THE THOUGHTFUL ENTREPRENEUR PODCAST
In this episode of the Thoughtful Entrepreneur, your host Josh Elledge speaks to Chris Rock, Chief Information Security Officer and co-founder of SIEMonster.
Chris Rock is not your typical CSO. He's a hacker by trade with a dual role that involves finding system flaws and presenting them at conferences like Defcon.
Simultaneously, he serves as the CEO of SIEMonster, which provides security services for large enterprises. His clients range from governments to private organizations, each with unique objectives and security needs.
Chris shared some intriguing stories from his work. He's uncovered employees setting up illegal activities within companies, helped track people escaping authorities in the Middle East, and dealt with a myriad of other complex situations. These stories, while fascinating, also highlight the darker side of our increasingly digital world.
When asked whether there was any hope for a safer digital world, Chris's response was sobering. The flaws he identified years ago still exist today, and the transition from paper-based systems to electronic systems has only increased the potential for security breaches.
He also recommended using account IDs and virtual credit cards instead of traditional credit card numbers to further enhance security.
Key Points from the Episode:
- Introduction of Chris Rock as CSO of SIEMonster and cyber mercenary
- Chris's work as a hacker and consultant
- Clients and objectives of Chris's work
- Stories and insights into vulnerabilities of systems
- Need for increased security measures
- Use of tokens instead of passwords for account security
- Risks of using passwords and benefits of tokens
- Importance of VPNs for data protection
- Choosing a reliable VPN provider
- Importance of encryption and protecting personal information
About Chris Rock:
As the Chief Information Security Officer and co-founder of SIEMonster, Chris has traversed the cyber landscapes of the Middle East, the United States, and Asia, lending his expertise to governmental and private entities.
Renowned for his presentations at DEFCON, the world's largest hacking conference in Las Vegas, Chris has delved into contentious vulnerabilities.
His talks covered topics such as the potential manipulation of Birth and Death Registration systems, the collaboration of cyber mercenaries in government overthrows, and innovative methods of bypassing jammers by utilizing the Earth as an antenna.
As a thought leader, he authored “Baby Harvest,” a compelling exploration of criminals and terrorists exploiting virtual babies and fabricated deaths for financial gain. Notably, Rock has graced the TED Global stage, further solidifying his status as a cybersecurity luminary.
About SIEMonster:
SIEMonster, established in 2015, is an innovative and cost-effective Security Information and Event Management (SIEM) solution. Founded by experienced hackers Chris and Dez Rock, the platform emerged from a recognized gap in the SIEM market.
With over 20 years of penetration testing and white-hat hacking expertise, the founders and their team crafted a scalable and customizable SIEM tool. SIEMonster's pricing model doesn't penalize based on Events Per Second (EPS), offering affordability and automatic scalability as clients expand.
SIEMonster incorporates automated tasks and data enrichment, reducing the reliance on external security consultants.
The vision, shared by Chris and Lead Solutions Designer Jim Bycroft, focuses on constant evolution and scalability, positioning SIEMonster as a leader in the dynamic cybersecurity landscape.
The platform's commitment to forward-thinking security solutions makes it a formidable choice for organizations seeking robust defense against evolving threats.
Apply to be a Guest on The Thoughtful Entrepreneur:
https://go.upmyinfluence.com/podcast-guest
Links Mentioned in this Episode:
Want to learn more? Check out the SIEMonster website at
Check out SIEMonster on LinkedIn at
https://www.linkedin.com/company/siemonster/
Check out SIEMonster on Twitter at
https://twitter.com/_SIEMonster
Check out Chris Rock on LinkedIn at
https://www.linkedin.com/in/chris-rock-siemonster/
Check out Chris Rock on Twitter at
https://twitter.com/chrisrockhacker
Don’t forget to subscribe to The Thoughtful Entrepreneur and thank you for listening. Tune in next time!
More from UpMyInfluence:
We are actively booking guests for The Thoughtful Entrepreneur. Schedule HERE.
Are you a 6-figure consultant? I’ve got high-level intros for you. Learn more here.
What is your #1 Lead Generation BLOCKER? Take my free quiz here.
Want to learn more about all the podcasts managed by UpMyInfluence? Opt in here.
