeing that particular moment of the day when I went in.

Now, I have to ask you a question because I follow you the way the kids follow footballers. I’m like a fan, so I’m going to fanboy a little bit. “This one time, I broke into a government building in Europe.” That’s amazing. When you come in to do this thing, and again, this gets to the different ways that companies should view what is an insider threat, how much of this is an act as if? Speak authoritatively and wear a blue shirt with black pants. Can that cover like two-thirds of what you need to do to get where you need to be?

Not always. A lot of it is about confidence, but the one major thing. I hear this everywhere. It’s like, “Wear a high vest jacket or wear work clothes or carry a ladder.” That works for some people in some circumstances in some environments. If you try and break into a government building, a military site, or a massive trading bank, you will not get in with those tools or disguises. You have to dress how your client is dressing. For example, I once broke into an international trading bank.

Let that sit for a minute, so people understand what that means.

This is not a bank that holds money. They trade money internationally. We’re talking billions of pounds every day. There’s no cash on site, but these people are very old-school. You have to wear a tie on certain floors. You have to wear shiny black shoes. They’re rich. If you go in an off-the-peg suit and sneakers or whatever, you’re going to get spotted straight away. You have to dress the part. You’ve got the shiny black shoes, the hand-stitched Italian suit, a Breitling watch on because if you don’t have those things, you are going to get spotted straight away and out straight away because you shouldn’t be in that environment.

If you’re wearing the same stuff, you look the part, you’re probably meant to be there. Dressing correctly for what you’re looking at is important. It has gone wrong a couple of times. I once tried to break into the headquarters of a high street bank. I got there, I had done some reconnaissance for a couple of days and I recognized what they were wearing. I matched that outfit. I went into the building. I was waiting around like trying to get in and then I saw a guy in a dinosaur onesie cross the reception and I thought, “They’re having one of the charity days. I am not going to fit in.” I left and came back the next day when they were wearing what I was wearing.

I was picturing Lancelot taking a suit into the taylor during the Kingsmen, then you say a dinosaur onesie. Welcome to the world of cyber.

It can be a bit absurd sometimes. I once tried to steal a helicopter, but I went into the pilot’s area. You’d imagine it’s like, have you ever seen the movie Firefox with Clint Eastwood or even Airwolf, the TV show? They’re stealing the helicopter, the super military funded by the CIA, gets stolen. They get this guy Stringfellow Hawke, I believe his name was, to go and steal it back. He goes there and him and his mate get into the pilot suits. They go out to the helicopter with their light visors down and no one can see who they are and they steal the helicopter.

Security Systems: Next time you’re in the office, look around your desk and ask, what can the attacker use against this company or me that I am leaving on my desk without thinking about it?

I thought it was going to be like that. I get into the building. I get to the pilot’s room and there are no pilot suits. It’s not how you imagined in the movies. There are no lockers with these great helmets and stuff. It was like, “Where the hell is everything?” I ended up having to go up these stairs with jeans and a t-shirt because that was what I was wearing.

You’re genuinely bummed that you did not get to put a flight suit on and you’re stuck wearing a golf shirt and khakis.

I did get to wear scrubs once. My wife and I did a test against the hospital in the UK. We broke into like the secure areas that you are not supposed to get to. We got some doctor’s scrubs and put them on and pretended to be doctors. It was great fun. We didn’t do any surgeries.

Not that you’re allowed to tell us about, at least on this show. When you come in to sit down, either before or after when it’s time for you to go to work, what do you see in the room? Are there legit security people in there or do you have to dedicate X amount of time explaining what you’re doing so they understand the context of it and the value of what they need to do?

You get some clients who know it. They’ve seen me give talks on it. They’re in the field. They understand the value of what we’re doing, then you get some people that do not understand it. They’re generally below like managerial level or the level where they’re a bit fearful of their job. They think we’re coming in to show them up when we’re not. We’re there to help them. You do get a little bit of animosity from those people. I’ve been shouted at by people.

