Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
My next guest is Terry Cutler, ethical hacker, best-selling author, cybersecurity educator,
and founder of Cyology Labs. He's been named one of the top 20 most influential people in
cybersecurity three years in a row. In one minute, you'll hear why protecting your empire
starts with securing your digital life. Empire builders, don't miss this.
(00:32):
Welcome Empire Builders. You're listening to the Build Your Empire podcast, the show where
ambitious minds gather to learn, grow and create. Here we dive into the stories of entrepreneurs,
athletes, leaders and innovators who are shaping the world around us. Together, we'll unpack
the strategies, triumphs and challenges that come with building something meaningful, empowering
(00:55):
you to keep pushing towards your vision. So let's get inspired. Let's get motivated, and
let's build our empires brick by brick, step by step. Welcome to the Build Your Empire
podcast.
Welcome back, Empire Builders. Today, we're diving into the world of cybersecurity with
(01:20):
a true digital warrior, Terry Cutler. He's the CEO of Cyology Labs, a government-cleared
ethical hacker, and the brains behind Internet Safety University, where over 40,000 students
worldwide have learned how to protect themselves online. Terry is a number one bestselling
author on Amazon and has been named to IFSEC Global's top 20 most influential people in
(01:41):
cybersecurity for three consecutive years. He was also recognized on the CISO platform Global
Top 100 list during that time. From exposing internet scams to securing Fortune 500 companies,
Terry's mission is to help you guard your empire against digital threats. Whether you're a
parent, entrepreneur, or CEO, this episode is packed with insider secrets to keep you
(02:06):
one step ahead of cyber criminals. Let's get into it.
Today we have Terry Cutler, founder of Cyology Labs. Thank you. Welcome to the Build Your
Empire podcast. are you? having me. Any better than I couldn't handle it. Excellent. Excellent.
Well, um, I appreciate you coming on. Um, I would like to start maybe for our audience.
(02:30):
If you could maybe just tell you, tell us from the beginning where you grew up. I know you're
in Canada now, uh, but where you grew up, where you went to school and, um, maybe start taking
some steps into how you got into cybersecurity. Sure. Sure. Well, now we're going to go way
back. make some dust off the old brain here. So I grew up in a small town in Quebec called
Pointe Calumet. It's a very, really French town. I think it was the only English kid there.
(02:53):
So then eventually moved out of that town into another town called La Salle, where it was
closer for my parents for work and allowed me to go to high school and stuff there. After
high school, I've always been passionate about computers since the age of 10. So always learned
how computers work, take them apart, format them by accident, all this kind of stuff. I
(03:18):
still remember my first game I ever got on PC, which was Space Quest 2. I don't remember this
game. I was always passionate about computers, how it all works, then got into bulletin board
services, which is now Torrent kind of thing, downloading games and these other things called
walkthroughs. It's basically the answers to a game, all the levels. Obviously, throughout
(03:39):
high school, I was always sharing how to get around certain things with games or how to
find the cracks for these games to be able to load them. I got a reputation as the hacker
of the school, we'll say. Then once I graduated from high school, I did one semester at Dawson
College and I realized I knew more than the teacher. And that's when I was like, what am
(04:04):
I doing here? So I dropped out of college and went to a specialized school, where they taught
me about Novell networking. This is going back in the day now. Novell was the main compared
to Microsoft. They had like 80% of what runs on the internet. So ended up going eventually
to work for Novell for the software company. In around 2003, 2004, I started getting inspired
(04:29):
by watching shows like CSI and 24. Remember Jack Bauer? I was like, how is Chloe O'Brian
breaking all these systems so fast? And that's when I found out there was a course called
the Certified Ethical Hacker. And so luckily my boss sent me to Washington where I got to
train with the FBI, the CIA, Navy SEALs. There were students in the class. After learning
about hackers getting into these companies, I felt it was my duty to train the general public
(04:52):
and business owners on how to keep safe online. So fast forward to today, I'm usually a go-to
person for most of media outlets across Canada. I some massive industry awards, stuff like
that. So that's where I am now. So you started Cyology Labs. What inspired you to start
the company? Well, I had another company before that, but we had some fallout with some shareholders,
(05:16):
some other partners and it just didn't work out. So that company used to be called Digital
Locksmiths. So then after that, once I broke away from that group, started up Cyology Labs
right after that. And, but similar services, same, uh, same expertise behind the scenes
and help customers offer the best, cheapest, most affordable solutions for their business.
(05:37):
You've worked with a number of large companies in Canada. You're very well known in Canada.
Can you share any success stories or are those all confidential? Sure. So no, we work with
companies as small as two employees and we work with hospital systems, for example, that have
18,000 employees per hospital. Our, our, our, most of our clients are between 50 and 200
(05:59):
employees. So we also work with municipalities and we work with various ports as well. So
yeah, so we work with anybody who, uh, who needs our services. What, uh, what are some of the
biggest obstacles you've encountered in your career and how did you overcome them? I think
some of the biggest obstacles was like, how am I supposed to compete against the big boys?
