Kickstarting Your Digital Forensics Cybersecurity Career

Si Biles: Welcome, friends and enemies, to the Forensic Focus podcast. We have joining us today Sophie Powell. I spoke with Sophie recently along with Rob Black and Sarah Morris about Cyber 9/12, but Sophie is coming back to join us again. We’ve got a heads-up that you recently spoke on a TryHackMe: Kickstart Your Career webinar, so we’re going to be cross examining you about that later, which you are totally unprepared for, which will be funny.

Sophie Powell: Sorry, that’s actually next.

Si Biles: That’s after this.

Sophie Powell: Yeah, I literally come out of this podcast into the next.

Si Biles: When does that start? Time-wise from here…

Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.

Sophie Powell: It starts at 5:00 in American time, so 10:00 in our time.

Alex Desmond: Oh, correct.

Si Biles: 10:00 in our time. So do you want to do a run through of what you’re going to tell them? And then we’ll try and put them to the person [inaudible 00:01:06].

Sophie Powell: Yeah, I can tell you what I’m going to tell them anyway.

Si Biles: Excellent stuff.

And poor Desi is up at the crack of dawn there, 6:07, judging by the clock on his back, and he hasn’t even had a cup of coffee yet, so this will be good.

Alex Desmond: Yeah.

Si Biles: So there we go. So fantastic. I think… We didn’t get to do a podcast towards the end of last year, Desi. You and I wanted to do a Christmas special and then for various assorted reasons like you being in the UK.

Alex Desmond: I was going to say laziness is probably the more accurate one of us not doing it.

Si Biles: I’d like to think that it was more scheduling things on our part, but actually you might be right. I might be lazy.

Alex Desmond: I honestly think that because we do a lot of podcasts where we finish, we say goodbye to the guests, and then we sit on this for another hour anyway, and we should just record it.

Si Biles: Yeah.

Alex Desmond: Because we could pull single episodes out of all of that, but yeah, we just sit around and talk shit.

Si Biles: Yeah.

Sophie Powell: You could have a bloopers [inaudible 00:02:12].

Alex Desmond: Oh, that’s the actual podcast. Yeah, we don’t need a separate one for that. Si and I make a lot of bloopers during the podcast itself.

Si Biles: Yes, this is good.

Sophie Powell: I’ve seen a couple. I think I did a couple myself last time as well.

Si Biles: It’s quite fun. I was going to say, this is going… If you’re a regular listener, please be aware there may be very little forensic content in this podcast. But yeah, we both have lives, we both have jobs, we both have ideas, and we chat about these. Desi has his own podcast as well and we’ll pick it up here for a second. And the Hardly Adequate podcast is absolutely brilliant and well worth listen to. And recently his YouTube channel on sweaty Cyber advice has taken off.

Alex Desmond: Yeah, I’ve been pretty happy with how that’s been going so far. So it’s all YouTube shorts, so it’s all less than a minute content, but it’s all just kind of general advice for career or Cyber or random thoughts that pop into my head while I’m in the gym, which is usually a lot of weird stuff and I have to edit a lot of it.

Si Biles: Yeah, no, that’s totally understandable. To be fair, when you are busy trying not to drop something on your head or on your foot, the thoughts that are going through your head are generally more personal [inaudible 00:03:37].

Alex Desmond: Or just as people do, because I just saw your video that you posted up on my Discord, deadlifting a car, apparently, is what you need to think about rather than giving out advice.

Si Biles: Yeah, that was today’s gym session. We run a strongman competition every year in the town I live in, and this year, we’ve decided to push the bows out a little, so we have some very interesting equipment turning up. And one of these pieces of equipment is a car deadlift frame. It arrived yesterday and I went to the gym today with my PT and it was like, “Right. Okay, so we don’t know how this works. Do you want to try lifting a car?” I was like, “Okay, why not? Let’s do that for a starting point today.”

So yeah, I’ve lifted a car today.

Alex Desmond: The interesting thing, what kind of car were you deadlifting? Oh, you did it. I just watched your video. You managed to do it. Two reps.

Sophie Powell: I got to see this video.

Alex Desmond: Three reps.

Sophie Powell: I was going to say, this could be a brilliant next X post of you moving cars out the way from two [inaudible 00:04:43] Cyber 9/12 BT Tower.

Si Biles: Well, hang on.

Alex Desmond: I thought this was going to be one rep, but people are giving you shit, I can see that. Oh, you went for pride. So what does the weight end up being? Can you calculate it? Does it give you…

Si Biles: I did some maths on this, and actually it’s not that heavy. I think it’s somewhere… And it’s hard to tell because the curb weight of that car, which is [inaudible 00:05:21] is about 1.1 tons, so 1,100 kilos. When the frame is 60 kilos, but a lot of the weight is in the engine. So that sits above the front wheels, which you’re pivoting over. So that’s, you’re not lifting 1,100 kilos by essentially imagination. I did some sort of eye-level mathematics on it and I reckon it’s somewhere between 170 and 200 kilos to lift.

Alex Desmond: Okay, so like a standard, not deadlift, yeah.

Si Biles: But it’s a standard deadlift.

Alex Desmond: Yeah. Okay.

Sophie Powell: Emphasis on not insignificant. I was proud of my 70 until I came there. I couldn’t even get out of the frame.

Alex Desmond: I would still be proud of that. This is a plug. Anyone that wants to join my Discord server, come along, because I have a fitness channel and this is where all size stuff goes, so feel free to come along.

Sophie Powell: I’ve got to join Discord server. I’ve been missing out.

Alex Desmond: Yeah, jump on to-

Si Biles: [inaudible 00:06:29]

Alex Desmond: Yeah, and join, find the invite link there. But yeah, we’ll post it in the show notes.

