Cyber Consulting Room

Cyber Consulting Room - Episode 4 - Yianna Paris

November 19, 2023 Gordon Draper Season 1 Episode 4

 In this riveting episode of The Cyber Consulting Room, host Gordon Draper engages in a thought-provoking conversation with the exceptionally talented Yianna Paris, a seasoned cybersecurity professional with a journey that is as unconventional as it is inspiring. Yianna's entrance into the cybersecurity realm, fueled by her early fascination with breaking video games, sets the stage for an exploration of her diverse and impactful career. From running her own business and inadvertently becoming the go-to tech support for hacked accounts to joining SEEK as a software developer, Yianna's trajectory is marked by a unique blend of hands-on experience and formal education, including a Bachelor of Digital Media Design and a Bachelor of Computer Science. 

As a trusted advisor, Yianna shares insights into the challenges of hiring the right consultant for the right position, emphasizing the significance of adaptability and the potential clash between traditional governance and agile environments. Drawing from her consulting experiences in the Netherlands, Yianna unveils memorable moments, including the surprising revelation that even cows can be hackers. Throughout the interview, Yianna dispels myths surrounding the consulting industry, emphasizing its diversity and the hands-on nature of the work.

Listeners are treated to invaluable advice, from pacing oneself in the overwhelming field of cybersecurity to the importance of admitting when one doesn't know something. Yianna highlights her go-to tools and frameworks, including JupyterLab, Jupyter Notebooks, Obsidian, Miro, and the power of search engines. Beyond the technical realm, she shares her favorite hacker movie, her dream of living in Iceland, and recommends three cybersecurity books, adding a personal touch to the conversation.

Gordon Draper (00:02):
Hi, I'm Gordon Draper, the host of the Cyber Consulting Room podcast. In this episode, I welcome a remarkable guest, Yianna Paris, to share insights and experiences from her journey in the field of cybersecurity. Yianna's entrance into the realm of cybersecurity was unconventional. Her early fascination with breaking video games and software led her into the dynamic world of cybersecurity. A past she didn't initially know existed as a career. Yianna's educational background includes a Bachelor of Digital Media Design and a Bachelor of Computer Science, complemented by industry certifications such as OSCP and a range of cloud certificates. As a seasoned professional, Yianna has faced and overcome challenges in hiring consultants, emphasising the importance of adaptability and navigating traditional governance experiences in agile environments. Having consulted in the Netherlands and encountered unexpected experiences like learning that even cows can be hackers, no seriously, Yianna reflects on her diverse career and will share more in this podcast. From breaking myths about the consulting industry to sharing indispensable tools like JupyterLab and Jupyter Notebooks, Yianna provides a wealth of insights. Join us as we explore her unique journey, memorable experiences and valuable advice for those venturing into the ever-evolving field of cybersecurity. Get ready for another riveting conversation on the Cyber Consulting Room podcast.

Gordon Draper (01:42):
Hi everyone, I'm Gordon Draper and I'm the host of the Cyber Consulting Room. Today we've got Yianna Paris, who is an established public speaker, and she's presented at places such as the Diana Initiative in Las Vegas, 0xCC in Melbourne, Australia, and various other tech conferences over the years. She likes to hack systems by using its own functionality against itself and by unravelling the thread to see how deep she can get. Previously, she's worked as an offensive security engineer at Seek in Australia and is now hacking embedded systems and hardware, working as a security consultant at Xebia in the Netherlands. She's joining me today, but she's preparing to speak at the Diana Initiative in Vegas in a week's time. Thank you very much for joining me today.

Yianna Paris (02:32):
Thanks so much for that awesome intro, Gordon, and I'm super excited to be in Vegas next week.

Gordon Draper (02:37):
You're going over for the whole week and you've got a number of different events planned from the sounds of it.

Yianna Paris (02:43):
Yeah, I'll be at Diana Initiative, but I'll also be going to BSides Las Vegas and to Defcon, and I can't wait to catch up with the Aussie crew as well.

