Going Deep on Active Directory - The Cybersecurity Defenders Podcast
TRANSCRIPT
Welcome to the Cybersecurity Defenders Podcast, episode number eighty five. My name's Christopher Luft, and I will be your host. On today's episode, we're gonna be speaking with James Potter, founder of the cybersecurity firm DSE. But first, a quick word from the sponsor of this show, Lima Charlie.
My name is Maxime Lamothe-Brassard, and I'm the founder of Lima Charlie. We're the company behind the SecOps Cloud Platform.
Cybersecurity tools, do they need to evolve from the one size fits all silos into a modern tool set to adapt to the specific needs that you have?
The SecOps Cloud Platform works by providing you with full access to the underlying security tools and infrastructure.
Everything's on demand with no minimums, no contracts. It's an approach that's really like AWS has done in IT.
We offer a full featured free tier, no credit cards, no contracts, nothing.
Get on the platform today, deploy EDR, start ingesting logs, build a product, start an MDR, an MSSP, whatever you can imagine. We're making security flexible so you can build what's possible.
You can learn more or get started for free at lima charlie dot ai.
Thanks for being with us on the show today, James. It's a real honor.
Oh, yeah. Not a problem, Chris. Happy to be here.
To kick things off, do you wanna introduce yourself and tell us a little bit about what you do?
Sure. So quick background. My name is James Potter. I've been working with Active Directory since Active Directory has been around, you know, like, ninety nine, two thousand time era.
And I run a cybersecurity company that focuses around helping large organizations defend themselves in the Active Directory space. So hardening, best practices, security assessments, but all very Active Directory focused.
On your website, it states that your company, DSE, has one simple guiding principle: to do better, better by your clients, better by yourself, and better than your competitors. It seems simple on the surface, but I think there's probably more to it. Can you expand on that?
Sure. So, well, you know, before I founded DSE, I did a lot of independent consulting work for the big four on, you know, you guessed it, Active Directory security work streams. So I got to see how KPMG, EY, and PwC all did business, and they're all pretty similar. Right?
They have very, very similar models to how they work. And they do deliver quality, but it comes at a cost. And that cost helps pay for office space and, you know, twenty foot oak tables and amenities.
And those are things their clients are helping finance, and I'm of the popular opinion that, you know, maybe you don't wanna pay for oak tables, maybe you wanna pay more for security.
So we cut out a lot of the fat and still deliver the quality. And, you know, a lot of our work is private label for the big four anyway. Now our prices are the same either way. So if you go through them, you get a nice label, or you can, you know, come to us direct and it's kinda like Kirkland brand. Right?
So the reason I wanted to talk to you on the show, as mentioned, is because you're a deep specialist when it comes to Active Directory, which seems to come up all the time in the breaches we cover on our weekly intel chat. For our listeners that may not be familiar, can you give us a high level of what Active Directory is and what it's used for in an organization?
Yeah. I hope I won't put anyone to sleep here. Let's rewind the clock a little bit and we'll go back to the eighties and nineties. So organizations that exist today that also existed in the eighties and nineties have gone through a lot of change.
And one of those big changes was, you know, computers, right? Not every organization back in the eighties was completely digital. Not everyone had a computer. They used to do their job a hundred percent while it was still manual and still paper. The nineties came along and suddenly, you know, hey, you gotta get up to speed.
You have to be using these computers. You have to be logging in, and suddenly, okay, well, we need security now because people are logging into computers. So there's lots of different technologies that sprung up in those time eras for handling these user logins and storing their credentials.
And they were all, compared to today's standards, really, really awful.
Microsoft's NT was probably one of the better platforms in that time era, but it had really crazy limitations.
Basically, you could only have so many users on a specific domain controller. They called them primary domain controllers and backup domain controllers then. And if anybody was falling asleep at home, I apologize.
But long story short, you know, companies needed to find a way to store these user accounts, store these computers, and have people be able to log into their computers, whether they were at office A, office B, or office C. And the older technologies made that kind of tricky to scale. And if you're a company of a hundred thousand plus people globally, it was a real nightmare. And then along in ninety nine, an early release of Active Directory came out, and this was a gigantic game changer. Effectively, it's the first wide scale replicable database that was used in an enterprise environment. When I say it replicates, it does exactly that. You can think of Active Directory as a giant filing cabinet full of users, user info, first name, last name, you know, where they work, you know, what their name is, who their manager is, everything you would wanna know about a user.