Sophie Powell: I think the best ideas come to you in the gym though. I was watching the Forensic Focus podcast in there last night on the treadmill, getting ready for today, thinking like, “Let me get ready, yeah,” and thinking about what I had to say. So I think the gym’s a good place to think and do that type of thing.

Si Biles: I’ll be honest, the reason I started going, well actually no, the reason I started going to the gym was because I was horrifically unfit and it wasn’t good for me. But I find it… So I do two things, and I know that we sort of touched on mental health aspects of things, and especially in the digital forensic side of stuff where we deal with some things that are incredibly unpleasant, which is [inaudible 00:07:26] so, it is what it is.Occasionally it does good to be able to practice something… It’s referred to as mindfulness, often, whereby you are focusing and concentrating on something else.

Now I do two things. One is I am a photographer, I take photographs and the idea of attempting to get a composition is all encompassing. You’re trying to get a shot, you’re trying to get the camera settings to work, you’re trying to line it up, frame it properly, capture the moment, and all of this. So it is a very mindful exercise that helps you to maintain your mental health.

The other one is I go to the gym and I lift heavy things because there’s very little else you can think about when you are busy trying to lift a car. You can only really think about trying to lift a car. So whatever else you’ve dealt with in the day is something that you can put aside, and I personally find a hugely helpful mental health tool to maintain it.

And the other thing is we work in an industry which is very sedentary. We sit at a desk all day, we sit still.

Sophie Powell: Yeah.

Si Biles: So getting out and moving, you will never catch me on the treadmill listening to any podcast.

Sophie Powell: I started on gym again recently just because I’ve moved. And it makes a difference, especially when you’re remote working because I feel like the only reason I go on the treadmill is I just sprint because I have so much pent-up energy. I need to just get out. And then you sit there and only it’s suddenly empty, and there’s nothing to think, nothing to do. You can’t breathe. So you try to breathe first and then you can get your thoughts back after. And it’s quite nice, in a way.

Si Biles: Yeah.

Sophie Powell: Yeah, good for mind [inaudible 00:09:11].

Si Biles: Exactly that.

Alex Desmond: Do we want to talk about career stuff now? That’s kind like what we…

Si Biles: [inaudible 00:09:16].

Alex Desmond: Yeah, I think that’s the main point. So let’s do that and then I’m sure we’ll tangent into something else again afterwards. But maybe, Sophie, if you want to give us all the good information from the TryHackMe webinar so that we can steal all their audience…

Sophie Powell: Of course. So TryHackMe [inaudible 00:09:38] for a while, so they were brilliant in… They’ve given us lots of prizes for different events for some women groups, and getting to know them, they invited me onto the panel, which is about kickstarting your career, so I know a lot about that, considering I’ve basically just done it. So I did myself have quite a interesting road in… Well I struggled with the normal graduate scheme roles based on the fact that I found myself getting knocked out in pretty much every single gamified assessment that there was because I couldn’t quite get the right balance between how much risk you should take and what little risk you should take versus what the company were looking for. It just wasn’t adding up for me.

And then the interviews-

Si Biles: Let me just interrupt briefly and say this lady has a first degree in Cyber security from one of the Russell Group universities in the UK. So the equivalent of the Ivy League in the US is our Russell Group. So it’s not like she’s short of some things going on up top. And I think you and I have talked about this previously, about the fact that gamified assessments are not necessarily a good way of finding staff.

Sophie Powell: I could talk [inaudible 00:10:58] about why gamified assessments are just a generally bad idea. It’s a very nice, easy way for them to file out applicants, yes, but there’s never a right answer. And one of them, I was sat there for a minute, “How many times can you hit a spacebar?”

And I was like, “Well, now I’ve just got hurt thinking that.”

Si Biles: That was a test for your job?

Sophie Powell: Yes.

Alex Desmond: That was a question.

Sophie Powell: How many times can you hit a spacebar in a minute? And you physically had to sit there and just hammer your spacebar for a minute. And then you’ve got a score.

Si Biles: I’m feeling that it wouldn’t be wrong to call out this employer as [inaudible 00:11:35]

Sophie Powell: It’s most of them.

Alex Desmond: No, but it’s probably… So this is the problem, right? When you said gamified, because seen some, and I honestly think some gamified’s really good if you’re going for a technical role. This is another thing within the industry I think is that Cybersecurity, while there are entry-level jobs and you can teach people things, and I’ve spoken about it on my podcast, is that, in general, it’s kind of not Cyber security because there’s so much free information out there to get yourself a leg up over the competition within the industry. So gamified can be really good if it’s practical for whatever job you’re going for, if it’s just a general job. But the companies themselves are just paying a third party to create these training systems, and those companies have no Cyber people in them and have no… They’re just like, “Oh, we’re just going to create games based on computers,” by the sounds of it. That’s the first time I’ve heard that kind of question in a survey.

Sophie Powell: Yeah. So I’ll give you a little bit of an overview. So basically the reason that I had an issue with them is you did your application, you do your CV, you did your cover letter, and then you immediately got put through to this gamified assessment where some people started getting filed out. But it wasn’t gamified assessments where you are doing stuff related to Cyber. So I think one of them was you had a pound. And then you had to either press the up arrow or the down arrow, and it would go up or down. And then if you press a down arrow and you’ve got an extra pound, are you going to press it again or are you going to take the risk and go up to see if your decision’s going to change?

Alex Desmond: That’s so dumb. Yeah.

Sophie Powell: Does that make sense?

Alex Desmond: Yeah, that’s so dumb though.