Gordon Draper (02:52):
Yes, Yianna has spent some time in Australia and she's now in the Netherlands where this is being recorded and she'll be joining myself and other people at Vegas. Thank you for joining me today. I'd just like to ask one of the first questions to get things kicked off. How did you get into cybersecurity or information security, as some people call it?

Yianna Paris (03:12):
Funny story because five to 10 years ago, I actually fell into co-founding a business, so it was in web hosting and web development, and I didn't realise it at the time, but I was in information security because I kept getting calls from clients whose accounts had been hacked or sometimes they were dealing with spam, spam bots. There were a lot of WordPress sites. I didn't think of it as a career. I just thought of it as I'm responding and I'm helping out these clients. And then fast forward just a few years ago, I'm working at Seek as a software developer, but I was always security minded and I was always trying to run security events for the team, whether it was threat modelling or creating a CTF for everyone. And then I got invited by Dr. Pam O'Shea to join the security team and to see if I liked it and I loved it and I haven't looked back since.

Gordon Draper (04:04):
Yes, Pam O'Shea's a well respected person in the security information security industry in Australia and globally. I think she's involved with the Black Hat Organisation conferences as well. To be given that chance is very impressive.

Yianna Paris (04:21):
Yeah, she's such an inspiration to me and I think is the reason why I've always believed in lifting people up and trying to get them their first opportunity, but that showed me that it can be done and I try to do that today with other people.

Gordon Draper (04:34):
Well, that sort of answers my next question is did you always want to be in cybersecurity? It sounds like you fell into it, it dawned on you at one point where, oh, I guess I'm in cyber.

Yianna Paris (04:45):
Yeah, exactly. As a kid, I always liked to play video games, and so I was always the one looking for collision or non collision in walls. So can I teleport to another place on the map? For example, I used to love playing Spyro the Dragon and Super Mario Brothers, so I was always finding ways to glitch past things so I could get further in the level. I thought that was a lot of fun. I didn't know that was hacking some of the things that I would do, like changing system files and seeing what they did or looking at malware just because I happened to accidentally get my PC infected. But I always found it super interesting. And then when I was at uni, I was joining different clubs and there were security clubs and I still didn't quite understand it, but I found a lot of systems and servers within the university that were open. And then I found out that some people were creating files that anybody could read and write to on their own file shares. So I was kind of falling into it, but I didn't know security could actually be a career at the time.

Gordon Draper (05:49):
I also spent some time playing in the gaming community over the years before breaking into cybersecurity and deciding to branch in this direction. So I know exactly what you're talking about. I did spend a couple of years working as a tech support for a gaming platform.

Yianna Paris (06:06):
That's super cool. And honestly, tech support people are my favourite people. They have all the goss of everything that's happening

Gordon Draper (06:13):
Usually. Well, I lean back on that for my cyber consulting background. That resonates with you as well. Yeah,

Yianna Paris (06:19):
Absolutely.

Gordon Draper (06:20):
So you talked about a degree, what education qualifications do you have and what industry certifications do you have?

Yianna Paris (06:27):
So I started off thinking I was going to be a game developer and animator. So I did a digital media design degree a long time ago. It was something that I was really proud of. I never actually finished high school. The fact that I was able to get in and showcase my skills, that was really cool. And then fast forward after I ran the web hosting business, I wanted to learn about computers a lot more. So I thought, oh, computer science sounds really cool what I jump into that degree, and I loved it, and that's how I was able to get even more software engineering jobs. Once I joined the security team at Seek, I realised, oh, there's a lot of certifications out here and they can help me learning the basics to learning more advanced stuff. So I have a handful of cloud certificates using a lot of AWS, but we've also used some Azure as well in various businesses. I have my OSCP, I have some MITRE certifications. So MITRE came out with an online platform last year and I had a look at their threat intelligence one, completed that purple teaming, and they had a threat hunting one. It's all about their framework, but I thought they were quite interesting as well.

Gordon Draper (07:32):
Yeah, you can do a lot with the MITRE frameworks that they have available. Very good. From the purple and blue team perspective, being able to track the different attack also defend frameworks.