And if that user flies from, say, New York to Paris, and there's a domain controller in New York and Paris, well, they're gonna be able to log in the same at either location. And that was a very new, novel concept back in two thousands. Like, this is crazy groundbreaking stuff. And as soon as I got exposed to it, I knew, you know, this is what everyone's going to be using. And sure enough, almost twenty five years later, the vast majority of the Fortune five hundreds in the world still leverage Active Directory as their backbone.
That's interesting. It kinda almost sounds like a credential DNS in that the databases are replicated across different places, and it sort of holds that user's information for what they can do within the organization and who their manager is and stuff. Are there issues with copying that information across domain controllers?
Well, there certainly used to be. So let's, you know, another go back in time session. You know, the early two thousands, not everyone had fast links at all their sites. Right?
Some branch sites may have had a fifty six k card sitting on one of their networking devices and, you know, there's not a lot of throughput through there. So there were issues in early replication. You would want to limit when replication happened because you didn't wanna saturate that link, because people couldn't log on. So it was a big problem twenty years ago, but nowadays, it's not an issue really for most organizations at all because there's fast links everywhere.
The bigger problem is security. I mean, twenty years ago, people would put a domain controller underneath, you know, Sasha's desk at the branch office and not worry too much about it. But now the concept of having a domain controller in a non secured environment is just terrifying because it has this file on it called ntds.dit. It's basically the storage of all of your usernames and their associated passwords.
And if you lose physical access to that, you lost physical access to your entire company. So don't put it under desks anymore, please.
Yeah. My suspicion is that Active Directory is actually quite secure when configured and used correctly. Assuming that assumption is correct, what is the most common way, or common ways, that it becomes vulnerable to attack?
Oh, gosh. That's a that's a big question.
Let's kind of start at the top. So, Microsoft, for a very, very long time, when they release a new product, all of the old things you used to be able to do in the previous version still work. That's kind of their, hey, if you could do it before, you can do it now, for the most part, and backwards compatibility is king.
The problem with making backwards compatibility king is it also makes security vulnerabilities king. Because in their effort to not break your environment, they're also not exactly making the new version as hardened as possible, because if they do that and you roll it out, it's going to break apps. It's going to cause issues in your environment. So you get this kind of backwards compatibility scope creep happening in a lot of environments where they're still using twenty five year old authentication mechanisms, like NTLM, NT LAN Manager, for authentication.
And NTLM is still the bane of the existence of all security professionals across the Active Directory space. It's very sticky and difficult to get rid of. That's one part of it. The second part is putting those security configurations in after the fact.
And actually pushing that out can be a risky and time consuming endeavor for a lot of entities, and the engineers that are pushing those out, they risk breaking something in production. And because of that, there's often a lot of hesitancy, like, okay, I could push this out. It could make things better. But it could also break something and I might lose my job and that could be bad.
So there's a lot of caution on the operations side of making these big security changes until organizations are told specifically, hey, you have to go do this. Otherwise, you fail this audit or you're out of compliance and, you know, things like that. And for anyone listening at home that's in ops, engineering, doing AD work, a good place to start is, you know, CIS benchmarks. These are NIST inspired.
They can get you a lot of the way there. And you can slow roll those in. There's a lot of good documentation on them, and that'll kind of help you get to a better place than maybe where you are today.
The other part I wanna touch on, I'm sorry I'm going on such a tangent here, Chris, is virtualized domain controllers. So early two thousands, virtualization didn't exist. Yeah. Everything was a physical entity or, when we got into the later two thousands, it became blades.
Right? And then blades were eventually. Blades were just 1U servers, very, very skinny server, single purpose. And then we moved into virtual machines, and VMware came on the space.
And this changed a lot. Everyone's like, holy crap. We can throw all of our servers on one virtual machine and replicate it, and this is great. And our DCs aren't physical anymore.
If we lose a power supply or authentication going down, what a game changer.
But there became some problems there. Because at that time period, and still now for a lot of orgs, your users that are managing VMware, Hyper-V, or whatever your favorite hypervisor is, often they're managing it from their desktop computer, which has internet access, it has email access, and a lot of these orgs might not even be using credits. So when Josh, the VMware admin, you know, opens a malicious email or visits a website, gets a malicious ad, and their machine gets compromised, now the bad guys immediately have VMware access. And as we saw with MGM, bad guys getting VMware access is very bad for your enterprise.
