Nick Vissari went from being an engineering dropout (he didn’t like creative writing) to tech consultant to math tutor. His penchant for fixing things steered him back into tech, where he is now responsible for security at a large school district. He recently went back to school and received his cybersecurity degree as well.
- At 10 years old, his dad had trouble putting a computer together, so he helped his dad with it
- Family never stifled any inquisitiveness he had
- Started as a math tutor in the school system
- Nick talks about how he had the wrong attitude in security [11:38]
- “Once you get into a position somewhere, do whatever you can to make yourself invaluable. Find the things people don’t want to do and do them. The hard problems are the ones most rewarding.” [8:55]
- “If you’re not automating right now, it’s probably because you have more resources than you know what to do with.” [18:54]
- “There are a lot of people that are security professionals but they really don’t know about how a system works.” [25:22]
- “Just got to have that passion to want to learn and you can definitely jump into security.”[22:50]
- “My grandmother always said: ‘Those who don’t make mistakes, don’t do much.’ So get out there and make a bunch of mistakes.” [25:35]
- “Don’t be that guy that says ‘No’ to everything. You have to be somebody that says ‘Yes… and’.” [26:06]
- Nick on Twitter: https://twitter.com/nickadam
- SSLstrip by Moxie: https://github.com/moxie0/sslstrip
- Firesheep plugin: https://en.wikipedia.org/wiki/Firesheep
Getting Into Infosec:
- Check out my book, Breaking IN: A Practical Guide to Starting a Career in Information Security: https://www.amazon.com/dp/B07N15GTPC/
- T-Shirts, Mugs, and more: https://gettingintoinfosec.com/shop/
- Sign up for sneak peeks, updates, and commentary: https://pages.gettingintoinfosec.com/subscribe
Nick Vissari 0:00
Do whatever you can to make yourself invaluable. Find the things that people don't want to do and do them because the hard problems are the ones that are the most rewarding.
Ayman Elsawah 0:24
Welcome to Getting Into Infosec. I'm your host, Ayman Elsawah. My guest this week is Nick Vissari. Nick is the main person responsible for security at a very large school district. Earlier in life,
Nick Vissari 0:34
Nick was never satisfied with the status quo. I remember my creative writing teacher, she had this assignment where we had to complete a statement in some poetic way, and it was like, "the sun burns." And my response was, "the sun burns" is a false statement. It's fusion. A tinkerer,
Ayman Elsawah 0:49
Nick wanted to see security in action
Nick Vissari 0:51
firsthand. I would leave my horribly unpatched system online overnight, and I'll just connect it to the internet and just leave it there, and then the next morning, I'd wake up and say, okay, who did what to my machine?
Ayman Elsawah 1:02
Right. He also shares with us some incredible wisdom he has learned over the years from others, as well as from his own career evolution as well.
Nick Vissari 1:09
I used to kind of hide behind my email a lot. I would send people out emails and just say, okay, good, I've got the documentation. I was that guy that had my binder full of possible solutions. And I would just say, oh, we need this, and we need that. If we don't have the budget, we don't have the tools, and we're never gonna have these things. And that was just the wrong attitude. Man, Nick really knows how to put it well.
Ayman Elsawah 1:25
Check out my book, if you haven't already. It's a guide to help you when starting from scratch and are overwhelmed on where to start. If you'd like it, please review or recommend it to a friend or your school, sign up to my mailing list, and check out the store at gettingintoinfosec.com. Links are in the show notes as well. So just a quick heads up: the audio on my end didn't come out as well. Not sure exactly what happened, but it seems like the wrong mic got selected. I was not in my usual setting. The good thing is Nick's audio came out really well, so that's all that matters. All right, on to the show. Hey, Nick, welcome to the show. Hey, man, how are you? Good. How are we doing? Fantastic, awesome. Well, so Nick, maybe you could let folks know what you do today in your security role.
Nick Vissari 2:01
Sure. So my name is Nick Vissari. My official title is data architect and security manager. And I work for a large school district in Maryland. We have 60,000 students, 12,000 staff, about 80 sites and 30,000 devices that I have to take care of. That's like a large enterprise, basically. It's a lot of fun. And I'm the only designated security person for the school system. And I just love my job. I really have a lot of fun every day trying to come up with really unique and inexpensive solutions.
Ayman Elsawah 2:32
Okay, and how did you get involved in the security role for that?
Nick Vissari 2:36
So before I got into security, I was a computer technician. And I was kind of delving into managing servers, and the school system hired a manager for the server team. And at the time, there were like two people on the server team that really weren't interested in managing servers. So I ended up kind of inheriting that role as a technician, and I really enjoyed it a lot, and it was very hacky. It kind of allowed me to exploit a lot of the skills that I had acquired just by being a dumb teenager playing around on the internet.