(06:19):
Right. Because they have all the money, the expertise, all this kind of stuff. But what
we're seeing is that a lot of companies, when they go to these big conglomerates, they're
getting a lot of bait and switch means like they're promised the world. And then when they
go and sign the contract, they go into the sign, they got assigned a junior guy. And then, now
trust gets eroded services and being delivered at the way they wanted it. So when they come
(06:44):
to someone like us, who is far more for nimble and quicker and provide better services, it
started building up the name from there for sure. So how do you keep ahead? I mean, these
threats are evolving. You and I talked a couple of weeks ago about, um, you know, what's going
on with deep fake. How do you keep ahead of all this? Cause it's ever changing and it's
(07:04):
changing in a much faster pace, especially with AI. Yeah. That's a great question. The advantage
I have is that I'm very well connected in the community. So I work a lot with MSPs. I do
a lot of conferences, so get to talk to a lot of people and learn about what keeps them
up at night, what challenges they've had, and then eventually do more research on some of
(07:27):
these problems. For example, there was a situation, I'm sure you saw that in the news. It wasn't
none of our clients, but somewhere in Asia, I believe it was, somebody wired $25 million
to the wrong bank account, right? You might be thinking, what a fool, like talk to somebody
before you do this. Not only did he call somebody, he was on a Zoom call with his colleagues.
(07:48):
They were all discussing the project and said, yep, wire the money. So he wires the money.
But then we later on, we find out that all those employees were deep fake. It's like, how on
earth are you supposed to combat this? So when I was talking to some colleagues that are in
AI, they're like, oh yeah, there's some pixelation in the mouth when... When, when they talk,
I'm like, what I'm supposed to say? Am I supposed to ask you to say, ah, before you talk to me,
(08:10):
you know what I mean? So it's going to be interesting for sure. Yeah. I mean, if that's live and
they can interact with you, what are some of the common mistakes that businesses and individuals
make with, within cybersecurity? I think the biggest mistake is it'll never happen to me.
So hackers know that they don't have the time, money or resources to deal with cybersecurity.
(08:33):
So it actually makes them the number one target. So, and a lot of, especially we call them
white, gray hair CEOs that think that all I need is a strong password manager. I need a new
firewall and I'm safe, right? It's all I need. But hackers aren't trying to waste time trying
to hack your firewall and get detected when all they have to do is send a crafty looking
(08:57):
email to one of the employees, them click on a link that they're not supposed to, and now
they become an insider to their network. And a lot of companies don't have the proper detection
technology in place in order to have a hacker in there. And the average time, believe it
or not, that a hacker is inside your network is 286 days. That's the average right now.
And most companies, they find out there's a hacker in there, don't have the proper response
(09:20):
plan to get the hacker out. So while he's in there for 200 days and over, he's in there
possibly copying out your data. He's learning your network. And... once he's collected all
the important information that he wants to steal from you, then he's going to launch a ransomware
attack against you, which is going to lock up all of your data, scramble it, and make it
completely unusable for the employees to work with. So now the company is stuck paying employees
(09:45):
who can't work. Their data is locked up and it's usually a ransom attached to this, which
could be over a million dollars to get your data back. And CEOs will be like, I'm not paying
for that. Are you kidding me? But they don't realize that the hackers also have a copy of
this. They say, if you don't pay us, you're to pay us anyway or else we're going to leak
this data. And now you're going to be stuck with regulatory fines, lawsuits, loss of trust.
(10:07):
Like payments could be far more than what they're asking for. So folks like us would come in
there with a ransomware negotiation team and try to lower that amount. So it gets very,
very messy. And that's what's painful is that, you know, we'll come in and offer you as a
service what's called a penetration test. This is where we get hired to legally hack your
(10:29):
business, help you find all the holes before the bad guys do. So let's say that service
is 10, 20,000, 10 or $20,000. That's too expensive. And then they get hit with a ransomware attack
and it's like 10, 20 times the price they could have paid to avoid it. So that's, that's some
of challenges we're dealing with now is the education piece. You said 287 days. The average.
(10:52):
Yeah. So what are they doing? Just observing. Learning. Yep. They're observing, learning.
They're watching people's, depending on what they've installed, they can install what's
called malicious software that allows them to copy out people's passwords. They can reuse
those passwords because a lot of challenges is that a lot of people use the same password
everywhere online. So their passwords have leaked onto the dark web and they can take that information
(11:15):
and log into their, say their email account and download all the contents of it. And now
that makes it what's called a business email compromise. Cause if you're a CEO and your
inbox gets downloaded by a bad guy, like there's some real sensitive information in there. So
that's why you have two-step verification turned on in order to help protect it. But these,
these advanced security solutions are often become a, um, becomes a nuisance because you
(11:42):
always get prompted for this code. Like, I don't want this, but if you don't have it, make
it, it makes you an easier target to get your stuff compromised. Sounds like there's an element
of, of, um, patience with the hackers. When you see Hollywood, right? You think it's, they
take 60 seconds, they're in and they go and do their damage. They don't just sit and hang
out and observe. But I guess that's Hollywood. It's got to be dramatic. But it's interesting.
(12:04):
I mean, that's three fourths of a year. Yeah. That's the biggest misconception is that, because
we also have services for consumers as well. So they'll call us up and my Instagram account
back, it's been hacked. Can you get it back? And they think it's five minutes to get it
back. But sometimes it could take weeks, months. You'll probably never get it back. Same thing
goes for businesses. Like I said, I mentioned a lot of people, their passwords leaked on
(12:28):
the dark web because there was a data compromise. But sometimes your password may have been too
strong to crack. So what happens is they dump what's called the password hash. It's like
an encrypted version of your password. And then they could do what's called a pass the hash
attack. And by the way, Nick, I'm not talking about the good old college days here. Okay,
this is an attack where you can log in as you without ever knowing what your password is.