And it leads to everything being ransomwared very quickly, and it doesn't go well. And you can prevent this by isolation. Right? So those domain controllers, man, don't put those on your shared VMware infrastructure, Hyper-V infrastructure. Segregate them off to the side, limit who can get there, and put some security controls around it.
So that that .dit file we talked about earlier doesn't get compromised, because you lose that .dit file and you lost the org.
Mhmm. Yeah. Hyper-V is a very popular target for ransomware threat actors, for sure. And I do like what you said about the reluctance to update, and I can imagine in a giant org, you know, like you said, hundreds of thousands of people, where updating Active Directory might lock everybody out, which is what I imagine would happen if you did something wrong and broke Active Directory.
Yeah. A lot of it is breaking the apps. Right? So, especially when we start talking about security protocols.
Like, everyone wants to turn NTLM off, but the problem is there's so many things that still rely on NTLM, legacy applications, even newer applications, cause it's much easier to dev for NTLM than it is to dev for Kerberos. And if you're a small startup, you're taking the path of least resistance if security isn't really a concern for your consumers. So you do what's fast and easy. And because of that, there's a lot of wildly insecure apps that are running around in these organizations that are critical to them generating revenue.
So you have some challenges in that space.
I think you mentioned Active Directory was first previewed in nineteen ninety nine and then released with Windows two thousand server edition, which makes it old enough to buy a drink.
I don't know any technologies that hold up that well over that length of time. Is part of the problem with Active Directory that it's showing its age? Like you mentioned, sort of this historical backward compatibility problem, but is there also just, you know, general maintenance issues, or the fact that everything around it's changing so fast?
I think it's a combination of things. And one of them is finding good engineers and security professionals to work on the space. You gotta figure, since it dates back to two thousand, if you learned Active Directory when you're in your mid thirties or mid forties, well, fast forward twenty, twenty five years, and, you know, you're retired or getting ready to retire.
And for the past decade, Microsoft hasn't really been teaching people Active Directory. The certs are more focused around cloud and Azure, because that's a much more profitable stream for Microsoft. Right?
You sell one server license. Okay. That's, you know, x amount. But you sell someone a subscription on that server license along with compute and memory, and, you know, that's ten x the revenue.
So, of course, they're going to try and push the Azure side more. But because of that, people are learning Azure, but they're not necessarily learning Active Directory. So new Active Directory engineers and architects aren't coming on the scene. And the older ones are retiring.
They're rolling off. So finding people to support your Active Directory is becoming more and more difficult over time. And that's a real issue, I believe.
Yeah. And for anybody listening and looking for specialization, you know, the more rare a commodity is, the more it's worth in the free market.
So I imagine it might be a niche specialty some people might wanna add to their CV.
Hey. We have to kinda grow our own engineers.
Honestly, we'll bring in new analysts, new engineers, and we train them in house because the training that's out there right now is all very specific on security or it's more specific on Azure Active Directory or Entra, you know, whatever we're calling it this year. So it's tough. We end up having to do a lot of in-house training. We've even been thinking about doing our own certification programs around Active Directory because we feel the ones that are out there are not as comprehensive as they should be for the space.
Oh, interesting. Yeah. It always makes me wonder too. There's gotta be maybe three dozen Fortran programmers out there, and I know some banks still have their back end written in these old languages, and those guys, yeah, it's an interesting skill to possess.
Yeah. Yeah. You gotta bring in the gray beards when something like that breaks. Like, it's tough.
Like, no. I've literally seen people pulled out of retirement to go work in these environments, even in Active Directory. Right? So a company's AD architect will retire.
And then three years later, they'll get a call, like, hey, do you wanna come back? Like, no, not really.
I'm enjoying retirement. Like, well, do you wanna do it as an independent consultant? And this is your hourly wage? And it's like, oh, yeah, I could do that part time.
Yeah. It's interesting too. Like, I've spent my whole career working in, you know, early stage startups and, things move fast and technology changes quick. I imagine at these giant organizations, it's just like, once something's really embedded across the organization, it's it's very slow to change, if ever.
Yeah. It's a much different beast. It's the cruise ship versus the jet ski. Right?
Yeah. In some of the research I was doing for this interview, I read active directory does not work well with orgs that are mostly remote or orgs that have shifted to being primarily remote. Is that true? And if so, what kind of solutions are orgs transitioning to to solve this problem?
Yes and no. I would say it depends on the org, their business model, and their size. If you're a smaller organization, like, sub five hundred people, and you're distributed globally, you know, traditional on premise Active Directory doesn't really make as much sense for you, especially if you're brand new and you're starting things fresh.
