Tribe of Hackers
If there is one myth that you could debunk in cybersecurity, what would it be?
That it is possible to prevent breaches. Obviously, you need to protect yourself, but also make plans to detect issues and recover from them. There is no perfect security, and making perfection your goal results in a brittle security strategy.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
This depends on the organization. For smaller organizations, get the basics right via a managed IT services provider. Automate updates and patching, install antivirus and anti-malware, and back up your data. (Also, don’t forget to test your backups. You’ve tested your backups, right?) Unless you have a really nonstandard threat model, smaller organizations aren’t going to be able to do this in house, and it’s going to be cheaper and better to get it from an organization that specializes in IT outsourcing for smaller firms.
For larger organizations, use the crap you already bought. I see far too much shelfware in large organizations—software packages that either haven’t been installed or are being minimally used and network appliances that either aren’t installed or are in “logging” mode only. Instead of spending a bunch of money looking to purchase more stuff (that probably won’t be used either), focus on what you already have and try to maximize its value.
How is it that cybersecurity spending is increasing but breaches are still happening?
This is a dynamic space with human adversaries who are always evolving. If you look at the value of commerce that has moved online—and continues to move online—you’ll see that it is always increasing. As value moves online, that creates an incentive for criminals and other adversaries to move online as well. Most organizations have historically underinvested in cybersecurity spending, so that has left them with a lot of security debt that needs to be addressed to decrease future breaches.
That said, to me, the important thing is that the world still works. You flip the switch, and the lights come on. You can buy stuff with your credit card. Maybe your card number is compromised, but your bank sorts it out, and everyone goes about their business. Breaches are going to happen. Spend in a deliberate manner both to decrease the risk of future breaches and to maximize your agility and ability to respond to the breaches that will inevitably occur.
Do you need a college degree or certification to be a cybersecurity professional?
Well, I do have a college degree, so I’m speaking somewhat from a position of ignorance of all the challenges that someone without one might face. That said, I don’t think you need to have a college degree or any professional certifications in order to be a cybersecurity professional. They certainly help—especially if you want to move into management and executive roles—but there are so many free resources available and such a need for more people in the industry that I don’t see it as an absolute requirement to get started.
I’ve seen a lot of people get into systems administration work without degrees or certifications, and I’ve seen these people transition into pentesting and other roles in information security. In fact, some of the most effective security professionals I’ve met were so effective in part because they had a background where they used to have to keep systems working from a pure IT standpoint.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I’ve always been interested in how systems work and especially how they can be broken or made to do things they weren’t supposed to do. When I started my career as a programmer, I didn’t have security as a direct responsibility, but I would always keep an eye on the stuff that the guys at the L0pht were releasing—L0phtCrack, Back Orifice—thinking that they were doing really interesting work. I also remember keeping track of what the folks at NFR Security/Network Flight Recorder were doing. I had an interest, but it wasn’t part of my day job.
Fast-forward to a couple of years after Sheridan Chambers and I had started the Denim Group, originally doing custom software development. We got linked up with John Dickson, who essentially said, “I’m a former Air Force officer, and I have a traditional security-guy background. I think the interesting problems in security are going to be centered around software development going forward, and me and all the other traditional security folks don’t understand anything about that yet.” This led me to start looking at web application security—how do web applications fail, and how can they be made to fail in interesting and useful ways? What are common programming idioms that lead to poor security behaviors in web applications? From there, we built out our application-testing practice, and a big advantage we had was that we had experience building systems, so we could think about breaking systems in general. This helped us expand our practice to look at nonweb applications and more complicated systems.
After that, I started looking at how organizations develop software and how those practices lead to security issues in applications, as well as how those practices could be evolved and augmented to help organizations more reliably create secure software. Finally, from there, I started looking at how to make those changes scale across programs for large organizations. It’s been an exciting journey.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty is application and software security—working with organizations to help them create and maintain secure applications. I’m a software developer by background, so I have experience both writing software and working with teams of people who are writing and maintaining software.
If you want to be great at application security, I think you need to have a development background. Obviously, people with other backgrounds can contribute, but the biggest impact comes from those with experience working with teams developing large-scale software systems.
The Open Web Application Security Project (OWASP.org) is a great starting place for anyone interested in getting into application security. They have awareness documents like the OWASP Top 10 Security Risks as well as tools like OWASP ZAP that are free and available for people who want to learn more.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Getting hired:
Find a place where you’re a culture fit.