(12:50):
That's where it becomes really dangerous. That's remarkable. So you have an app called the Fraudster
app. that help individuals or corporations? Yeah. So, so the Fraudster app essentially
is, was designed to help individuals stay up to date with the latest frauds and scams to
watch out for. So what happened is we would, you in the app, you can submit some scams to
(13:12):
us. We'll analyze it. And, uh, if it's, if it's legit and all this stuff, we'll share
it with the rest of the community inside the app. So it's like, almost like a crowdsource
crime fighting system, we'll say, but some of the challenges that we see also is as like.
By the way, that app was seven years in the making because, I have a, as you know, I have
a book online. I've got a course, have YouTube, I have my blogs, all this kind of stuff. So
(13:34):
a lot of people were coming up to me and saying, Terry, I don't have time to watch your videos.
I don't have time to read your book. I don't have time for this. don't have But if I had
you in my pocket, it'd be so much easier. So I'm like, so I spent five years or six years
like how on earth am I supposed to like provide so much value and utility to people through
this app and make it totally useful? So, so that's, so that's a seven year in making that,
(13:57):
that we can, you know, we can push notify you that, watch out for this scam. And here's,
here's what it does. Here's how to, how to avoid it. So it's kind of like crowdsourced intelligence
and some, guidance. Correct. Yeah. That's how we've been able to do it. Is it geared more
towards individuals or for business or both? Both. So it actually has three components in
it. When you're inside the app, there's a tab for, you a consumer or your business or are
(14:21):
you a tech? So when you're in consumer, when you hit the consumer tab, all the blogs and
stuff are categorized for consumer. Same thing for business. Now, some of the scams and the
attacks are kind of cross-linked where it'll affect the business owner as well as the consumer.
So they'll appear in both columns. But there's a third column, whereas if you're a tech, you
(14:43):
can hit that and see all the trending topics relating to all the hacks that are happening
in the industry and what to watch out for. It'll be more technical, of course. Wow. So what's
more important? Trying to stop everyone from getting in or assuming people are going to
get in and figure out a way to either cordon them off, you know, and prevent them from getting
anywhere further or getting them out. What's more important? They have to understand that
(15:06):
there is no silver bullet to stop a hacker. You can only make it as difficult as possible
for them to get in. So a lot of times when businesses realize that, you know what? We
don't have the manpower, the resources of the know-how or even a budget to deal with this
stuff. What do we do? So someone like us can come in with a managed service solution where
we can monitor your network, your endpoints, and your cloud connections all in one dashboard.
(15:31):
So we do all the work for you and triage all these alerts that these techs are receiving
on daily basis. Some of these technicians are receiving hundreds or thousands of alerts a
day on top of his current job. So these techs have no time to look at this stuff. So they're
just collecting these events that are occurring. So because they don't have the time to look
(15:53):
into it, they might realize that, oh man, we got breached seven months ago because we looked
in the logs finally. So all this time, you know, they would have known about it. Someone
like, so a team like ours would go through all this noise and say, by the way, Johnny, you
know, we've noticed that this guy is trying to log into his account now from Nigeria using
a low reputation VPN client. Maybe your passwords have been compromised. You know, is this a
(16:18):
legit thing? Maybe lock the account first and then send a note to the IT administrator say
manually look into this. So, you know, for now, cause all we know, like maybe he installed,
you know, a VPN to watch Nigerian Netflix for all we know. Right. So we don't know. You assume
that they're, they're going to get in and then figure out a way that they're in, we got to
find a way to cut them off. Correct. Yeah. Limit the damage. Right. Because a lot of times a
(16:42):
lot of people use the same password everywhere online. So let's assume as an example, they registered
an account with a real estate website. So instead of using their personal Gmail account, they
use their corporate email address. So now what's happened is that real estate website gets breached.
So all these things, the passwords get stolen from it and they get decrypted. So if your
(17:03):
password is lousy, like a John one, two, three, it's gonna end up on dark web. People are gonna
start reusing it. So a lot of people use the same password everywhere online. So they might people
log into their Instagram accounts, change the information on it and now hijack it. Or they
can get access to your business Facebook, uh, administrator page or the marketing page where
they can, you know, start spamming the, uh, the other, the other followers. So we don't
(17:29):
know what we're going to find, but they have to learn how to create strong passwords is
basically the thing. I didn't install two-step verification, set that up. Okay. So you wrote
the book Insider Secrets to Internet Safety, which people can find on Amazon, right? What
maybe your three tips or three things people could take from that book and hopefully people
will go out and buy it. Yeah. So the biggest misconception is that this book is not for
(17:54):
techies. It's not for cybersecurity people. That's the biggest comment I get. Well, Terry,
I'm not in cybersecurity. I don't need this book. No, this book was designed for Mr. and
Mrs. Nobody at home that doesn't know anything about computers or tech. And it's kind of like
a distilled version of the course. So all the fundamentals are in it, how to protect your,
your, your, yourself online, how to, how to create an unbreakable password, how to, how
(18:17):
to know how to patch your system and how, so how to, uh, keep track of your kids online,
how to protect your kids online is all in there. Um, so that book is for absolutely the non-technical
person. Okay. So really anybody. Perfect. You also run Internet Safety University and you
have what 40, 50,000 students. It's over 40,000 now. Um, and who's this program for and what
(18:39):
can people get out of that university? Exact same concept for the book. The book is the,
is the short version of the course, because what happens is the, in the book, there's all
the fundamentals, but then if you want more, you can jump into the course and where you'll
also get a three, a free three-part video series, which addresses about 90% of all the problems
that we get. So was like, you know, how do I lock down my computer? How do I know if my,
(19:03):
my, uh, my spouse is spying on me or all these things? All that gets addressed for free in
the first part of the course. But then if you want more, like how to know if your email's
been hacked, how to know if your computer's been hacked, or internet safety for kids, that's
all in the paid version of the course. So they'll have access to about six hours in total of
content. Okay, and how much is that course? Right now it's going for $79. Okay, excellent.