Yianna Paris (07:43):
Yeah, exactly. And because I was so deep in offensive, but at the same time I had this sort of blue side to me as well because I had built software and I knew what it was like to be a developer, but also I knew what it was like to triage things. So I don't just like to find things and break things. How do you actually fix that? Where do you go from there? And then being able to see the other side of it where there are frameworks that actually help give you a language to talk to other people too. So instead of us talking totally different things, we suddenly now can understand each other by using something like MITRE ATT&CK.

Gordon Draper (08:17):
How are you going with communicating with developers on application security, source code reviews and things like that. You'd be slotting right in and be able to chat with them. It's not a different language necessarily.

Yianna Paris (08:29):
No, that's the interesting side for me as well as I've worked in these really fast paced environments, I know how that fits with agile traditionally. Sometimes some security doesn't always fit in that way. And so when I speak to developers, I'm really trying to get into their mindset and thinking back to my experience, what was that like being in a team? What were the dynamics? How do we do code review in the first place? How do we use version control? And that helps me sort of bridge that gap of like, well, I can understand this world now. So let me try to introduce you to some of the security parts of that as well and how it relates to your work.

Gordon Draper (09:05):
Very nice. What challenges do you come across in the hiring of the right consultant for the right job? Are you assisting people with job interviews? On the hiring side of things,

Yianna Paris (09:16):
I did a lot of hiring in Seek, and so I knew what it was like to try to find the right people to get into an internal team. I also know some of the challenges that we've had at my current consultancy at Xebia because we are a bit of a different consultancy. We have a very interesting culture that doesn't really look at hierarchy. We treat everyone as seniors, and so you can talk about something and we'll treat you as an expert in there, but we'll also be able to challenge each other and talk about each other. And one of the biggest challenges we have with hiring in general is trying to make sure we have the right person who is adaptable to those kinds of situations. Because you can be working for really highly regulated organisations to startups and the type of person that may have done governance for say a regulated like a banker, an insurance company, that personality can be quite different to someone who, like me has worked in agile software dev environments where we're all critiquing each other's code and we're just trying to push and get things out there.

(10:19):
So yeah, that adaptability is a tough one, and I think ego is a really hard one as well because people always want to try to prove themselves, whereas I'm the kind of person that is what you see is what you get. I know this much stuff, I might not know some of the other things, but I will learn about it and I'm okay with that. So yeah, those are the kinds of challenges that I find.

Gordon Draper (10:38):
So that's given us some perspective as to where you are with consulting and finding the right consultant for the job. Did you spend any time as a security consultant? This is a generic question for people of all types, and which countries have you spent time working in as a security consultant or otherwise?

Yianna Paris (10:58):
As an internal security, I worked in Australia and as a security consultant specifically, I've worked in the Netherlands, but a lot of the companies that we've worked for or with are international as well. So we've kind of had to look at not just Dutch market, but also the European one and how that fits into the huge global ecosystem. A lot of my experience has come from Australia though. And while it wasn't traditional consultancy, running my own business felt like I was a consultant as well. I was sales manager and accounts manager and sales consultant all in one, and then the engineer as well, having to actually do the work.

Gordon Draper (11:35):
So you've seen what it's like to have to catch your own feed.

Yianna Paris (11:39):
Yeah, absolutely. When people talk about wearing many hats. Yeah, I know exactly what that's like.

Gordon Draper (11:45):
What is one of your most memorable experiences consulting on cybersecurity?

Yianna Paris (11:50):
It's actually been one of my most recent experiences and it was learning that cows can be hackers. I'm in the Netherlands, we have a lot of agriculture here, a lot of farmers, and there are robotics for farms and they're super, super cool, but cows are super clever as well. Cows know how to get more food or maybe let their friends in to places that they shouldn't be letting their friends in, and I can't say too much more, but learning that a cow can be a threat actor that makes me laugh every time.

Gordon Draper (12:25):
Your threat model is not my threat model

Yianna Paris (12:28):
Exactly as they say.

