The Hacker's Cache
The show that decrypts the secrets of offensive cybersecurity, one byte at a time. Every week I invite you into the world of ethical hacking by interviewing leading offensive security practitioners. If you are a penetration tester, bug bounty hunter, red teamer, or blue teamer who wants to better understand the modern hacker mindset, whether you are new or experienced, this show is for you.
#56 Beyond Certs: The Skills That Actually Matter in Pentesting
In this episode of The Hacker’s Cache, senior penetration tester and red teamer Nick Aures shares the skills and habits that matter most in pentesting beyond certifications. We discuss real-world experiences from breaking into the field to finding critical vulnerabilities in companies like Tesla, USAA, and Asana. Nick reveals why strong communication, report writing, and client relationships are just as essential as technical skills, along with insights into bug bounty hunting, red teaming, and common security blind spots. Whether you’re aspiring to become a pentester or looking to sharpen your skills, this conversation delivers practical advice and insider knowledge to help you stand out in the cybersecurity industry.
Connect
---------------------------------------------------
https://www.KyserClark.com
https://www.KyserClark.com/Newsletter
https://youtube.com/KyserClark
https://www.linkedin.com/in/KyserClark
https://www.twitter.com/KyserClark
https://www.instagram/KyserClark
https://facebook.com/CyberKyser
https://twitch.tv/KyserClark_Cybersecurity
https://www.tiktok.com/@kyserclark
https://discord.gg/ZPQYdBV9YY
Music by Karl Casey @ White Bat Audio
Attention Listeners: This content is strictly for educational purposes, emphasizing ETHICAL and LEGAL hacking only. I do not, and will NEVER, condone the act of illegally hacking into computer systems and networks for any reason. My goal is to foster cybersecurity awareness and responsible digital behavior. Please behave responsibly and adhere to legal and ethical standards in your use of this information.
Opinions are my own and may not represent the positions of my employer.
[Kyser Clark]
So for people trying to break into red teaming or bug bounty or pen testing, what skills or habits do you think matter the most more than certifications?
[Nick Aures]
You're probably going to have to write a lot of reports. It's like the less glamorous side of pen testing. I remember the first time I hit that awkward, like the first really good pen test I had with like a ton of findings.
And I'm just like, it's in the back of my head, like, man, I'm gonna have to write all this, man, I'm gonna have to write all this. And it's a lot of details. And the clients don't always have the same level of knowledge.
In fact, they usually don't have the same level of knowledge. That's why they hired you. And so not only do you have to explain it in a way you have to understand, you have to explain it in a way they understand.
[Kyser Clark]
Hello, and welcome to The Hacker's Cache, the podcast that decrypts the secrets of cybersecurity one byte at a time. Today's guest is Nick Aures, a senior penetration tester, bug bounty hunter, and seasoned red teamer with over a decade of experience in IT and cybersecurity. He's led red teams, presented at BSides Buffalo, and has found vulnerabilities in high-profile companies like Tesla, USAA, and Asana.
Nick brings a wealth of real-world hacking experience, research insights, and a deep understanding of offensive security operations. Whether it's coordinating red team engagements or submitting critical bugs in his spare time, Nick's work reflects both technical depth and relentless curiosity. So Nick, thank you so much for hopping on the show and doing this episode with me.
Go ahead and introduce yourself and unpack your experience for the audience.
[Nick Aures]
Yeah, well, first, thank you, of course, Kyser, for having me. I'm really excited to be on the show. So yeah, a little bit more about my background.
Again, my name's Nick. I started my kind of journey here in cyber, really in IT prior to cyber. I just got a basic associate's degree.
And at this point, going back 20 years almost, it was funny because they were kind of, at the time when I was signing up for school, they were like, do you want to do help desk? Or do you want to do networking? We really encourage you to do networking.
I was like, OK, sounds great. So I went the networking route. And for maybe seven or eight years, I did help desk.
I did network administration. I did a lot of Active Directory stuff. I did routing and switching.
And then kind of got into even a little bit of data center engineering, which was pretty cool. But what I started to find was security was extremely interesting, and it was almost mysterious in its own way. And so right around, I want to say 2017-ish, no, no, 2016-ish maybe, I kind of was like, I got to figure out how to get myself into a cybersecurity job.