(19:28):
People are a lot of comments like, Terry, this is so inexpensive, it's too cheap, you should
be selling this thing at over 200 bucks. I'm like, you know, we're here for the... Make
sure it's affordable for everybody. do they get access to work? And they find that. Yeah.
So obviously everything, starts off at terrycutler.com or you can go to the app in the, in the mobile,
you know, an Apple play store or the, um, in the app stores, look for Fraudster or Terry
(19:53):
Cutler or Cyology. You're to find that app. But the courses at either terrycutler.com
or you can go to internet safety university.com. And once you're in there, you can opt in and
you'll have access to a ton of stuff. Thank you for sharing that with so many scams out
there. do people recognize phishing emails and social media scams? Yeah, it's very, very
difficult because a lot of times they'll say, it'll show an email. It looks like it came
(20:15):
from Microsoft and it shows Microsoft.com like Terry. It's legit. I'm like, no, if you hit
reply, it goes to some random Gmail account. So, so inside the course we deep dive in layman's
terms, how to, how to break down a phishing email, how to know if it's a scam. Because
a lot of folks are receiving jokes from their friends and they... Here's a perfect example.
(20:38):
This happened a couple of weeks ago. Somebody received a joke inside Facebook Messenger.
So they clicked on a link, then it asked them to log in to Facebook again. So what they do,
they go and log in again. But when they do that, they give the username and password to the
bad guy, including the two-step verification. Because there's 13 ways to bypass two-step
(21:00):
verification now. So they give all the information to the scammer and now the scammer logs in
your account, changes all the information, kicks you out, and now you can't get back in because
all the details have changed, including the password and the phone number. So we show you
how to avoid all this stuff. Today's stoic quote, an ounce of prevention is worth a pound
of cure. Benjamin Franklin. This timeless quote from Benjamin Franklin perfectly mirrors Terry
(21:26):
Cutler's mission in the world of cybersecurity. In a digital age filled with hidden threats,
online scams, and data breaches, Terry reminds us that proactive protection is far more effective
and less costly than reacting after damage has been done. Through his work as an ethical
hacker, educator, and CEO of Cyology Labs, Terry empowers individuals and organizations
(21:48):
to take preventative steps, whether it's understanding internet safety, training teams, or using
tools like his Fraudster app. Like Franklin's wisdom, Terry's core message is simple. Protecting
your empire starts long before the first attack.
This week's stoic quote is brought to you by Czar Clothing, the most sustainable athleisure
(22:11):
wear for men and women. Build your empire with style and purpose. Build your empire with Czar
Clothing. Visit CzarClothing.com and use the code Czar25 for 15% off your cart. Excellent.
So you're known as a white hat hacker. For those unfamiliar with that terminology, can
(22:31):
you explain what that is? Yeah. So white hat hackers essentially a, an ethical hacker.
There's a course again, as I mentioned, it's called the Certified Ethical Hacker. So it's
a legit title. So the biggest difference with us is that we get hired by you and your company
to legally hack you because there's all kinds of contracts we sign, what's in scope and all
this kind of stuff. And at the end of the project, we provide you a report of all the findings.
(22:57):
Here's all the high, medium, low vulnerabilities. Here's what's been found. Here's the impact
of it. Here's how to fix it. And here's the evidence of what we found in case you're doubting.
So we provide all these reports to help you fix up your environment. The bad guys are not
going to provide that. That's the biggest difference. Are you starting to use AI to do some of your
(23:18):
work? Yeah. Oh yeah, for sure. So here's an example of that. A lot of times when we do these
penetration tests, a lot of the same commands are always the same all the time. So we use
AI and automation to kind of like front load all that repetitive tasks. So once those tasks
are complete, then the human, human element kicks in and we review what was found, maybe
(23:41):
do some retests and then provide the final report once we're done. Well, I like the fact that
you're incorporating the human element because the bad guys have AI, you have AI, it's kind
of an equalizer. And I think the human element is the one thing that can differentiate or
be able to see something. Cause sometimes things get through, right? Things can get through
(24:02):
AI. And I think the human has that capability to be able to, because humans are inconsistent,
I think recognize that inconsistency that the AI may not see because AI seems to get patterns,
right? And those anomalies sometimes may get through and that's where human I think is
important. It's got a good side to it, but also the human error element of it is what usually
(24:22):
causes a lot of these data breaches now. Yeah. It's your weakest link. If you've got a hundred
thousand employees, it also takes as one, you know, assistant secretary, VP, CEO to click
on one thing and the whole house comes crashing down. One thing we do often for especially
larger enterprises. We, we provide phishing and training simulations. So every other week or
(24:42):
every month we send out these phishing emails to various employees, but we time them differently.