Ayman Elsawah 3:08
Okay, let's talk about that a little bit. How did you build those skills when you were younger, or just with technology?
Nick Vissari 3:14
Yeah. So the big change for me was, I guess I'd always been interested in computers from, like, just pop culture and sci-fi and different things that I read or whatever. And my dad was actually building a computer when I was about 10 years old. We had some IBM green screen machine that was, you know, it was fun to play around with, but it really wasn't like a modern computer. Anyway, he was building something that actually ran like DOS and had VGA graphics, and it was really cool. Nice. And I was really anxious. I was like, oh, when's it gonna get done? Did you buy all the parts yet? And he was having a lot of trouble with it. So he had this thick book that he was using to figure out how to put it all together, and he just handed it to me. He said, well, here, you know, you're home all day, you read it. Awesome. I read this book in a couple days, and I came downstairs. So take a look, you know, and I said, oh, look, you got the cable flipped around for the hard drive. And I turned it around. That was back in the old 40-pin days where you could actually flip them over. Right? IDE.
Nick Vissari 4:10
Yeah. So that's kind of what got me started with computers. And then from there, my family really, they hadn't stifled any kind of inquisitiveness that I had. So if I wanted to do something, they didn't stop me. So I wanted to be an electronic engineer. That's what I went to school for. Okay. And at like 12 years old, I had a workbench and I had just components just all over the place. At twelve years old? Yeah. I harvested a bunch of components from a bunch of broken stuff that people would just throw out. I don't know if you ever had these, but like at RadioShack, they used to sell these like 300-in-1 kits, yeah, which was really just a bunch of components on springs. And there was a nice big fat book of circuits. So that's kind of where I got a lot of the initial passion for electronics. And from there, it kind of evolved into the things that you put together in a circuit being a lot similar to putting together software. Rather than dealing with different voltages and simple signals, you're now dealing with strings and, you know, authentication and just similar kinds of situations. Yeah, that's missing.
Ayman Elsawah 5:09
Input, output. Right? That's right. Yeah. Yeah. That's awesome. And so having that computer really kind of helped kickstart your curiosity, I guess, for technology.
Nick Vissari 5:18
Yeah. Actually, when I was young, I purchased my own phone line so that I could have dial up all the time. Oh, nice. Yeah. One of the things that I did was, I would leave my horribly unpatched system online overnight, and I would just connect it to the internet and just leave it there. And then the next morning, I'd wake up and I'd say, okay, who did what to my machine?
Ayman Elsawah 5:37
Right? You did it on purpose? Oh,
Nick Vissari 5:38
Yeah. Okay. It was like a little honeypot. Right. But it was also a learning experience for me to see, like, what kind of cool viruses I could capture from the internet. Mm hmm. And then I would just wipe it out and start over again. So it was a lot of fun. I mean, now I wouldn't recommend anybody do that now, but yeah, you know, back then it was a little bit less dangerous to do stuff like that. What was the most interesting kind of virus that hit your computer? Oh, I really enjoyed the registry hacks where people would change what Windows would do to an executable. Like if you launched an executable, it would hook another program. So that was my favorite kind of technique that came from that. And I remember years later reading an article about some, "This is some kind of horrible thing, and it's revolutionary. It's really hard to beat." I'm like, well, that's been happening for years. Like,
Ayman Elsawah 6:21
I saw that on my dial-up machine ages ago. Yeah, that's amazing. So fast forward into the future. Did you go to school in computer science? You know, how did you get your first tech job?
Nick Vissari 6:30
Yeah, so I went to school for electronic engineering, and I dropped out because I just couldn't handle some of the garbage that you have to do when just getting through a program. So I really did not enjoy creative writing at all. I remember my creative writing teacher, she had this assignment, we had to complete a statement in some poetic way, and it was like, "the sun burns." And my response was, "the sun burns" is a false statement. It's fusion.