I remember once, years ago. I went into a place. I went into this place and the head of one of the areas, he was against it. He was screaming at me and he was like, “If I see you in my building, I’m a rugby player. I’ll tackle you to the ground and I’ll pin you there until the police turn up. I don’t give a s*** whatever the board is saying. You’re not coming into my building.”

The checks clear. I’m good.

There was a funny story, but I can’t tell it. I’m going to tell it. I don’t care. This guy annoyed everyone. He was hated by everyone. It was decided that if I could take him down a peg or two, I could. That was agreed with the client. This is me being an idiot or a bit of a twat. I break into the building. I completely ruin it. It’s all of the worst things. I eventually find the stool that he sits on. I’m watching him from afar and I see him get up and head off toward the toilets.

If you try and break into a government building, a military site, or a massive trading bank, you have to dress how your client is dressing.

I go over to his desk. I look at his desk and there’s not much there. I asked his colleague who sat next to him who didn’t know the test was going on. He doesn’t know who I am. I’m like, “Excuse me, have you got a pen and paper? I want to leave a note for this guy.” He gave me this pen of paper and I wrote, “Haha! I sat at your desk,” and stuck it to his keyboard and legged it. During the wash-up meeting after that, the phrase apoplectic with rage springs to mind. He was removed from the boardroom.

Tell me if this is a stretch. Is that something that qualifies as an insider threat? This guy is so protective of his turf and is scared of bringing in an expert, a legitimate expert, 100% success rate and acted accordingly and you punked him like that?

It clearly is an insider threat. It’s like, “I don’t want anyone to tell me what’s wrong with my systems because it shows me as not doing my job.” It’s like, “No, you’re doing a good job.” They’ve done loads of work and before I got there, they’d been tested before, physically tested and they had upgraded loads of stuff that was spent. This is unusual for clients that spent over a million pounds on physical security in the front of this building. That was many years ago. I’d go in through the back clearly because the front was good. I got in through the loading bay. It was quite hilarious. It’s like, “What have you done?”

Millions of pounds in front-end insecurity. Tens of pounds on the backend security and guess what? Where does the buck stop when you’re coming back to tell the story? Obviously, this guy had his own internal things going on, but when you’re presenting this, who owns it at the end? We’ve had some great guests where we talk about people who aren’t the problem. It’s the people who run the business of the people that tend to be the problem. Is that your experience? Where do we need to say, “This is who needs to own what happened?”

The C-suite needs to own this because it’s part of their business. They’ve got loads of stuff on their plate that they understand. Like, “If we do this or if we market this product or if we sell this product and we don’t sell this one, it affects the business.” They need to start understanding that security is part of that, part of that planning, and part of that risk strategy. If you don’t start taking it seriously and you feed it off to someone who doesn’t even report to you. You see it as a loss. You go, “Security spending all of this money and we’re seeing no gain from it.” You are. You’re just not getting pop to that at any point. It’s hard to show value to the C-suite without something happening.

By that point, it’s too late. It’s the C-suite that with almost all security, it has to be driven from the top down. If someone had like good security culture and great security training. They understood everything and got brought into a company. They’re the low level. Maybe on the help desk or whatever. They can affect no change. What will happen is everyone around them will start to wear them down.

When they’re trying to do things properly, everyone else’s like, “Why are you bothering to encrypt the emails for no one encrypts the emails? Send it over or plug this USB stick in, then we’ll transfer it that way.” All of those behaviors start to wear away at that one person. It has to be driven from the top down rather than the bottom up because it doesn’t matter what those people are doing. It’s what the people above you are doing that will drive your security culture.

Feel free to tell me if this is a stupid question. Do movies and TV get in the way of security being good?

Security Systems: People aren’t the problem. The people who run the people’s businesses tend to be the problem.