Do your research before the interview.
Climbing the corporate ladder:
Focus on solving problems.
Do what you say you’re going to do.
Keep learning.
Starting a company in cybersecurity:
Do something that your customers are truly going to value—not just something you’ve convinced yourself they’ll pay for.
What qualities do you believe all highly successful cybersecurity professionals share?
One key thing I’ve noticed is that highly successful folks focus on solving problems, not just pointing them out. That’s a common mistake—especially among too many folks in the attack-side crowd. “Look at how stupid this company is—they have all these vulnerabilities” isn’t a super-helpful attitude. “I found these issues. Let’s talk about how they came about and how you might fix them” is a helpful attitude. Decisions that impact security get made for a variety of reasons. Default-assuming that someone did something because they’re dumb is usually wrong, and further investigation will reveal that there was a perfectly logical set of steps that led up to the outcome. The outcome might not be ideal from a security standpoint, but at least there are reasons.
“Highly successful folks focus on solving problems, not just pointing them out.”
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Cuckoo’s Egg.
What is your favorite hacker movie?
Sneakers.
What are your favorite books for motivation, personal development, or enjoyment?
Rogue Warrior by Richard Marcinko and Zen and the Art of Motorcycle Maintenance by Robert M. Pirsig.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
For the consumer-based Internet of Things, take at least a quick look at the default settings to look for stuff that you might want to lock down, and make sure everything is set to automatically patch and update itself.
For social media, take a quick look at the default settings to look for stuff that you might want to lock down, and watch what you post.
Basically, just take a moment to think about what you’re doing and you’ll probably have better outcomes.
What is a life hack that you’d like to share?
Wake up early to work out because it gives you a great head start on the day. Four days a week, I get up at 4:45 a.m. and start lifting weights by 5:30. Nobody who has the authority to mess up my day is willing to wake up that early to do it, so this gives me great consistency, which is key for making progress. If you have the physical aspects of your life in line—diet and exercise—it makes the mental aspects far better, and other stuff just tends to fall in line.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I sold my first company in September 1999, and we negotiated a deal that left us completely trapped and totally unprotected against the dot-com crash in 2000. I went from being “retired” at age 23 to needing a job at 24. I recovered from this by starting the Denim Group in 2001.
Or maybe my biggest mistake was that time I typed rm -fr * in the root directory of our main server—and we didn’t have backups. I recovered from that by apologizing to a lot of people and manually recovering a whole bunch of data. The lesson? Back up your stuff, and make sure you can restore it! ■
16
Kim Crawley
“This is purely anecdotal, but I would say more than half of the cyber threats that corporations face involve social engineering at some level or another.”
Twitter: @kim_crawley • Websites: threatvector.cylance.com/en_us/contributors/kim-crawley and www.linkedin.com/in/kimcrawley
Kim Crawley is a regular contributor to the corporate blogs for Tripwire, Cylance, Venafi, AlienVault, and Comodo. She has previously written for Sophos’s Naked Security and CSO and has also appeared in 2600 Magazine. She loves JRPGs, black clothing, Swedish Fish candy, her weird boyfriend, and her equally weird platonic friends. Sometimes while researching cybersecurity topics, she can go through three cans of Red Bull in one sitting.
If there is one myth that you could debunk in cybersecurity, what would it be?
That it’s all highly esoterically technical. Computer programming code and quantum computer science definitely pertain to cybersecurity. But I’m someone with the mind of a sociologist, so I’m really happy to write about topics like social engineering, scams, and cyberattacks that involve deceiving human beings. Or how effective UI design can help users use their software in a more secure way. Both of those areas have a lot to do with psychology and very little, if anything, to do with cryptographic mathematics, you know?
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
That’s an excellent question! This is purely anecdotal, but I would say more than half of the cyber threats that corporations face involve social engineering at some level or another. It would be a great idea to train all of an organization’s employees and contractors on how to spot and avoid social engineering attacks. That includes not only email, social networking, and phishing websites, but also social engineering attempts that could be made in person or through a phone call. Train your employees on how to avoid social engineering at least twice a year. That’d be the absolute best bang-for-the-buck of anything you could do.
How is it that cybersecurity spending is increasing but breaches are still happening?