Ayman Elsawah 6:58
Awesome, awesome. Yeah. She did not like that. Yeah,
Nick Vissari 7:03
Actually, I just got back into school. I graduated back in March. So that was just like a few months ago. Oh, yeah. So now I have an actual, you know, bachelor's degree in cybersecurity. Okay. But you know, that's really just a piece of paper. I've just always kind of thought, oh, I need to get this someday, and someday has finally come. So
Ayman Elsawah 7:21
Okay, so you dropped out of engineering? Did you just use Mac's work with the agenda doing
Nick Vissari 7:26
During that time, for a little while I had my own business. It was a small business that helped other small businesses with computer problems. And I was living with my girlfriend, now my wife, and I didn't really like doing the small business stuff. You know, I really hated trying to, like, chase people down, people that don't pay their bills, and doing the whole contract negotiation part just wasn't for me. So she suggested, just get some job in the school system, because it's a great place to work. They have fantastic health benefits. And you know, once you get your foot in the door, you'll just work your way up. So I said, okay, you know, find something. I found a math tutor position at a middle school. That was like just as entry level as you can get. And I was like, well, I like math, so why not? Nice. So I took that job. And as I was there, I saw a bunch of broken machines laying around, you know, there were all these open tickets, and they would put little Post-its on the computers that said, like, oh, this computer is sick, like, nobody can use it right now. So I just started walking around going, like, well, what's wrong with them? You know? Yeah. So I'd pack them up and take a look at them. And I started fixing them and closing out these tickets. And the computer technician that was assigned to the school, she was on like a one-week rotation or something like that. She's like, well, who has been closing out all of these tickets, you know? Yeah. And so the person who was managing that, he introduced me, and she said, you have to come work for us. So I didn't have that math job very long. And then I went to be a computer technician. And sure enough, my wife was right. She said, just get your foot in the door and you'll work your way up. So I've been there ever since. I've been there for 15 years now. Pretty cool. It's been pretty awesome. So
Ayman Elsawah 8:54
You saw a problem, so you fixed it, right? Nobody told you to go ahead and do it.
Nick Vissari 8:57
Yeah, yeah, that's kind of always my dead longtime, he said, once you get into a position somewhere, just do whatever you can to make yourself invaluable. Find the things that people don't want to do and do them. Because the hard problems are the ones that are the most rewarding. Wow. Yeah, that's
Ayman Elsawah 9:11
great. Great. Good wisdom. That's awesome. And so now, this morning, you're doing DevSecOps, right? Maybe explain to the audience what DevSecOps is exactly. Sure.
Nick Vissari 9:20
So I mean, I can tell you kind of what, from my perspective, DevSecOps is. Yeah, of course, there are so many different interpretations of what it means. Thank you for that.
Ayman Elsawah 9:29
Yeah. That is true. Yeah, sure.
Nick Vissari 9:31
Yeah. From my perspective, let's just talk about DevOps in general. Okay, before we throw the security in there. Yeah, DevOps is really kind of this evolution of development, where you started with this time when you would have developers, and they would make a piece of software, and they kind of chuck it over the wall to a bunch of operations folks, and the operations folks, they try and figure out how to get it to run in production. And that's where a lot of tension, a lot of lines would occur, because, you know, hey, it works on my laptop, and they're saying, yeah, but your laptop isn't anywhere near production, it's insecure, blah, blah, blah. And there's just a bunch of finger pointing going on. Yeah. So DevOps, it's easy to kind of think of it as a suite of tools, because there are so many tools that help you achieve these goals. But it's really about developers accepting the operations side of the house and operations accepting some of the development side of the house. So it's this, what I like to call a cross modernization of different departments. So they learn about each other's stuff. And it's really about maintaining interfaces between systems and departments. So as the operations side of the house, we'll say, well, you know, we have Docker, and if you can run in a Docker container, then that's fine. We can get it running in production. It's not really all that new, because the same kind of happened with, like, Java, right? If it worked in Java, then we can get it to work in production. That was kind of Java's big thing. Yeah, is you could write once and run anywhere. So anyhow, it's really just about the different sides of the house learning each other's trade, and security, of course, now gets infused into that, where people are used to writing software and they're used to now writing it in specific types of environments so that they know with some confidence that it runs in production. But is it secure?
So how do we infuse security into that same development pipeline, and we can use automated tools to do that. But it's really again, just that cross modernization, I have to talk to the operations, people about security, they got to talk to me about the operations stuff, and vice versa for development. So we can all kind of contribute to the same problem or contribute to the same solution, I should say, Yeah, because at the end of the day, we're all trying to solve the same problem.
Ayman Elsawah 11:27
You know, I guess maybe a little historical context is, before, security used to be telling folks, hey, this is what you need to do to secure XYZ. We're now in the SecOps model. They need to be part of the solution. We just noticed, right?
