Cybersecurity Pathways: Transforming Crisis into Expertise
Narrator 00:08
Welcome to the Executive Connect Podcast, a show for the new generation of leaders. Join Melissa Aarskaug as she speaks to a wide variety of guests that bring new insights into leadership, prosperity, and personal growth. While no one has all the answers, by building a community of open minded and engaged leaders, we hope to give you the tools you need to help you find your own path to success.
Melissa Aarskaug 00:38
Hello, and welcome to Executive Connect Podcast. I'm so excited to have Cecile Mengue here with me today. She's a cybersecurity professional, and hacker at IBM X Force Red. She got there by actually experience a personal cyber attack and it ignited her drive to get into the field of digital security, and publish her own book called Digital Security Overhaul, which equips individuals with knowledge and strategies to enhance their online security. So Cecile, thank you so much for joining us today. I'm so excited to have you on the podcast.
Cecile Mengue 01:19
Yes, yes. Thank you so much for having me.
Melissa Aarskaug 01:23
Cecile can you share this specific moment that was a turning point in your career and tell us a little bit about how you got into the field of cybersecurity?
Cecile Mengue 01:35
Where can I start? I actually went to school and got a bachelor's degree in criminal justice. I always wanted to go to law school, right. So my path has always been in some kind of liberal arts area, nothing, nothing technical. But after graduation, I just kind of find myself online, just, you know, they had like this, this revolution of make money online, do things online and make money I was like, okay, I can figure that out. So I was I find myself spending a lot of time online, just trying to be like an entrepreneur and just create different avenues to make money. So I started doing event promotion. So I did a lot of event promotion online. So one day, I get back to my computer, and I have like a ransom note on my laptop. And I was like, wow, how did that happen? So there was kind of like requesting for a $500 fee, in order to release my computer, if I needed to get my computer back, would have absolutely no clue of what actually just happened. I stopped panicking. So the only thing was now try to pay the money so that I could get access back to my computer, I didn't really think twice about it and then I went ahead and paid the money. But one thing actually happened in that process. As I paid the money, I thought that was going to be the end of my nightmare, right? But no, my attacker had already kind of like took over all my accounts was kind of reaching out to multiple other people. And because I had such a poor cybersecurity, hygiene, I will say like, I pretty much use the same password in every single card I have. So that allowed them even into my bank account, which they also end up transferring that money. So I started dealing with like, all my money being transferred, the money that I sent myself, my friends getting like different different email, different information, it was all supposed to be coming from me. Then I kind of got interested, I was like, huh, I want to have a complete stranger was just married. I wonder how easy a complete stranger was able to just get into my life and just almost pretty much take over it. Then I kind of became a trick with this. With that whole aspect. Then that kind of triggered me. I was like, I wonder what did they do? How did they do it? Then I started really studying. My very first question I remember in this space, like how to computer work, network communication, how, you know, how do we come across this? So I started looking into it myself. Little by little, that passion of trying to figure it out how I became why I became the chosen one, because I didn't feel like I was that interesting, right? Of the millions of people online that you could take. I didn't think you would take me. So when I had to add I started to understand that it probably was something about me that made it easy for them to come after me. So I start trying to figure out what that thing was. And what I was kind of like, got myself into like this, this space of trying to figure this out, I really grew an interest of now, I wonder if I could find my attacker. Now, if I'm learning all these things, and pretty much the system that they use, I start kind of trying to started understanding how the whole thing work, then I kind of said to myself, I was like, let me try and see if I can track my attacker down. Which, oh, my God, it took me a while. But just kind of dig into one of the big thing that I kind of came across that changed my life was the OSCINT framework, which kind of show you like different aspects of like open source intelligence on the internet and finding information. But this, this attack on me was actually very elaborated. It was a not a, it was just not a one person thing. It was almost like a corporation, it was very elaborate. And they took every step to cover to cover themselves. Right. Right. So but one thing would the internet like everything just kind of get interconnected. So the only thing I really have was the destination where I sent the physical money. And in first and last name, this particular person can find them nowhere online. I mean, I tried everything that I could, they was pretty much ghost, right. But I had an idea. And I was like, let me step back. They had a pretty unique last name. So I start thinking of ways