Transcript
Josh (00:00:05) - Hey there, thoughtful listener. Would you like consistent and predictable sales activity with no spam and no ads? I'll teach you step by step how to do this, particularly if you're an agency owner, consultant, coach, or B2B service provider. What I teach has worked for me for more than 15 years and has helped me create more than $10 million in revenue. Just head to UpMyInfluence and watch my free class on how to create endless high ticket sales appointments. You can even chat with me live and I'll see and reply to your messages. Also, don't forget the Thoughtful Entrepreneur is always looking for guests. Go to UpMyInfluence and click on podcast. We'd love to have you. Well, this ought to be a fun conversation. I've got Chris Rock. No, not that Chris Rock. I've got Chris Rock, who's the CSO of SIEMonster. CSO, by the way, in case you don't know what that is, that's the chief information security officer of a company called SIEMonster.
Josh (00:01:17) - And that's S-I-E Monster. And Chris, you're also a cyber mercenary. But as I was just saying before we started recording, you've got about the nicest personality for someone I'd refer to as a cyber mercenary that I've ever met. So, Chris, it's great to have you.
Chris (00:01:33) - Thank you so much, Josh. Lovely to be here.
Josh (00:01:35) - All right, well, listen, I just want to have you kind of share your story in the work that you do, and I think you're going to be quite interested in this topic. Chris, give us an overview of your impact in the world today.
Chris (00:01:47) - So I am a hacker by trade. So a cyber mercenary, keyboard for hire. And I essentially have two roles in this world. I look for holes in big systems, which I then present in front of the world. So Defcon is the largest hacking conference in the world. So I present flaws in systems. So I did a talk on how you can kill somebody virtually and how to birth somebody.
Chris (00:02:10) - I did a talk on how to overthrow a government digitally with a mercenary called Simon Mann back in 2016, and we used the country of Kuwait as an example. And then last year, I did a talk at Defcon on how you can circumvent military jammers. That's my, what we say, day job. But my other job is I am the CEO of a company called SIEMonster that does SIEM services for large enterprise companies. That's essentially how I split my load between day and night.
Josh (00:02:39) - Yeah. So what work do you do then as a consultant for companies?
Chris (00:02:44) - Yes, I work for governments, private organizations and everyone in between.
Josh (00:02:49) - And who hires you, and what is their objective?
Chris (00:02:53) - So it's multi-objective. So it might be a government that needs to pay, like, a jailer in another country so that a female citizen gets feminine hygiene products. It might be a company that suspects their employees of embezzling money. So they get me to go in digitally to find out where the money's going, but stealthily. And so I just get a tap on the shoulder, mostly from Middle East countries, to say, what's going on here?
Chris (00:03:18) - And then it's my role and my team's, trying to find out what's going on.
Josh (00:03:23) - That is just fascinating. So naturally, I think we all want to sit back and say, Chris, tell us a story or two. I've got.
Chris (00:03:33) - Many stories. Josh, look, I've got stories that will blow your mind. I've got stories where I've got employees setting up another company within a company, moving money from the company to their company, and then, you know, doing illegal activities. And then I've been asked to find out what's going on and then follow their whole lives inside and out, what they're up to. I've seen people escape countries in burkas. I've seen people, you know, on jet skis in the Middle East go from one country to another to escape authorities. And I've seen everything, Josh. Everything.
Josh (00:04:07) - Yeah. You know, I think what you're talking about makes it feel like, gosh, we live in kind of a scary world sometimes, and there's so many vulnerabilities among us.
Josh (00:04:19) - I hope you come with a bit of a message of hope.
Chris (00:04:23) - Unfortunately not, Josh. Oh, it's really bad out there. That's why I do these talks at Las Vegas. Defcon is just to show how bad it is. And so I'll find a topic that interests me and I'll present it. That birth and death one for me was really bad and I had to present that. It's essentially, I could kill you and then take all your assets, virtually, of course. And then I own all your assets and you are now declared dead. I could then create a thousand fake Joshes and then kill a thousand fake Joshes and have a life insurance policy on all of them and then take all that money. And for me, that was a flaw that was not only in the US, but it's a worldwide flaw. And then I just wanted to show the world that this is bad, because you do not want a million fake people virtually walking around, because, I mean, anyone who's listening in the audience has got kids.
Chris (00:05:08) - You know, you buy a car from people and you don't trust them in the first place. But at least you can tell the cops, here's the email, here's this. There's a person at the other end of it for the police to arrest. But if it's a virtual person, there's nobody, you know, you're paying for a car that doesn't exist. You know, the kids pay a deposit and it's gone. There is no coming back from that because it's a fake. You've got fake bank accounts, fake driver's licenses, fake firearms licenses. It's chaos. And hence why I presented that topic.