Nick Vissari 11:40
Yeah, yeah, absolutely. And meeting with them. I used to kind of hide behind my email a lot. I would send people out emails and just say, okay, good, I've got the documentation. I was that guy that had my binder full of possible solutions. And I would just say, oh, we need this, and we need that. If we don't have the budget, we don't have the tools, and we're never going to have these things. And that was just the wrong attitude. You know, so I've read a couple of books about DevOps that I recommend. The primary one would be The Phoenix Project. That's a fantastic book. And it's not really about security. The guy that wrote it, he's very much into security. But the security kind of ends up as a small chapter towards the end,
Nick Vissari 12:16
which I think is pretty funny. But regardless, it's a really good book. It steered me in a different direction. It solidified some of the things that I had learned trying to implement security in different areas of the house, in the operations side of the house and the development side of the house. It really doesn't work if you just come down with regulation and say, well, you must do it this way. You know, you really have to be part of the solution. You have to walk them through it and show them why it's a problem. I remember when SSLstrip, yeah, a really cool tool, Moxie Marlinspike, came out, and there was that other tool, it was a plugin for Firefox. And it was really when SSL started to become, like, the standard, where everybody said, well, you have to be SSL by default. It's Firesheep. Okay, cool. So I remember when SSLstrip had just come out, and I was trying to explain to people that you really have to have SSL on by default. You can't have this port 80 redirect to go from an unsecure to a secure connection, because someone could just sit in the middle and downgrade the connection back to HTTP.
Nick Vissari 13:14
I had a boss at the time, he was a greybeard. And he was like, ah, that's nonsense. It's never going to happen. I said, okay, well, that's fine, you know. So I fired it up. And I said, go ahead, type in your password. And he's sitting on the Gmail login page. And just like everyone else, he didn't bother to check to see whether it was a secured page. So he typed in his credentials, and I said, well, there you go. There's your password. And he said, oh, my gosh, I'll be damned, you know? Yeah. And after that time, like, we had turned off port 80 on almost everything, right. This was before HSTS had come out. Yeah. So there really wasn't a good way to prevent somebody from having an in-the-clear connection.
Ayman Elsawah 13:47
Yeah. What do you think about HSTS? Yes, I like it. But I think the industry started moving away from it because of deployment problems. But
Nick Vissari 13:54
Yeah, so with HSTS, that's a pretty good example. You know, dev and ops now have to kind of gel well together, because HSTS will work perfectly if your development team knows about it, right? If there is some type of a redirect that relies on it going back to an unencrypted channel, then HSTS is never going to work. Yeah, that's true. So because your browser will throw an error, and the developers have to realize that, like, their connection needs to be encrypted all the time. I mean, it can be unencrypted the first time, yeah, that somebody goes to it. But after that, it has to accept encrypted connections. Yeah. And the real trouble with it is that software is always changing. So you might have it working one day, and then some patch comes out that fixes a problem, and all of a sudden it breaks HSTS, because HSTS becomes this edge case that barely gets tested. So that's part of why you really have to have, you know, a development pipeline that includes testing, and testing all these edge cases. So that whenever the new version does come out, you can say, oh, no, it's not my deployment that's broken. It's your implementation, right? You're supposed to be supporting HSTS, and you dropped support for HSTS. And you didn't put that in your release notes. Yeah.
Ayman Elsawah 15:02
Cool. So any interesting story in your days of security?
Nick Vissari 15:07
Okay, so one of the nicknames that I've acquired is Rube Goldberg, which originally it was meant to be kind of an insult, because some of the solutions that I proposed just seemed to be really backwards and hacky. But I took it as a badge of courage. Because the problems that were coming up were really, from the professionals, quote, professionals, they were just unsolvable problems. It was just impossible, right, to solve these things. And I said, well, that's not impossible. If you really contort your mind, you can come up with a solution. It might not sound very clean, but it works, right. And one of the Rube Goldberg solutions that I'm pretty proud of was, we were migrating email providers. So we had an old email provider that was really kind of off the wall, just weird. It was a client server architecture. So people actually had to install a client to get to kind of the email, but the email, it really wasn't like an email system. It was more like a wiki where there was a folder for your email. It was really a bizarre system. But the school system had it for years. And everybody was used to it by now, everybody enjoyed it. And we were switching to Exchange. Okay, so we had hired some vendors to come in and propose a solution. And there was only one vendor that actually said that they had a solution to migrate. And it was the vendor that we were working with to kind of support the software. So we already had a relationship with them. So they came in and they fired up their solution. And it was just horribly slow. It just was never going to work. It took hours to migrate a single mailbox. And the solution was single threaded. So we had, at the time, 9000 mailboxes to move, and it was just going to take years to get everything migrated. So we went back out and we asked a bunch of people, nobody would come up with a solution for this thing. And I was just sitting there thinking, like, I'm kind of mulling over the problem as well.