Gordon Draper (12:29):
That's definitely very interesting. I mean, you're consulting at the moment. Would you consult again at a higher level? Would you consider being a virtual CISO in the future?

Yianna Paris (12:41):
I look at some of my colleagues who are consultants and at a very high level and I'm like, wow, that's amazing. I'm still having a lot of fun. I get to break things without too much responsibility on my shoulders. I get to help translate things, but I'm not directly responsible for things just yet as well in the sense of being at board level. But I still have to report to the board, and I still like knowing what it's like to translate security into a language that makes sense for higher management so that way I can get it to the software developers, the people that are actually creating the thing, but not just software developers, different departments as well. How do we get legal and finance and everyone involved? So from that perspective, when I think of running a consultancy, I'm like, yeah, I would really love to run something where I get everyone involved in some way and show them that security can be really approachable for them as well. So I don't know if it'll be my own, but maybe helping out a friend for now and seeing where I go.

Gordon Draper (13:41):
Yeah, it's interesting to see that you need to communicate in different ways to the board, to upper management, to legal sales, marketing as you've seen that you've had to try to do that all yourself under your own hat. And as you see, as you get into different consulting positions, you need to communicate both internally at different levels and potentially even externally. So when you're at a certain position, you may need to be speaking to the upper management executives the client has asked you to.

Yianna Paris (14:13):
Yeah, exactly. That's something that happens so regularly as well. And how I demonstrate impact to say C-suite, like your CEOs, your CFOs is so different to how I demonstrate that impact to developers, for example. So the language that I use, the way that I present that visually, so I have a background in design and I make sure that it's not just slabs of text when I have the time. I like to create something that's more visual and digestible in a language that people understand as well. I think that becomes really underappreciated. And so I always tell people who have those skills, please come help us in cybersecurity. We'd love that.

Gordon Draper (14:52):
It comes out in your presentations as well at industry presentations. The slides are well put together. They're not just slabs of text on a wall.

Yianna Paris (15:01):
Thank you. Yeah, I love to tell a story and I think bridging that visual gap, that's how I can help show people I'm bringing emotion to that and everything that comes with it.

Gordon Draper (15:12):
What have you seen or heard at conferences recently that really stands out and I guess what are you looking forward to in this Vegas week?

Yianna Paris (15:19):
So the biggest thing that I've realised has been a bit of a trend the past few years, A good trend is more conference talks from people who didn't traditionally come from a hacking or security or even a tech background. I want to hear how they're helping cybersecurity. So I've been to a talk where it was a project manager telling us about their process and how they help teams and become more effective deliver value, show that they are delivering that kind of value. I hate saying that, like I know how valuable our work is, but having someone being able to demonstrate that that's something that I would pay lots of money for all the time, but also to help me keep on track because I have ideas always and these are the kinds of people that help me shape those ideas, create a plan, and then actually execute it as well.

Yianna Paris (16:07):
I am hearing a lot more talks of people with how they're trying to become more approachable as a cybersecurity professional as well. So they still talk the technical security stuff, but they're also trying to reach out to a broader audience as well. So using language that everyone can understand, bringing them into our world, and I think that's a really good strategy or way to introduce people who wouldn't have ever been able to understand security, let's say 10 years ago, but now this trend of like, well, we need everybody. It's true. It's coming out in the conferences.

Gordon Draper (16:43):
Well, that's good to see. I've seen a couple along the lines of privacy, et cetera, but I haven't seen that in my particular run of conferences. So that's really interesting to see your project manager or your slightly different one-off perspective is providing these sorts of information.

Yianna Paris (17:00):
Yeah, definitely. I think there was one at Kawaiicon as well. There were actually quite a few there that were not just your pure straight up exploitation, which I love as well of course, but trying to break down, for example, the COVID response in New Zealand and how that relates to cybersecurity as well. It's not specifically an incident response in cybersecurity, but it kind of is on a national level. Right. Yeah, I thought that was quite fascinating.

Gordon Draper (17:25):
I was a little bit distracted. I was playing the capture the flag.