So they can't say, Hey, Jeffrey, did you get this email? It looks like a scam. They can't
tell each other. So we, we time it out differently. So we look for what's called the clicky clicky
people. Those are the guys like to click on everything. Right. And so we don't those guys
first, you know, break them over the head. Make sure you make sure they understand that
(25:04):
this is wrong. And we've seen cases where, you know, these employees have failed the exam
four or five times and they get fired. Like you're going to jeopardize this company, you
know, because we think this is an IT problem, but it's not, it's an everyone's problem. Right.
And I mean, it's just the mathematical odds. If you have a hundred thousand employees, what's
the percent that one, two, three, four or five people are going to click on something bad,
(25:27):
right? That's why it's really important to have the proper detection technology in place
to know the hackers in there. So there's some advanced software that are out there that
can look for weird behaviors. Like, you know, this person doesn't log in at one in the morning,
usually nine to five. So that could be a little flag there. And then all of a sudden now he's
trying to use these tools that will scan the network. That's not normal. So eventually all
(25:54):
these things will actually result in shutting down the account. Wow. Uh, you've been named,
I guess, a number of times, top 20 most influential person in cybersecurity a number of times, what
three, four or five times. What does that recognition mean to you? When I, so the first time I heard
about this, I'm like, okay, this is interesting. Cause in 2018, they named me number one most
(26:16):
influential person in cyber security worldwide. I'm thinking, I can't even influence my kids
to come to the table without an iPad. What is this? And, when I dug deep into what's involved
in this decision, there's over 50 judges around the world that critique my work online. They
(26:36):
see how much contribution I've done to the community, blah, blah. There's a whole bunch of variables
that get brought into this, which are completely out of my control. Not like I can buy off a
judge. And they all unanimously said they voted me number one. So when I saw that, I was like,
wow, what an honor. There was a lot of work over, this is 20 years of grinding. So I'm
(27:04):
really happy to see that it's paid off. You've consulted all the products that you have to
help others. I think it's well earned. You've certainly developed a pretty significant reputation
for yourself. There was one award we just got this year. So 2024 was a very challenging year.
People were losing their jobs. Companies are going bankrupt. Budgets got cut. So there was
(27:29):
a lot of like survival last year between us, even competitors were calling us to try and
work with us, but we're trying to work together. So in January, I get a nice message out of
the blue saying, this is from Canadian SME saying, you just got named top tech company of the
year 2024. I'm like, wow, okay, that's pretty cool. And then I get a letter in the mail from
(27:53):
the federal government congratulating us on this achievement. And that's when it all kicked
in like, Holy moly. You know, you're, you're, you're working so hard with your head down.
You don't, you don't realize what's going on around you. And then all of a sudden these accomplishments
are popping up and I'm like, wow, okay. It's pretty cool. Yeah. Well you've earned it right
over the number of years. Um, you're pretty active traveling the world in speaking circuit,
(28:16):
right? In different conferences. What, uh, what topics are you most passionate about?
The biggest, my, my, my, um, my main presentation is the insider secrets to how and why hackers
are getting in. So what I do in this presentation is I kind of walk them through what goes on
in the ethical hacker program. Here's what's going to happen in the first phase. Share some
(28:37):
war stories. Then once they've done this, now they're going to go to phase two, they're going
to do this. And then phase three and phase four. And then I kind of show them what my job consists
of, but in storytelling. And it's been so dumbed down that anybody can follow along. So it's
done in layman's terms. So usually at the end of the presentation, either I'll make an offer
(28:58):
to them if they want to get a free scan to see what hackers can see about their business online
from the outside. I'll make that proposal to the audience. So my largest audience live is
2,500 people. That was very interesting because there was a live demonstration in that thing
and I had 16 minutes to pull this off, which means any problem in a demo, it lights out,
(29:20):
it's over. You look like a fool in front of all these people. So that actually really scared
the pants off of me. So now all of my demo stuff has always been pre-recorded in advance. So
this way, if there's any internet problems or technical glitches, none of it's going to be
affected. Right. So we do all that. Then, so I'm going to be keynoting another event called
(29:40):
Managed Engine that's coming up in May. There's another event I'm doing called Channel Next.
Where's Managed Engine at? That's going to be in Toronto in May. Okay. I believe it's May
6th and 7th. Okay. And then there's, there's a Channel Next, which is an MSP event that's
happening in April, end of April, 28, 29 in Montreal and Sage Silver Quebec. These people
(30:04):
typically seek you out. They do. So yeah. So I'm fortunate that, um, my entire business
is brand powered, which means I don't do any paid ads. I don't do any cold calling and you
know, stuff. It's all referrals. And so that's how it's been for the last 15 years. But now
there's a challenge where some of these partners, for example, now want to spin off their own
(30:29):
cybersecurity service in-house. So now this partner becomes a competitor. So now I have
to differentiate myself more against these guys because a lot of companies that have been working
with these partners for 10, 15, 20 years, they just trust them blindly. And now because they
offer like one cyber security solution, which is one piece of the puzzle, they think now,
(30:51):
oh yeah, we're a cyber security firm now. But the part of the companies, the, the, customers
don't know any better and they're not being fully protected. So there's a whole reeducation
piece that we're really focusing on now to, uh, to get some awareness. If there's some
young people out there that are wanting to get into cyber security, do you have any advice
or recommendations for them? Maybe where to get started? Yeah. So there's, no, that's
(31:14):
a loaded question too, because I actually had this call a week ago. There's a person that
was in construction that wants to jump into cybersecurity. I'm like, dude, you can't just
go from one extreme to the other. Cybersecurity requires an understanding of how computers
work, how networks work and all these things. You can't just jump into cyber. And cyber on
top of it is a kind of like an umbrella term, because underneath cyber, you've got ethical
(31:39):
hacking, you've got computer forensics, you've got policies and procedures, like what type
of role do you want under cybersecurity? You cannot know it all. So the best thing to do
is you gotta start from the ground up. So let's say that your CompTIA A+ course will teach
you how computers work. Then you can jump up to Network+, which is how networks work.
