The Hacker's Cache

#6 Is AI Going to Cause Bad Stuff? Of Course, Everything Does ft. Mike Finkel

Kyser Clark - Cybersecurity Episode 7

In this conversation, Kyser Clark interviews Mike Finkel, a penetration tester, about his background and experiences in the cybersecurity field. They discuss certifications, the importance of customer service skills in pentesting, and the role of AI in the industry. Mike shares his hot take on AI, expressing his excitement for its potential in pentesting. They also touch on the value of getting out of one's comfort zone and overcoming social anxiety. Overall, the conversation provides insights into pentesting and the skills and knowledge needed to succeed.

Takeaways

  • Certifications such as OSCP, OSWE, and CRTP can be valuable in pentesting, providing a baseline of knowledge and helping with specific areas like web application testing and source code review.
  • Customer service skills are important in pentesting, as effective communication with clients can lead to better relationships and repeat business.
  • Getting out of your comfort zone and overcoming social anxiety can benefit personal and professional growth.
  • AI is a hot topic in the cybersecurity field, with potential applications in pentesting, but it should be used with caution and not relied upon as the sole solution.
  • AI tools like ChatGPT can be helpful in research and information gathering, but their results should be verified and not blindly trusted.

Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY


Music by Karl Casey @ White Bat Audio

Attention viewers/Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.

The postings on this site are my own and may not represent the positions of ...

**Mike Finkel** (0:00 - 0:16):
I love AI. I think it's awesome. I think it's the future. It’s great. Is it going to cause bad stuff? Of course, everything does. I think this is just the beginning, and I think it's really huge. There's plenty of people who think it's overrated and not anything special.

**Kyser Clark** (0:16 - 1:46):
Yeah, I agree with you. It's definitely a huge thing, and there are people kind of sweeping it under the rug. I don't think it's a fad at all. If you're ignoring it, you're going to get left behind in this competitive field.

Hi, I'm Kyser Clark, and welcome to The Hacker's Cache, the show that decrypts the secrets of offensive security one byte at a time. Every week, I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you're a penetration tester, bug bounty hunter, red teamer, or blue teamer wanting to better understand the modern hacker mindset, this show is for you.

Welcome to The Hacker's Cache. My name is Kyser Clark, the host of the show. I have six years of experience in cybersecurity, currently work as a full-time penetration tester, and hold 12 certifications. I have a master's degree in cybersecurity and am currently working on my second master's degree. Today, I have Mike Finkel, who has spent 15 years in IT, with five of those years in pentesting. He started out routing tickets and on the help desk, moved to system administration and network engineering for healthcare and hospitals, and then went into pentesting. Mike has a bachelor's degree in information systems and holds certifications including CRTP, CPTS, OSCP, OSCE, and OSWE.

So, Mike, thank you so much for joining me. Can you walk us through your background and introduce yourself to the audience?

**Mike Finkel** (1:46 - 3:32):
Yeah, happy to be here. My name is Mike. I started off just routing tickets, and when I was doing that, I realized I actually knew how to fix the stuff. I’ve been working with computers for a while, fixing problems with my parents' computers and my own in DOS and all that. I started doing help desk work, hungry for information, and moved on to system administration. Then I did network engineering for hospitals and everything. I wanted to take a more unbeaten path, so I decided to learn how to hack. I had no security experience, just some work with firewalls. I decided to take the OSCP with very little experience and studied for about six months. I was starting from ground zero, Googling every little bit until I understood it. I got my first pentesting gig before I even finished OSCP. I’ve been working as a pentester for five years, doing everything from internals to externals, web applications, container breakouts, and source code testing, except for mobile.

**Kyser Clark** (3:32 - 4:06):
You were talking about wanting to take the road less traveled and went into pentesting, which is a great description of what we do. That’s actually one of the reasons why I started this podcast. A lot of people don’t know how to break into the field, and I wanted to tackle that with this podcast. What made you choose offensive security over defensive security?