Sophie Powell: So it’s stuff like that where I’m like… Actually all you are seeing here is a panicked student from another end not really knowing what you are looking for other than, “Do I take the risk,” and pressing down. “Or do I just press up and get on with it?”

And I’d sit there and I’m like, “Okay, fair enough.” They were Cyber-related if you were giving me Cyber questions to do, or even like a piece of code to write that could be tested against some AI-generated thing that could then file us out on something that is remotely skill-based.

Alex Desmond: Do you know who the… Not the companies that you’re applying for, but do you know the company that was running these? Because it just sounds ridiculous.

Sophie Powell: It is. Off the top of my head, I can’t remember the company itself because you just click on them and you go through, but it’s not uncommon practice to see that in graduate schemes anymore. A lot of them that we saw, you either went straight to the video interviews or you go straight to the gamified assessments depending on how many applicants they had.

Alex Desmond: So I’d be interested for anyone-

Si Biles: Do you get Black Mirror in Australia? Because this sounds [inaudible 00:14:26]

Alex Desmond: Yeah, that’s what it sounds like. I was going to say, and I’ll reach out to my network, but if anyone’s listening from Australia, let us know if, in the comments or send me an email or something, if you’ve seen this anywhere else, because this is very interesting. I don’t see this in Australia because I know a lot of people that interview for graduate roles and some of them do have gamified learning, but it’s very targeted. It’s not…

Sophie Powell: Yeah.

Alex Desmond: Like no one seems to be using… Even big four companies which kind of just use whatever, I haven’t seen that in Australia.

Sophie Powell: Yeah, I would never have an issue if it was based around Cyber. If we were doing something that use skills I would need in that job to pull out if it’s gamified or not. But it’s more… They’re clearly testing how risky a person you are, your reaction times, bits like that which it seems a little out of place for a graduate scheme in Cyber, especially when we’ve got all of these technologies that really could test all things.

Alex Desmond: Yeah.

Si Biles: It sounds a lot like the snake oil salesman of some testing company turning up and going, “I can deliver you a candidate who will work harder to press a button, who will be less risk-averse when making a decision.”

First of all a, it’s a load of bollocks.

Alex Desmond: Yeah.

Si Biles: There’s nothing that you can judge by how fast you can press a spacebar except perhaps whether you spend a lot of time on video games or not. It’s hardly a character judgment or anything of the sort.

Alex Desmond: Although, if they’re not doing this in Australia, there’s a gap in the market and welcome to the highly adequate gamified interview testing done by me. Each company can pay 50K to have access to my platform and that’ll be my new job.

Si Biles: And we will tell them how fast their pressing space pass. Yeah, [inaudible 00:16:23].

So anyway, sorry.

Sophie Powell: No, it’s okay. It was just one of those things that I did not see coming when I started applying for jobs.

Alex Desmond: That’s nuts.

Sophie Powell: We saw, “Oh, gamified assessment section,” and we were like, “Oh, this would be fun. Gamified assessment, I don’t have to do an interview. And then you get hit with that, and it’s all fun games because you’re not really using your brain, you’re reacting based on what is initiative to you, what comes first? And then you sit there and you think, “How am I being judged on that? Have I been too risky? Have I been too nice?” But that’s a whole other ballpark really. And then you get your video interviews, which, yeah, they’re intense as well.

Si Biles: I was going to say cue the next level of this, it will be Squid Game for interviews. It’ll be how willing are you to push somebody off a cliff in order to get the job?

Sophie Powell: Yeah, I don’t think… The interview side of things, the recorded videos I think are the closest things we’re ever going to get to interviews where you’re doing it online and you can’t physically have someone talk to you. So again, didn’t see it coming though because when we went to the graduate scheme, we just assumed we’d all be called for interviews and team schools. We never even considered the fact that it might be a video-recorded self assessment, which was another.

Alex Desmond: So I’ve definitely done those before and they’re the worst. It’s so off-putting talking to the camera.

Sophie Powell: Yes, those ones.

Si Biles: I’ve heard a rumor that those aren’t being judged by human beings anymore. They’re being fed into a machine learning algorithm that pixies looks for your keywords and looks for other aspects of it, which we all know how good machine learning is. So that’s obviously another great way to hire staff. I would say, I have the advantage of being infinitely older than both of you, and therefore, I have never seen any of this.

Sophie Powell: It is. Go for a grad role, Si. Go and apply and see how you do.

Si Biles: I’m not qualified, I don’t have a cyber degree. I want to get in.

Alex Desmond: Yeah.

Si Biles: [inaudible 00:18:44] me in the first cut.

Alex Desmond: That’s the funny thing as well when you think about it. A good litmus test is if you put someone who is in the industry already through one of these tests, will they get through and get a graduate role as with the skill set that they have now? I think if companies answer that question and it’s no, then it’s a bad test.

Si Biles: Yeah, absolutely. I remember one interview I did, well, it wasn’t an interview, I didn’t even get to the interview stage and I was talking to a recruitment agent and this is a fair few years ago, and he was like, “Do you have an MCSE, so a Microsoft Certified Systems Engineer qualification?”

I was like, “No, I wrote the course material for it, but I don’t have one of those qualifications,” because you can’t have the job. I was like, “Well, hang on… What exactly are you looking for here?”

Alex Desmond: But I wrote it.

Sophie Powell: Yeah.

Si Biles: So yeah, it is truly an insane way of trying to hire people.

Alex Desmond: Yeah.

Sophie Powell: It is.

Si Biles: But we interrupted you.

Sophie Powell: No, sorry. I do sit here and I’m being a bit hypocritical, because if I was a big company and I put out grad role and you can get thousands of grads applying to this, how would you go about starting to bring them down without using excessive manpower and checking everything on CDs, because it’s not unrealistic to expect people maybe [inaudible 00:20:09]?