And like, I don't know how we can get this mail migrated. And then it dawned on me that they actually have, like, a web interface where you can check your mail. And I just thought, well, I mean, I know how to scrape webpages, and of course, the web interface is meant to run in parallel. So I wonder how fast we can do this if we did it over the web? Oh, that's hilarious. Yeah. So, and I had, like, read a book years back about PHP. So I thought, well, you know, it's not really the best scripting language, but I know how to use PHP, I'm comfortable with it. So I'll just see what I can put together with a PHP script. So I wrote something, I was able to get a mailbox migrated in six minutes. And of course, because it was over HTTP, it could be as parallel as I wanted it to be. I could just keep on spinning up more servers, because they're just web servers. You know, they're not like this weird client server architecture where you can only have one session. So it worked really well. It took me about six months to get everybody migrated. And that was like, you know, working overnight, calling up a location, say, okay, you're going to be migrated on this day. And it was a huge coordinated effort. Wow. I mean, it worked great. And everybody was pretty happy with the solution. I can't say it was like perfect on the first go, which is also part of the DevOps culture, is that you have to kind of get started with something that mostly works, and then as the requirements change, you just be nimble and be able to change them. So the first couple locations, either they said, oh, we got problems, like, you know, I think one of the problems was people expected their mail to be unread from, like, ages ago. And I was like, that's really weird, but okay, we'll figure out how to support that. So I put a flag on there to make sure that if the message was unread, it stayed unread. And wow.
Nick Vissari 18:22
It was some fun time. So, and that was a pretty big Rube Goldberg solution. Yeah, it worked out really well. And people were really happy with it. Wow.
Ayman Elsawah 18:29
That's pretty good. Yeah. Cool. Nice. So tell me about managing security in school districts. So how do you deal with either just managing things day to day from an internal perspective or restricting access to certain websites? How does that work?
Nick Vissari 18:43
So it's really all about automation. I mean, you got to automate as much as possible. And I wouldn't say that's necessarily most important for school systems. Because if you're not automating things right now, it's probably because you have more resources than you know what to do with, so you just have people do jobs that really could be automated. Yeah. And sometimes I find point products that really should be automated, but there's just enough of an interface that somebody has to log in and click something. And you're kind of looking at it like, well, why, like, why isn't it just fully automated? And then you start asking about APIs and things like that. So my day to day is really just, what can I automate? The biggest kind of daily interaction that I have is with the identity management system. So that has been fully automated for, geez, probably about 10 years now. And it's not a custom solution that I wrote, and I currently maintain. I've been working with other people to try and get them to migrate over to the operations department, say, hey, it's just a PowerShell script. I'm sure you guys can learn a thing or two about PowerShell. I'll be your SME, and you know, we can really kind of get this thing off the ground, or at least in your wheelhouse. So that's been a lot of fun. So I spend a lot of time kind of mentoring them and teaching about how to maintain that system and improve it, because there's always new requirements coming.
Ayman Elsawah 19:57
And you know, I don't think we actually got to talk about it. But how did you actually switch into security? You started off in, I guess, 19. But then how did you transition into security, like, officially?
Nick Vissari 20:07
Sure. So I had a pretty good mentor at the school system. And he had hired this server team. So I applied for the position as just a server support specialist, because I didn't have a degree, I really couldn't get a better position than that.
Ayman Elsawah 20:21
Was that because of requirements?
Nick Vissari 20:23
It was really just because of the norm of, you know, if you're gonna have a security professional, they really have to have a degree at the time. I think that's kind of dwindling a little bit, where, you know, you don't necessarily have to have a degree if you have street cred, that'll pass. But yeah, at the time, it was just like any kind of security position was just not going to happen. So I got the job as a server specialist, and we had deployed a couple hundred servers during a pretty short timeframe. It was about a year and a half. And that worked out really well. And we were done with that project. So it was just kind of maintenance at that point. It was keep Active Directory running and keep all the file shares running. So it was really boring for me. And the next kind of thing that was coming around the corner was security policy. So as a school system, you know, we didn't have a security policy, and we were just kind of looking at, like, what the state had as a security policy. So that was a new initiative, was that we were going to have a security policy. We're actually gonna put down some requirements and then start holding people to it. Okay, so another position was made available as a security analyst, and I applied for it. Got it. That's mostly through my experience. You know, I knew everything about how the systems are deployed. Yeah. And all the vulnerabilities that were there. Some of them I might have put there myself. Yeah, right. Wink wink. Yeah. So yeah, I got the position as a security analyst and just huge, like, imposter syndrome after that. You know, I think everybody kind of gets imposter syndrome when they first get into security. And that abates as you learn about others in the security field. I talked to a lot of people that are really just kind of security on paper. They're more about audits, and, you know, what kind of audit requirements were there. There was not a whole lot of understanding of the systems and the vulnerabilities themselves.