**Mike Finkel** (4:06 - 4:07):
Because it’s cool.

**Kyser Clark** (4:09 - 5:40):
Yeah, same here. I wanted to be a hacker because it’s such a mysterious title. When you talk to people, they’re like, “Whoa.” For those who don’t know, I’m a military veteran. When I got out of the military, I had to get my VA identification card. The guy asked for my occupation, and I said, “I’m a penetration tester.” His reaction was so confused. A lot of people’s minds go to a different place when you say that. That’s why I went into pentesting—it’s the cool factor.

Let’s get into the rapid-fire questions. Are you ready? 

**Mike Finkel** (5:42 - 5:42):
Certifications.

**Kyser Clark** (5:43 - 5:46):
Favorite tool not many people know about?

**Mike Finkel** (5:50 - 5:50):
Skip.

**Kyser Clark** (5:52 - 5:53):
Blockchain, yay or nay?

**Mike Finkel** (5:54 - 5:54):
Yay.

**Kyser Clark** (5:55 - 5:57):
Favorite hacking distro?

**Mike Finkel** (5:59 - 6:02):
I just use Ubuntu, but I like Linux.

**Kyser Clark** (6:04 - 6:12):
Security through obscurity, yay or nay? 

**Mike Finkel** (6:16 - 6:19):
Weird Al. Just because I like the name.

**Kyser Clark** (6:20 - 6:42):
That was 40 seconds, a bit over. What does Weird Al do?

**Mike Finkel** (6:42 - 6:50):
I think it does AWS scans, but I could be wrong.

**Kyser Clark** (6:53 - 8:01):
Definitely a unique name. Let's dive into security through obscurity. I personally like it, but I don’t think it should be the sole security measure. You should build something secure first before hiding it. Do you think that’s okay, or is security through obscurity a waste of time?

**Mike Finkel** (8:01 - 8:25):
Yeah, it makes sense. Defense in layers. Obscurity is a layer, maybe a weak one, but it helps. It shouldn’t be the sole method, but with context, I agree.

**Kyser Clark** (8:27 - 9:30):
Let’s get into our main discussion. You mentioned certifications as the best advice for aspiring hackers. What certification do you lean on the most for your daily work as a pentester?

**Mike Finkel** (9:30 - 10:56):
It depends on the service I’m doing. For web apps, the web certs are helpful. OSCP and CPTS are good for a baseline. I found the OSWE or AWAE helpful for source code testing. I’ve done most of the burp Academy too. For internals, OSCP and CPTS help a lot.

**Kyser Clark** (10:56 - 11:40):
Learning new technology fast is key, especially in client engagements. I see people bash OSCP because it doesn’t explain everything you need to know. That’s the point—you have to research on the fly.

**Mike Finkel** (11:41 - 11:58):
Yeah, 100%.

**Kyser Clark** (11:58 - 12:28):
You talked about OSWE, which is more for source code review and white-box testing. Is that correct?

**Mike Finkel** (12:28 - 13:08):
Yeah, but I haven’t seen the updated modules. It was mostly source code testing when I took it. OSWA is the lower-level one for black-box testing. I think both help with black-box assessments.

**Kyser Clark** (13:08 - 13:46):
I agree. I haven’t done OSWE yet, but I plan to. Knowing what’s happening under the hood helps with black-box testing. It eliminates attacks and guides your next move.

**Mike Finkel** (13:46 - 14:33):
Exactly. Understanding what it can’t be is important. The more you know, the better. You can skip OSWA, but I found it helpful. Moving on, what’s your opinion on college degrees for an offensive security career?

**Mike Finkel** (14:34 - 16:12):
I hated college. A lot of classes felt like a waste of time. Some companies require a degree, which sucks. Some degrees are useful, like computer science, but many aren’t. I did poorly in classes I didn’t care about, but I excelled in ones I was interested in.

**Kyser Clark** (16:12 - 17:34):
I actually used something from my statistics class in a pentest. I tested payloads 30 times each for a good sample size. It’s funny you mentioned statistics. Client engagement is crucial in our company. Do you think customer service skills are vital for pentesters?