Alex Desmond: I would say mine, and this is based on my conversations with other people as well, but have key qualifications really low because a grad role, so you don’t have many requirements to come in. If you want the degree, sure, like that must-have degree, whatever.

And then preferred qualifications, if you’re getting thousands, just have a list of easy, preferred qualifications that could be like know a programming language, like the basics of, or I’m purely thinking technical role here. But have a few things that are free that people can go and do. And then that way, because what I’m saying with it’s not quite entry-level. Like if people really want jobs, they’ll do a little bit of those, their own research. And then at least that thins the herd a little bit because it shows motivation for people really wanting the job.

But then realistically after that, I’ve got friends who, they dread it, but they look through hundreds of applications and it’s kind of the only way to do it well is have a human eyeball those applications and then pick out the ones that they want to interview.

Si Biles: There was a colleague that I worked with at Warwick who filtered the applications for the degrees because it’s the same actual levels of things. You get hundreds of applications for a handful of places on a degree course. And Peter, who Sophie is very fond of, Peter, had a very basic fundamental thing was that you must deliver your application in this format of this many bytes, when it was this many bytes long, this format, and it had to have this title for the document title.

Sophie Powell: Yeah, exactly.

Si Biles: And if you mess that up, you were binned immediately. And actually, it just showed it thinned the-

Alex Desmond: Attention to detail.

Si Biles: … crowd by about 50% just on attention to detail. And that is actually just a fundamental thing. If you applying to every grad scheme, you are not going to be doing this kind of thing. If you really want to work for a company, you’re going to put in the effort to look at these little details. And the other thing is that if you’re actually putting stuff in, and I’m sure that you sent your CV over, which was probably one of the things, but you probably also filled out a 50-page form online that has asked you a whole bunch of other specific questions about yourself. And you’re right, you can weight it. It’s like, “Yeah, okay, so yes. Do you have a degree? Yes/no? Do you have experience of Python and/or C and/or Assembly Language or whatever?”

And then you can say, “Okay, have you entered any competitions while you’re at university? What are your other hobbies?” And you can start to weight these things that if you happen to have a life outside of university and compete or do things in the cyber society or start a cyber women group or something like that. You should get extra points for passion for your industry. And that’s not hard to do in an automated way. It’s something that you can easily program something to look at and start to assign points on. And then yeah, you can’t cull bottom third again and start looking. But to start that culling on the basis of how many times you can press a space bar, it’s ridiculous.

Sophie Powell: Yeah, tell me about it. The problem is then you have grads who are just fighting for a space at this point. It goes from being well enough to think, “Oh, I’d like to work in this specific area in this specific role,” to very quickly realizing you have to go for every single role that is being advertised to even get a chance of possibly getting an interview at one because you’re getting filed out so quickly and there’s so much competition.

So I do feel for grads, and I got so lucky with how I ended up with mine that… And I know people that went through the schemes, and some of them went for one, and they got it straight away, and they were just the perfect fit. Everything worked in their favor. And I know people who have been applying for over a year and a half on graduate schemes, and they have still got nowhere. So it’s really difficult. It’s a really difficult experience.

Si Biles: Now a loaded question that is not necessarily one to answer for you, but graduate schemes are fine and they’re cool. But the people actually applying for jobs as, not jobs [inaudible 00:24:40], graduate scheme isn’t a job. It’s a job. But just like ordinary advertised jobs, are they only looking for graduate schemes?

Sophie Powell: I think generally because of this, there’s a whole thing going around at the minute with the entry level being two to three years. So a lot of the junior roles now the people are advertising. So junior or maybe entry level, what people are calling, are asking for two to three years experience, which is difficult to me because they’re going to follow you out as soon as you see that you’ve not even graduated from university yet if you’re applying in January because you won’t have the experience.

Some people did. So some people may have taken the gap year before university and done that, so they would be absolutely fine. For the people who have done college or six form university and then going straight out to a job immediately, probably not going to be considered, so where do you spend your time, if that makes sense? So I would naturally spent my time on the graduate roles where I didn’t need the experience beforehand to be considered. That’s my personal experience. Other people would’ve done other things

Alex Desmond: In the UK, are the graduate roles that you’re seeing at the moment, are they requiring a specific cybersecurity degree? And where are the graduate roles? What kind of companies are they going into? Are they like the big four, big consulting? Is there smaller companies that are doing graduate or is it mainly those ones?

Sophie Powell: So generally, the pattern that I saw, and again this is very subject to opinion, is you have the big four and the corporates and the big ones that you automatically will go for and just put your name in to see how far you get. And then you have the smaller companies that do do them, but you do have to dig a bit harder for them to find them. So where I’ve ended up, I thought they’re not the biggest company in the world, were only about 130 people, but they happened to be starting their graduate scheme on the year I was going through, and their recruiter reached out to me to ask a couple of questions. We got talking from there.

So I didn’t actively go out and find that one. That one found me, which I’m very lucky to have. So yeah, I think there’s… Graduate schemes are becoming more popular because people are starting to realize the benefits of having a graduate jump around your company, do the bits and pieces that pick up on the things that maybe they aren’t doing or could be doing better, start to bring in newer, fresher ideas, and kind of creative out-of-the-box, things that maybe they hadn’t considered before. And it’s definitely becoming more popular, I think, but it’s still got a little world to go in terms of… Yeah.

Alex Desmond: And sorry, I missed that. So are they requiring degrees, like specific cybersecurity degrees?

Sophie Powell: Not massively.

Alex Desmond: Okay. So they’re still not requiring a degree to apply?