Of course, I wanted to be a hacker because that sounded super cool. But I knew that wasn't going to be just a couple of steps on how to be a hacker. I knew that was quite the road.
So it was just a lot of self-study. I fired up a blog. I learned how to crack hashes with Hashcat.
I learned how to capture WPA2 handshakes for Wi-Fi and then how to crack those handshakes. And that was a lot of just self-study. Hack the Box was relatively new around that time.
It was still hackthebox.eu. There was no .com yet even. So yeah, I guess a lot of self-study kind of got me to the point where I had enough, I guess, on my resume combined with the IT Foundation to start putting some resumes out. And I put a resume out to a local casino, actually, for a security engineering job.
And then a startup that was kind of in the SOC and monitoring and more defensive side kind of space. And I got hired at that startup company to do SIEM and EDR monitoring mostly. And at that point, I did the job.
I was happy. I learned a lot. It was really cool to be on the defensive side for a while, but I did tell the owner of the business when I could be a hacker here, I want to be.
Get me the shot. Give me the opportunity. And one of the SOC customers had an e-commerce website where you could upload any picture to print it onto a pillow, to print it onto a calendar, that sort of thing.
And I was able to upload an ASPX web shell, pretty much immediately popped this web server. And that was my first, I guess, on the clock pen test. And it went really well.
That happened in like 30 minutes. I thought it was like a sign from the pen test gods. This is where I'm supposed to be.
And told my boss and he's like, oh my God, this is great. And so the next four or five years after that became like, all right, here's more pen tests. Here's more pen tests.
I built up the entire pen test division. I passed off all the defensive kind of responsibilities I had to a new hire who he then kind of went and created the SOC and made the SOC be bigger. So it was really cool to be a part of a company that was like that.
And it really is what paved the way for my cybersecurity foundation. And now I'm just, I don't want to say just, but now I'm a senior penetration tester at a different company. It was a recent change.
It was a tough change. I had a lot of, I guess, I don't want to say emotion, but I had a lot of attachment to that practice I'd helped build, but I knew it was my time to kind of move on. So that's where I was right around the time that you had actually reached out to me to be on the podcast.
And it was also a big change for me. So it was why it took me a little while to finally, to finally reach back out to you and get this podcast going. So super excited to be on, man.
[Kyser Clark]
Yeah. Glad to have you here and no worries on taking a little longer to get on the show because you just got more experience to talk about now. So it works out in the end.
[Nick Aures]
Good point. Good point. More stories.
[Kyser Clark]
So you mentioned that from your transition from network administration roles to leading red teams, you said it was a lot of self-studying, but what motivated you to do that self-study all the time? Because I know you'd put in a lot of hours because it's just part of the game when making that transition. What motivated you to keep doing that day in, day out?
[Nick Aures]
Sure. Yeah. I mean, I already really did love the networking stuff, but I did kind of see like, okay, there's a point where you could master networking.
Sure. Maybe you find a bigger enterprise or something that has a new challenge and you could get hired there and maybe work through a bigger challenge. But it felt like the challenge in cybersecurity was going to be never ending.
And I don't like a mundane routine. It's weird because I'm a very routine person, but when it comes to my work, I don't want it to be the same thing every day. So I think kind of seeing that potential was part of it.
I think just the idea of being able to walk around and saying, I'm a hacker. I don't know. Now that I'm a little older and now that I'm this far into my career, I almost cringe to say that, but it's true.
At that time in my life, I wanted to be able to say I was a hacker. So that always kept me back studying. And then there was some big stuff in the news going on.
WannaCry had happened. That was in the news. I wanted to understand how that was possible.
And then the toolkit that was kind of related to that whole thing got leaked, the Fuzzbunch toolkit, where like EternalBlue and EternalChampion and all those kind of hit the internet. So I started playing with those, barely knowing what I was doing. And then the viral video of a Grand Cherokee, a Jeep Grand Cherokee getting hacked, that was also somehow in my mind of like a thing that happened around that time that stuck out as like, whoa, this is going to be important.
And then last but not least, of course, it seems like when there's a very important thing and there's not going to be a lot of people who are qualified to do it, there's the potential to make good money. So of course, that was always in the back of my mind, too.
[Kyser Clark]
Yeah, I feel like, I mean, I didn't start as early as you did. So I didn't have like those like real world events happening that made me make my decision to make that transition from system administrator to pen tester. But a lot of the same, yeah, like, you know, like being a system administrator, like, I, you know, I come across the same 100 problems every day, very rarely when I come across a new problem, and like, I just had it down to a science and it just got boring, and it wasn't challenging.