(32:02):
Cause you need to understand how a computer talks to another person via TCP/IP, is the language
that it talks to. And then you need to understand how security works. So you could do the security
course. But then after that, now you can jump into something more advanced. You wanna do
an ethical hacking course. You wanna do a forensic investigator course. You can start jump into
(32:23):
that. But I would suggest you do one year of tech support if you can at a company. Even
if you intern there, you need to understand how computers work and basically the tech support
calls that you typically would get. That's gonna help you build up your troubleshooting skills.
Because in cyber it's... Unless you're fully passionate about this field, you cannot make
(32:44):
it. You're going to burn out. You're going to be depressed. And, you know, a lot of people
are jumping into this field because they're, Oh my God, it makes so much money. But, uh,
it's a very, very, uh, grueling, uh, industry. Yeah. So, so Terry, how has cybersecurity changed
since you first started? Oh, man, it's changed quite a lot. So back in the day, it used to
(33:07):
be all about, well, if I have a strong firewall, you know, they're not going to be able to get
in. So now it's like they're coming in from all angles. They're parachuting in. They're
sending phishing emails. There's so many more ways to break into a company right now than
back in the day. What's difficult for us is that we have to protect every single door and
(33:31):
window to prevent the hacker from coming in, but they just need one way in. It could be
game over. And cybersecurity has splintered into so many different areas and disciplines,
so many different types of security, cloud security, API security, right. And it's just,
it's proliferating and it's making it significantly more difficult, right? I mean, it's almost
(33:53):
exponential ways for somebody to get in. They just need to get it right once. That's one
of the reasons why we, um, you know, cause Cyology is, is, is fairly small as a core company,
but with our partners, we could deliver over a thousand technicians from right around, across
Canada. Within one hour, I could tell you if those techs are available, within four hours
(34:16):
I get them on site. So we're all, I guess the term is called loosely consistent. So instead
of us hiring all these people and giving you a monster bill, right, or a quote, we can now
really get aggressive with pricing and I can just use those resources as I need. So I could
be teamed up with a forensic specialist or a managed service provider or a virtual chief
(34:42):
information security officer. So I can just pull these people in at will to provide service
to the client. So it allows you to kind of triage a situation. If you have an emergency situation,
large company is breached and it's evolving, which is kind of alludes to my next question.
Have you ever been in a situation where a cyber attack has been unfolding in real time where
(35:02):
you're seeing it happen? Yeah. Yeah, so actually back when I started, this was back in 2008,
we were doing an assessment on a company. And as we're doing a penetration test on them,
they were noticing that other attacks were occurring at the same time. So at the time, I didn't
necessarily have a digital forensic investigator on hand. So what we were able to do was deploy,
(35:27):
I guess you'd call them active defense technologies where we can install a honeypot to see what
the attacker is doing so we can get more familiar with the person. And then from there engage
a forensic firm to come in and find out what's going on. Is that referred to as offensive
security? Correct. Yeah. So, but, the forensic folks, what they're going to do is they're
(35:47):
going to go in and install specialized software just to kind of contain the breach. And they
want to see, you know, what this person did on this computer. Uh, where did he go next?
Um, what did he take? What did he access? So we want to, the goal is to find what's called
patient zero. We want to see where it all originated from and how it got in there. Okay. What's
(36:08):
the toughest cyber hack or cyber incident you've had to deal with so far? Um, there was a large
organization that had about 400 employees and, um, actually I have a couple of these, a couple
of situations like this. So this one had 400 employees and this poor guy, it was this, I
think it was the seventh month on the job. So he took over from past IT administrators who
(36:29):
didn't leave any documentation for this guy. They didn't leave him where the installation
software was or the license keys. Nothing was documented. So it gets hit with a ransomware
attack. So because he's not trained in cybersecurity, he's an IT guy, worse is just the IT manager,
he started going around the 400 computers and started unplugging them all. He unplugs the network
(36:51):
jack, which in one way is good, but on the other side, it makes it extremely difficult for forensic
investigators to go in and start installing our software to contain what's going on because
usually we can install an automated software that pushes this agent out to all the computers
in one shot, but now we've got to go manually one by one to every computer. So that extended
(37:13):
the thing by almost two weeks. So once we're able to collect the evidence, then we to do
all this triage stuff offline. So they also go ahead with a ransom note, which I think
was close to 2 million bucks. And, uh, we managed to get away at 400,000. I believe the number
was we'll drop from 2 million at 400,000. What did you think about the Las Vegas hack? What
(37:39):
18 months ago or so that brought down a number of the hotels. Um, there's been a few, is
this the one about the fish tank? Um, it was the one, I think they, they, someone with an
administrator or somebody had called in. And was able, I guess, to give them the hacker
some password. It was basically a vishing attack, from my understanding, but they brought down
all the hotels. Couldn't literally, could not get into the rooms because the key cards are
(38:04):
affiliated with computer systems, right? Cause you can program those on the fly. You literally
had to manually get people into rooms and manually check people in. Um, that's pretty significant
and very visible. Right. So an attack like that doesn't take five minutes. That's months of
preparation. And, um, so that's, so that's it's just goes to show you that. It's not a technological
(38:24):
problem. They just called up the IT help guy, help desk guy, who probably didn't get the
proper training and they tricked him into divulging information or resetting a password and they
were able to get in. So, but there was another situation too in Vegas, somewhere in Vegas
where they were trying to hack a casino and this casino brought in a glorified fish tank
(38:47):
that had a sensor on it. It's totally hacked into the sensor to gain access to the network.