And I always look at that as being like a kind of a personal barrier that people just put up for themselves. I think I hear a lot of people say, like, oh, I don't know about computers, or I don't know about this, or I don't know about that. It's like, well, when you put that barrier up, they just say, like, you don't know about it. Yeah. I mean, of course, you don't know about it, but you can look, you know, you can read about it. It's not like it's unattainable knowledge. And there are a lot of people that are security professionals, but they really don't know about how a system works and how a vulnerability works, how an exploit works. And so, you know, if you have any kind of imposter syndrome, just know that there are people out there making a lot of money. They really don't know about security either.
Nick Vissari 22:46
And you really just have to have that passion to want to learn, and you can definitely jump into security, and that's really the most important thing. Yeah. And what made you want to go into a security position? Oh, I think it was probably pop culture and sci-fi. I remember the movie The Net, Sandra Bullock. Okay, I really love that movie. I love, like, I remember watching it for the first time being like, wow, she's ordering a pizza on her computer. It's really cool. And then, of course, they ruined her life just by, you know, making some changes in some databases somewhere. And it was like, that's amazing, man, it was really cool. So that was one of the things that really got me kind of turned on to security. I've just always enjoyed, you know, this kind of hacky stuff, mostly for utility, but also just kind of novelty, right, is like seeing what somebody can do with a system that it's really not supposed to do. So that's kind of what got me started with security, or really interested in security, I should say. Do you have an example of
Ayman Elsawah 23:35
a life hack? Maybe something you did from your earlier years. It could be technical or non-technical, but just kind of a life hack that you used to get out of a situation or improve a situation.
Nick Vissari 23:44
Yeah. And there's something, there was this user interface that required lots of clicks to get through. Yeah, and it was just some automated process of, you know, let me click and right click, edit, and then hit space a few times and type some numbers, right. Then move on to the next one, increment the digit, move on to the next one, do the same thing to a few other numbers. So that was like my introduction to, or when I saw that problem, I looked at AutoIt or AutoHotkey. It was one or the other, I can't remember which one. Yeah. But when I found that on the internet, I was like, oh, this is perfect. Like, I can automate key clicks. So I wrote just a simple little tiny script that just did that one thing for me, where I could just type a hotkey, and then it would run a string of characters. And I used that for a lot of little stuff. And then I had something, like, really important that had the same type of flavor, where it was like, we really have to get this data off the system. And all it is is a bunch of clicks in a GUI, and it's an old, archaic system that nobody understands the back end to. And we know it's an Oracle database, but nobody has the schema for it. Yeah, they can't really reverse engineer this whole application. So I applied the same solution. It was just like a GUI click, and, you know, click on a certain field, and it would take a screenshot, and then it would compare the MD5 of the two screenshots to say, oh, has this little square of the screen changed from what it was before to what it is now. And anyway, it was fantastic. Like, I put all that together, and the application ran for like three weeks. And it pulled down thousands of records off of this system. That to me was like, wow, like, even something from ages ago, where I just did it to organize my music collection, now I can apply this to, like, a real concrete problem that somebody is having. It's costing them like $30,000 a year.
Ayman Elsawah 25:25
That's really awesome. Just putting your mind to something right, getting it done.
Nick Vissari 25:28
Yeah, a lot of it just comes from experience. I know my grandmother always said, Those who don't make mistakes, don't do much. So get out there and make a bunch of mistakes.
Ayman Elsawah 25:37
There you go. That's awesome. I wanted to chat a little bit and kind of talk about, I guess how you handle security from a culture perspective, either in your day to day job. How do you teach security culture at your school? Or the district is just you, it seems, at least the main security advocate. How do you deal with like people who want to block all the things right, or handling up? How do you deal with that?
Nick Vissari 25:58
Yeah. So I think the most important thing is to first don't be that guy that just says no to everything right? You have to be somebody that says yes, and. Or yes, have you considered, and really be engaging and helpful? Because nobody wants to go to the person that they know, they're just going to come back and say, No, you can't do that. It's risky. Well, of course, it's risky. Everything is risky. The question is, how risky is it? Right. So you really have to be the person that is approachable. And I've become approachable by just helping people solve their problems. That's where I started, you know, as a technician, and moving up through a server support person is just I'm always solving people's problems. So they just come to me and they say, Hey, I have this problem. And as they're describing their problem to me, I'm like, I've got this little tally list in my head of like, Oh, yeah, that could be exploited. Oh, boy, I wonder how you're handling passwords here. Oh, geez. And I just keep those in the back of my mind. I don't stop them. I let them continue. I let them play out the whole thing. And then I'll say, Okay, cool. First, let's solve your problem. You know, blah, blah, blah, whatever it is, and then as we're doing that, have you considered like, how are you handing out these passwords? You know, and I'll just ask questions like that. And it gets us on the same page, right? They're getting what they want by me helping them solve a problem. But also, I'm getting what I want by implementing security or trying to inject security into the system. And it's worked out really well for me, because I've seen the other side I've seen where people just say, Oh, no, you know, you can't do that. Yeah, it's impossible that we could allow NTP out of our network, because I've heard that it could be hacked.