And that's one of the reasons why. And yeah, the ability to just make a nice living and enjoy my work was a huge motivating factor for me.
[Nick Aures]
Yeah, yeah. I mean, I joke with my family all the time when I start my job, and I walk from my couch or my bed to my computer. I always say, Oh, off to save the day.
And mostly kidding, of course, but I do feel that securing organizations can make a big difference. And so that always is a big rewarding piece is knowing you're helping secure something too.
[Kyser Clark]
Yeah, I mean, that's 100% true. A lot of people, you know, maybe in the field, downplay the significance of their role. But I mean, we're out here securing companies that people we know and love use every day.
And we protect people and organizations from cyber criminals and identity theft and all that. And a lot of people take it for granted. You know, they don't realize that the risks and the vulnerabilities and the threat actors that are out there until something bad happens to them.
And, you know, a lot of people don't think they're a target, but they absolutely can be and will be a target. And yeah, a lot of people, they don't think about security at all. And it's our job to keep it that way, right?
They don't want to think about it. And it's our job to keep it that way. We're kind of unsung heroes of cyberspace.
I like to say, like, we don't get a lot of credit, but you know, someone's got to do it. And I get a lot of joy and satisfaction out of that.
[Nick Aures]
Yeah, yeah, I couldn't agree more. That's very well said. A lot of satisfaction out of the job I don't see myself doing.
And who knows what the future brings, but it would be hard to get out of this career. I really do love it.
[Kyser Clark]
All right, let's go ahead and dive into our security Mad Libs. So, Nick, are you ready for the security Mad Libs?
[Nick Aures]
I'm ready.
[Kyser Clark]
All right. So, for those who don't know, Nick will have 40 seconds to answer five Mad Libs. It's like fill in blank questions.
All he has to do is say one to, I guess, however many words he wants. He needs to fill in a blank on the questions. And then if he answers all five questions in 40 seconds, he'll get a bonus Mad Lib that's unrelated to cybersecurity.
[Nick Aures]
All right. Yep. I'm ready.
I'm ready.
[Kyser Clark]
So, Nick, here we go. Your time will start as soon as I stop asking the first question.
[Nick Aures]
Okay.
[Kyser Clark]
Nick, the tool I secretly hate using is... Oh, man. Ettercap?
I'd never want to defend an attack against...
[Nick Aures]
Oh, nation state threat actors.
[Kyser Clark]
The first time I broke something in prod, I... Was sweating profusely. The most underhyped skill in cybersecurity is...
[Nick Aures]
Communication.
[Kyser Clark]
My guilty pleasure productivity tool is...
[Nick Aures]
Oh, man. Nuclei? Do I dare say?
[Kyser Clark]
Great. That was 36 seconds. So, congratulations.
You earn the right to answer the security Mad Lib.
[Nick Aures]
It's awesome.
[Kyser Clark]
And for this one, you can provide an explanation if you want as much or as little as you want to. You can even dodge a question entirely if you want to, if you don't want to answer it. It's a little silly.
All right. So, here it is. All right.
The worst possible ice cream flavor would be...
[Nick Aures]
The worst possible ice cream flavor would be... I want to say like popcorn because people love to make popcorn. Oh, wait.
No, no, no. I'm taking it back. Popcorn is a good one, but I'm taking it back like a dill pickle flavored ice cream because I feel like people have been dill pickling everything lately.
That would be pretty horrible.
[Kyser Clark]
Yeah, I agree. I like a little bit of dill pickles. I'm not like crazy about them.
Like, I like to eat like, you know, maybe a couple of chips or maybe like half a pickle. That's kind of my thing. But I can't go more than that.
And I know like some people like they just drink pickle juice from the jar. I'll never do that. No, that's a little much.
So, I agree with you there. When I see this question, the first thing that comes to my mind, I don't know why, but the first thing that comes to my mind is mayonnaise. Mayonnaise flavored ice cream.
I, yeah, I feel like that'd be like the worst one. That would be like something someone might actually pitch because it's, you know, food.
[Nick Aures]
Yeah, that's, that would be horrific.
