
Tribe of Hackers


by Marcus J Carey


  Starting a company in cybersecurity has been one of the most grueling processes I have ever been through. There are typically two types of companies: those that sell products and those that sell services. On the products side, many of us see opportunities for solutions in our day-to-day lives. Your product must be able to save people time or money and ultimately make them more secure. Once you create that amazing product, you have to be able to sell it.

  On the services side, you’ll find companies that make money by charging people for their time. Once you have a certain expertise, people may be willing to pay you for your services. The hardest thing about any business is getting sales. The best thing you can do for your company is to partner with an experienced salesperson early on.

  I am convinced that sales is the most important part of our professional lives. We have to be able to sell ourselves to get jobs. We have to be able to sell our services or products to build a successful business. In short, learn how to sell, and sell well.

  What qualities do you believe all highly successful cybersecurity professionals share?

  The most successful people I know in cybersecurity are extremely curious and passionate about sharing information. In my life, I’ve learned that the people who are most willing to help others are the most knowledgeable. I also think that you can’t be afraid to look dumb. Remember, there is no such thing as a stupid question. The most successful people ask the most questions.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  My favorite movie that reminds me of cybersecurity challenges is U-571. Although the movie is fictitious, it does have an encryption angle in it because the heroes are trying to steal an Enigma machine from the Germans. There is incident after incident, but despite all the obstacles and everything that happens, the small team of experts is able to overcome each challenge. And that is exactly like cybersecurity.

  A really good book I always recommend is How to Stop Worrying and Start Living by Dale Carnegie. This book should be on every cybersecurity leader’s desk. A great takeaway from the book is learning how to plan for the worst. If you are ready for the worst, you can handle anything that comes your way. This book is a must-read.

  What is your favorite hacker movie?

  Without a doubt, the Swedish version of The Girl with the Dragon Tattoo.

  What are your favorite books for motivation, personal development, or enjoyment?

  I am fascinated by how our brains and minds work. The following are three books that blew my mind:

  On Intelligence by Jeff Hawkins

  The Four Agreements by Don Miguel Ruiz

  The Fifth Agreement by Don Miguel Ruiz and Don Jose Ruiz

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Keep your systems up to date. Turn on auto-update on all devices. One more thing, if you don’t want your nudes on the internet, don’t take them.

  What is a life hack that you’d like to share?

  Something that I used to complete my higher education that a lot of people don’t know about is credit by examination. There are several types of these exams, including CLEP, DANTES, and Excelsior College Examinations. This life hack will help a lot of people who are pursuing a college education or who have kids in the United States. Anyone’s kids can use this to save their parents college tuition expenses.

  Here’s how it works: instead of taking a Spanish course, a native speaker can take a CLEP exam for Spanish and receive full credit. Many of these exams are good for three, six, or more semester hours of credit. These exams are cheap, certainly when compared to tuition. A lot of people do not know that these exams even exist.

  While I was in the military, I was able to take these exams for free. When I lived on post at Fort Meade, I was able to earn 115 semester hours of credit just by taking these tests. Of course, I had to take the right tests to earn the necessary credits for a degree program, but I was able to get my bachelor of science degree conferred from Excelsior College.

  I’d like to note that my case is rare. However, most people could still save thousands of dollars by taking some of these exams. It is totally possible for a college student to save a year on tuition, housing, and so on, by using credit by examination.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I’m going to share two of my mistakes—one is personal, and one is career related. My biggest personal mistake was not getting over how I was raised, which resulted in me carrying a lot of baggage. I grew up pretty dang rough and blamed a lot of that on family. In the end, they did the best they could, and I ended up doing okay with my life. I recovered by forgiving them and moving forward.

  One of the biggest technology mistakes I ever made happened when I was troubleshooting a circuit issue while working as a network engineer at an important place. A common thing to do is to toggle a router interface to make the circuit come back up clean. I don’t know why, but this worked a lot.

  In this particular case, I shut down the router on the remote side, locking myself out of the router and, therefore, the entire site. This meant that the remote site was disconnected, and since it was about 4,000 miles away, I couldn’t reboot the router myself. Luckily, I had a colleague who’d just transferred there about a month before. I was able to call him directly and have him reboot the router. This all happened in less than five minutes—the longest five minutes of my life.

  There are many more mistakes I could share, but the lesson I’ve learned is this: if you aren’t making mistakes, you aren’t really trying. ■

  2

  Ian Anderson

  “No matter how much you train your users to identify a phishing email or some other attempt to steal credentials, there will be at least one user who is having a bad day and makes a mistake.”