It's like, of course, yeah. It could be hacked. Yeah. But how risky is it? Right. That's awesome.
Ayman Elsawah 27:33
I couldn't have said it better. That's really good. Just to offer like threat modeling, right. So
Nick Vissari 27:37
Now you're right. It is threat modeling. It's just I don't go through the formalities of writing it down as a threat model. Yeah. Probably some of my failings on my side because when the auditors come around, and they ask Hey, do you do these things? It's like Yeah, we do, but unfortunately, I didn't bother to write any of it down. So I guess I'll make a note for next year.
Ayman Elsawah 27:53
Well, no, I mean, you are threat modeling in the sense that it will you just about blocking NTP blindly because I've heard etc, etc. Right? Right, but like for your environment, does that apply to your environment? Right? Yeah, you're right. Yeah. The following is a PSA of how not to do security. Once upon a time there lived the curmudgeon king and queen who'd lived in an ivory tower. All day the peasants would come and ask for help, but they would just make them create JIRA tickets. They declined meetings and would only respond with processes and policies. Tired of the lack of compassion, the peasants left and went to another kingdom, where the rulers were fair, empathetic, and opened their doors with welcoming arms. The castle was made of glass and gave the peasants transparency into their decision making. The rulers listened to their needs, and were solution oriented. The king or queen of the compassionate kingdom sent their army to capture the rulers in the ivory tower. With no army to defend them, they surrendered and were put to work at the IT help desk, resetting passwords. Cool man. So you have any juicy incidents that you can talk about anonymously? I mean, we all know where you work. So yeah, I know that's limited. But you know, any incidents from the past, security incidents that Sure, yeah,
Nick Vissari 29:12
one big incident that we had a few years ago. I think a lot of people have experienced this because the FBI actually published a notice about it. But there's this. I mean, everybody knows about business email compromise, right? A phishing email goes out, and they'll get your credentials. And what we were seeing a lot was like, Yeah, they would get the credentials, and then they would take over your email, they would just start spamming other people. And we were like, okay, that's really bad. We'll go around and shut them. And there's even some automated tools that prevent that from happening, right. They see a flood of outbound email, they'll just shut the account down for you. And that was kind of the way that we were handling them for a while until all of a sudden, we found out like, hey, a bunch of people that get paid one pay period. And we're looking at this problem like, Whoa, what's going on? And it turned out that a whole bunch of people had their direct deposit modified in our ERP. So looking at that problem, I was like, oh, this is different. I haven't seen this before. And thankfully, like when the attacker had gotten in and started changing the direct deposit information, we were already in the midst of a payroll run. So I think that there were 15 or so accounts that were changed, but only six or seven of them actually applied before the payroll run had actually occurred. So it was just like a timing thing that it didn't turn out as bad as it could. I mean, it was still pretty small numbers, but just the fact that that occurred. It was fascinating to me, because I'd never thought like, Oh, yeah, like, you could just go change the direct deposit on somebody's ERP login. Wow.
Ayman Elsawah 30:37
So they removed two different accounts, right.
Nick Vissari 30:39
Yeah. Yeah, the direct deposit money was moved to a different account. Exactly. Wow. So you know, we lost a little bit of money from that. And even then I think insurance is taking care of it or something like that. It wasn't a whole lot of money. But there was the question of what do we do about this now? Yeah, like what kind of solution can we actually apply to this problem? And the ERP system has a single sign on component which I maintain and the ERP system is a SaaS solution, we really can't do anything to modify it. And this solution didn't have real time logging, that we could really kind of respond to an attack that was already in progress. So I was really left with this like, Well, what do we do here? So I could get the authentication side because of single sign on. And I thought, well, you know, I can't do multi factor authentication. I just know I can't, not enough of our people have devices, and I can't really force them to use the device. And we don't have the money to purchase five keys for everybody. So you know, what can we do?
Ayman Elsawah 31:28
We can implement it through even SMS or even Google?
