Heath Maverick Adams is a cybersecurity mentor, internet entrepreneur, keynote speaker, and the CEO of TCM Security.
He often speaks at security conferences, makes YouTube videos on cyber security, discusses ethical hacking in addition to providing cybersecurity solutions such as web application testing, vulnerability scanning, and social engineering.
Adams has been doing this for many years, beginning his career as an ethical hacker at TCM Security. He decided to strike out on his own and break free from corporate shackles.
He created The Cyber Mentor to assist cybersecurity enthusiasts in learning ethical hacking, becoming certified in various disciplines, and enabling penetration testing on a daily basis.
Today, we’re going to talk about how Heath Adams is shaking up the cybersecurity industry with a slew of incredible online certifications, ethical hacking, network penetration, and more.
Question #1: Why did you leave Twitter? Do you want to concentrate on TCM Security, or are there other reasons?
Heath: To me, Twitter was always a means to an end. When I first started using Twitter, it was because it was a great place (and still is) to stay up to date on recent cybersecurity news. I never really intended to use the platform to communicate with other people but to lurk on breaking security news and see the latest hacking tools. That was until I started making content on YouTube and found Twitter to be a great resource for pushing content and interacting with viewers.
As my popularity grew, I started to see Twitter in a different light. I realized that I wielded a lot of power. For example, I could tweet how upset I was at something, like a product, and other people would latch onto my statements and now be upset with that product too. They now disliked it without having ever used the product, simply based on my words. That was way too much influence.
I saw a lot of accounts, especially in the cybersecurity realm that had similar influence and used it to target people, organizations, etc. for personal or influential gain. It seemed that every day there was a new topic that people were upset about or a new person that they had to be angry at. It was unhealthy.
While Twitter has a lot of positive things going for it, it just did not outweigh the negativity it presented me with when I’d log into the app. Deleting the app has not only removed that negative energy from my life but given me back the four to six hours a day I’d typically spend on Twitter that I can now focus solely on TCM Security.
Question #2: Data breaches cost businesses millions of dollars, whether they are conglomerates or SMEs. Do you believe that educating employees about cybersecurity and security auditing can aid in the prevention of data breaches?
Heath: Yes, of course. At the end of the day, in my opinion, people are the weakest element of any organization’s security. While organizations can implement prevention and deterrent systems, it still can lead (and often does) to data breaches. For example, an organization can have the best policies, detection software, security systems, etc. in place and that can all be bypassed by a human mistake. We’ve broken into billion-dollar organizations, that spent millions on their security, solely because of social engineering.
As an organization, it is important to continuously train your employees on the potential threats to your organization. Teach your employees that it is okay to be suspicious. Show your employees what phishing emails look like. Conduct frequent phishing assessments to determine how well training is going and where improvements can be made.
People are inherently trusting and that can be a downfall of an organization. Beyond phishing assessments, we often conduct physical engagements where we are tasked to break into buildings. We’ve bypassed so many great security systems just because an employee was being nice and did something as simple as holding the door for us.
Question #3: As ethical hacking becomes more common, do you believe it has the potential to improve or, in your words, disrupt the cybersecurity industry?
Heath: Certainly. We are seeing a large swing, positively, in how the world outside of the cybersecurity industry views ethical hacking. Just recently (on May 19th, 2022), the US Department of Justice changed its policy on the prosecution of ethical hackers. They will no longer be prosecuting hackers that act in good faith under the Computer Fraud and Abuse Act. That’s a big win for our industry.
Multiple regulatory bodies are now requiring annual penetration tests for organizations to meet compliance standards. That’s also a big win for our industry.
The more awareness and acceptance we can bring to this field, the better. We (ethical hackers, after all, are trying to find vulnerabilities before the bad people do. Acceptance of what we do goes a long way towards accomplishing that.
Question #4: How many people sign up for your TCM security certifications each month? How useful are certifications for newcomers to the cybersecurity industry?
Heath: Our active student base hovers at around 100,000 students on our Academy website. We currently average about 100 certification exam attempts per month, which is pretty awesome given that our certification program only recently turned a year old.
Certifications can be incredibly useful for newcomers in the industry. IT (and cybersecurity) is one of those career fields where you do not necessarily need a college degree to find work or be successful. If people choose to not go the degree route, that knowledge can instead be supplemented by certifications.
Having an A+ certification can be useful for finding a help desk job, for example. Doing a more hands-on certification, like the PNPT, could be great for finding an ethical hacking or cybersecurity job, as another example.
At the end of the day, certifications can demonstrate knowledge on a resume, especially for those without experience or degrees. Most certifications are not as useful later in your career, as experience dominates certifications in the hiring process, but they are most certainly useful early on in a career.
Question #5: Most businesses are migrating data to the cloud without adequate security. This enables cybercriminals to target sensitive data, encrypt it, and demand a ransom. How do you believe businesses should address this emerging issue?
Heath: A little security awareness goes a long way. For example, a strong password policy and Multi-Factor Authentication (MFA) can thwart unmotivated attackers looking for an easy win and a quick payday. Knowing to implement that is half the battle. We always recommend that our clients do some sort of security awareness annually.
In terms of the cloud, most cloud providers provide their customers with security best-practice checklists and configuration guides, which should be followed and implemented from the onset of migration. A lot of our time at TCM Security is spent auditing these cloud configurations and honestly if an organization does not feel comfortable with its security implementation, having a consulting firm review the implementation is a good idea.
Question #6: Because of the widespread use of BYOD (bring your own device) at work, many employees are working on personal devices with little to no security. Furthermore, cybercriminals are using Smishing attacks to specifically target mobile users. Is there a tool or application you use to avoid this issue?
Heath: We at TCM Security are a BYOD company. We work remotely and do not require the use of a shared network, which does limit some attack vectors.
To stay protected, we developed policies around protecting our organization from the risk of BYOD. As an example, all our computer hard drives are encrypted, we have an incredibly strong password policy, we enforce MFA on all applications, and client work is performed in the cloud to prevent any sensitive data from being stored on personal computers. These are all great at preventing attacks and data breaches.
Yet, and this seems like an ongoing theme throughout the interview, our most important ‘tool’ has been training. We were recently the victim of an attempted smishing attack. Our brand manager was sent a text message from someone claiming to be me. In this instance, the attacker was asking our brand manager to acquire Google Play cards for a new project we were working on. Through our training, our employee was immediately suspicious and correctly reported it to our team. Without the training, who knows what could have happened.
As an aside, a VPN app on a mobile device could also add a layer of defense in regard to smishing. By utilizing a VPN, you can spoof your location and appear like you are somewhere else. If an attacker reaches out to you based on your spoofed location, it can indicate that something is off, and an attempted attack is underway.
Question #7: How do you forecast the future of cybersecurity five years from now?
Heath: In the grand scheme of things, I do not see much changing from a technical standpoint in the next five years. Sure, there will be new technology and better defenses, but there will also be new attacks to get around those things. It’s a forever cat and mouse game and we never know when the next zero-day will be.
What is important, and what I do believe will happen, is acceptance and awareness around cybersecurity. We’re currently in a severe talent shortage. We need more people on the good side and we need more organizations (and governments) to be open and accepting of cybersecurity. This acceptance has grown tremendously over the past five years, and I would expect it to grow even more rapidly over the next five years.
We admire your effort Heath for the interview. Our readers will benefit from your Expert knowledge and Techniques. As for our readers, you can follow his YouTube Channel The Cyber Mentor.
PureVPN
November 24, 2022
1 year ago