[Kyser Clark]
Okay. So you said the tool I secretly hate using is Ettercap. So I know you was under pressure and there was time there, but is there any reason why you said Ettercap?
[Nick Aures]
So I don't know that I have any issue with the tool, but it's funny that you get to ask this because it connects two things that you asked me in that little section there. One was what happened the first time I destroyed something in prod or took something down. It was with Ettercap.
So that's, I think that's why I married that. Like, okay, I don't have a problem with the tool, I guess. It was really more user error.
But now every time I fire it up, I get, you know, Bettercap or Ettercap, I get like, okay, hold on. What had happened was I was in a, I was in a pretty sensitive environment and was just getting frustrated with like no internal progress on this pen test. And so I was scoping like bigger amounts of traffic and bigger amounts of traffic to do ARP spoofing.
And eventually it just became like too much traffic to just shove through the VM that I had on site. And so it just started dropping tons of traffic. And obviously there's tons of production, we'll just say SCADA systems, for example, that were just like no longer able to communicate through the gateway because I was just trying to put like gigabytes of data through my virtual network interface with Ettercap.
So that's why.
[Kyser Clark]
Nice. Yeah. Yeah.
So I don't have too much experience with Ettercap, but I would say tool that I secretly hate using would probably be like OSINT tools. I'm not a huge fan of OSINT. A lot of people love it and I just don't really care about it.
I mean, I do it for like external pen tests because it's a requirement for external, but I just don't really, I'm not, I don't really like it. I feel like I enjoy finding like the security vulnerabilities in the technicals, you know, like when I'm in an internal, maybe this is because I was a system administrator and I can understand a little bit better. But I, yeah, I don't really enjoy that part of pen testing is OSINTing.
Luckily it's typically not a major part, so I can get through it kind of quickly. But yeah, that's one that I, those are the tools I secretly hate using. Sure.
[Nick Aures]
Sure. Yeah, that makes sense. I know.
I always feel like I'm kind of like snooping on people when I'm going pretty hard with the OSINT and I'm like, what, you know, what does this person for breakfast this morning? Maybe that's their password. You know, I hear you there.
[Kyser Clark]
All right. So back to our main discussion here. So as someone who has submitted bugs to Tesla and USAA, what is an approach to a bug bounty that sets you apart more specifically?
Like what, what's the difference between like a successful bug bounty and a non-successful bug bounty that you could throw out there to, to help other bug bounties that might be listening and watching or people who want to become bug bounty hunters?
[Nick Aures]
Yeah. Yeah. I mean, there's two big ways that I always looked at it.
There's people who are already very well experienced in this field. They're probably doing it for some extra money and maybe to keep learning. I mean, that's, I definitely love to use it as a learning tool as well.
But I would say if you're on the side where you're more just trying to get into it definitely use it as a learning tool. Don't try to use it to replace your income or anything, not saying you won't. But I think that if you kind of have a level of desperation, cause you're like, oh, I know I have a computer.
I know I know some hacking stuff and I know bug bounty will pay me. It's, it's almost going to make it harder. It's almost like you're trying too hard in a way you're going to miss probably something slowing down and just paying attention to very, very subtle details is probably the best way to, in my opinion, find things that a lot of other bug bounty hunters may miss.
And the reason I say that is because I think there's a, with tools like Nuclei and even just Burp, and Burp has, you know, all the, so many good scanning pieces to it. And now there's the enhancements with AI and stuff. I think you could start to cover a lot of land pretty efficiently and a smaller amount of time with the efficiencies of these tools.
But I think that because people are becoming more confident in how much land they're covering, they're almost not knowing what they don't know. And there's still going to be a lot of little missed details, you know, requests that are only off by a few bytes. Why did they change in that size?
You know, just paying attention to very, very subtle details, I would say beyond anything besides maybe curiosity are the big things for bug bounty.
[Kyser Clark]
Yeah, that's, that sounds good. I don't have any bug bounty experience, so I don't really have anything to really add there. Cause I just haven't had time to do bug bounty.
I choose to make content my free time. If I wasn't content creator, I probably would do bug bounty. I always say like, I want to get into bug bounty, which sounds good, but man, the content creation takes up all my extra time.
And I don't, I really enjoy being a full-time pen tester. So I don't, uh, never really, never really dove into bug bounty like that, but it's always good to hear, hear you, your perspective from, and from other bug bounty hunters too. And I know a lot of people listening and watching the show, you know, they want to know that stuff because there are a lot of people that want to get into bug bounty.