Yes, so much. There are two ways they do it. They either make it look way too easy. People would do something so stupid that people are like, “No one will ever do that.” They make it look so complicated. They’re like, “Clearly, that will never happen because there are two people in the world that can do that.” They didn’t get it. They’re not in the middle where it is.What’s your biggest pet peeve from what you’ve seen? We’ll use Hollywood as the biggest thing, but when you look at it and it’s facepalming.

I can’t even pick one thing. Literally everything. I find it so hard to watch movies and not pick fault with literally everything they’re doing, but I understand why they do it. We’re helping consult on a TV show that’s being filmed very imminently in Italy. We’re very excited about being consultants for that. We’ve had this back and forth with the scriptwriters like, “You should do this.” They’re like, “That’s not going to relate very well on screen.” It’s like, “Maybe you should do this.” I can completely understand why Hollywood shows things the way they do because they have to try and get over these complicated things that we do as hackers to the wider audience that doesn’t understand that.

When you come into a client, when you are on the job, whether it’s doing the physical thing or social engineering, detective or anything, what’s your biggest pet peeve when you look around and you’re still?

People do not think it’s going to happen to them. The complete delusional atmosphere around it. It’s like, “Who is going to hack us? Who’s going to walk in here and steal this? There are bigger companies. There are better companies. There are better places to steal from.” People don’t understand that everyone is a target.

It’s not that it’s bravado. It’s that it’s almost humility, like, “Who would steal from us? Why would anyone want to steal from us?” As opposed to, “Who’s going to try to steal from us?”

I’m sure there’s a psychological term for this. I’m sure Jess would tell me what it is, but I can’t think of it. It’s like the Dunning-Kruger of cultural awareness. It’s like you don’t know what you don’t know about security. Therefore, it’s not going to happen to you.

That’s officially not going to be the name of this episode, the Dunning-Kruger cultural awareness, but it is a great line that we’ll probably try to stick.

It’s what the people above are doing that will drive your security culture.

Please don’t. My wife will kill me for that.

Courtesy of FC much to the chagrin of Jessica Barker. Creeping up on the end here and this is a part that I like and some people answer it well and some people answer it poorly. You have gone back and forth. Let’s talk a little bit about the leadership corner. What is on your playlist? What books might be sitting in your bathroom or next to your easy chair? Are you cooking? What is happening when you’re not breaking into buildings and making the world a safer place?

I read a lot. I consume books a lot. I can’t even start to list all of the books I finished in the last two weeks. I’m sure I’ll miss one. I’ve read The Asset, which is a great fiction book. The Jewels of Revenge as well. I’ve read The Goal, which is like a business leadership book. I read The Biography of Leonardo Da Vinci. The memoir of a forensic scientist called Traces: The memoir of a forensic scientist and criminal investigator, which is a good book. A book about nerve agents, a book on microeconomics and also Mikko Hypponen’s new book, If It’s Smart, It’s Vulnerable and there are some audiobooks in there as well. I read a lot.

To date stamp this, we did a show and you held up Mikko’s book like “I know. I got this in the mail.” I’m glad you got that. Do you work?

Yes, I do, but I also love reading. I can consume books maybe a little bit quicker than most people. I’ve learned speed read. I get through a book quickly. I can also listen to two different audiobooks. We did a bit of science experiment around this, where I can listen to two different audiobooks, read a third book, and still consume all the knowledge. I don’t often do that. That was for an experiment, but I do sometimes listen to a book and read a book at the same time. I was in the dentist for a root canal for two hours. I listened to an audiobook the entire time. You always listened to them like time and a half, two times. Otherwise, it’s boring, isn’t it?

He says confidently, “You always listen to them at two times.” Yes, because that’s what we all do.

Honestly, you can train yourself to do this. Anyone can do this with YouTube or audiobooks. Listen to whatever it is on one speed, then notch it up a little like 1.1. You’ll barely notice a difference, then eventually, you’re up to like 1.2 and eventually, you’re up to like 1.5. Suddenly, you’re watching more YouTube videos about whatever subject you’re trying to learn or you’re listening to an audiobook. Almost a time and a half quicker.