Josh (00:05:34) - Yeah. You're the author of the book The Baby Harvest: How Virtual Babies Became the Future of Terrorist Financing and Money Laundering. Well, I hope, Chris, that, you know, what you're sharing and what you've been sharing stimulates activity, right? And it says, oh, look, there's a security gap. Hopefully folks are taking action on what's presented at Defcon and other areas where this is being talked about and revealed and shared.
Chris (00:06:06) - Your assumption is spot on, Josh. But the answer is no. Nothing. Nothing actually changed in, you know, the eight years since I presented that topic. It still exists today. The exact same flaw. Nothing has changed at all. I can still become a doctor online in about five minutes, get their registration number, their office address and their phone number and become a doctor to kill somebody off. And I can be a funeral director in five minutes to do the other part of killing somebody, as in burying a person as well. So you can do that online. So in ten minutes you could kill somebody, and officially, off the record.
Josh (00:06:37) - Okay. So this is all very fascinating. What do we do with this information you're sharing?
Chris (00:06:42) - The whole idea is to show the problem: when governments want to go from a paper-based system to an electronic-based system, and they want to make it easy for doctors and funeral directors to go down that path, don't assume that just because you make it easier for doctors and funeral directors, people like myself, hackers, pen testers, anyone in between, won't then look for flaws in that system along the way.
Chris (00:07:01) - So you need to be aware that there are people like me looking at these sorts of policy changes and then looking for flaws in these paper-based systems or electronic-based systems. We're always looking for, something's changed, let's look at the security of this situation.
Josh (00:07:16) - Yeah. And in terms of, like, let's say you're just talking to a room of us. We're not in security necessarily. We're just, you know, regular run-of-the-mill business owners doing the best we can, trying to help good people and, you know, make a living. Are there any best practices? Are there any things that you'd recommend? Listen, you know, if I could, to that audience, if I were to give you a charge to do 2 to 3 things in your life, here's what I'd recommend. Does anything come to mind there?
Chris (00:07:43) - Yeah, there's a lot of things and I'll go through the list. But the most common one we see is where a hacker will penetrate an email system of your vendor. So if you're buying, you know, an Oracle subscription, an Office subscription, you know, maybe some new office equipment for your business, then you must, someone in the business from the payment team must speak directly to the person you're buying from and confirm those bank account details.
Chris (00:08:09) - Because we see, the most common thing we see is scammers hack into the email system of a vendor. They'll then send an email to the company saying, hey, we've changed our bank account details. Please pay here and not here. Instead, the company then will transfer that money, you know, whatever figure that is, to the fake vendor and the money is then gone, completely gone. So always have that two-check system for any payments. Have somebody from payroll or accounts receivable make those phone calls. If you get an email with an invoice on it, don't use the phone number on the invoice. Go through an outside channel and verify. That's the biggest saver for a business: make sure you ring, what we call out of band, that vendor to make sure you're paying the right account. That's the first thing that I would suggest. Yeah, for businesses. Second thing is something called 1Password. Or there's another thing called LastPass. Make all your users use this software so they don't have the same password for all their systems.
Chris (00:09:03) - So you might have a user at work, and also at home they may use, let's say they use a Sony, for example, Sony PlayStation. They might have a password. They use the same password at work. Sony gets compromised. And then that user's password can be used for your work. So make sure your staff use different passwords for work and home. They don't even need to know their password, it's just stored in a wallet. And also two-factor authentication for everything. Yeah, I can't stress that enough. 2FA for any work-related thing is, in this day and age, a must-have. And if it doesn't have 2FA, if it's not worth using, just wait till 2FA is available.
Josh (00:09:37) - Are we... And I've seen some headlines. I haven't read the stories yet, but I think it was Google or someone who was, you know, really trying to champion this. And maybe this is well underway, but are we going to get to a point where we can kind of evolve from passwords?
Chris (00:09:52) - We're getting there now, very slowly.
Chris (00:09:54) - I mean, we've been, you know, as a hacker myself, a mercenary, I've been using username and password for a long time. You know, I've been doing that for 20 years. And now coming up against 2FA over the last probably eight years, to answer your question, it's evolving, but very slowly.
Josh (00:10:07) - What is the future? Where do we go beyond passwords?