[Nick Aures]
Yeah. Yeah. It's an interesting world.
That's for sure.
[Kyser Clark]
So as a speaker, what topics are you most passionate about when you share knowledge publicly and why?
[Nick Aures]
Um, I think it's always something different. And I think that goes back to what we talked about, about just like not having that routine kind of same old, same old. Um, I will say like the first year that I did all my public speaking that I should say, the first year I started to public speak, um, it was, I think three or four times that one year.
And realistically I, it was group, different groups of people, you know, same type of audience, but different actual people. Um, so I relied on the same content and kind of just upgraded it, realized what I could have did better and kind of built that into the slide deck, stuff like that. Um, so for the first year it was really like, here is three different ways I can make it to domain admin.
You know, here's the easy way I made it to domain admin. Here's the medium way and here's the hard way. And here's how you'd remediate it.
And really the point was remediation for none of them was like, make sure you have a firewall and make sure you have antivirus. Like, yeah, you should have those things, but that wasn't going to fix the people that gotten, you know, um, compromised in those scenarios, had those things. Um, so it was really more of a security and layers talk with technical demos, I guess you could say.
Um, and so that was like my whole first year of, of talking. Um, and then this past year I got, um, I just, like I was telling you before we started recording, I spoke at Buffalo BSides a couple of weeks ago. Um, I actually didn't even, um, uh, do the call for a presenter.
I got invited by, um, somebody I knew to be on their first panel ever. Um, and the panel was, it was awesome because it was very focused on helping people who are trying to get into a specific, uh, maybe, maybe even are already in cyber and want to switch to a different part of cyber or aren't in cyber yet and want to get into cyber. But I kind of from like a red team pen test perspective, um, was obviously very passionate about that sort of stuff.
Um, there was a gentleman, uh, with me who spoke about similar stuff. We had a, uh, GDPR person and we had like a blue teamer as well. So it was kind of cool to, um, talk to groups of people about all the different ways you could be in security, all the different ways it could be fun.
Yes. You know, 10 times out of 10, you're going to ask somebody like, what's the cool thing to do in cyber? I was going to say hacker, but there was some really cool defensive stories.
There was some really cool, even GDPR type stories, believe it or not. And so it was, um, uh, I just, I don't know. I don't know if I have a favorite thing.
I just kind of like being immersed in it. You know, whatever's new this year, I'll get into it.
[Kyser Clark]
Yeah. Which, which is great because there's always something new, which is why this field, um, treats people like me and you so well, because I'm, I'm the same boat. Like, man, I, I don't like a routine in my work because I've had, I've had dead end jobs where I was doing the same thing every single day.
Like there was zero change. I'm like, dude, this, this is awful. And that's actually what made me decide like, yeah, I need to change my life somehow.
And then, uh, that's what prompted me to go in the military and, uh, in cyber specifically in the military.
[Nick Aures]
Yeah. Yeah. That's super cool, man.
A lot of respect for that. Thank you for your service, by the way.
[Kyser Clark]
Thanks for the support. Of course. So in your experience, what are some of the most common blind spots clients have when it comes to offensive security assessments?
[Nick Aures]
Um, that's a good question. I think this is starting to change with more and more people throwing everything in the cloud. Um, but I think historically and still to this day, the biggest, it's like when something is wrong, the biggest thing that could be wrong, in my opinion, is you have an on-prem web application facing the general public that hasn't been patched or that has some crazy vulnerability that isn't like, you know, maybe it has been patched.
Uh, maybe it's a Windows server and you have all the Windows patches, but there's insecurities in the code or something, you know, point being when you have this on-prem app and it's not in a DMZ, it is like the shortest path from the internet to taking over your entire Active Directory and network. Um, the DMZ model exists for a reason. There's probably five other models that you could go on that talk about not having a direct route from a publicly accessible asset to your domain controller.
But I still had, again, it's starting to slow down, but I would say most of my pen test career, the last six, seven years, um, the, the worst, the most shocking or eyeopening things I brought to clients were like, Hey, we walked right in through a web application that was sitting on the network, not too far from the domain controller. So, um, I think that's, I don't even know if it's a blind spot. I just, uh, it's just like advice that isn't, um, taken.
