Tribe of Hackers
Page 4
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I guess my specialty now is building security programs and security teams for companies that lack one or the other (or both). In the past, it’s been either TVM or AppSec, depending on the company, and I did a bit of game security for online games—which it turned out I was good at.
So, getting into security management has been interesting. It’s a whole new ball game; you start to realize that all of our issues in security are people problems. Tech isn’t hard, process isn’t hard; we can do those. It’s people that are difficult.
So, learn how to deal with people. Learn what makes the people around you tick, what motivates them, what is important to them. In security leadership, you will be negotiating with either your team, your peers, or your leadership over a great many things. You have to learn to balance the technical stewardship of “securing all the things” with understanding the motivations and drivers of the business, and you have to figure out how to get everyone to take ownership of the security of their products and systems. It’s a constant cycle of negotiation and influencing others, often without being in the right place in the organization or having the right resources. So pay attention to the people around you, above you, and below you.
“Tech isn’t hard, process isn’t hard; we can do those. It’s people that are difficult.”
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Be passionate about security and learn everything. Listen to others around you and get invested in what your company does. Understand the business side deeply, and learn how to express security concepts in ways businesspeople understand. It can be hard to translate some things, but businesspeople understand risk, just often not cybersecurity risk. At the end of the day, though, if you can articulate risk in terms of impact to things that are important for the business, you are most of the way toward getting them to understand your world.
What qualities do you believe all highly successful cybersecurity professionals share?
Passion. Curiosity. An ability to learn. A solid grasp of the foundations of technology. That last one is hard for some people, but if you have it, adopting new things is not as difficult because, under the covers, things in the digital world—just like those in the physical world—have a set of “laws” that need to operate in a certain way. And if you can understand those laws, you can understand how new things relate to existing things and then adapt your process and thoughts to new things.
“Be passionate about security and learn everything. Listen to others around you and get invested in what your company does. Understand the business side deeply, and learn how to express security concepts in ways businesspeople understand.”
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Probably The Phoenix Project, but I’m not that security guy. The security guy in the book learns and changes a great deal, adapting to do better at supporting his business.
What is your favorite hacker movie?
The original TRON or WarGames. I’m an ’80s/’90s child.
What are your favorite books for motivation, personal development, or enjoyment?
Ready Player One is awesome. I also reread the entire David Eddings series every year (all 16 books of all four series). For personal development, I highly recommend The Subtle Art of Not Giving a Fuck, because, in our line of work, accepting too much blame/responsibility causes lots of stress, and that leads to being sick.
“Use a password manager, patch your devices, and run some kind of basic antivirus—either what the OS has or something you and others trust. In this day and age, if you want to have the benefits of our connected lifestyle, you are going to have to give up some of your information and privacy.”
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Use a password manager, patch your devices, and run some kind of basic antivirus—either what the OS has or something you and others trust. In this day and age, if you want to have the benefits of our connected lifestyle, you are going to have to give up some of your information and privacy. That is the currency of “free things.” Just make sure you know what, and how much, these free things cost you. ■
5
Cheryl Biswas
“Attackers are the problem—as are ignorance, complacency, and convenience. Hackers are problem-solvers, troubleshooters, and among the best people I know.”
Twitter: @3ncr1pt3d • Websites: whitehatcheryl.wordpress.com and www.linkedin.com/in/cherylbiswas
Cheryl Biswas loves being a threat intel analyst with TD Bank in Canada and assessing threat actors, vulnerabilities, and exploits. She is a political science graduate, is ITIL certified, and took the long way to InfoSec. She actively shares her passion for security online as a speaker, volunteers at conferences, and champions diversity as a founding member of The Diana Initiative.
If there is one myth that you could debunk in cybersecurity, what would it be?
That hackers are the “bad guys.” Attackers are the problem—as are ignorance, complacency, and convenience. Hackers are problem-solvers, troubleshooters, and among the best people I know. Their curiosity and determination have often been misunderstood, fabricating a detrimental stereotype. In this community of learning and mentoring, hackers share what they know and encourage others to try, creating a welcoming space for many people who don’t feel they belong anywhere. They dare to probe and poke holes in digital frameworks, to ask the questions big corporations want ignored, and to uncover the truth about how secure we really are.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Asset management. Do you know what you have, what you value most and why, and where it is right now? You can’t protect it if you can’t find it. Likewise, you can’t secure what you don’t know, and as BYOD has become commonplace, infection by ignorance should not become an unavoidable risk.
How is it that cybersecurity spending is increasing but breaches are still happening?
There are so many more devices that connect. And there is so much data already out there to be reused by criminals for fraud. It’s a numbers game, and we are on the losing side. No shiny, blinking boxes are going to protect us from an army of SOHO routers with default passwords that get co-opted into massive botnets. AI can’t help us authenticate against the voluminous growth of stolen credentials available from dumps and on the dark web.
Do you need a college degree or certification to be a cybersecurity professional?
I will say no, especially since I do not have a degree in technology or a cybersecurity certification at this time. Rather, my degree in political science has been useful because I do threat intel, and understanding international relations is a key component.
What really matters is a passion for your field, a curiosity that drives you to learn, and the commitment to continue to learn and grow as technology and threats do. Can you communicate effectively, ask questions to get the answers you seek, and collaborate with others to build effective solutions? Because that’s what’s important.
“What really matters is a passion for your field, a curiosity that drives you to learn, and the commitment to continue to learn and grow as technology and threats do.”
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I had returned to work after being away raising my kids for 10 years. I took what I could get—an admin role with a small managed services firm. I remember reading the Kaspersky newsletter, learning about Stuxnet, and falling in love. When I was given the Twitter account to manage, I fell down a rabbit hole of wonder and learning, and I’ve never left. I read everything, followed links to learn more, and met people who sincerely encouraged my interest and shared their experience. Eventually, I began submitting talks to conferences, writing blog posts, and developing the security role where I worked. A friend asked me for my résumé, and I was hired at a large company in an actual security role. My advice: follow your passion and do not let others tell you what you can’t do.
Listen, learn, and find ways to build your opportunities through writing, volunteering, or speaking.
“I am fascinated by how nations interact, what lengths they are willing to go to in order to further their agendas, and how tensions influence economies and our daily lives.”
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty is threat intelligence. I am fascinated by how nations interact, what lengths they are willing to go to in order to further their agendas, and how tensions influence economies and our daily lives. Sunday morning news shows and a pot of coffee are my weekend treat. But threat intelligence is so much more, and I have made a consistent effort to read and learn all I can from experts in our community who share their knowledge and insight. Start by reading. Twitter is a wealth of information with wonderful threads and blogs. Google what you are interested in and see where it takes you. Ask people who do what you are interested in to tell you about it and how they got there. Find something, research it, and then share a blog post or white paper or give a talk; these are all great starting points.
“My specialty is threat intelligence. I am fascinated by how nations interact, what lengths they are willing to go to in order to further their agendas, and how tensions influence economies and our daily lives.”
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Learn from everyone, be humble, and listen with your mouth closed. Have projects to show how you are learning on your own and what you can do: blogs, conferences, mentoring, writing, your own labs, makerspaces, building badges. Confidence is important, so believe in yourself and that you have a contribution to make, because you will be told “no,” and that is hard to hear. Don’t let that stop you. Believe in your passion and the abilities that led you here, because there are not a lot of people who do what we do.
“Confidence is important, so believe in yourself and that you have a contribution to make, because you will be told ‘no,’ and that is hard to hear.”
As your career progresses, treat everyone with respect. Always take the time to say thank you and to remember what someone may have done for you. You’ll be glad you did.
What qualities do you believe all highly successful cybersecurity professionals share?
The qualities I’ve seen consistently are curiosity, passion, focus, drive, and determination. These people are also respectful of others, willing to share what they know, and able to communicate what they know and need. They give back and help build the community.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I really liked The Cuckoo’s Egg by Clifford Stoll. It’s an engaging mystery that introduces many security basics as the tale unfolds. You’re drawn into the “everyman” vantage point. I devoured Countdown to Zero Day by Kim Zetter. This is the story of Stuxnet, but it reads like a political thriller, presenting countless twists, the lengths to which nation-states will go for control against the backdrop of nuclear weapons. I still reread certain parts.
What is your favorite hacker movie?
Sneakers! It was so ahead of its time, with a terrific cast.
What are your favorite books for motivation, personal development, or enjoyment?
Women in Tech by Tarah Wheeler and all—to be inspired and encouraged by wonderful role models. Defensive Security Handbook by Amanda Berlin and Lee Brotherston because a great defensive stance is key. Tom Clancy and Michael Crichton novels (Jurassic Park mixed dinos with computers!).
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Check and change your default sign-ons. Do not feel obligated to have everything connected. Free Wi-Fi comes with hidden costs, so use a VPN. Use Malwarebytes and an antivirus on your personal computer to guard against online threats.
“Do not feel obligated to have everything connected. Free Wi-Fi comes with hidden costs, so use a VPN.”
What is a life hack that you’d like to share?
Smile. It makes you feel better when you do, and it helps people feel welcome and at ease. A smile opens doors and opportunities. It’s something that is uniquely ours to give, a simple act that has great meaning. We don’t always feel like smiling, but that can be when you need to do it most to create a “mind over matter” moment.
“One of my biggest mistakes was believing I was not capable of learning math or computer science when somebody important told me I was not good enough.”
What is the biggest mistake you’ve ever made, and how did you recover from it?
One of my biggest mistakes was believing I was not capable of learning math or computer science when somebody important told me I was not good enough. I was struggling because I learned differently than everyone else. So, I focused on my strengths: communications and arts. Thankfully, that changed when I was working as an admin/receptionist, and I happily volunteered to take apart and upgrade my boss’s computer because that was way more interesting. I also learned all the new software, the database package, all the challenging tech stuff that scared people off. Plus, I taught the people who were afraid of tech how to do stuff and helped them feel confident to do more. That led to a backdoor into a terrific help-desk role. I use this lesson to help people every chance I get. ■
6
Keirsten Brager
“Whatever work was not being done, I always viewed that as opportunities, regardless of role or title.”
Twitter: @KeirstenBrager • Website: www.keirstenbrager.tech
Keirsten Brager is a lead security engineer at a Fortune 500 power utility company and was recently named one of Dark Reading’s “Top Women in Security Quietly Changing the Game.” She is also the author of Secure the InfoSec Bag: Six-Figure Career Guide for Women in Security. She produced this guide to empower women with the strategies needed to maximize their earning potential. Keirsten holds an MS in cybersecurity from UMUC and several industry certifications, including Splunk, CISSP, CASP, and Security+. As an active member of the Houston security community, she has participated in a number of panels and public speaking engagements, promoting strategies for success. In her free time, she loves sharing career advice on her blog, cooking New Orleans food, and convincing women not to quit the industry.
If there is one myth that you could debunk in cybersecurity, what would it be?
The biggest myth is that we are one technical solution away from solving all of the industry’s problems.
Every year, vendors are touting next-generation shiny objects that will automate all the things, reduce head count, and keep the hackers at bay. Meanwhile, organizations are understaffed with partially implemented tools while investors cash out and go on to the next hot technology. Brian Krebs reports the next breach; we all Kanye shrug. It’s a vicious cycle.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Empower the sysadmin to implement the secure configuration settings available natively via GPO settings, especially around administrative privileges. This limits the actions authorized or unauthorized users can take without additional tools or costs to the business.
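As an added illustration of the point above (this is editorial example code, not part of the book or the interviewee's own material), the following PowerShell audits a handful of native, GPO-deliverable settings around administrative privileges on a Windows host: local Administrators group membership and the UAC-related values under the Policies\System registry key. It assumes Windows 10 / Server 2016 or later in an elevated PowerShell 5.1+ session; the `$expectedAdmins` list is an assumption you would replace with the accounts and groups your estate actually sanctions.

```powershell
# Added example (not from the book): report privilege-related settings that a
# sysadmin can enforce natively through Group Policy, without extra tooling.
# Assumptions: Windows 10 / Server 2016+, elevated PowerShell 5.1 or later.

$findings = @()

# 1. Local Administrators membership. Anything outside the sanctioned list
#    is a question for the sysadmin. (List below is an assumption; adjust it.)
$expectedAdmins = @('Administrator', 'Domain Admins')
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($member in $admins) {
    $shortName = ($member.Name -split '\\')[-1]
    if ($expectedAdmins -notcontains $shortName) {
        $findings += "Unexpected local admin: $($member.Name) ($($member.ObjectClass))"
    }
}

# 2. UAC values written by GPO under Computer Configuration > Windows Settings >
#    Security Settings > Local Policies > Security Options.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey

# EnableLUA = 1 means "Run all administrators in Admin Approval Mode".
if ($policy.EnableLUA -ne 1) {
    $findings += "UAC disabled (EnableLUA=$($policy.EnableLUA))"
}

# ConsentPromptBehaviorAdmin = 0 elevates administrators without any prompt.
if ($policy.ConsentPromptBehaviorAdmin -eq 0) {
    $findings += "Administrators elevate silently (ConsentPromptBehaviorAdmin=0)"
}

# LocalAccountTokenFilterPolicy = 1 gives local admin accounts a full token over
# the network, which is exactly what reused local credentials need for lateral movement.
if ($policy.LocalAccountTokenFilterPolicy -eq 1) {
    $findings += "Remote UAC token filtering disabled (LocalAccountTokenFilterPolicy=1)"
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings }
```

Each finding maps to a setting that can be corrected centrally by GPO rather than per host, which is the "no additional tools or cost" point of the answer above; the script only reports, it does not change anything.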
How is it that cybersecurity spending is increasing but breaches are still happening?
Is the spending increasing? Or are we witnessing companies that never (or barely) invested in security finally allocating money for this function? That’s a conversation no one wants to have.
Many companies are operating in deep technical debt, running legacy applications and systems that cannot be secured. The need to appease stock analysts and shareholders has historically influenced decisions around product time to market, using cheap foreign labor for development, and running “lean” IT shops. As a result, security is an afterthought or not a thought at all. The retail industry is notorious for this.
Moreover, when companies do get money to invest, they want to skip the basics and either go for the shiny toys or perform “reduce the scope to check the compliance box” security programs. All of this leads to gaps in posture. Therefore, the people, process, and technology fail…leading to continued breaches.
Do you need a college degree or certification to be a cybersecurity professional?
There are many people who found success in the industry without degrees or certifications. However, I encourage people, especially members of minority groups, to pursue credentials as a way to open doors to leadership opportunities and multiple sources of income in this industry. Do not disqualify yourself or give anyone an excuse not to give you more money and power.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I did the work no one else would do. Technical people tend to like tools, but they do not always like creating/maintaining documentation, interacting with auditors, and working in cross-functional capacities that involve dealing with people. I happen to be technical and a people person, so I took on projects that required both.