  Twitter: @ian_infosec • Website: medium.com/@ian_infosec

  Ian Anderson is a security manager focusing on the relationships between information technology and operational technology and how those relationships work to defend industrial control systems. He is also interested in risk and governance and identity management within enterprise environments. Ian is a graduate of the University of Oklahoma and maintains GSLC, GCIH, and CISSP certifications.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  Attackers are human, and as humans, you can conjecture that they are not perfect. Some attackers are good, but they are still human. This may seem trivial, but I believe that when you start to view attackers as human with human goals, you begin to unravel the things that make cybersecurity intimidating. Perfection doesn’t exist for defense or offense. That is the way the game is set up. There are steps all attacks must progress through to be successful. This means there are a series of steps where an attacker may make a mistake. As defenders, we need to seize upon these opportunities to detect, respond, and build back our controls to prevent the next attempt. I hope this leads people to feel optimistic—optimistic that our task of securing our systems and networks is an achievable one.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  I think the instinct here would be to say “user training.” But the rate of return on training isn’t good. No matter how much you train your users to identify a phishing email or some other attempt to steal credentials, there will be at least one user who is having a bad day and makes a mistake.

  The best bang-for-the-buck action a security team can implement is adopting a framework like the Critical Security Controls or the NIST Cybersecurity Framework. A framework will help you understand your organization’s cybersecurity maturity as well as help you plan future initiatives. Something that all of us struggle with is where to spend our limited resources. Frameworks take out a lot of the guesswork and show you, often with supporting evidence, where to apply the pressure. Similarly, planning and implementing a framework can help you understand your operational maturity level and provide metrics that’ll feed back into your organization. Security isn’t simply one team’s job—it is all of our jobs. With that said, security teams need to be the ones to lead the effort to improve the overall capabilities of an organization’s security deployment.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  I think organizational cybersecurity maturity is still fairly low across most organizations. We are spending more money now because cybersecurity hasn’t always been a priority. Many organizations have security teams that are relatively new. With a new security team, companies are going to do what companies are going to do—throw money at the problem. So, security budgets increase, and we buy millions of dollars’ worth of blinking boxes. At issue is our reliance on security products to save us from our own inability to identify, develop, and utilize human capital to defend against human attackers. The adversary is human…so why aren’t we making our humans more capable of defending?

  Another issue with being overly reliant on our vendor partners is that we think we can skip over the fundamentals of organizational cybersecurity. “No need for an accurate inventory; I’ll just buy this fancy new IDS that is really expensive and uses ‘machine learning.’” It’s not that these products are bad—they’re not—we just aren’t ready to use them properly.

  Do you need a college degree or certification to be a cybersecurity professional?

  Nope, but it helps. There are tons of really talented and qualified cybersecurity professionals out there who have no certifications or degrees. What they likely do have is some other sort of professional recognition, such as research, GitHub projects, or something that shows they know their stuff and have contributed to the betterment of the security community.

  Admittedly, it is aggravating when you see entry-level security positions opening up that require something like a Security+ or a CISSP. When you see that, it generally indicates that HR doesn’t quite understand how security differs from other disciplines. But it is important to consider HR’s perspective as well. It’s common to gripe about HR and their understanding of security, but it happens in nearly every other field as well. Just ask someone in information technology what it’s like hiring a developer, or how about someone in research and development? You’ll find that the experience in hiring aligns with many other fields. I’m not demonizing HR at all. HR has to show that they’re finding appropriate candidates for the open positions. Having base requirements is part of how they perform their due diligence. Security managers need to develop relationships with hiring teams to ensure the appropriate requirements are identified. Having a strong relationship with HR will only help ensure you’re hiring the right person for the job.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got lucky. Security wasn’t nearly as popular as it is today. I was in college and got a job as a student tech. Out of pure luck, I got assigned to the security team. It was a watershed moment in my career and in my life. I was always interested in sneaking around and creating mischief with computers, but never did I think I could get paid for it. I had the chance to learn how some pros practiced the art of defense. Really, my job was to help track down students causing problems on the university network. Working in a university security shop gave me the opportunity to see some really clever work as well as some not-so-skilled “bad guys.” After graduating, I kept my roots in security, but I made sure to round out the rest of my skill set. I spent time as a developer, system administrator, NOC analyst, and internal auditor. All of these experiences blended together to give me a more complete view of not just security and how it works technically but also how security works as a component of an organization. My advice is this: focusing on security is good, but having a well-rounded skill set will make you a better security professional in the long run.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  It used to be application security, but now it’s management. I used to be cool. The way I developed security management skills hinged on my ability to find a few security managers and convince them to mentor me. My success in this area is directly tied to the relationships I’ve built with other managers. None of the things I do are solely my own. I am fortunate to have learned a lot from some of my new friends. I’ve also been fortunate to have managers who truly cared about my success and who were willing to let me take chances.