Sophie Powell: STEM degrees, they like. So obviously apprenticeships are going to be here as well.

Alex Desmond: So they’re like preferred.

Sophie Powell: But you’ve got to have some-

Si Biles: Yeah, I was going to say on the apprenticeship front, my son told me just before this recording, actually, he pointed out that it’s actually National Apprenticeship Week this week in the UK.

Sophie Powell: It is.

Si Biles: He has an apprenticeship, he finishes it this year, and will come out as a chartered town planner. He’s got a Master’s degree in the chartered town planner qualification out of Southbank University in London while working, while not building up any debt, while doing very well for himself and having a job and like that. And the idea, I’m a big fan of apprenticeships because certainly the ones that I’ve been involved in and I worked for delivering an apprenticeship into one of the government agencies in the UK, he says very carefully choosing his words. And you are choosing people and then bringing them up to what you want them to be in your business effectively.

Sophie Powell: Yeah, exactly that.

Si Biles: And that’s a fantastic way to go because you are getting a lovely, fresh, blank, enthusiastic canvas who isn’t building up thousands of pounds of university debt, which is actually a really big issue in the UK. I don’t know what it’s like in Australia, Desi. How is education funded there? If you are doing a degree, are you building up huge amounts of student debt or is it a bit better funded?

Alex Desmond: You do, and it was essentially interest-free other than you paid like an index every year. But now, with the rise of… Like it’s tied to the rates, I think. So I never researched it because I managed to pay mine off before the economy went to shit again.

But then the other side of it is the government changed the contributions. So you accrue… What it’s called is HECS, so H-E-C-S, which is Higher Education Compensation Scheme, I forget what the C stands for. But you accrue HECS-based per subject and it depends on where it sits within like whether it’s STEM, arts, whatever. So before, it used to just be pretty standard across the board. You would pay more if the course needed more resources, so if you were doing a practical subject that consumed stuff, your course would cost you more. But if you did a course that didn’t, so like philosophy, it would be slightly cheaper.

But then the government tried to change the whole scheme to make it so that it was trying to fill shortages in job roles. So obviously education, engineering got discounts whereas arts got more expensive, which personally, I don’t think was a good idea. I don’t know. The government’s seeing the balance sheet that way, but it didn’t change anyone’s preference because they just accrued more HECS debt because it wasn’t seen as a loan, it was seen as this debt. But then realistically, earning potential for an engineer versus an art student on average is much higher for the engineer.

So realistically, if they wanted more money, people were still going to do engineering. They should have just put up the cost of engineering. And I’m saying that as doing an engineering degree. So I don’t know, that was kind of [inaudible 00:31:20] but that’s where it is currently, I think.

Si Biles: I was crying the other day because there was an article pushed out in the UK about the least valuable degrees to have because the earning potential was so poor and absolute confession time. I have a photography degree, I got it during lockdown, I got it during COVID, but apparently that’s the worst degree that you can have in terms of earning potential, so I was slightly miffed at that. But anyway…

Sophie Powell: I logged into my student finance account the other day and I will never ever be logging in ever again until that number is back down to zero. Oh, my gosh! The way that accrues and you don’t even see it.

Alex Desmond: Yeah.

Sophie Powell: Never again.

Alex Desmond: Yeah, it’s depressing. I was so happy when I paid mine off. I was like… Especially because it’s government-controlled. It’s the same as… I don’t know whether you guys have the similar thing over there, but super. Essentially it’s your forced retirement fund. It’s like a 401k in the US equivalent.

Si Biles: Yeah, we kind of do. It’s called national insurance. And it’s basically worth shit.

Alex Desmond: Yeah, it’s the same over here. Again, it’s like money that you’re putting away that is yours, but the government essentially controls it and what they’ve done recently is they keep upping the retirement age. So it’s like it keeps pushing it later for when you can access those funds. Yeah, it’s like anything that’s government-controlled, I’m like, “Eh…”

If it’s a debt, I would have paid it off quickly, because if they change the rules and make it interest-based, then you’re kind of screwed.

Si Biles: I’m going to say, if there’s one thing we can give the young people starting in the career to take away from this podcast, it’s start your pension as soon as you can because compound interest is definitely on your side and the British government will do bugger-all for you in terms of your retirement, so make the most of whatever your company is offering you.

Alex Desmond: Yeah.

Si Biles: So yeah. [inaudible 00:33:32]. There we go.

Alex Desmond: Not that we’re financial advisers, and definitely seek your own advice. But in general, anything with compound interests is a pretty good idea.

Si Biles: Back to employment again. So yeah, you are now gainfully employed. But as a graduate, how are you finding the graduate scheme?

Sophie Powell: So I really actually enjoy it. When I started, I finished the cybersecurity degree. And I kind of sat there and I was like, “I still don’t quite know what I want here.”

So I remember talking to you, Si< about some of the applications that I went through, and wording, and bits like that. I’m sure you read a few of my cover letters before they went off. And I was writing the cover letters, still thinking, “I’m still not sure if I want to go here,” and spend my time in this one specific role in cybersecurity. So the benefit of mine is the rotational side. So I rotate around four different departments. So I get to see Red Team, Blue Team, Consulting, and GRC, which is where I am now, which is absolutely excellent because it’s meaning I’m getting little bits of experience where I am. And it’s seeing where my skillset’s best.

So I think, if you guys haven’t already guessed, quite good at talking, quite like talking, probably talk to a brick wall if someone put me up to it, client-facing will probably be something that would benefit me well, so it is kind of finding that side and where I’ll sit. And if I go out to companies and go and help them and I have a bit more of a standardized role and kind of do something within a company itself, it’s kind of that so I’m really enjoying it. It’s good fun so far.