**Mike Finkel** (17:34 - 19:15):
Absolutely. I had social anxiety and didn’t understand the technical aspects of talking with clients at first. Communication is key. Our report is a product, and how we present it can make or break the project. Charisma and client engagement are important for repeat business.

**Kyser Clark** (19:15 - 19:54):
I agree. I spent six years as a system administrator, which helped me with client engagement. Do you think your help desk and system administration experience helped you communicate with clients?

**Mike Finkel** (19:54 - 20:32):
It helped, but I had social anxiety beyond work. Overcoming it professionally and personally was important. Some people enjoy talking to others, while others don’t. Many pen testers become good at client communication over time.

**Kyser Clark** (20:32 - 20:36):
What advice would you give the audience to overcome social anxiety?

**Mike Finkel** (20:36 - 21:38):
Get out of your comfort zone. I traveled alone

 and took improv classes to overcome my anxiety. Nothing gets you out of your comfort zone faster than trying to be funny in front of a crowd.

**Kyser Clark** (21:39 - 23:07):
Public speaking is one of the top fears for many people. If you have social anxiety, it’s normal, especially in our field. Technologists are often introverted. I’m naturally introverted but learned to talk to people through my job. Traveling alone can help, and I did that once going to South Korea.

**Mike Finkel** (23:08 - 23:42):
Exactly. We like being behind the computer, but developing social skills is valuable. It helps personally and professionally.

**Kyser Clark** (23:43 - 24:38):
I used to avoid talking to people, but one time at an airport bar, I struck up a conversation with a guy about football. Turns out, he was a pen tester too. You never know where a random conversation will lead.

**Mike Finkel** (24:38 - 25:03):
In Peru, I met a red team operator at dinner. It’s wild meeting someone in a different country doing similar work. Those moments are awesome.

**Kyser Clark** (25:03 - 25:05):
That is really cool.

**Mike Finkel** (25:06 - 25:18):
You never get those moments unless you get out of your comfort zone. Those experiences are invaluable.

**Kyser Clark** (25:19 - 25:50):
I'm glad you brought this up. It’s a big challenge in our field. My first job was at a restaurant, and I was terrified to talk to customers. But I had to break out of my shell. What’s your take on AI in cybersecurity?

**Mike Finkel** (25:50 - 26:28):
I love AI. I think it's awesome and the future. It’s going to cause some bad stuff, but everything does. I’m excited to see what comes next. Some think it’s overrated, but I see it as a big positive.

**Kyser Clark** (26:28 - 29:09):
AI is definitely a hot topic. I was at AWS Reinforce, and AI was a major focus. Ignoring AI sets you up for failure. I use ChatGPT for almost everything. It speeds up my work. Sometimes I ask ChatGPT before Googling something. It remembers past conversations now, which is great. I use it to help structure this podcast and run ideas by it. AI has security risks, but it's a powerful tool if used correctly.

**Mike Finkel** (29:09 - 30:53):
Yeah, AI is my Google 2.0. It gets things wrong sometimes, so you have to fact-check. It’s not perfect, but it’s getting better. Be cautious and don’t trust it 100%. It can write insecure code, so always double-check.

**Kyser Clark** (30:53 - 31:00):
Great advice. Mike, if the audience wants to get a hold of you outside of the podcast, how can they do that?

**Mike Finkel** (31:01 - 31:04):
That’s a good question. I’m not on much social media.

**Kyser Clark** (31:06 - 31:09):
He’s a ghost in the wires, ladies and gentlemen.

**Mike Finkel** (31:10 - 31:12):
Yeah, I don’t have much social media.

**Kyser Clark** (31:12 - 31:34):
He was here, and now he’s gone. Thank you so much for your time and attention. This episode will give a lot of value to the audience. If you want to get a hold of me, the best place is on LinkedIn or check out my website, kyserclark.com. See you in the next episode. Until then, this is Kyser signing off.

People on this episode