  The best way to gain expertise is to teach others or speak at conferences. I’ve gotten to speak at a few large conferences on things that I’m certainly not an expert in, and in preparing for my talks, I probably learned more than just the limited knowledge set required to actually perform the work. This exercise bore much fruit because of the prep time required and the connections it made by forcing me to get up and talk about it. By speaking about a topic, you inevitably talk to people who attended your session, and you’ll end up hearing about a unique experience or perspective that furthers your understanding. I highly encourage everyone to go speak (or even blog) once a year about stuff that interests them. It’s part of the security community’s overall belief that we share our discoveries to make the whole better.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  It all boils down to desire and how hard you are willing to work to put yourself in the right situations. In 2003, during Operation Iraqi Freedom, I was a mechanic in a CH-47 Chinook unit. All I wanted to do was be part of the flight crew. I looked at the group of professionals in the flight suits, and they seemed to have their stuff together. I knew that was the group I belonged with. During the deployment, the mechanics all worked at night, and the missions ran during the day. Almost every day, I would hang around after work and help prep the aircraft for the day’s missions. The prep work included cleaning windows, sweeping out the cabin, opening up all the cowlings—all the required work that honestly wasn’t a lot of fun. It showed the flight crews that I was serious and was willing to do my part to be a part of the team. From there, I got the chance to fly on some missions when there was a spot open for the day’s flight crew. When we got home, a few guys got out, and they were looking for the next generation of flight engineers. Luckily, my number got called, and I got to join the flight platoon. My commitment to my own job, but also the extra effort I put into expanding my role, helped set me apart. And it put me in the position to advance when the opportunity came about. High-performing teams are normally a little selective about who they invite to join the team. If you’re in the orbit of one of these teams, there are tons of ways that you can build the relationships that may get you a shot to join them.

  For me, success in getting hired and climbing the ranks really depends on two factors. The first factor is to figure out how to move beyond your work. What I mean is that managers hire people to help figure out how to solve problems or perform tasks. If you’re not working on these two fronts, and doing it in a way that allows the work to be scaled and automated, you may struggle to advance, since you can’t really move beyond your work. The second thing is adaptability. There’s a saying that comes from a great book: “What got you here won’t get you there.” The lesson is straightforward. To advance, you will have to adjust and adapt. This is the mark of someone who is capable of progressing. Not every organization looks at advancement like this (we’ve all seen the engineer promoted to management only to struggle), but it’s an important concept to grasp.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Curiosity. Maybe a little bit of a wild streak. Someone foolish enough to think they can when everything in front of them says they can’t.

  Being a self-starter and having the capability to teach yourself new tricks and techniques are vital skills. A lot of the work going on in tech, and especially cybersecurity, is innovating new ways to meet current and future challenges.

  I would also say compassion. Compassion because the things that we help protect people against can have direct and devastating effects on people’s lives. How we defend also matters. If you go into an enterprise and just start laying down the “cyber law,” you’re going to have a bad time. Compassion for how others work and what their goals are helps you craft an effective security posture rather than just the black-and-white security model.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  The gold standard these days has to be Mr. Robot. I think it’s a little heavy on some of the plot lines, but the hacking they do is dead-on. I knew from the first episode when Elliot was hacking into a guy’s social media account that this was a different model. The show portrayed how Elliot called the target, got him to respond to questions because of the urgency that his account was “under attack,” and, in doing so, gave Elliot information he needed to compromise other accounts.

  What is your favorite hacker movie?

  Hackers. The over-the-top antics and nods to counterculture endear it to me. A close second is WarGames. I love how the whole movie stems from a kid messing around war dialing and seeing what he can get into.

  Believe it or not, this was more realistic than most care to believe. Honorable mentions include Antitrust and Swordfish for me, although they aren’t nearly as good as Hackers or WarGames. Hack the Planet!

  What are your favorite books for motivation, personal development, or enjoyment?

 