Si Biles: So have you done a full set of rotation yet or are you still waiting for one or two?

Sophie Powell: I’ve done the team, so I went into the pen-testing team and they were lovely. And pen-testing and technical, while you do CTFs, pen-testing a company is a completely different story because you can’t do all the stuff you do. So naturally, within Red-teaming, what I found when I did CTS is you have to try and hide yourself on the network, which you absolutely cannot do there. So that was a bit of a shock to the system of watching people and going, “Ooh, can’t do that here.” So that was actually quite probably good practical experience. And then I’m currently just finishing my rotation in GRC, so auditing and chasing people around Francis and all of that jazz type thing.

Si Biles: How have you found GRC? I reckon you will have enjoyed it, but I might be wrong.

Sophie Powell: So I enjoyed it to an ex… There was an extent to which I think, so I did the internal GRC. So it meant I got to meet a lot of different people in the company, which I really enjoyed. So again, chatting to people, kind of understanding that a bigger oversight of how the company runs, which was really good.

Generally, I think there’s a lot of decisions to be made by quite a lot of people. And I like to do things quite quickly. If I set my mind to something, there isn’t much you can do to stop me from going and doing it pretty much immediately or I’ll start to move on to the next thing and forget about that and forget to come back and it’s all a mess. So when there’s lots of processes it has to take, that is where I think I started to struggle because I was like, “I just want to get this done now,” but then you can’t because you’ve got to wait and go through the motions and go through the process and it would have to be something I would have to get used to a lot quicker if I was going to do a career in GRC.

Si Biles: Fair enough. I can see that on reflection, I can definitely see that, yeah.

Okay, so what’s up next? Is it Consultancy or is it Blue?

Sophie Powell: Yeah, I’m heading into Consultancy next, so I’m excited for that one because that’ll be external-facing clients. So yeah, that’ll be good. I’ve never explored that one before, so it’ll be interesting to see where I end up there.

Si Biles: So the last time we spoke on the podcast, we were talking about Cyber 9/12 and the competition. Is it relevant to what you’re doing?

Sophie Powell: So Cyber 9/12, generally yes, because I think if you want an incident response career, an absolutely excellent route to look down with Cyber 9/12 because all of these policies, and these things, you have to be aware of, naturally will play into what you do. So where I am at the minute, it’s probably not a fair representation because I’m not responding to anything happening. I’m bringing change around, but it’s change that we want to make instead of change been forced upon us by the scenarios that Cyber 9/12 team put together.

So I think, yes, definitely. It gives you a good, wide understanding of cyber and the people to involve. So that’s a big thing as well. The people, it’s like which departments are you pulling in? Who do you need to advise? Who do you need to speak to? Who do you need to action? But I will update you on that when I’ve finished the rotation and see what I feel then because I’ve still got two to go. One of them is Blue-teaming, so yeah.

Si Biles: Yeah. No, that’s fair.

Sophie Powell: Competition’s coming up quickly now.

Si Biles: Yeah, week after next. We will have a conversation offline about where the hell we’re sleeping. But yeah…

So yeah, no. Again, we talked about it. It’s been a very… Actually, when this goes out, the competition will probably be done so I can talk about the scenario. So Desi, you probably quite like this one. So it’s a mixed scenario that’s been put down in front of us. We have both a-

Sophie Powell: And I’m just going to say the [inaudible 00:39:41] 9-12 team, this is completely fictional. Nothing is true, nothing that’s recorded anywhere is true.

Si Biles: You say that, but it’s terrifyingly plausible. And I think that’s where this competition actually has been, for me, something that I find relevant because the scenario is this, that there is a vulnerability in SCADA systems, which we know exist. The Stuxnet make a prime example of vulnerabilities in SCADA systems that is being exploited in water distribution network or in water networks. It doesn’t necessarily say distribution, but water processing plants and water distribution and waste distribution networks. Simultaneously, there is a general election going on in the UK, which will happen later this year. Please, God, let it happen later this year. We need to get rid of the current idiots.

You can fight me over this one, whether you’re Tory or Labour or whatever, I don’t care. The current government are idiots, it doesn’t matter. The rest of it is irrelevant. But there’s an election going on and they’ve got a leak, or they’ve had a data compromise and they have had some false created data injected into that gate compromise, which is going to impact upon the credibility of the government. And the team has had to come up with a set of recommendations and suggestions to take to the government. And what we have, something called the COBRA committees, which sits in its Cabinet Office Briefing Room A, isn’t it?

Sophie Powell: Yeah.

Si Biles: So that’s COBRA. And so that’s the highest priority government briefings that we get. And effectively, the team has to come up and do a briefing to government about what their suggestion is that they should do at this point in time.

When Sophie did it, they suggested that basically we should put tanks on the streets of London and mobilize the Army. And frankly, I think it’s a great plan. At the moment, my team has, although they didn’t put it in writing, suggested that perhaps we should bomb one of our neighboring countries. Was it Serbia? Serbia, yes. Because one of the threats seems to have come out of Serbia, they’ve suggested that we should nuke Serbia. I’m glad to say I don’t think that made it into the final document when it was sent off, although I didn’t actually see the document before it was sent off, so I’m not entirely sure.

But it is a fantastic thing because in reality, we see these things constantly. We see SCADA problems, we see data breaches, we see fake news being created. There was a thing in the press very recently about fake audio of Joe Biden making calls in America, or… Joe Biden himself wasn’t making calls, but they were calls that were purporting to be Joe Biden with faked audio, so that’s a very realistic problem. We’ve seen fake images left, right, and center, and again, an article that came out in Forensic Focus recently was about the problems of the sheer volume of data that police forces are trying to process with regards to IIOC, so child imagery, because there’s so much fake generated imagery now, actually doing protection work to identify real subjects and real victims is actually becoming a problem in terms of just sheer volume of data. So these are very realistic world problems that are being put forward and we’re looking at the next generation of graduate students to come in and find solutions to these problems. It is really fascinating.