Yianna Paris (17:28):
Oh, nice. Yeah, it's such a hard choice whenever there's a CTF or capture the flag or the talks at a conference, which one do I do? Or I then sit there soldering and picking locks for the rest of the day. So that's always fun.

Gordon Draper (17:42):
It's always a fun time too

Yianna Paris (17:43):
Conference. Yeah.

Gordon Draper (17:44):
What's one thing in your consulting history that the consultancy did that you didn't expect?

Yianna Paris (17:50):
The biggest surprise for me since joining Xebia was that they intentionally tried to be different to your traditional sort of consultancy. So we really stressed that services shouldn't just be, here's something that we preconceive, it's streamlined, it's out of the box and this is what you're going to sell to people. My personality is always I want to know why something is happening, and it's not just the technology. Humans use that technology, so how are we using it? Why are we using it in that way? And then we start to think of things that more of an ecosystem level. So how do people interact with each other? How do we interact with our systems and our processes, and then how does that shape development or an organisation or cybersecurity and where that fits. Being encouraged to use my out of the box different way of working and thinking is the biggest surprise for me because in the past I've always been told, don't boil the ocean or just stick to this or just push out this process or policy. And that always felt a bit too, if that makes sense. It was solve gut solutions.

Gordon Draper (19:00):
Exactly. I agree. You are finding that the consultancy that you're working with now is a little bit different than your standard cookie cutter consultancy?

Yianna Paris (19:10):
Yeah, definitely. We not only tell people to knowledge share, but we create a platform that people can do that in. So upcoming on Tuesday, first Tuesday of the month, we all get to share something, anything. I'm practising my talk for Vegas, so I can't wait where people will sit around, give me feedback, listen to it, but also you don't have to share knowledge on something you're doing at work. We've had people who were doing beer tastings. We had people who were introducing others on how to use the coffee machine at work because a super, super special barista quality kind of coffee machine people have made pizza. So it's a very sort of, we're here to help each other learn how to communicate better, how to present, but also be passionate about it. Show us what you're excited about and we get excited about that too.

Gordon Draper (19:59):
Sounds like a really positive environment.

Yianna Paris (20:01):
Yeah, it's good. I mean, every organisation we have ways that we can improve, but with these kinds of things, I think the people really care about each other and we really want to see each other succeed.

Gordon Draper (20:12):
What is a common myth about the consulting industry?

Yianna Paris (20:17):
There's a couple here that I want to touch on. One of them I sort of mentioned before was that one solution sort of fits all. We've seen this a hundred times, so this is the way that it should be. You must do your architecture in this kind of way. So for example, architecture for a software system, otherwise it's just never going to work. Or you must have this specific security process, otherwise you're not doing security, whatever it might be. I don't believe that one solution fits all. I think that there are trends and commonalities that we can see between organisations and I think it's up to us to really figure that out, really figure out where the business is at that point in time and see what works for them. And the other one was I always heard, and maybe this is just in my circles, that consultants don't always get their hands dirty.

(21:06):
They don't really know what they're talking about. They've sort of just, yeah, maybe they've made it up, whatever it might be. The biggest thing for me is that we're always learning something new, and that's what got me interested in security in the first place, wanting to stay in the industry, is that one day I might be learning a new programming language, for example, or a new framework, and that's okay. That's super exciting. Being able to jump in and actually make something with it and then tell people about how I've made it and guide them on the process to making it themselves. That's my favourite part of the job. Not all consultants are consulting from 10 feet away. There's many of us who just like to actually do the thing, engineer something, and then share that with the rest of the world as well.

Gordon Draper (21:51):
Very impressive to be able to just pick something up and then be able to adapt and learn and be able give the expert knowledge reasonably quickly.

Yianna Paris (22:03):
Yeah, I think that if anyone wanted to be in security specifically, if you like to go broad and deep, this is the place for you because you get to share that back and use that as much as you can.

Gordon Draper (22:15):
I guess that leads into the next question, which would be, what is the most important lesson you've learned over your career?