of any kind of other connections outside ourselves. So I step back, I use a call the city where my money was sent to, so they send me a phonebook and I saw like three other people with the same last name. So there was one lady that was in the phonebook, then I went back online, with what I knew at this point, but now she was helpful friend was everywhere. Her footprint was everywhere. And come to find out she kind of had she had a relation with the person that I sent my money to. So eventually, just going through her social media and different things, I find out that she had a brother who had the same name, as the person that I sent the money to. And who was in a, a band, I was able to find his phone number, her physical address, just enough information to build a pretext on where my conversation will be with her. So once I once I did, once I did all that I eventually just picked up the phone and called and directly was just asking for, for the for her brother, which she kind of was upset and was like, he doesn't live here. I say, well, he just gave me this number. We plan on a bed tonight, and I need to get in touch with him. Do you know how I can get in touch with him? We went back and forth. And she eventually gave me his cell phone number. So I call him and I'm like, hey, you know, I want no problem. But I sent you my money. Is there a way I can get the money back? And his first question was, which one are you? And I was like, Hello. So this is not just me. So this is like, and come to find out he were just a middle guy. And between a bigger scheme, right, so he really wasn't anything or he wasn't even my target. So I spoke with him. So his job was to pick up to pick up transaction, which he told me he picks up hundreds of times transaction a day. And then he forwarded to the next person. So he was through talking to him and trying to get all the information. He was able to give me the information of all the all the information he had, because at this point, he didn't even know what he was doing. Right. So I got that information. That was a little more information than I had then went back online, you know, trying to figure by the time I got to the very top person, because the operation was actually out of London, but it's how I got to the very top person. I've learned so much about computers at this point, networks, malware, build them buy them, anything, anything you could think of like phishing and I end up having to like send an phishing email to like the top person in the operation, right, and I'm having to send a phishing email, that pretty much was very precise with all the information that I have uncovered at this point. And, and then they called me. And so they called me, and they didn't do anything they call me. And we went back and forth. And that was very interesting on how I was able to track them more than you know, what they're doing wrong with, on the internet with everybody. So I kind of negotiated, I was like, if they will turn my money, I'll talk to them. And I tell them, like the closing and how I got here. So eventually, they, they, they told me, they promised me they was going to return my money. But they did at that moment. So I crafted another email now with more information on it, and I sent it directly to the, to the to the person over the operation. And then he ended up the main guy, the main the main guy, yes. So he ended up finally clicking because it was more information than what I laid on earlier, right. And he ended up clicking, so I end up kind of like taking over his whole desktop, like his computer. So now. And in that moment, I see all my money, kind of like just transferring back into my account at this point, so they give me my money, so they get my money back. Then I just kind of went to my bank and kinda like, settle with my bank and everything. But up to that point, I never, like had any other communication with them. And that kind of like got me interested. I was like, Oh, well, first of all, I felt like I had at least like a skill or a passion was my talk skill. Because I guess when I didn't think he was skilled, just yet, I had a passion. I always had a passion of kind of like protecting the good guys. And like going after the bad guy hits my original. What is it called my original degree in criminal justice, because I always had a thing about going after the bad guy, protecting the good guy and all that that's always a role that I've played. But I never really saw myself, I never really saw myself played that role within like, computer like, you know, dealing with computers. And not until that actually happened to me. And I feel like that's kind of what I you know, I can almost find my destiny in that.
Melissa Aarskaug 12:43
That story is so amazing. And just perseverance and persistence and digging in to find your money. And because I would imagine I've not had an experience with this, but I've been part of multiple engagements where similar people have been, you know, taken advantage of or taken for ransom, and it almost feels like your identity is gone, your everything about you, you have no control. And it's interesting that you've you've had this experience, and it pivoted you into a completely different field from criminal justice, to cybersecurity, which is non technical to very technical. So what are some of the challenges you faced at the very beginning when you switched from, you know, into the cybersecurity industry without technical background. What were some of the challenges?