Sophie Powell: Yeah. Deep fakes themselves, they’re coming up everywhere now. It was something I was looking into yesterday on the treadmill, and it’s impressive how you can get something so close to reality. And it kind of raises the question of at what point are they going to become so authentic that we are not going to be able to fully be able to confidently identify that they are deep fake or not is the real question now because technology [inaudible 00:44:26] growing and [inaudible 00:44:27] to be getting better.

Si Biles: The real issue I think for me is that at the moment, technically we can do it relatively quickly.

Sophie Powell: Yeah.

Si Biles: And it’s not technically that matters. It’s the when I look at a picture, does it ring true for me or not?

Sophie Powell: Yeah.

Si Biles: And that’s what happens on X, and that’s what happens on Facebook is those pictures get posted. It’s not analyzed by a professional that then goes, “Actually, you know what? This looks a bit dodgy. I don’t think it’s right.”

It’s instantaneously broadcast to the world, and everybody goes, “Oh, yeah. Look.”

Sophie Powell: It’s scary.

Si Biles: And even if you turn around and tell them it’s fake, it’s in their mind already. It’s the propaganda game. It’s not a technological problem, it’s a psychological problem, it’s a propaganda problem.

Sophie Powell: Facebook actually looked, Facebook put policies through to ban them back in 2020. So technically you’re not actually meant to post deep fake videos, photos, et cetera on Facebook now. But it’s even coming up in, what did I watch? Netflix Fool Me Once, the new series out.

Si Biles: Yes.

Sophie Powell: There was something in there like a disclaimer, if anyone’s about to watch it, and they mucked around with the cameras making [inaudible 00:45:51].

Si Biles: If you haven’t watched it already, I’ve seen this one. So for a change, I’m not spoiling something I haven’t seen. But yeah, there is a nanny cam that’s set up in the house in question. We’ll give you an opportunity to stop listening at this point in time. But there’s a nanny cam set up in the house in question, and it’s deep faked with images taken from a wedding video. And somebody who is dead is then seemed to be alive and starts to psychologically mess with the protagonist in the film. And it’s very well done. And it’s plausibly done because, actually, if you watch the clips, the way they’ve done them, the movements are the same. So it would have worked. I was watching it with quite a fine-toothed comb and a magnifying glass when I realized that was what they were doing. I was like, “Ooh, go on then.” And yeah, it would have.

Now Martino, over at Amped would’ve run that through and to authenticate, he would’ve gone, “Hell, no. That’s fake,” almost instantaneously because of the fact that there would be a whole bunch of technical aspects that didn’t show up. But the reality of what that woman saw, for her, was real. And she thought she was going… And that’s what we would all have done. We would’ve all reacted the same way and ended up getting pepper sprayed in the face. So it was a very… There was one a few years back. I can’t remember what it was called, but again, it was about the editing of CCTV footage about a guy who got off a bus or killed somebody on a bus or did something to do with a bus. But yeah, you still see him step out and it’s not him, it’s somebody else. And it all gets very messy.

But even then, CCTV footage is so poor quality, professionally. We look at it, it’s so poor quality that a simple edit to… You can’t tell. You’ve seen… Sorry, you won’t have seen, Desi, probably, but we had a terrible attack recently in the UK of a caustic substance being thrown over somebody. And the attacker was also covered in the same substance. And there are some CCTV images that have been put forward of him leaving the scene. And you can barely make it out. It’s terrible. It’s absolutely pointless. You can see that he’s been hurt by this, but if you asked me to identify him in line up, other than the fact that half his face was missing, I wouldn’t be able to tell him from anybody else. It really is such poor quality stuff.

Sophie Powell: Yeah.

Si Biles: So the effort required to turn around something plausible of that level of quality is simple. It’s not difficult.

Sophie Powell: And then it’s the fact that the public just don’t have access to the software either. So it’s not like we can look at something and go, “Hang on, let me check a second. Is it a deep fake?” There’s not going to be that. It’s going to be either you’re told on the news that it’s not or you believe that it is until you’re told not if it’s that realistic and not true. So I’m sure there is software out there that is accessible to use if you really wanted to, but whether people would or not, that’s another question.

Si Biles: Yeah, exactly.

Sophie Powell: [inaudible 00:49:30] because deep fakes are new. It’s not a thing that’s been around for ages.

Si Biles: Yeah, it is that. Would you think to do it? But also, there’s the whole thing of just the idea of the conspiracy theory. And it’s an amazing thing that you have this concept that is, to a normal person, and I say this carefully, but to a normal person, completely bleeding ridiculous. There’s no way on Earth that the world is flat. But as soon as you start to tell someone who believes that, their ideas are tainted by the idea that you are either a stooge of the state who is trying to control their mind or that you have been fooled by the state into thinking that this is the truth when it really isn’t. Counteracting conspiracy belief is an incredibly difficult thing to do. And if you’ve seen a video with your own eyes that shows something, who are you going to believe? The person who is telling you that what you’ve seen isn’t real or what you’ve seen?

Sophie Powell: Yeah. Exactly that, and it’s doubting yourself then as well. And it’s psychological play, really, of how much you believe yourself versus realizing that actually what you’re seeing in front of your own eyes isn’t true. And that’s difficult to explain to somebody as well, like, “Oh, yeah, I know you saw it, but it’s not right.”