Yianna Paris (22:21):
The most important lesson is when you're asked something that you don't know, say you don't know, it's not a weakness to be able to admit that you have a gap in knowledge, that we don't expect you to know absolutely everything. In fact, the most important thing is that you're willing to learn it, and if you're not, do you know anyone who knows about it? I can refer it to them, but for the most part, a lot of the time, even for my interview, I was asked, do you know much about container security? I'm like, oh, actually not really. That wasn't something that I had focused on up until that point, and they decided to make the interview all about it because I was like, yeah, why not? Let's chat and see where it leads my ability to sort of reason with the information that was being presented, but also admit I haven't learned about that, but that's something that I could surely learn about. It made a much more positive experience, and it showed that I'm willing to learn, listen, take on feedback back and forth. And I think that's one of the reasons that they hired me as well.

Gordon Draper (23:20):
I think that's very good advice because to someone starting out that you're heading into cybersecurity, that's going into job interviews, be accessible. Do not just simply say, I don't know, and then clam up. Unfortunately, that happens to me. It happens to a few people, but it's being able to admit that you don't know something and then follow up with, but I know how to find out.

Yianna Paris (23:42):
Totally. And that's one of my mentors really showed me that your ability to find information, my ability to be able to find the right information and then present that back. That was the biggest thing that has helped me succeed this far. And one of the things that I have seen that are super awkward in meetings is when someone tries to double down on something they don't know about and it's awkward for everyone, it doesn't look good. And it would've been way better if they were just like, yeah, not sure about that, but I'll let you know tomorrow once I give myself the evening to read about it.

Gordon Draper (24:17):
I've had to use a few times. It's like it's okay to say you don't know.

Yianna Paris (24:21):
Yeah, exactly.

Gordon Draper (24:22):
Just to let people out of the stopgap solution that they're trying to dig a hole in.

Yianna Paris (24:26):
And this goes back to the trouble with hiring is the ego. Sometimes it gets the better of people. They just don't want to be embarrassed by something, but we're all human. It's okay.

Gordon Draper (24:39):
That's good advice. We were actually going into a question about what advice would you give to someone starting out in cybersecurity?

Yianna Paris (24:46):
Yeah, so definitely, yeah, I don't know, but also it's overwhelming security. There is so much to do with it in so many different domains and fields that you cannot wrap your head around it. Even for me, I was told, don't try to learn everything you're going to want to, and trust me, I tried. But it leads to burnout really, really quickly. You don't have to work 18 hours a day to be brilliant. You don't have to work over time like weekends to be able to do something really well. When I think back to my degree, I had a strategy for when I did exams because we had all these exams and assignments that were all packed into a really short amount of time, so there's tonnes of deadlines, super stressful, burned me out constantly until I started taking a step back, going out for walks, not thinking about my studies at all, intentionally sleeping.

Yianna Paris (25:36):
So sometimes I'd have naps in the middle of the day and just refresh my brain a little bit, and that helped me way more because suddenly I wasn't drowning in all this information that no longer made sense. I was able to clear my mind and then I had way better problem solving skills after that. That's not something that I would've had if I just let myself dig deeper and deeper into the hole. And I think security is exactly the same even now. There's tonnes I want to learn about, and I only have so many hours in the day, and I like going for a bike ride. I like going out into the city and meeting up with friends and having lunch. If I was just studying, I wouldn't be able to get any of that.

Gordon Draper (26:14):
Cybersecurity is a marathon, not a sprint, like your working career in general, but cybersecurity just has a learning curve that takes a long time and years before you get to the point where you're like, ah, I actually know enough now to be able to have confidence in what I'm doing and be able to pass that on to other people. That's some really good advice for people starting out. What underrated tools or frameworks are indispensable for your job?

Yianna Paris (26:40):
So I'm going to go a little bit out of left field here, and I'm going to talk about some of the tools that I love to use that I think are super underrated. So Jupyter Notebooks, they're gaining more popularity now, but when I did my data analysis and data science courses many years ago, I realised this is such a strong tool. I've got my runtime environment here. I can have documentation in here. I can have full reports and data analysis of things that I didn't even dream of because before I was using a lot of text documents to write all my notes and not able to fit those all together. So Jupyter Notebooks for short, if you can find a way to use it, use it. At the moment, I'm using it for recon, so I have a lot of scripts that are automated to kick them off, find some information that I know I will usually find, and I'll still do my manual search in parallel with that as well.