Cecile Mengue 13:48
Well, let's just kind of go back into, I think I was my biggest challenge, right? I was in my head a whole lot. There was so many times where I'm like, Okay, I'm going to do this, all I need to do is go back to school and just do this. Then I will go on Google and do my research. And it's kind of like, I almost felt like everybody had the same story, right? It's like, yeah, I was five years old. My dad gave me a computer. And ever since then, I've been like hacking away. And I was like, at this point, I'm like, 20 some years old, like there's no way there's no way I could compete. Right? So I started start pulling back. And to me, at the very beginning, I was my biggest my biggest threat. I will say I was the biggest I was the biggest thing that held me back because I feel like the industry can be very intimidating when you're on the outside and is in we start thinking oh, okay, then come then you you always technical verbiage. Like English is like my third language, now I need to pick up another something else on top of that, I don't think he's going to work like, you know, getting my head talk myself into our into it and out of it every day all day. So once I was able to just, and it just didn't happen that I'm just like, oh, I could all of a sudden, oh, I could do this, it was somebody else who actually saw it in me, you know, just kind of like I'm having a conversation with you right now. And I just told them and I told them, how I kind of like build my own hacking skill, just working on myself, like, I spent a lot of time building like a virtual machines, like different ones with what exploitable system and our exploit them myself and just trying to like, kind of go back and forth and figuring out just understand how things work. So I started doing my own personal project. But even then, I still didn't think I was good enough, because I just felt like I needed to start at five. And it was way too late, until I met this person, and I was talking to them. And they was like you pretty smart, you could do it. I don't know what they put in those words. But that did something to me right? To that person to tell me that I was smart. And then I was like, You know what, I could do this, then I went back and like, find must find a school and went back and just kind of took like a cybersecurity program in a university.
Melissa Aarskaug 16:42
That's amazing. It's amazing how words from people can positively or negatively affect us and literally change the trajectory of our life. And I think that's a true testament to you and your mindset. It's really key when you enter and switch from field to field. Could you share some, maybe some insights on the shift that you had and how it's helped you thrive in a cybersecurity field? Because, as you mentioned, you know, there was it sounds like some imposter syndrome right out of the gate, and wondering and questioning yourself, Could I do this? Can I do this? How do I do this, who's supporting me? Talk us through some of those shifts that you had to make in your own mind to thrive like you are right now in IBM?
Cecile Mengue 17:35
Right. Um, the first thing I really got was a really good advice, because and I see that in a lot of like, people like career change, or you just even people that want to come into the industry. It's like, we all we tend to want to be open. Because we feel like if we are open, we have more options. And sometimes I feel like that open the openness, it could be contradicting, right? Because I was the same way. I was like, You know what, I just need to get it and get me anywhere. And it took me forever to even get anybody to sit down with me and talk to me about anything. It wasn't until my mentor at that time just was like, You know what, you should specialize in an area and become really good at every single aspect of it. And that will be so easier for you to like to like to grab on and on into something, versus just being open. Right. And I felt like that that helped a lot. Because, you know, hacking was my thing. So I just kind of started, you know, learning methodologies that are being used in companies to be able to, like, make this happen, what kind of tools are they using, you know, trying to see how I could better myself in whichever area. So once I was able to understand the methodology, the tools, and just pretty much like the outcomes that needed to come in each aspect. And also very, what's very interesting is once I understood there was another thing when I understood my why, why I wanted to do this that completely changed my life. That was a game changer for me, actually. Because at the very beginning was that oh, why do you want to get paid? Really good money. You know, really, I can just go in for the money but I couldn't make money anywhere as far as I was concerned. It wasn't until ever why do you want to do that? And I had to step back and like, that's trouble. Why am I working so hard to get in this industry? Once I understood why and it goes back to like, I've always been a person who wanted to, like, protect the good guy from the bad guy go after the bad guy, and then just kind of fell naturally in that thing. And I was like, this is why this is why, because that will give me a lot of that will give me like a lot of joy that I am saving good people against the bad guy. And once I understood that, that that mindset, the mindset shifting that we have been talking about, that's really when it happened for me, once I understood what that was my mindset change. And then at this point with the, with the tools that I had, and the advice that I have, from my mentor, of like really focusing on an area working, working hard to learn everything that needs to be that I could learn in the industry, and then get some hands on experience. You don't have to wait for a company to hire you before you could start, you know, practicing and getting your and getting your experience. And I'm gonna tell you one thing, when I was still in school, there's this small TV station that streams online, there was a TV station within my city where I lived in, and I will always go there to stream. And one day I just went and I was on the website, website just looked. It was just strange, right? I was like that. That was when my smart education or like, going into like a taking these classes. So now I can see things differently than before. So I reached out to the, the website, was just missing it, we're just missing an SSL certificate, right? So I call a call the company and I was like, Hey, did you know that you don't have a certificate in this area, and then people are filling out the form to get to you, that could be a security problem and thing and ask to speak because it was a fairly small company. So I asked to speak to the to the manager of the company. And they were and they allowed me to go in. So I went and I was like, Hey, I'm in school, I'm studying cybersecurity, I will be glad to, you know, to try to see, you know, what you guys have in place, and trying to help you in that area, because I only find that they have one IT person. And and nothing was I mean, they there was no security focus at all. Yeah, from somebody who were just learning security to I could see it straight. So when they agreed to like work with me in like trying to help them kind of like create, like a syst put a system in place. So that so that the system could be more secure. I have no clue what I was about to do. I was oh. So I was like, oh, you want me to do it, now I don't really know what I'm talking about. So but I went back to my teacher at the time. And I kind of explained to them. And he was like, yes, you should, you should absolutely take it. And what he did at that moment was kind of just give me like a, he pretty much did most of the work as far as putting all the framework in place. And just kind of like I was the hands and you know, and the body doing the activity. But he pretty much helped by putting all that together. So once I was able to do that. And they was very happy, they gave me a recommendation letter. So once I was done with that, and I contacted the neck, then I contacted a church, then I didn't want to church and I did it with another church. So I kind of I went out there and find my own experience like to build my own skills. And then of course at my own home build a network. And like I was saying, like download many different machines and try to attack them in between to figure it out, just so I could get a hands on experience, build my own network, secure it, and things like that. So that really helped me to that when I was able to like come in front of somebody for an interview. And and by the way, IBM was like my very, very first job I had as coming into the industry.
Melissa Aarskaug 24:39
That's amazing. I love you use one of my favorite words the M word mentorship. It's such a big word that sometimes we find mentors sometimes they find us I feel like in my life so many of my pivot changes came from somebody saying something to me or somebody's saying, Hey, you're good at math, you should look at engineering, but you really followed through. And I think it's one thing to be mentored. And it's a whole nother thing to follow through, to listen to your mentor to ask for their help, and for them to hold you through that process. And having somebody that you can bounce things off of like, it sounded like you were able to say, here, I have this thing, I need your help, here's what I'm thinking. They made suggestions to you, and you went and then had the confidence to go do something which says a lot about your personality, and you were able to leverage them as a resource, while you were building your own skills. And I love that because it's one thing to have somebody give us advice, and but it's a whole nother thing for somebody to take it back and say, Okay, what's my why? Why am I doing this? How can I make this better? How can I learn? How can I help others? And you really took that directly to heart and made those changes? So for our listeners, what advice would you give them? If they're contemplating a career change into cyber security or any other technical field? Especially if they lacked technical background? Like what would you suggest to them?
Cecile Mengue 26:25
Well, I would the first thing I would say, you could do it, like, believe in yourself, like that will take you a long way. Believe in yourself, do not listen to that little voice that will come and try to tell you other things. The second thing is, I mean, understand, I always say like, know your why, right? Sometimes we want to jump into things because it's the hard thing to do, right? It's training, it's, it's what's going on, but then we find ourself in it, and it just kind of, you know, I could have done something else. Knowing why you want to do this will really give you not only the passion that you that you that you need to get this through, it will give you the conviction. And it will also allow you to be able to talk about yourself in a in a more in a hot like in a more convict come like you will be more convicting when you speak, or when you try to sell yourself to even a company to hire you. Because you will be so solid within like, what, within yourself that this this skills, we could always learn the skills, right? A lot of time, a lot of time I say right now I'm working for this company. Like now if I go in, and I've been doing this for a while, now leave and then go to another company, guess what I will have to be trained over there for another system for other thing. So the skills are always you can always learn them. And just as the industry kind of just always moving forward, always stay up to date. Pretty much I will always say focus on an area to at the beginning. May I'm not saying that this is if you if you started here as if I'm starting as a hacker, this is where mistake, but focus on a particular skill set that that will really be that you could be able to sell yourself, oh, that will make it a lot easier to you know, to get into the industry. For example, when I was let's say applying for jobs at the beginning, it was just like whatever job I put us so many resume, so many resume, and nothing was almost coming back at me. And then when I had to when I die back and I was like you know what, I don't want to do just anything in cybersecurity. I know exactly what I want to do. Ethical hacking is my space, this is what I need. And then when I kind of just focused on that every other resume that I put out there was coming back with a hit. Hey, we want to talk to you. Right if you know that I was brand new and I would just come in into the field. And by the time I actually got into a company I had couple offers and that that flip just change it just what they mean. Believe that, you know, the direction of like being being an expert in a certain area versus like kind of just trying to like know, know everything in that master a particular thing could play against you if you are trying to get into the field especially if you're coming to a port from a place that with no technical background, right, somebody who's been doing who've been having multiple technical skill, I know network I know this, I know that they probably will be a lot better for them to be open to the expert, but especially with time constraint, and you try to make it make it happen is, to me it is very, very important that you that you choose an area a niche, where you actually going to shine and learn everything that you need to learn, know your why. Practice, practice, practice and practice and stay up to date with everything.