Alex Desmond: I wonder, this, again, is way off digital forensics topic, so we’ll never… Maybe I’ll get someone on my podcast to talk about this like a psychologist or something. But are most humans susceptible to conspiracy theories because their parents lie to us about Santa Claus when we’re young? Let that sink in. From a young age, we’re told to believe in something that we never see. Does that affect our adulthood?

Sophie Powell: When I was younger, I caught my mom out because she’d written Santa Claus’s label in the same writing as she’d written her own label, and I put them next to each other and I was like…

And then I think that’s when [inaudible 00:51:54].

Alex Desmond: And did that bring in your career in STEM from there? You’re just like an analyst.

Sophie Powell: Yes, that’s actually where I began, at the age of very young.

Si Biles: The other question though is that as part of this, is it to blame for that? Or is it actually just that there is an innate human need in order to believe in things, in order for us to be able to cope with a world which is what it is, whether it’s… I think perhaps there’s a sort of deep-seated genetic, evolutionary trait in, “I don’t understand what lightning is, and therefore, I’m going to create a God that throws lightning bolts in order to explain it so that I can get on with my day, as opposed to hiding terrified in a cave because I don’t know what’s going on.”

And again, there is perhaps we need to go and find a psychologist and bring them up to have this conversation with us.

Sophie Powell: It would be interesting.

Si Biles: Yeah. Definitely a fascinating…

But the psychology of computer use is brilliant anyway, isn’t it? When we look at it, everything from user interface design about how you put buttons in the right place so that people can find them, and you will get people who say… And I say this again from having responded to something on Twitter today. People who will tell you that Windows is by far superior to macOS, which is by far superior to Linux because the buttons are in the right place. Come on. The whole thing is just Vi versus Emacs versus Nano, all of those arguments.

Sophie Powell: Yeah.

Si Biles: The whole computer belief system, and people choosing passwords in certain ways or… The thing is, at the end of the day, isn’t it? It is that we’re all human. And what we actually do isn’t computer security, it’s human security that just happens to bounce around some electronic objects in the middle. So yeah, that is my philosophy for the day until this wrapping up to my bedtime [inaudible 00:54:22] philosophy.

Sophie Powell: I love listening to people’s thoughts or the stuff like this, like how it works, what itches your brain, that type of thing.

Si Biles: Yeah, this is why podcasts work. It’s because you’re not the only one.

Alex Desmond: Yeah. You find your niche of people.

Sophie Powell: Yeah, I can imagine.

Si Biles: Well, we will call it a day, you and I, Sophie. As you will call it a start to a day and go and get a cup of coffee at last after having a piece of toast or something.

Alex Desmond: Yeah.

Si Biles: And thank you very much for joining us on this mad ramble of an evening. I’ve had fun. I don’t care whether you enjoyed listening to it or not, I’ll be brutally honest. We do plenty of serious stuff. This was just a laugh and I thoroughly enjoyed it. You can find this podcast if you do want to listen to it on any of the good podcast players. Why do we say this at the end? If they’re already listening to it, they’ve heard it. They must’ve picked it up from somewhere.

Alex Desmond: Si, you’re the one saying this. Maybe let’s put that at the front from now on.

Si Biles: Yeah. Desi, we picked this up from Krista when we started. This was the way she did it. She introduced it and then she closed it.

Alex Desmond: Yeah.

Si Biles: And we’ve habitually done it since.

Anyway, you can find this podcast on any of the good podcast sites, Spotify, Apple Podcasts, we’re on YouTube, subscribe, and like, I think is the things we’re supposed to say if we’re on YouTube, isn’t it?

Alex Desmond: Yeah. And comment. I think the new algorithms comment. Comments would be good. And this one’s probably a good one to comment on. Do you believe in Santa or not?

Sophie Powell: The only correct answer is yes.

Si Biles: Yes, of course. Yeah. And yes, the trends. This will also be available on the Forensic Focus website where a transcript will also be available if you wish to search for any particular terms that we may have used. I would say we’ll put relevant links in, but I don’t think we have any relevant links to put in. I don’t think we referenced [inaudible 00:56:28].

Alex Desmond: I think there was a few, and my Discord, if they want to watch you do a car deadlift.

Si Biles: Oh, well, I’m sorry. No, I take back. There is the critical link that will be put in this to the Discord channel. And Desi’s his podcast and his sweaty cyber advice, which is worth listening to.

Alex Desmond: Oh, and probably the webinar link for Sophie doing the TryHackMe thing.

Si Biles: Yeah, webinar link for Sophie’s Cyber Women Group, we’ll put in Cyber 9/12, we’ll put in a whole bunch of stuff that’s going to drive Zoe around the bend because we’ve just started referencing it now. And we’ll call it a day. Thank you very much, Sophie, for joining us. It’s been an absolute pleasure.

Sophie Powell: My pleasure.

Si Biles: I personally will see you in a week or two, and yeah, I will be having words with you about the team that you’ve put me with because they’re bonkers. I think that’s just the simple thing to say on this front. They’re brilliant and they’re bonkers, and yeah. We’ll talk about that.

Sophie Powell: Absolutely.

Si Biles: Desi, always a pleasure. Thank you so much for being up at this stupid time in the morning for you.

Alex Desmond: Always.

Si Biles: All right. Take care, everyone. We’ll talk to you later.

Alex Desmond: Thanks, everyone.

Sophie Powell: Thanks, Si. Take care [inaudible 00:57:45].

Leave a Comment

Latest Videos

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:46 pm

Digital Forensics News Round-Up, June 19 2024 #dfir #digitalforensics

Forensic Focus 19th June 2024 2:14 pm

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles