I concede that many security offices don’t have the technical expertise to provide technical cybersecurity, but resources should be redirected and security personnel educated and trained.
How is it that cybersecurity spending is increasing but breaches are still happening?
Breaches continue to occur despite the spending on cybersecurity due to greed. In today’s market, you have to be first with new innovations and products to be successful. Build that new widget or app to help productivity and efficiency. Unfortunately, to build security into the product and completely test that widget before it’s put into the marketplace would be costly; plus it would take much longer, giving your competitor the advantage. They will be first in the marketplace and thus able to charge a cheaper price. Most companies let the public beta test their products for them. Consumers pay for the product and then have to perform the beta testing for the company. Unfortunately, consumers are not yet sophisticated enough to demand security in their products up front.
Do you need a college degree or certification to be a cybersecurity professional?
You don’t need a college degree to be a cybersecurity professional, but it helps. Many military cybersecurity professionals go to tech schools to learn their trade and are far more competent than folks right out of college. But even the military is emphasizing degrees and certifications now. You can still get a good-paying cybersecurity position with a technical school certificate and practical work experience.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
Well, I’m really in the cybersecurity field by default. I was first a systems administrator in the military and then a programmer analyst before becoming a cybercrime investigator. Cybercrime investigators were called in when cybersecurity failed and there was a compromise or an intrusion. You learn a lot about cybersecurity as you investigate what worked and what didn’t and what allowed the crime to occur in the first place—as well as the tactics, tools, and procedures (TTPs) used by the bad guys to exploit the system—and also the TTPs that failed for the owner of the compromised system.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My expertise was in cyber investigations and digital forensics. These are not cybersecurity disciplines but are critical to cybersecurity. The cybercrime investigative and digital forensics disciplines are extremely undermanned. This is a great opportunity for readers. There are more than 18,000 different law enforcement agencies in the United States alone. Every city, county, state, campus, tribe, and federal agency has multiple law enforcement agencies. There definitely aren’t 18,000 cyber cops and digital forensics examiners in the whole world. That means every agency may not even have a capability at all. Especially at the state and local law enforcement levels, there is a dire need for this capability.
In today’s world, digital forensics is not limited to law enforcement. Companies and organizations also require a digital forensics capacity and expertise to conduct internal investigations that they don’t want to go public or for investigations that don’t reach the threshold for a federal law enforcement agency to even take an interest. State and local law enforcement organizations don’t have the capability to help at all, leaving companies and individuals on their own.
Colleges and universities have finally started to create courses in digital forensics, but not many criminal justice programs have cybercrime investigations as more than a footnote yet. Great opportunities in cyber investigations and digital forensics abound.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Progression in life isn’t necessarily linear. It’s more like a spring. Sometimes you have to go backward or laterally to be in a position to move forward. In my career, I always looked at every promotion as my last promotion. That gives you a sense of freedom. I could then make decisions and operate with that sense of freedom to do what I thought was right, no matter what my bosses thought. Always do the right thing—what’s right for the country, not what will get you promoted. Don’t be a political yes man. Smart bosses may not like you, but they will respect you. The others will look foolish in the long run.
What qualities do you believe all highly successful cybersecurity professionals share?
The qualities successful cybersecurity professionals share are a deep technical knowledge, continued education and training (because it’s a moving target), and a tenacious attitude. You must also be an educator. You must enlighten your co-workers, friends, and customers about the growing and ever-changing threat—and do it in English that a non-geek can understand. You can’t just be a geek. You have to be able to communicate in a manner that everyone can understand. Educate, communicate, and never give up.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I’m a bit prejudiced about the best book and movie involving cybersecurity challenges. My first case as a cybercrime investigator was presented in Dr. Cliff Stoll’s The Cuckoo’s Egg from back in 1986. This was the bible for cybersecurity professionals in the ’80s and ’90s. It’s the true and accurate account of how the Soviet Union hired five West German hackers to break into Department of Defense computers for two to three years. All still relevant today.
What is your favorite hacker movie?
The best movie for me was Live Free or Die Hard with Bruce Willis, because the writer, David Marconi, asked me to develop and write the infrastructure attacks used by Gabriel to wreak havoc on the critical infrastructure of the United States. The Smithsonian Channel also did documentaries on the real stories behind hit movies like Saving Private Ryan, Braveheart, and Live Free or Die Hard. A British film crew spent a day in my office going over the different infrastructure attacks and whether they could actually occur. The bottom line was that Hollywood made it look much easier than it would be. Each separate attack was possible, but the magnitude and the coordination and speed at which they happened would have been extremely difficult to pull off.
