The following is an excerpt from a discussion with Heath Adams, CEO of TCM Security.
Mark Shriner
Hello, everybody. Welcome to Secure Talk. My name is Mark Shriner, and I’ll be your host for this episode of Secure Talk. Today we’re going to be talking to Heath Adams, who is also known as the Cyber Mentor on social media. Heath is the founder and CEO of TCM Security, which is an ethical hacking and cybersecurity consulting company. And while Heath is an ethical hacker and he leads the TCM Security consulting business, he also loves to teach, and that’s part of TCM’s offering. We’re going to talk to Heath about how he got started in cybersecurity, what ethical hacking is, and about some of his courses, and probably a lot more. But before we do that, I want to say hi to Heath. Heath, how are you today?
Heath Adams
Hey. I’m doing well, thank you.
Mark
So, let me ask you, you have this amazing presence on social media. I think that you’ve taught over 170,000 students, and on YouTube you have close to half a million subscribers. You’re also on other platforms, including Udemy and Twitch. And it’s amazing. I looked, and some of your videos have over 3 million views. Given the fact that cybersecurity is not like a Mr. Beast topic, this is kind of a relatively narrow niche, and the fact that you have that big a number of subscribers and that many views, that’s really commendable. I want to talk about that, but first, how did you get started in this space?
Heath
Yeah, so I actually have a weird background. I feel like a lot of people do for cybersecurity. I started out as an accountant and just quickly realized that it wasn’t for me. So I went back to the drawing board and figured out that I was pretty passionate about computers. My first operating system, I shouldn’t say Windows 98 was mine, it was actually 95, and I used Prodigy back in the day before AOL, so I’ve been using computers for a very long time. I think I got my first one when I was four years old. So it was one of those things that was really comfortable for me, but I never thought about making a career out of it.
And eventually I just dropped everything one day and literally quit my job, turned in my keys at lunch, and tried to figure out something different. So that ended up with me moving from the middle of nowhere to New Mexico, and I ended up just finding a job working Help Desk when I got out here, and I was able to just study. And while I was working Help Desk, I got a bunch of certifications, and one of my coworkers said to me, do you know that you can get paid to be an Ethical Hacker?
And I had never even heard of that. I was interested in cybersecurity.
I always thought at that point that it was just a bad person in a hoodie, like every stereotype you could think of, and I just immediately became obsessed with the idea. So I went online and just started researching: okay, what kind of training do I need? What kind of skills do I need? What certifications are out there for this? And I just started putting together a roadmap and slowly checked off that roadmap until I got hired as an Ethical Hacker in the field. So I kind of just wound up there.
Mark
Well, for those listeners or viewers who don’t know, maybe you can explain what Ethical Hacking is. And then what did it take for you to actually become qualified to be an Ethical Hacker?
Heath
Yeah, so an Ethical Hacker is somebody that gets paid to break into organizations. So it’s legal hacking, and there are various forms of it. There’s network based, whether it be external or inside a network. There’s web applications, which are really heavy, cloud, even physical, so literally going to a building and trying to break into it. So there are all different forms of what we call Ethical Hacking. And the transition for me from start to pen tester was about two years, and it was honestly just grinding out the foundational skills, which I think is the most important thing. Learning your A Plus skill set or your Help Desk skill set. Learning your basics and foundations in networking; I went and got a Net Plus and a CCNA. Learning your basic security concepts; I went and got a Security Plus. Understanding Linux; I went and got a Linux Plus. Not that it was necessary, but just getting these foundations down. Understanding coding languages, so I went and learned Python, and just started building those foundations and then utilizing that to start learning: okay, what is Ethical Hacking? What are the foundational skills within Ethical Hacking, and how do I utilize those to become a pen tester, essentially, or penetration tester?
Mark
And what are some of those foundational skills required to become a pen tester?
Heath
Yeah. So within the field itself, it really breaks down to five items. You have intelligence gathering, open source information, and reconnaissance. That’s step one. So learning how to go and do what we call OSINT, or how to look up an organization. For example, I might be interested in finding out who an organization’s employees are, what their email format is, what their known breaches were in the past, or if they have any emails or users tied to known breaches, regardless of whether it’s tied to their business account or their personal account. And then how can we use that information against them? The next thing is scanning and enumeration. So it is, hey, what do we look for when we’re scanning? So when we’re scanning them, do they have any specific ports open? Are those ports known to be vulnerable? Are there services running on those ports that are vulnerable? More likely, are there login panels where we can utilize that information we gathered in the first step? And then we move on to what’s called the exploitation phase. So how do we exploit against them? Is it logging in? What do we do once we’re logged in? So we have, like, post compromise.
Post compromise enumeration. You kind of repeat the process again until you get to the cleanup phase of getting rid of everything that you’ve done and making sure that everything’s back to normal before you close the books out. So, yeah, you pick up those skills and you learn different things. For me, the most important thing is really the methodology, because tools change all the time. So you can learn a favorite tool, and then somebody will stop supporting it, because most of these are just open source, and then you have to go find the next tool or the better tool. So it’s really understanding the methodology between the different types of pen testing or hacking that are required and learning those foundational methodologies that is really important.
To listen to or view the rest of the conversation with Heath, please visit: https://securetalkpodcast.com/getting-started-in-ethical-hacking/