Yianna Paris (27:31):
It also does some data analysis for me with some predefined things that I've set up, but I'll also draw some of that in a manual way so that I can pick out the things that maybe my scripts missed. The next one would be Obsidian. So for markdown documents, it actually is a really powerful tool. So I use this for all my note taking. I like it because I can have my really nicely formatted things that can be hosted online such as GitHub. I have a GitHub repo of all my Obsidian notebooks. And in there I can also in the actual Obsidian software, see a graph of everything I've tagged with particular words and see how they link up to my whole knowledge base. So I can see super concentrated areas of knowledge and maybe gaps in my knowledge as well. So I know, oh, okay, I need to write or find a bit more documentation in these areas because I have a gap there.

Yianna Paris (28:27):
So for example, I have my methodologies in there about maybe how I do web reconnaissance. I'm learning embedded software and hardware hacking at the moment, so I have a whole new section all about that. I link out to my documentation and courses there as well. It's a super great tool to use. I also use Miro, which is a diagramming and whiteboard tool, and I find this is a really nice way to get lots of people brainstorming together. We do threat modelling in here. We create architecture diagrams or diagrams of things so people understand what we're talking about, and then we start to talk about threats and what the risk is to our systems or whatever it might be.

Gordon Draper (29:07):
Impressed by the Obsidian Markdown notebook and quite strong in their connective capabilities and being able to, you mentioned identify potentially gaps in where you don't have the documentation potentially if you're treating it as a knowledge store where you can improve, that's pretty strong.

Yianna Paris (29:24):
Yeah, you should definitely give it a go if you haven't yet.

Gordon Draper (29:28):
Moving to books and movies, what's the last hacker or cybersecurity movie that you've seen?

Yianna Paris (29:34):
So this might be a bit of a cliche, but when I first joined a security team, people were making comments to things and references to things that I just could not understand. One of those was to the Hackers movie, yes. Shock. I didn't watch that when I was younger. And the last one that I watched was War Games, which I loved. I thought that was such a funny, fun, but also kind of real concept. I could totally see that happening and I want to see that happen. No, actually, I don't want to see that happen.

Gordon Draper (30:04):
Yeah. Yeah. I remember hearing a story that Reagan stole the film and then went to his chief of military and basically said, look, can this actually happen? I guess that can happen. All right. We need to bring in some things such as the Computer Fraud and Abuse Act, which I think came in shortly after that.

Yianna Paris (30:23):
I like that you bring this up because it sort of shows the sort of connection to how we depict things in our sci-fi films, for example. So I did a lot of work in augmented reality and virtual reality and the things that we sort of described in movies even 20 years ago. We start to see that design influence us here and now. Whenever I see a transparent video screen, like computer screen, I'm like, oh my God, that would be terrible to use, the resolution on that and being able to see everything behind it. But we're trying to do that with augmented reality. You can pin things around yourself, and it's just YouTube hanging on one side and a digital lamp hanging on the right hand side. I think that's super cool to see that connection between our fiction and our real world.

Gordon Draper (31:11):
So what do you think of the new Apple augmented reality headset?

Yianna Paris (31:16):
I haven't tried it myself. No, neither have I. Want to though. I did see a really fun meme, I think all like a comic strip that was, you've put this on, you're looking at your bank account and your bank account is basically like minus $4,000, and it's like the person just crying in real life because yeah, I thought that was funny.

Gordon Draper (31:34):
Yes, equipment is expensive. Oh,

Yianna Paris (31:36):
Yes.

Gordon Draper (31:38):
If you could live anywhere in the world, where would it be?