What are your favorite books for motivation or enjoyment?
Motivation: The Cuckoo’s Egg by Cliff Stoll
Enjoyment: By Force of Patriots by Cameron Reddy
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Like TV judge Marilyn Milian from The People’s Court always says, “Say it, forget it; write it and regret it.” The internet and social media are like your wife. She never forgets!
What is a life hack that you’d like to share?
I spent most of my career in and around the traffic jams of Washington, DC, and Baltimore, MD. The best life hack is to always stay in the lane that is blocked. All the way up to the point where the two lanes finally have to merge. People always bail out of the blocked lane, which allows you to move up faster. Americans are polite and will almost always alternate, letting cars merge at that final point where the two lanes merge. Stay in the blocked lane; you’ll get through much quicker.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I’ve made so many mistakes in my life that I surely can’t remember them all. But recovering from them is a different story. First, you have to recognize and acknowledge your mistake and then apologize for it. Own it. Contrition is key. Real contrition, not just providing lip service. If you need to repair the situation, do it. The sooner the better. You have to have a short memory sometimes, like a Major League pitcher who just gave up a 450-foot home run. Apologize, learn from your mistake, and do better on the next play. ■
14
Ian Coldwater
“What hackers do isn’t magic; it’s logic, and it can be taught and learned from.”
Twitter: @IanColdwater
Ian Coldwater is a DevSecOps engineer turned red teamer who specializes in containers and cloud infrastructure. She has spoken about Kubernetes security at conferences including DerbyCon, O’Reilly Velocity, and SANS SecDevOps Summit. In her spare time, she likes to go on cross-country road trips, participate in capture-the-flag competitions, and eat a lot of pie.
If there is one myth that you could debunk in cybersecurity, what would it be?
People think hackers are wizards, and we don’t do a lot to debunk that. I like shiny zero-days as much as the next hacker, but the dull truth is that most cybersecurity breaches stem from far less sexy causes, such as misconfigurations, logic failures, and defaults that never got changed.
It’s not as much fun to talk about the basics over and over, but scaring people doesn’t help them fix problems. What hackers do isn’t magic; it’s logic, and it can be taught and learned from.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
I think one of the biggest bang-for-the-buck actions an organization can undertake is to threat model well. Organizations that know what they’re trying to protect and whom they’re trying to protect it from are more likely to think strategically about their cybersecurity posture and be able to make better decisions from there.
Without a threat model, organizations can’t build an appropriate security road map. They might throw resources at problems they won’t realistically face, while failing to deal with issues that could actually impact the assets they care about.
How is it that cybersecurity spending is increasing but breaches are still happening?
Cybersecurity spending may be increasing, but the base problems causing breaches remain. On the technical end, everything is broken. Everyone who has ever worked as a programmer has horror stories about their code base. The internet is held together with popsicle sticks and Elmer’s Glue, patched with duct tape for good measure.
On the human end, most people mean well, but they’re tired, on deadline, and wanting to get on with their days. Humans tend to be imperfect, complicated, and prone to error. Combine this with the state of technology today, and disaster is bound to happen somewhere.
No amount of money spent on vendor solutions and blinky lights is going to fix these issues. They’re systemic and probably not entirely solvable. To the extent that these problems can be solved, they’re going to require people getting together to radically rethink the way we do things and doing them differently from the ground up.
Do you need a college degree or certification to be a cybersecurity professional?
I sure hope not, because I don’t have one! I do think you need to understand how things work to be a cybersecurity professional, but there are lots of ways to get to that point. Formal education is certainly one way, but self-teaching and on-the-job experience can also help give you the knowledge you need. The InfoSec community is helpful, and there are a ton of free resources for motivated people to learn from. You don’t need to spend thousands of dollars on tuition and textbooks for that.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started hacking when I was 11. I was kind of a bad kid who had always liked computers but never liked rules. When I found out that you could do interesting things with computers that could break rules, I knew that was exactly what I wanted to do with my life.
I took a fairly circuitous path to get there. I dropped out of high school, had kids very young, and spent most of my adult life raising my family in poverty, making it work by a combination of resourcefulness, hustle, and sheer force of will. I never did lose my love for computers, and when the kids got older I dedicated myself to getting a career in tech. I started out in web development, moved into DevOps from there, and combined that with my interest in security to do what I do now.