Nick Vissari 31:32
Well, if I did, there would be significant resistance. And that was really the problem is I know that there's enough people that would say, I shouldn't have to use my cell phone to log into a system, I shouldn't have to use my cell phone or my cell carrier or my text messaging or whatever, you have to provide everything that I need in order to use the system. So I just thought, is there a solution that we could come up with where there wouldn't be so much resistance and it's not multi factor authentication, but it's just a second something you know, so the first thing you know is your password. And then if it is a computer that I've not seen before or browser that I've not seen before, all of a sudden you get this second question posed, right, have some question and answer that you choose. And you've probably seen these in like your bank, your bank probably has one. Yeah, my bank had one. But they got rid of it. And I think is kind of interesting. But yeah, so if I don't, so if I don't if I've never seen your browser before, you have to answer a security question. Yeah. So we put that in place and knock on wood. We haven't had that type of attack. And I can't imagine that people haven't gotten into the ERP system since then. Because of course, there's been credential compromises since then. And they probably did login to the ERP system, but they just got hit with a second question, and then they just move on from there. So it's that old adage that, you know, you don't really have to outrun the bear, you just have to outrun your friend catch.
Ayman Elsawah 32:48
That's funny. And then would you add some sort of like detection system to look for logins from IPs that were never like, you know, is there is there anyone? Yeah,
Nick Vissari 32:58
so there was a solution. And that was put in place kind of immediately after the attack where we were actually looking at the source IP address and seeing, okay, what geolocation is associated with this. And if it wasn't anything within the region, we just dropped the connection. And we sent out a notice and said, Okay, if you're traveling, you're not gonna be able to get on the ERP system. And we can do that, because we're local. And, you know, we kind of make sure that everybody that works for us is also local, you know, they have to drive to their location every day. Yeah, but I know that's not the case. For some, you know, if you have remote workers, that's not a real solution for you. Plus, if we supported IPv6, which maybe someday we might, I don't know, maybe never. There wouldn't be a solution either. Right. So it was in place and actually later it came back to bite me because I was chasing after this problem. I was like, why can't people log in? Like, what is wrong with this thing? And I was like, Oh, it's because I put that thing on. I forgot about it, like ages ago. Wow.
Ayman Elsawah 33:47
And it's really interesting to see the private sector, it's totally fine to use your personal device for like second factor, but the different mentality, I guess, of a government institution, like hey, I'm not going to use this for, you know, you have to provide everything, the different things. I think we've only scratched the surface about security life in a school district versus the private sector.
Nick Vissari 34:08
Well, I also think some of it is balancing. I can't think of a nice PC way to say this, but there are people that just love to be resistant. Where if they see that there is some challenge so that they can say, hell, you know, here's the thing, this is how they're going to get us, right. They're going to be resistant to that. So they're just constantly looking for those issues that they can bring up. And that's the kind of thing you have to respect that they're coming from a certain position where like, that's how they've gone through life, right? They've gotten to this point where they are now by being this way. So you kind of have to respect that. I remember a long time ago, I was talking to a teacher who was really interested in having her classroom set up a specific way. And I mean, it was about something completely inconsequential, but it turned out she was like a flower child from like the 60s and she was just always about fighting the man, you know, saying anything that came up, that was a problem. And she was like, Oh, it's the man again, you know? So I kind of had to respect like, okay, you know, we're not the man, we're not trying to get you or anything like that, you know, you kind of have to come to some middle ground. And that's really
Ayman Elsawah 35:05
challenging to find that middle ground, that is exactly right. Cool. Well, Nick, thank you so much for your time. Any advice for folks out there looking to get into security? What are your parting words?
Nick Vissari 35:16
Well, there is only small incremental change and elaborately planned failures. So make small incremental change, don't plan a lot. You can plan a little, but don't plan a lot. So when you're trying to implement change, you want to come up with a plan, you know, you want to say, okay, we're at this point in our journey, and we want to be at this part way out in the future, right? Like five years from now we're gonna have all this amazing stuff. Well, you can plan a little bit of that. But if you start getting lost in the minutiae, and you start making these really big, elaborate plans, you're gonna fail. The only kind of change that you can effect is small, incremental change. People can accept small incremental change, they can't accept big monolithic changes. You'll just have so much resistance and it'll be a failure. You might still call it a success, but there'll be a lot of angry people. Yeah.
Ayman Elsawah 36:05
And what about advice for folks looking to get into the security industry? What advice do you have for them?
Nick Vissari 36:11
Just go out there and make a lot of mistakes. Don't be afraid to break things
Ayman Elsawah 36:14
Cool, without breaking the law. Cool. Well, Nick, thank you for your time today. It's been really enlightening. And I look forward to meeting in person one day. Awesome. Thanks, Ayman. All right, thank you. As always, if you like the show, please thank my guests for their time and let others know about the show. Intro music is Cascadia by trash at trashy comm. Check out the website gettingintoinfosec.com for show notes, clickable timestamps, a preview of my book and more, and stay in touch on Twitter for more Getting Into Infosec refreshes. Every week I let my guests pick their outro music. This week it's Double Helix by Ethan makes so
He also said
Transcribed by https://otter.ai