You have a lot of cloud options there. You can leverage Azure services, O365, and that's gonna treat you pretty well to a certain point. Same thing, there's other offerings from GCP at Google, and AWS has their own flavor of it as well.
Kinda depends which one you like the best. But for smaller, more nimble, global companies, I think the cloud offerings are much more powerful. Eventually, you'll reach a size and sophistication level where you're gonna be hosting your own servers and your own infrastructure.
And at that point, you kinda need to think about what your long term fees are gonna be. Because what we're seeing in the cloud space is it was very, very competitive for a long time, but now these larger cloud providers kinda know that they have their customers locked in. You know, once you kind of have a stranglehold on your customers like that, you can start raising your prices over time. So I don't think cloud's going to get cheaper.
It's already, you know, more expensive than hosting on prem. I think it's just gonna get more and more, because these cloud providers know how much it costs to host on prem, and they can place their services at just the right amount. So it doesn't quite make sense to migrate, because the migration itself is a huge cost.
That's interesting you bring that up. It's a business process I've seen happen across a bunch of different spaces where, you know, new technology comes out, has a lot of benefit, it's cheaper than what already exists.
And then companies move on to these platforms, and then lo and behold, two, three years in, all of a sudden, the cost effectiveness doesn't look right anymore.
Yeah. Yeah. It's tricky. It's tricky too because if you're making these decisions, you wanna do what's best for the company. And, hey, if I can save thirty percent, I should totally do that. Right?
But that kinda gets back to this corporate way of thinking in, like, a year or two years and not five years or ten years. Because even executives have a lot of turnover at these larger organizations.
Kinda similar to politics here in the States. There's a very short attention span and short time span, and not a longer time span, for some of these decisions. And that's detrimental over time.
Mhmm.
Yeah. Okay. So I think you mentioned some of this earlier when you mentioned isolation, but one of the questions I had is, for somebody who's running IT and security for, you know, a smaller organization that's leveraging Active Directory, what are the things that they need to stay on top of to keep things as secure as they can be? Like, is there process, like, making sure you delete old accounts and stuff like that?
Yeah. I mean, you're rolling off people that are no longer working at your company. Definitely, you know, provisioning and deprovisioning, very important. Identity is security.
And if you abstract things a little bit, there's three different tiers of credentials that are out there. You have your tier two credentials.
These are your, you know, workstation admins, your account operators, that kind of stuff. Then you have your tier one. It's like your server admins, your database admins, that kind of stuff. And you have your tier zero.
And these are people that manage your PKI stack, your ADCS boxes, your Active Directory, and protecting that tier zero should be kind of your number one priority from the security side. If you're a smaller org and you have maybe two or three people that are kind of doing everything and they're all domain admins, that's not necessarily a bad thing. But you just want to limit where those domain admins can log into. Now let's explain why that's a problem here. So if you have separate accounts.
So, you know, Bob has his end user account that he uses on his workstation for email and productivity, and then Bob has his domain admin account. And he uses them both on that machine, and he jumps straight from that workstation to jump on the domain controllers and, you know, fix whatever he needs to fix. If Bob's workstation gets compromised, now domain admins are compromised. And that's the whole enchilada.
Threat actors will get in, set up command and control nodes, C2 nodes, and they will jump immediately to the domain controllers, extract that .dit file, and they have everything they need in the org. They can ransomware you a hundred ways through Sunday with no issues. We've even seen them pushing out group policies to actually execute the ransomware, and for those who don't know, Group Policy is a Microsoft methodology for managing servers and workstations in an environment that was introduced back in, like, ninety nine, two thousand, and it's still working and running today.
But basically, you wanna isolate those domain admins. So some simple ways to do that is a separate workstation, called a PAW or a SAW depending on your nomenclature, for those domain admins to leverage that doesn't have email access, doesn't have productivity, and you remove the ability for those domain admins to actually touch tier two resources. You make it so they can't log in to workstations, make it so they can't log in to servers, so the only thing they can do is log in to domain controllers, and that isolates those credentials from breach.
So now back to our previous example, you know, Bob's end user workstation gets popped, and the bad guy has Bob's account. They can look at email and they can send Teams messages, but they're limited in scope. They have to now move laterally around the environment trying to elevate themselves to get domain admin access. And this gives your security team more time to find the threat actor and remove them from the environment, because the name of the game isn't, you know, perfect security. That's impossible.