Melissa Aarskaug 30:45
I love it. Ceclie you are such an inspiration to so many people in cybersecurity and as a woman in STEM myself, I am so happy to have you on the call today you motivate me to relook at my life for so many things and look at you know, the mentors that have come into my life and how I can be a support and you mentioned ethical hacker, be a good guy be one of the people that helps to move communities forward. I love this about you and the and it's your third language, English, unbelievable. Third language or non technical and you've done you've been able to shatter all these ceilings. And I just love your energy. And I think one last question for you if I can, what are your future goals and aspirations in the cyber security field? And what do you hope to achieve in years to come?
Cecile Mengue 31:45
Oh, my aspiration within the industry. Since working as as a hacker and having to get into company system in many different ways, then company will fall for like two. And this also kind of touch back to like, how I got here in the beginning. Personal data is like a big deal to me, right? I feel like it is like given enough attention, especially with so many data breach data are going that are going out out there. And this how easy it is for people to collect people's personal data, and which is that information that nine times out of ten end up getting companies a breach so it's very we've been on the internet for so long, a lot of us the majority of has been on the internet for so long, we have shared so many we have shared so many things online. And it just not about just what we sharing is what the third parties are sharing what the data breach are saying the about us and everything it just all over the place. And now attackers including myself understand the value of this information. And we actually now using that information to attack companies, whether it's through phishing, whether it's through credential stuffing, whether it's through you know vishing over the phone, like I remember when the MGM attack happened, and somebody and I read a comment and somebody was like, now who's gonna give that information over the phone, I said, Do not underestimate a hacker with the right information, you just cannot, that could be anybody. So I'm very passionate about just bringing that education to the average person to the everyday users, people that are on a computer, people that sit behind your organization behind your networks, a lot of time to authenticate most of us in a company, company use personal data. So if the personal data is not protected outside of the workspace, that could turn around and become an issue and just kind of be like really doing a lot of research in this aspect. So is there a way we can actually stop the attack from happening by by kind of like reducing the information footprint of every single person that is within a company? Or is it just like it I'm just to a process of trying to which I've learned a lot in this area and I also do a lot of as also focus on open source intelligence and my job open source intelligence take me and social engineering and I know the places I go to get this information and why is this not becoming more of a priority because as as we go. Every consumer, we continue to see attacks. I feel like it's going to come more, more and more and more from personal data. And I believe it was Verizon, they wanted the statistics, say like 60% of breaches now happen, because personal data and this is only going to grow at this point.
Melissa Aarskaug 35:22
Yep, I absolutely echo that. I think it's, you know, we talk a lot about AI. But if we can't figure it out now, with AI, and in more advanced technologies, we're in a big, big challenge there. You know, I get asked a lot about AI. Should I allow chat GPT and all these things? And I'm like, well, I mean, it depends. It depends on the strategy. But if you can't get it right in, like, on in an on prem environment, it's going to be harder to get things more secure in the cloud. So I know I want to be mindful of our time. And I thank you so so much for being here. I love everything about you. And I appreciate your time. And I just feel like you keep shining girl, keep shining. Keep reading, keep sharing. And I thank you so much for being on the podcast today. And thanks for being here.
Cecile Mengue 36:21
Oh, thank you. Thank you so much for having me and giving me this platform and opportunity to talk to you. You're very sweet. Thank you.
Melissa Aarskaug 36:28
Thanks. Have a good day.
Cecile Mengue 36:30
You too.
Narrator 36:33
You've been listening to the Executive Connect Podcast. If you have questions or ideas on how to bring leadership to the next level. Email us at executiveconnectpodcast@gmail.com And don't forget to subscribe so you can catch every new episode. Until next time,