I think a lot of times when people think of their, their network architecture.
[Kyser Clark]
Interesting. Yeah. So I've only been a full-time pen tester for a year.
I'm not seeing a lot of that. So maybe it's cause it's slowing down, like you said. Um, but yeah, that's, uh, I would say for me, yeah, I don't, I don't see a lot of that.
Uh, but it makes me wonder like, man, I wish I would've got in pen testing a little bit sooner to have more fun. Cause there's a lot of pen tests, man. Like a lot of my clients are, I would say they're, they're pretty secure.
I would say, you know, in my position, I'm pen testing things that's already been pen tested like five, six times over already. And like, I feel like every pen test more times than I don't get wrong. There's been some times where we got DA and you know, I found some high end criticals, but I would say more times than not, like I'm bashing my head against the wall.
My dude, how do I break into this? Um, which is good, uh, for the client and good for the overall security of the internet and, and these companies. But as me, the pen tester, I just feel like, man, like, do I just suck?
Like that's one thing that I struggle with pretty much all the time. And like I said, there's occasional where I find like some severe vulnerabilities and that's where it gets fun. But then the, the bad part about it is like, nah, I have to go to a client and be like, Hey, you guys are not looking good over here.
Even though I had a field day in your environment. And you know, you can't like, cause the goal is not to like pwn them. Right.
You know, I deliver by the client and, um, the clients, they don't really take the news, that news very well in my experience.
[Nick Aures]
Yeah, yeah, no, you're two good, two good points there. Uh, yeah, you definitely get all sorts of client reactions. I had to, I had like tore apart a web application once and then went and delivered.
It was for a school district and, um, basically every other school districts in that same area, like had used some commercial product, but for whatever reason, this one had this homegrown application and the dev had worked there for like 20 years, maintaining and growing and building this thing. And I just came along and it was the first pen test that ever had. And it just tore this thing apart so bad that they were like, you got to move to a commercial app.
You cannot continue to maintain, uh, this in-house one. It'll cost too much money. And, and the guy's look on his face was like a ghost, like he'd seen a ghost or something.
And I felt horrible, but like, I'm just doing my job. I'm securing the school district. I have to remind myself that like, feel bad that I tore this guy's app apart.
He probably worked for half his career on it. And I just, you know, it's like awkward. Um, and then the other thing that you mentioned that was a really good point is, um, about like, man, do I just suck?
Um, I think every pen tester has days like that. Um, a colleague of mine who has been pen testing as long as me, he may have been pen testing even longer. I'm not sure about the same time.
We'll just say he just posted a blog for the company I work for about imposter syndrome and all about that. Like just how, no matter how many times you pwn something, how many times you know, something that, you know, 150 people in a room wouldn't know. Um, you still have days where you're like, man, am I cut out for this?
So that's a, that's a tricky one to deal with. I still, we all have those days.
[Kyser Clark]
Yeah. It's good that you highlight that. Cause yeah, imposter syndrome is real.
My good friend of mine, he just transitioned from a security analyst to a senior security analyst to a, uh, not in the same company. He, he changed companies and he was like, here's my 10 days of work update. He was like, job is cool, but imposter syndrome still exists.
That was like what he said. So that was a, you know, they hired him as a senior cybersecurity analyst and yeah, every, it's, it's inevitable. It just happens.
Um, but then you get those occasional ones where like I'll find a vulnerability in an app and then the client will be like, wow, this has been in production for 10 years and this has been pen tested several times and no, no one's ever brought this vulnerability to us. And those are like, yes. Especially when they take it well, they're like, they'll be like, thank you.
Those are the best clients in my opinion. Like we're like, thank you so much for bringing this to our attention and we're going to work on this right away.
[Nick Aures]
Yeah. Yeah. I mean, like we talked about earlier, it's, we're trying to help secure and we, you know, I'm sure there's some organizations that do the hacking and the remediation.
I think most do the hacking and the suggestion towards remediation. Um, but usually it's up to a lot of the clients themselves to do the remediation. So when they're grateful you found it and they go ahead and patch it, you feel like you've really accomplished your mission.
So yeah, definitely feel you there.
[Kyser Clark]
So for people trying to break into red teaming or bug bounty or pen testing, what skills or habits do you think matter the most more than certifications?
[Nick Aures]
Um, more than certifications. Uh, you're probably going to have to write a lot of reports. It's like the less glamorous side of pen testing.