It depends on the book you’re listening to and how far and fast you can push that. You can go up to two times speed, but you have to pay attention to it. Do try it. It’s worth trying. If you’re reading a book, use a ruler or a piece of paper to show where your line is. Try to get rid of your inner monologue as you’re reading, and you’ll consume words much quicker.

Speaking as someone who speaks incredibly fast, I don’t need to listen to things any faster than I can, but I speak at 1.5 speed compared to any. Shameless plug time. We are coming up on Hacker Summer Camp. I know, unfortunately, that you and Jess will not be crossing the pond for Black Hat and DEF CON and all the things. It doesn’t mean that you are not out there. People looking for you, what’s going on? You personally, Cygenta or all the good stuff.

Cygenta, you can find it on Twitter, @CygentaHQ. You can find me at @_Freakyclown_. You can find our YouTube channel, Cygenta HQ, or my own YouTube channel, which I’ve literally started called MrFreakyclown. There’s LinkedIn, if you can ever find us on that. I’ll be surprised because my FC initials don’t seem to come up on the algorithm when you search it. Good luck with that one. The website is Cygenta.co.uk where you can find out a bit more about what we do.

What they do is a real thing and you’ve seen it happen in movies. These people do it for real and the team is interesting. It’s super fun. It’s also informative. That’s what we want to do here. Speaking of being super fun and informative, that is it for now. Thanks for joining us on Friendly Fire, FC. You have taken so much time out of your calendar for me over the years. I’m so glad that we had this chance. We’re going to do a lot more. We’ve got to get you and Jess and a few of the other guests that we’ve had together. We’ve got a round table coming that I think we might fix cybersecurity if we get the right people in the room.

It’s been an absolute pleasure as always, Matt.

No pressure on you. For all the information on what’s good in the world of cybersecurity, make sure that you check us out. We are on LinkedIn and Facebook and ElevateSecurity.com. It’s simple, not a whole bunch of underscores. Nothing freaky going on there. My name is Matt Stephenson. You can find me @PackMatt73 across all of the socials.
Please come back to the show. As I said, we’ve got a killer lineup coming up. We got a lot to do. I’m going to leave it at that. I can be played with flavor and be the hype man here but I’m going to say, come back. It’s going to be fun. Subscribe, rate and review and you’ll never miss a thing. We’ll see you next episode.

Important Links

About FC

FC is a well-known ethical hacker and social engineer. He has been working in the information security field for over 20 years and excels at circumventing access controls. As an ethical hacker and social engineer, FC ‘breaks into’ hundreds of banks, offices and government facilities around the world.
Now Co-CEO and Head of Ethical Hacking at Cygenta, he continues to perform valuable research into vulnerabilities. His client list involves major high-street banks in the UK and Europe, FTSE100 companies and multiple government agencies and security forces.

Share This

Elevate Security

The Elevate Security Platform identifies and responds proactively to your organization’s riskiest users, providing security teams with the visibility and playbooks necessary to prevent the next security breach.
74% of breaches involve the human element. The only way to combat this is to strengthen your IAM. Get started with these IAM best practices.

4 IAM Best Practices for Securing Your Organization in 2023

According to Verizon’s 2023 Data Breach Investigations Report, “74% of breaches involved the human element, which includes social engineering attacks, errors or misuse.” The DBIR […]

Read More
Dive into a couple of use cases to show off what Elevate + Cisco can do together.

Elevate + Cisco: Redefining Cybersecurity Together

Having built several security programs from scratch, a strategic combination of “best of suite” and “best of breed” can go a long way in securing […]

Read More
IAM in the Age of Remote Work: Ensuring Security and Productivity

IAM in the Age of Remote Work: Ensuring Security and Productivity

Today, organizations need to adapt their Identity and Access Management (IAM) strategies to ensure their remote workforces are secure and productive. Above all else, today’s […]

Read More

Get Started Today

Quantify risk across the organization, and identify areas where increased safeguards and processes are needed to reduce your risk profile and protect your team.
Book a Demo
>