So this is another example of how what's called IoT can be a problem for you as well. Because
you can't secure these things properly. It's very difficult. Right. You just look for the
weakest link.
(39:09):
If someone wants to improve their personal security today, what are the first three things that
they should do? Um, okay. The first thing to do is, um, you want to kind of do a
self audit. If you're, if you're using passwords like a John one, two, three right away, that's
bad. So you want to create an unbreakable password. So to create an unbreakable password, we have
(39:31):
a mixture of uppercase, lowercase and symbols in the password. And to create a strong password,
you want to have between 16 and 25 characters long. Let me know what you're thinking, right?
Is this guy crazy? Like, is he nuts? Like, how do you remember a password this long? So if
you can think of song lyrics or phrases, it's going to help you. So a lot of examples I give
in live events is let's take a simple phrase. I had a great day at work. Twenty twenty five
exclamation point. Right. Pretty simple. Remove the spacing, capitalize each letter of the
(39:56):
word. That password alone will take 10 years to break. But if you replace the O's with a
zero and the A's with an at symbol, that password will take 30 30 something, 39 centuries to
crack. But that's until somebody hacks into the server and dumps the passwords and they
can log in as them without ever knowing what that password was. So you need to have the
two-step verification security system enabled on your devices, on all your accounts, your
(40:20):
email, your Amazon, your bank, all that has to be there. Not only that, I advise you to
go a step further. There's a thing called the port-out scam, also known as SIM swapping attacks.
You may have heard this term. It's where somebody was able to clone your SIM card. And now he's
got a duplicate of your phone, kind of. And any password or two-step verification that
(40:44):
goes to your phone can also go to his phone. So what they did was, in this one example,
this woman who appeared on my live show, she had two-step verification turned on all of
her accounts except for one, her Hotmail. And she didn't really care, it was all junk mail
in there. So they managed to get into her Hotmail account. They saw a list of all of her security
(41:04):
questions and the answers to it. They managed to log into her phone provider and change the
provider from one to another. And when he did that, all of her two-step verification numbers
went to the scammer's phone. So they logged into her bank account and drained it, bought stuff
on Amazon and eBay. And they did this all on a Friday night after hours. So she would have
(41:25):
had to wait till next business day for the bank to really step in. So she describes it as
living hell for two and a half days. Wow. Is there any insurance to protect from that? No,
unfortunately not. Even the banks, they're going as much as they can to say, if you're
(41:50):
a victim of a phishing email, sorry buddy, you're on your own. But you know, we've had to go
to court against the banks saying that, Hey, you know what? Okay, fine. He was foolish to
click that link. But at the same time in your system, you should have known that, Hey, this
guy's usually logging in from Montreal. Now he's logging in from Croatia. That's not normal.
You guys should have stopped it and at least call up the person saying, are you trying
(42:14):
to wire $15,000 to the wrong bank account? So in a case that we did, they wired $440,000
to Mexico and the banks didn't even stop it because it was pre-authorized for half a million
dollars. That's another thing too, is if you're a small business especially, there might be
a chance that you're preauthorized for a really high limit that you typically wouldn't do.
(42:38):
So you want to make sure you lower that limit to what's more realistic to your threshold.
That's a good point with VPN technology today. So that makes it difficult for people to know
that, this IP address came from Czechoslovakia, but the person could be in Russia, China, Spain,
right? They could be anywhere. Is that correct? So it makes it difficult to trace. Yeah.
(43:00):
So it makes it very, very difficult, but, so in some, some VPN providers, they keep logs.
So they find out who your originating IP address is and what you've been doing, where you've
been connecting to. So if we can find out who the destination IP was, and we see it belongs
to, I don't know, you know, Nord VPN, for example, well, we'd be able to send a subpoena to Nord
(43:25):
VPN to find out what that address is. I see. So a bank should see like my Chase bank account
should see that. With my name, my phone number, I'm logging in frequently, checking my balance
once a week, depositing, withdrawing stuff. And then they see a phone in Nigeria or Spain
or Argentina. That's got to send a flag, right? You think, but they don't have it all equipped.
(43:49):
Unfortunately. Cause I mean, like when I went to South America, I went to Chile. Um, you
know, I called credit cards and let them know, Hey, you're going to start seeing some charges
in Santiago here for the next two weeks. Right. And I think that's, that's good. And hopefully
it sends some flags to them that, Hey, you know, he's been doing this stuff in Dallas and all
of a sudden there's somebody in Spain or from Morocco logging into his bank account, withdrawing
(44:12):
funds. Yeah. There needs to be more user. It's called user activity monitoring. So there
needs to be more of that in place to help secure the consumer because a lot of times they're
left holding the bag. They have nowhere to go. They'll call someone like us to help them out,
but you know, it's, it's too late. The money's gone. I mean, how you want me to get that back?
Same thing for like when people call us up that they sent out inappropriate photos or videos.