I think more and more of our data is online than ever before. I’m not just talking 2018 versus 1998—even in the past few years, the amount of our online data has exploded. That’s largely due to the growth in the popularity of third-party cloud services like AWS, Google Cloud, and Microsoft Azure. Then, on the consumer end, a lot of us use a few online accounts to authenticate into dozens or even hundreds of online services and apps through vectors like OAuth. I’m as guilty of that as anyone else. So, if my Google account or my Twitter account was breached, it would spell doom for me. The way we, both as individuals and as enterprises, use data through the internet has gotten exponentially more complicated. So, securing our organizations and our lives is inevitably much more complicated too. The added complexity and volume of data have made security more expensive and the attack surface much larger.
So, that’s how more money spent doesn’t eliminate breaches. Absolutely nothing is completely secure anyway; it’s all a matter of risk assessment and mitigation.
Do you need a college degree or certification to be a cybersecurity professional?
I’m living proof that the answer is no! I got my GED when I was 25. I’ve had a few CompTIA, Cisco, and EC-Council certifications over the years, all of which I self-studied for, and pretty much all of which have since expired. Now mind you, the nature of my job is highly unusual. I study cybersecurity in general, I contribute to the official blogs of several vendors, and I write for computer technology magazines. The majority of people who do what I do have a day job as some sort of technology practitioner. I haven’t had a hands-on IT role since I was laid off from my last tech support job in 2011. I work completely in words and theory. Now, if you want to know if it’s possible to be a network administrator or malware researcher without formal credentials, you’d have to ask them. I not-so-secretly envy people who have university degrees in computer science. But, I’ve managed to become someone who’s considered knowledgeable without massive, crushing student debt.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I’ve been fascinated by computers for as long as I can remember. In 1988, 4-year-old me was intrigued by my older half-brother’s Commodore 64, an impressive toy for its time. He wouldn’t let me touch it, and I was very sad. In 1993, the Crawley household got its very first Windows PC. They were often called IBM compatibles back then. Ours ran an OEM version of brand-spanking-new Windows 3.1. Dad let me play with it when he wasn’t doing his work as a novelist. I became adequately adept to provide him with tech support, such as LPT1 issues. By 1995, we had internet access through a Prodigy Online trial offered with our 9600bps modem. I used IRC and Mosaic a lot. After Mosaic, I moved on to Netscape Navigator, and so on, and I watched the Web rapidly evolve from there.
So, I’ve been online since I was 11. But back then it was unusual to have internet access at home, so I got a head start. I was interested in computing, but I didn’t see myself with a related career of any sort. I started to struggle with math, and my teacher told me that I had to be a math whiz to work with computers. I think she thought all computing jobs were like cryptographer roles or programming in assembly. She also probably thought that she was encouraging my math to improve rather than discouraging me from IT and computer science. She was wrong. I didn’t start studying IT properly until I was 25 because I was so discouraged by sexism and my nonverbal learning disorder. To make a long story short, I became a tech support agent. I got loads of malware-related tickets, and my curiosity about security grew from there. I was working on a Toronto Star political journalism project. One of my colleagues had connections with a cybersecurity blog and highly recommended me. That was back in 2010. Once my foot was in the door, I had tech magazines and vendors asking me to work for them. I’ve been very fortunate, and I’ll never forget the people who helped me along the way. I think my career is my career for life now.
“I’ve been very fortunate, and I’ll never forget the people who helped me along the way. I think my career is my career for life now.”
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My job makes me be a generalist in cybersecurity, because the more topics that I can research and write about, the more work I can get, and I’m paid purely for the work that I produce—no wages, no salaries. As a practitioner, you’ll probably have to specialize a lot more because being a jack-of-all-trades means you’re a master of none. I still have favorite areas, though. Social engineering fascinates me, as does malware in general. Whenever I write about trojans, I get to luxuriate in both! And I just wrote about Fortnite Android trojans for Comodo’s corporate blog, so I got to write about video games as well. It was pure bliss.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Unfortunately, capitalism has made the job market a harsh, cold, dog-eat-dog world. There’s nothing you can do to guarantee success; there are only things you can do to improve your odds. People are susceptible to making hiring decisions based on social bullshit. So, network a lot, and be nice to everyone even if you have to fake it. Find events and groups where people in your industry are, both online and offline. This pertains to starting your own cybersecurity firm as well because you’ll need investors, clientele, and word of mouth.
What qualities do you believe all highly successful cybersecurity professionals share?
Curiosity, most definitely. You can’t learn anything effectively without it. You also need the right mind-set, a very paranoid mind-set. How can people use this technology to do bad stuff?
What is the best book or movie that can be used to illustrate cybersecurity challenges?