I remember the first time I hit that awkward, like the first really good pen test I had with like a ton of findings. And I'm just like, it's in the back of my head. Like, man, I'm gonna have to write all this, man, I'm gonna have to write all this.
And it's a lot of details and the clients don't always have the same level of knowledge. In fact, they usually don't have the same level of knowledge. It's why they hired you.
Um, and so not only do you have to explain it in a way you have to understand, you have to explain it in a way they understand. So that could be tricky. It's why an IT foundation can help a lot, or at least just being familiar with the concepts.
Um, that would be the number one skill I would say, besides just communication. Um, again, to connect another story we talked about when I took down some of that network by ARP spoofing a little too hard, I had to immediately fess up to it. Right.
And it was a matter of communicating exactly what network I was on, exactly what I was trying to achieve, obviously apologizing, but also saying like, you know, we're doing our jobs. It's not like we were trying to be malicious, but yes, obviously this was not intentional. So, so, um, writing, you know, even if you have to lean on a Grammarly a little bit, I know there's people who are very talented pen testers who aren't great writers.
And I lean a little bit on Grammarly. Um, I think that's acceptable for most people. There's it's still hard to find high quality pen testers.
So if you could communicate good, um, you're pretty technical and you're good with your writing. You're probably already in the top percentage right there.
[Kyser Clark]
Yeah. And that first thing comes to my mind when I see that kind of question is, is also communication, but more specific, more specifically, I would say customer satisfaction and customer service, because, um, customer service is definitely a skill that a lot of people in our field don't have. And if you have it, then it definitely sets you apart.
And if you are good at communicating and you're good at delivering bad news, that there's an art to delivering bad news, uh, clients, you know, they'll give you good feedback and they'll want to continue to work with you.
[Nick Aures]
Yeah. Yeah. I don't think that you, I think there's somebody who could show up and find five zero days.
And while that is probably a more desirable technical trait, I think that if you come across as arrogant, if it's so technical, somebody can't understand you, like the client's going to want to work with somebody they like working with. And that's not a cyber thing. That's like a, just the general thing, right?
Like if, if they like you, if you're doing the job, it doesn't have to be the best job. It has to be a good job and they have to like you, you know what I mean? And, um, that's, I think basically what you're saying.
So I'm just agreeing.
[Kyser Clark]
Yeah. And it's, it can be hard sometimes cause I mean, you got, there's so many technical skills you have, and then you have to work on your soft skills. And so I tell people, you got to build both of them up at the same time because they're both equally important.
Cause like you said, if you are the latest hacker of all time and you can't communicate, then it's basically worthless. Your skills are not, are not, it's not being used the right way, unfortunately.
[Nick Aures]
Yeah. Yeah. I mean, yeah, go ahead.
I apologize.
[Kyser Clark]
No, go ahead. If you have something to add, I was just going to dive into our final question. So go ahead.
[Nick Aures]
Yeah, I was just going to put a bow on it and say same thing, even yes, pen tester to client, but even pen tester applying for a role. I know I was, I was told at one of the jobs that I applied for at one point that, um, you know, there was an extremely technical, very high rank, like top 10, I don't know, Bugcrowd or one of the HackerOne, you know, had applied for this role before you and was certainly qualified, but came across as somebody who thought like, I'm a top 10 Bugcrowd person. I deserve to be recognized as such.
And, um, maybe that's the case, but I, I wouldn't suggest carrying yourself in front of clients or in front of potential employers that way, even if it's the truth, you know what I mean? Even if you are super good, let's just have a little bit of humbleness.
[Kyser Clark]
Yeah. That's that's facts. Yeah.
Yes. Stay humble. Cause I mean, at the end of the day, there's always someone better than you, let's be honest.
There's always someone better than you. There's always going to be someone that knows more than you. And even that person has someone that's better than them.
So, you know, there's no one can know everything about everything. So it's absolutely essential to stay humble. Cause when you, so me and my friend was actually talking about this the other day, he, uh, this is a different friend.
He's a, uh, he used to be a cybersecurity engineer. He is now a, um, forensic and incident responder. And we were talking about imposter syndrome.
Cause that's, you know, I think that's a good thing to talk about with your, your good friends. Cause we all experienced it. And he was like, you know what?