Chris (00:10:11) - That's a really good question. I think tokens are probably the best one. So you have a token on your phone. Like, probably a lot of your users will use things like authenticator apps and stuff like that. You don't use a password. It's essentially a password or token that's good for 30 seconds and then moves on to the next one. I don't think passwords are actually required. I think the token is the best way.
Josh (00:10:31) - So if someone's not familiar with that, what I've got through LastPass, they've got now a separate token app that I use. Can you explain that just a little bit more? Because if that's an option generally, would you say, well, that's a little bit more secure than a password?
Chris (00:10:47) - Uh, the answer is yes, because it's always changing.
Chris (00:10:49) - It's not a static thing. It's not something you write down on a piece of paper. It's not something that's sitting in a Word document on your computer. It's not something that you give to your kids to access something, and then all of a sudden all their friends have got it as well. It's essentially a number that changes every 30 seconds. It can be anywhere between 6 and 9 digits, and then it's no longer good. In the same token, I think credit cards are stupid as well. I don't think we should be using credit card numbers. I think we should be using an account ID, and then we have 20 virtual credit cards that are only good for one use on every card. But businesses want credit cards, so they're on file, so you can do repeat charges and stuff like that. For me, we don't need that anymore.
Josh (00:11:29) - Yeah, I agree. Yeah. In fact, I've got the Apple Card and this is the very first card I've gotten.
Josh (00:11:34) - There's no number on it. And I'm like, yeah, what do I do? I don't need a number on there. I'm just going to swipe it or, you know, use the chip anyway or, you know, just make a virtual transaction. I'm like, why do we still have numbers? And again, it's...
Chris (00:11:47) - Silly, silly. You, Josh, you go to Hawaii on holidays and you've got a hotel and you give them the number, you give it to reception, and all of a sudden that number's written down on a piece of paper and given somewhere else and sold on the black market. We don't need, I mean, that's old-school technology. We really need to move from that sort of stuff.
Josh (00:12:01) - Yeah. You know, I think, remember, you needed a number with the raised numbers so you could, you know, slide it through the credit card thing. Like, we haven't used those in 20-some years. So you don't need a number with raised, you know, all that stuff on there.
Josh (00:12:14) - So only as a backup if the other stuff doesn't work, I guess. But. So, Chris, how can I help you? I mean, who can I help connect you with? Or, you know, who might be listening to us right now that should engage with you? And what does that look like?
Chris (00:12:28) - Yeah. So, great question, Josh. So how have we got into the SIEM business? We're hackers by trade. And a SIEM is essentially a piece of software that monitors the inside of your company's environment. So the common flaw that we saw when we were hacking into companies was we'd hack into a company and we'd produce a report maybe a month later saying, we hacked in here and we did XYZ. And the company would say, we didn't even know you were inside. We had no visibility into our own network to say what you were up to. And then that's where we went into the SIEM business. So we created software so that you could actually show people that if someone gets in, you can actually follow their path.
Chris (00:13:03) - So if you're thinking of the physical security world, where you've got proximity cards and, you know, door locks and door codes and cameras, in the event of a breach you can actually follow the path. You can see someone swiped in with a, you know, stolen proximity card. There they are on camera X, they went into the staff room, they stole some cakes out of the fridge. And you actually have some evidence. So this SIEM software essentially does that evidence trail, used for things like forensics purposes. And it also clobbers attacks as well. So if anyone's in the same business, we created this thing to essentially protect people's networks, because we're the perfect people to come up with this software, because we hacked into companies. And so we're essentially creating what we call a blue team tool to show people what we were doing inside the network.
Josh (00:13:47) - And again, SIEM, what does that stand for?
Chris (00:13:52) - Yeah. Security information event management. So it essentially, you know, you've got a computer, Josh, right in front of you right now.
Chris (00:13:58) - It creates logs. Where do those logs go? You probably don't know. Probably nowhere. But in a business situation those logs go to a central SIEM. And that collects all events from routers, firewalls, printers, the works. And then it analyzes that and looks for flaws. So, Josh, if you click on a link and it's a ransomware link, you know, the SIEM will get a record of that. And then the SIEM can make a choice: do we then just kick Josh off the network so he can no longer create any more havoc? When, say, Josh, you've clicked on an email, of course, the SIEM will actually make a decision. Let's remove Josh's computer from the network. Let's notify the guys that there's something on Josh's machine, and let's take a forensic image of Josh's machine so that we can take it to the next level, and lawyers and all that sort of stuff.