The name of the game is to delay and slow down the threat actors as much as possible. It's like building a sandcastle at low tide. Eventually, the waves are gonna get you. You just need to buy time.
Yep. Making the job harder for them at every step of the way.
Yeah. Make them make mistakes, give them opportunities to trip up and, you know, trigger logs and alerts that notify your security team, and the security team can then remove them from the environment.
If I remember correctly, the recent MGM attack that I think you referenced earlier too, that was done when the threat actor convinced somebody at the third party desk to give them access to somebody's credentials, which then allowed them to go into Active Directory. And if I understand correctly, they were creating extra admin accounts that they then used after the access to the first account was cut off. Was that how that worked?
Yeah. Yeah. So effectively they social engineered their way into administrative access to the hypervisor infrastructure.
There's some steps in between the two, but the long and the short of it is a phone call led to these threat actors having admin over the hypervisors.
The hypervisors had domain controllers on them. They had everything there. So the bad guys were able to do kinda whatever they wanted. Now if those credentials had been isolated properly, that wouldn't have been as big of an issue.
The DCs would have been on their own virtualization stack, isolated away. And if there was no way for account operators to manage domain controller, domain admin accounts, that would have been fine. One thing we see a lot is organizations have teams that reset passwords, your account operators at help desk, and often they'll have the ability to reset passwords on privileged accounts.
So this means, you know, a help desk employee on their first week might have the ability to reset the password on a domain admin account. That's a real problem. Because they can get phished, they can get manipulated, or they can be actively malicious as an insider threat and now elevate themselves to tier zero. So you wanna limit the service desk's ability to manage those privileged accounts and have some checks and balances in there.
Right? So, you know, you say Todd from the help desk wants to reset a domain admin. Okay. They put a request in, you know, maybe the manager of that domain admin's team has to check a box and say, okay, this is legit.
This is fine. Go do this thing.
But you just have to have those barriers, those kind of checks and balances in place to ensure that there's not a direct path there. And that's around tiered isolation at the account level.
Yeah. Fascinating.
Hopefully I didn't put anyone to sleep with that one. A bit long winded.
No. I think it's the right audience for these questions, or at least I hope it is, or else I'm doing the wrong show.
Okay. The last one I have for you is the one that I ask everyone that comes on the show. It can be as wide or as narrow as you want. Do you have any predictions for the future of cybersecurity?
Oh, interesting.
Well, so far, since our reports that are coming out are indicating we're having a twenty percent higher number of attacks this year over last year.
And I attended some talks over the past couple weeks where some representatives from the US discovery were speaking. And the major threat for the US is still China. So China, for each cybersecurity statesman we have working for the government, China has ten.
They're not all expertly... let's, what's the right word? They're not all top level experts, but they do have many, many top level experts that are very, very good. But then they also have lower level staff that are new and not quite as adept. And those are the individuals that tend to make mistakes, but I still see cyber espionage and cyber threats from China and Russia being the biggest threat to the US. We highlight that in our own threat report. I don't see that changing from a trending standpoint. I agree to see maybe less ransomware and more extortion, because extortion's a lot easier to do than ransomware.
Especially if a lot of the new SEC laws that are out around public disclosure. So, basically, if you're a public company and you get breached, you have a very short window to disclose that breach. And this is something you have to throw in your filings, right, if you're a public company. And if you don't, there are repercussions not just for the organization, but potentially for CISOs. The SolarWinds CISO has an SEC prosecution going on right now. And all publicly traded companies' CISOs are watching that right now, because that's gonna determine, you know, personal liability for not disclosing and how that disclosure's done. So if the SEC is successful in prosecuting, that's gonna mean every CSO at a publicly traded company from here on out, as soon as they're aware of something, if they don't report that up to the CIO and CEO, then they're personally liable.
So a lot of companies have this bad history of kind of sweeping things under the rug, keeping it quiet and just solving it, but I don't think that's gonna happen as much because of that personal liability aspect. Because things are gonna be bubbling up a lot more to the CIOs and be bubbling up a lot more to the CEOs, I think there'll be a lot more spend in this space because of that.
Yeah. I think the SEC filing requirement is four days, and I was just gonna check. I can't remember if it comes into effect on the twelfth or the fifteenth of December, but I figure by the time this podcast comes out, that will be the law.
Yeah. Everyone's watching this. This is a big change for the environment. It's gonna have repercussions for probably a decade out.
Yeah. I actually was talking with my friend about starting an investment fund that invests in companies immediately after breaches, in the dip, because a lot of times they come back up to close to where they were before.