(44:36):
How do you want me to get it back? We're not allowed to go and hack that other guy's phone. It's
illegal. I see. So we talked about your book, Insider Secrets to Internet Safety. They can
get that on Amazon. Right. And so where else can people go? I guess if you can give us maybe
your information on the Internet Safety University, where they should go is, is terrycutler.com.
(44:59):
Is that the centralized place to get your different apps, your book and get access to all that
information? It all starts at terrycutler.com. It's all about me. It's all about me, from
there they can join, uh, you know, some Facebook groups that we're on, can watch us on YouTube.
I provide a lot of tips and tricks there. And so if a business wants to leverage your services
(45:21):
or you for speaking event that your website, terrycutler.com is the best place to reach
out to you. Yeah. Our business is psychologylabs.com and, uh, that's where they can see
a list of all our services. And, you can also see a lot of it on terrycutler.com as well,
but you know, you can go to either place. Is there anything else you'd like to share with
the audience that you think is viable or interesting or a piece to walk away from? They have to
(45:45):
understand that cybersecurity is everybody's problem. Right. And because you're not. You
might not be proficient in computers or cyber security, that makes you a number one target.
So you gotta make sure you have the basics in place. Make sure your computers are always
up to date. Um, make sure you create a strong password, you know, do you gotta do a self
audit on yourself to see, you know, what's valid, what's vulnerable about you online, could be
(46:08):
taken advantage of. Well, thank you for that. Uh, two, two questions. Um, have you seen
the movie beehive? Yeah. Jason Statham. That's a very good movie. It originates from a hack,
right? I guess a vishing attack or phishing. We need more of that, especially when you
get, you know, you get a call from John Smith with his thick Indian accent, who's actually
(46:29):
in India and his call is on there. You know, there's so many scams going on right now.
It's really unfortunate. One last question. This is personal. What's your favorite hockey
team? You're in Montreal, right? Got to go with the Canadiens. Okay, they lead in Stanley Cups
still to this date, right? They do, yes. So I, so I'm also a big fan of Colorado, especially
(46:52):
when Patrick Roy was there. Yep. So, so I actually, I like the Golden Knights. They're
pretty cool. So well, they have a great opportunity when they get started to basically pick the
best players from every team. Yeah, right, and had a pretty good, good start. Yeah, and some
great players came out of Canadiens. I'm like Ludwig I don't know if credit like we're okay
(47:14):
Cause he was part of the Dallas Stars championship team when they won in 1999. Uh, and Guy Carbonneau
also was a Canadien that was part of that team. But the Canadiens are definitely the best,
historically the best hockey team ever. So, I look at our gold medal, right? That was a
great game. Got a bit, that was a nail, but I have no more nails, man. Well, in, in Canada
(47:36):
seems like the one of the best places to get the best hockey players. I mean, Russia's pretty
good. But I think, uh, definitely in the NHL, I think Canada leads in providing the best source
for players. I mean, it's rare in America. I mean, Mike Modano was the highest US-born
scorer, right. But, that's few and far between. And it's pretty limited to a few states, right?
(47:59):
Minnesota, Wisconsin, a few of the Northern states, right? Cause you don't see a whole
lot of best players coming out of Texas, New Mexico and Arizona. So I appreciate you joining
the Build Your Empire podcast, Terry. Definitely would like to stay in touch with you. And
I think you're going to be starting your own podcast here pretty soon too, right? Yeah.
So it's going to be called the interrogation podcast. I rock that to use AI for this one.
(48:21):
It's like, how do I create a podcast? I was always doing live streams. I want to create
a brand around my name that relates to cyber. Like what you can come up with. So it came
up with in interrogation, but had my name in I N T E R Y Gation. So like, Oh man, perfect.
(48:43):
Signs still delivered. When will you be launching that? I said I was going to launch it in January,
but I, but I have my, I've got my interviews all set up. So now I'm hoping to do it in the
next month or two. Okay. Well, we'll be on the lookout for that. I appreciate it. Thanks for
having me. Really appreciate it. This is great. Yeah. Thank you. I greatly appreciate you joining.
You're just a wealth of information of all the businesses, the books, the apps, right. And
(49:07):
your university. You're a wealth of information. So I hope in five years, man. Well, with all
the information that you have, it does not surprise me that you're probably up till five in the
morning reading books or something. But I greatly appreciate your expertise and coming here and
definitely would love to stay in touch with you. Thanks for having me. Thank you for tuning
(49:29):
in to the Build Your Empire podcast. Producing the show takes time, money, and resources,
and we deeply appreciate your support. Here are three simple ways you can help us keep
this broadcast going strong. Number one, visit our website at buildyourempirepodcast.com
to join our email list. Stay updated on future episodes, exclusive content, and everything
(49:52):
happening in the Build Your Empire community. Second, if you'd like to make a small donation
to support the podcast, you can do so at buymeacoffee.com slash buildyourempirepodcast. Every contribution
helps us continue to share inspiring stories and valuable insights. Thirdly, maintain
the build your empire mindset with some comfortable and stylish athleisure wear from zarklothing.com.
(50:17):
Whether it's for you or a gift for someone you care about, you'll find apparel designed
to empower you to build your empire. Use code Czar25 for 15% off your shopping cart. And
finally, if there's a specific guest or topic you'd like to see on the podcast, I'd love
to hear from you. Drop me a line at Nicholas at buildyourempirepodcast.com. That's N-I-C-H-O-L-A-S
(50:43):
at buildyourempirepodcast.com. Thank you for being part of this journey. Together,
let's keep building empires. We'll see you on our next podcast.