Josh (00:14:39) - Yeah, well, Chris Rock, let me share again. You're the CTO of SIEMonster.
Josh (00:14:49) - And then your personal website is chrisrockhacker.com. Chris, it's been a fantastic, fascinating conversation. Great having you here. And is there anything else you'd recommend to someone that's been listening to our conversation, kind of their next steps?
Chris (00:15:06) - The only other thing that I missed out, Josh, is VPNs. Make sure that your staff members within the company use VPNs both at work and at home. So if they're using a work computer, VPN also at home, so they're not using, you know, they're not using company information at coffee shops on free Wi-Fi. So use a VPN. A VPN essentially protects the traffic between your machine and your company's network. And they're very cheap.
Josh (00:15:25) - Yeah. Okay. So VPNs for me are a little confusing in that I just see so much debate about, oh, use this one. No, don't use that one. Hackers use this one. No, don't use that. Like, it's just been confusing for me to know who a good VPN provider is.
Chris (00:15:41) - Any commercial VPN provider based in the US is fine.
Chris (00:15:44) - If you don't use anything, you're essentially... think of a hose and water. If you don't have the hose, everyone can see the water. Who cares who makes the hose? We can get into the debate of who makes the best hose or whatever, but at the end of the day, you're using a VPN. It's protecting data from your company's network. Go with, you know, any top five US VPN provider: surf patrol, Norton Nutcase, they all do. NordVPN. They all do a great job.
Josh (00:16:08) - Oh, okay. That's really good, because I went down that rabbit hole. And unfortunately, I think there are a lot of YouTubers that get paid by certain providers. And so then they start putting out misinformation and stuff. Okay. Thank you. That's great to hear. And the VPN, would you recommend that for folks that are doing all their company business from home as well?
Chris (00:16:28) - Yes, definitely. I mean, a home user using that on their own network is probably safe, but as soon as you leave the home with your laptop, and I use VPNs on my phone as well, essentially anyone can then see those communications go between yourself and your company's network, or even personal.
Chris (00:16:44) - If you want to protect your banking information, you know, your emails, I would recommend a VPN, because if you travel overseas, you can't assume the same laws are going to protect you as in the US. You go to any country in Europe, you know you're going to get done over. I guarantee your credit cards are going to get done over. Your information is going to get stolen. It's just, yeah, I've traveled the world a million times and if I don't have a VPN, I know about it.
Josh (00:17:05) - So on your phone in particular, the same thing, like, especially if you're connecting to public Wi-Fi, make sure that you've got a VPN installed on your phone, because you're going to be... especially if you're, I guess, maybe, I don't know if it's any more safe or less safe on, you know, your cellular connection as opposed to if you're starting to join hotspots and Wi-Fi. And that's certainly a little bit more vulnerable. Right?
Chris (00:17:26) - You're spot on, you're spot on, Josh. But the beauty is, I mean, we trust AT&T, we trust Spectrum.
Chris (00:17:31) - We trust Verizon in the US. But when you leave the US and you go to another country, you can't assume that that government is not listening to all comms. Hence why encryption.
Josh (00:17:40) - Beeping.
Josh (00:17:41) - Yeah, Chris Rock, fascinating conversation. Thank you so much for joining us. Again, your website's SIEMonster.com. We've got these links in the show notes. You just click around. You'll find that. And of course your personal website, chrisrockhacker.com. Thanks, Chris.
Chris (00:17:54) - Thanks, Josh. Thank you so much.
Josh (00:18:02) - Thanks for listening to the Thoughtful Entrepreneur Show. If you are a thoughtful business owner or professional who would like to be on this daily program, please visit UpMyInfluence slash guest. If you're a listener, I'd love to shout out your business to our whole audience for free. You can do that by leaving a review on Apple Podcasts or joining our Listener Facebook group. Just search for the Thoughtful Entrepreneur on Facebook. I'd love it even if you just stopped by to say hi, I'd love to meet you. We believe that every person has a message that can positively impact the world.
Josh (00:18:40) - We love our community who listens and shares our program every day. Together, we are empowering one another as thoughtful entrepreneurs. Hit subscribe so that tomorrow morning, that's right, seven days a week, you are going to be inspired and motivated to succeed. I promise to bring positivity and inspiration to you for around 15 minutes each day. Thanks for listening and thank you for being a part of the Thoughtful Entrepreneur movement.