Yeah. Yeah. It certainly can. There's also some companies that have long term financial penalties from their breaches, like the Target breach. They had to sell off their pharmaceutical arm, which was wildly, wildly profitable.
So if you get hit hard enough and bad enough, like, it can be bad. I mean, some very small organizations have completely disappeared because of threat actors. Regional hospitals have been ransomwared into oblivion, where their accounts payable and accounts receivable was no longer functioning, and their org couldn't function, and the hospital disappeared. Like, no more hospital.
And that's pretty crazy.
Yeah. And I think threat actors can be existential quite often for small, medium sized businesses. You know, you look at email business compromise, and a ransom of fifty thousand dollars or eighty thousand dollars getting directed through a wire transfer or something mistakenly
can end a small business. So, yeah, we don't like the bad guys. That's one of the most common things for business email compromise, or BEC, that threat actors do. They impersonate execs and then try and get, you know, false invoices paid and, you know, get a quick fifty, hundred thousand dollars.
And, alright, that's a W. Because if they can't extract any data, that's a really easy thing to do. And for a lot of these accounting departments, they get an invoice, and they'll just pay it. Especially if it comes from an exec.
Yep. Yep. Yeah. We don't like the bad guys, and we don't like to make out what they're doing to be very cool.
You know, I see a lot of these bigger companies will, you know, kinda mythologize them in a way, and I just don't agree with that at all. They're not good humans, and we should be out there stopping them.
No. Absolutely.
And that's the mindset that kinda needs to happen here. And anyways, if these young individuals are looking to make money in the space, it's a lot safer to make money being the good guys than the bad guy. Right? There's a lot less consequences, and it's only as high as you want to try and the effort you wanna put in.
You don't need a four year. You don't need a master's or a PhD. If you wanna get into security, you wanna get into IT, you know, pick up a handful of certs and start talking to people, start networking.
You can get into this space. Anyone can do it. I myself, I'm a high school dropout. I don't have a four year.
Right? All my education is the certificates. That's it. And, you know, people that are new to the industry, you could do it too.
I mean, you don't need a four year.
Yeah. And there's definitely a lot of support from the community. I know there's lots of people out there like Gerald Ozier and other people I see all over LinkedIn and YouTube that create educational content and are trying to help lift people up.
And I love seeing that. I think it's a great way to build a community and help us all with the mission of keeping the lights on and keeping business running so we can feed our families and enjoy life.
It could be a precarious space for someone new to the industry. You kinda have to be careful. Like, all the free trainings, absorb everything you can. Just be very cautious about anything you have to pay for because, you know, keep in mind these certificates are like two, three hundred bucks a pop. You don't need to spend ten, fifteen thousand dollars on a training program. You buy the book for a hundred bucks, buy the cert for three hundred, schedule it in two months, and just, you know, buckle down and, you know, study and save yourself a lot of money.
And that's tough for some people. That's not a way a lot of people can learn. There's a lot of free stuff out there. Coursera has tons of cyber, tons of IT security out there.
I'd really encourage anyone new to kinda start with the foundations, learn networking. Once you know networking, that's gonna help you so much with everything else. And learn infrastructure, right, know how servers operate, know how they talk to each other, get that background, that experience. And once you kinda have that as kind of a baseline, then move into security. Right?
Look at your Security Plus, your OSCPs, those kind of things. And that'll help round out your certifications quite a bit. When I see resumes that just have, like, security certs on them and no, like, networking or server experience,
it doesn't carry as much weight. Now when I see someone that, you know, has been in the industry for three years and they started help desk, they maybe moved up to administration, and they have a nice, well rounded repertoire of certs, that's a lot more attractive to me.
Mhmm. Yep. Yep. It's a field where breadth tops depth in a lot of ways.
I agree. Hundred percent.
Awesome, James. I really enjoyed this conversation.
It was great to meet you, and I hope we get to do this again one day.
Just let me know. Happy to be on the show.
Okay. Take care, sir.
And that concludes this episode of the Cybersecurity Defenders Podcast. If you have any feedback or ideas for future topics, please send an email to defenders at lima charlie dot I o. You can access the intel we talk about on the show in real time and join the conversation on the Lima Charlie community Slack channel at slack dot lima charlie dot I o.
If you've enjoyed the show, please consider sharing it with someone or leaving a rating or review. And don't forget to subscribe on whatever platform you're listening from. Thanks for listening in. We'll see you on the next episode.