Yianna Paris (31:42):
I would live in Iceland. I love Iceland so much. I love the people there. I love the country. I really connect with the environment. I think that it's just super unique kind of being battle tested for that weather as well. The weather can change super quickly. It can be super windy. You can have ice storms, it can snow. I've driven through blizzards there, but also you could be climbing volcanoes that are still active and then find some amazing restaurants in the middle of Reykjavik, the city there. So I just think, yeah, I feel at home and at peace when I'm there.

Gordon Draper (32:17):
Very interesting. Very changing, very explosive potentially. Obviously, there's been a few volcanoes over the years. Sounds like a very nice, very interesting environment.

Yianna Paris (32:28):
I like that you said, chaotic my brain all the time. So to live in an environment like that totally suits me.

Gordon Draper (32:35):
So Chaotic Good then? 

Yianna Paris (32:37):
Yeah, absolutely, always.

Gordon Draper (32:39):
What are three cybersecurity books you would recommend?

Yianna Paris (32:43):
Yeah, this is a hard question because there's always the classics that people will go to that teach you about maybe web hacking. And one of the more recent ones that I went through and have been recommending and actually gave away the book to a few people was Bug Bounty Bootcamp by Vickie Li. It takes you through a really nice methodology. It gives you an overview of tools. If you're new to bug hunting, web hacking, anything like that, I would really recommend this book. The second one is Threat Modeling: Designing for Security by Adam Shostack. I use Shostack's four questions for threat modelling quite a lot. The way he thinks about things really resonates with me, and I've been able to adapt that in a lot of situations. And this is also a book that I've bought for clients and for other people because I just think here, if you don't know anything about threat modelling or how it can be incorporated, read this for some inspiration, think about it, and then maybe put it into one of your processes.

Yianna Paris (33:41):
It doesn't need to be done one particular way. We all threat model in different ways. And so this is a really good one. And the third one, which I was recommended like many years ago by Pam, she was Deep Work by Cal Newport. So it's not specifically cybersecurity, but I bring it up because I think it will really help you with focus and learning. So for me, I'm ADHD, I struggle to focus. I need to find my own ways to do that. And this was a book that put things in perspective. So it's not going to give you a prescriptive way of how to do things. It will tell you some stories about different people and how they get into their deep work and their focus, and you can think about that for yourself and see where you might be able to fit that into your own life.

Gordon Draper (34:24):
Just wrapping up, where can we find you online? Where can listeners find you online?

Yianna Paris (34:29):
So I've kind of reduced the amount of output and input I guess I have online, but you can definitely find me on GitHub. It's a EOF, N-E-K-O-S-O-F-T. You can find some repos there. You can follow me, share your repos with me. I want to see what tools or documentation you're creating, that would be really cool. And also on LinkedIn, I'm always open to connect and chat with people, so you can look for me, Yianna P or Salter Hash.

Gordon Draper (34:55):
Well, thank you very much for sharing your time today and being able to express what you may be able to provide some assistance to people starting out in cybersecurity and what life looks like for a cybersecurity consultant working at Zea. So thank you very much for sharing your time today. We're looking forward to Vegas.

Yianna Paris (35:15):
Thank you for having me. I can't wait to party. Oh, and learn a lot of stuff, of course.

Gordon Draper (35:21):
As we conclude this episode of the Cyber Consulting Room podcast, I extend sincere gratitude to our wonderful guest, Yianna Paris, for generously sharing her insights and experiences in the dynamic world of cybersecurity. Yianna's unique journey, from breaking video games as a child to becoming a distinguished cybersecurity professional, has undoubtedly left a lasting impression on our listeners. We're immensely grateful for the depth of knowledge and wisdom she brought to the table, from addressing challenges in hiring consultants to dispelling common myths about the industry. To our dedicated listeners, thank you for tuning in and being a vital part of our engaged community. If you've found today's episode as enlightening as we did, don't forget to subscribe, rate and share the Cyber Consulting Room podcast. Your continued support fuels our mission to provide valuable insights and perspectives in the ever evolving landscape of cybersecurity and consulting. Stay tuned for more enriching conversations, and until next time, stay cyber aware and keep consulting.