I honestly don't trust people who don't have imposter syndrome. Cause like, if you don't have any imposter syndrome, it's hard to trust you because when you act like a know-it-all, um, that's scary because we all know that no one knows it all.
[Nick Aures]
Exactly. Yeah. Yep.
Couldn't, uh, couldn't agree more.
[Kyser Clark]
All right, Nick, let's go ahead and get into the final question. This is one everyone gets. So do you have any additional cybersecurity hot takes or hidden wisdom you'd like to share?
[Nick Aures]
Uh, you know, I will say my hot take always is, and it maybe isn't super hot take. I'm sure I'm not the only pentester who feels this way, but, um, I've always had a chip on my shoulder about vulnerability scanners. Um, and it's unfortunate because they are efficient, right?
When we talk about being efficient, um, they can cover a large amount of area fast. Um, but I just wonder how much time you actually are saving. If you have to then go back through this huge list and determine which actually have value, which are false positives.
Um, and, and it will never say, I don't want to say never, I'll never say never, but like right now, most of them aren't going to be like, Hey, take these two mediums and pair them together. And it's actually going to have a bigger impact than that one TLS. That's a high, you know, that I'm not saying is not exploitable, but, um, so, so my hot take is that vulnerability scanners for too long have been trusted as a source of like, Oh, if there was anything really bad, the scanner would have found it.
Um, but I mean, the reason I think that I had that hot take is because when I started the whole Hack The Box journey, there wasn't a single challenge you would complete in there with this vulnerability scanner. You could run commercial or open source vulnerability scanners on every single challenge. And I mean, most of them were not going to solve the challenge for you.
So that told me something. I was like, okay, that's to me, that's where the money is in pen testing is what, what a computer can't find. And eventually they're going to make this, the vulnerability scanner is going to be doing things that the cutting edge people are doing before the vulnerability scanner always, you know what I mean?
So, um, are they important? Should you be doing vulnerability management? Yes.
And yes. Um, but that's, that's not a replacement for pen testing by any means.
[Kyser Clark]
Yeah, a hundred percent. I, I also started using Nessus on Hack The Box machines and they don't catch nothing. And you're like, there's a way, there's a way to root here and it's, it's left vulnerable on purpose and it still couldn't find it.
And that's, yeah, that's when I realized that vulnerability scanners, you know, they're I think it's a starting point. Um, and they can show you stuff, but it's not always, I would say more times than not, you know, it's, it's not the end all be all.
[Nick Aures]
Yeah. Yeah, exactly. You know, again, I, every time I try to have some sort of beef with them, somebody humbles me and it's like, well, no, you know, I'm like, okay, you're right.
You know, we need them. We need them. They're valuable.
They wouldn't be around if they were, but that's my hot take is like, I'll leave the scanning to somebody who wants to put in the IPs and hit the scanner and read the results. Like I want to go do like the thing, the scanner won't find personally. So nice.
[Kyser Clark]
And I mean, plus, I mean, there's more satisfaction when you find something that the scanner missed too. So there's that.
[Nick Aures]
Yeah. Oh yeah, absolutely. Yeah.
Like I beat it. I beat the computer.
[Kyser Clark]
It's like beating the, the bot on chess.
[Nick Aures]
Yeah, exactly. Exactly. Yep.
[Kyser Clark]
All right, Nick. Well, thank you so much for being on the show. Where can the audience get ahold of you if they want to connect with you?
[Nick Aures]
Sure. Yeah. The easiest way is probably LinkedIn.
Um, uh, on there is Nicholas Aures, uh, A U R E S. Um, you'll probably find my full name there. Um, I have some content on, um, my blog as well.
I would say I don't update it very much, but when I do, it's usually cause I have something cool to talk about. Um, and that is, uh, N O U R five S E C at medium. No, sorry.
Not at dot medium.com. Holy smokes. Uh, so it's now or sec N O U R five sec.medium.com.
Um, every once in a while I drop blog posts. They're, um, pretty inconsistent though, if I'm being honest. So, so LinkedIn is your best bet.
[Kyser Clark]
I'll, I'll drop that in the description of the show and also your LinkedIn as well. Awesome. I really do appreciate that.
All right, audience. Thank you so much for watching. Thanks for listening.
Hopefully I see you on the next episode. Until then, this is Kyser signing out.
[Nick Aures]
Thanks guys. Bye guys.