I would advise beginners who are interested in pursuing a career in cybersecurity to first figure out exactly what they want to do. It’s a broad field with a lot of choices, a lot of acronyms, and a lot going on. Once you figure that out, go play! There’s so much to do and learn. Getting a Twitter account and following people you admire in your chosen discipline probably doesn’t hurt either; a lot of them will post resources, and you can learn from them too.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I specialize in DevSecOps, specifically cloud, container, and Kubernetes security. There’s an order of operations for gaining expertise in this stuff. If you’re interested in DevSecOps as a cultural concept, I recommend reading about DevOps principles first and then moving on to DevSecOps from there. If you’re interested in container security, I recommend learning about Linux administration in general, then learning about containers (they aren’t tiny virtual machines!), and then learning container orchestration frameworks like Kubernetes after that. It’s helpful to know what a container is and what you might want to use one for to be able to understand the process of orchestrating a lot of them, and it’s helpful to know how all the moving parts work in order to be able to secure the whole thing well.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Network like crazy. Get involved in the community, and make sure to give back. Going to meetups and cons is great, but organizing and volunteering are better. You’ll meet good people that way, and if you’re friendly, dedicated, and willing to put in the work, people will notice. It may not happen right away, but over time, you’ll more than get out what you put in.
Never stop learning, and show people what you know! This can look like speaking or writing, teaching or mentoring, creating or sharing tools or resources. You don’t need to be an expert to do these things. Every single one of us has something to teach and something to learn.
“This isn’t an industry where you can coast, but it is one in which there’s a lot of good to be done. Being a part of that will do good things for both you and others.”
Basically, demonstrate that you care and go above and beyond. This isn’t an industry where you can coast, but it is one in which there’s a lot of good to be done. Being part of that will do good things for both you and others.
What qualities do you believe all highly successful cybersecurity professionals share?
Curiosity, a high frustration tolerance, and a refusal to give up when things are hard. A healthy dash of paranoia probably doesn’t hurt either.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Cuckoo’s Egg was written in 1989, but it holds up amazingly well with time.
What is your favorite hacker movie?
It’s cliché to say, but Hackers stands out, both for the relatively accurate depiction of hacker culture by Hollywood standards and for its characters’ amazing fashion choices.
What are your favorite books for motivation, personal development, or enjoyment?
How to Win Friends and Influence People isn’t just for social engineers! The writing may be old-fashioned, but the advice it contains is timeless, and putting it into practice will enrich both your personal and professional lives.
I also really enjoy magical realist fiction because there’s so much beauty in the world, and thinking about it in new ways can help you see what’s in front of you.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Be careful what you post on social media, especially on public accounts. Small, seemingly innocuous pieces of information can be put together to paint much larger pictures than you might think. What you put online is out there forever, and not everyone is as friendly as you may be. Being thoughtful can make a real difference in protecting yourself and your loved ones from potential attackers.
“Be careful what you post on social media, especially on public accounts. Small, seemingly innocuous pieces of information can be put together to paint much larger pictures than you might think.”
What is a life hack that you’d like to share?
If you want something to happen, you don’t need to wait for permission. Amazing things can be accomplished by determined people in small groups. Get a few friends together and go make it happen.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I’ve done a lot of things with my life that I think people would consider mistakes. I’ve lived my script out of order, had kids too young, dropped out of school, became homeless, went on welfare. When I was younger, I used to tell people I made a good cautionary tale.
But I also think I’ve made a damn good tale of resilience. I’ve worked my ass off to get where I am today, and I’ve brought those experiences with me, using everything that they’ve taught me. I wouldn’t be who or where I am without them, and I’m grateful for that.
“Girls like me weren’t supposed to make it, and I’m glad that I can show people that it can be done.”
Girls like me weren’t supposed to make it, and I’m glad that I can show people that it can be done. If you’ve ever worried that it’s too late or that you’re too weird or that you don’t belong…I promise, it’s not, you aren’t, and you do. ■
15
Dan Cornell
“There is no perfect security, and making perfection your goal results in a brittle security strategy.”
Twitter: @danielcornell • Website: denimgroup.com/resources/blog/author/dancornell
A globally recognized application security expert, Dan Cornell has more than 15 years of experience architecting, developing, and securing web-based software systems. As chief technology officer and principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
Tribe of Hackers Page 9