Tribe of Hackers
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Signs around the office that stress proper OPSEC/baseline security awareness for employees. Hanging up a poster on the ramifications of clicking a phishing link, not backing up their data, or even allowing someone to piggyback their way into a restricted area. This allows individuals to remind themselves of these issues every day. At a past internship of mine, I noticed that when many of these posters contained simple messaging, such as “Trust but verify,” even employees quoting the poster in jest became far more mindful about clicking phishing links. Super simple, really cheap, and pretty effective.
How is it that cybersecurity spending is increasing but breaches are still happening?
Legacy systems, unpatched systems, and human error. Unless money is being spent on good training or system updates, no amount of cybersecurity spending can fix an unpatched system running Windows XP or an easily guessable password. For attackers, there are free tools available for download in multiple places on the internet that exploit both of these issues. (There’s even an entire operating system that comes with these tools for free—Kali Linux.)
Do you need a college degree or certification to be a cybersecurity professional?
This really depends on the work environment, who the hiring managers are, and what type of work the organization does. When I worked at a federally funded R&D center, I was reading PhD-level papers to apply certain concepts to projects and (personally) would not have been able to do so without my college degree. While working there, I was told by a women’s mentoring group that not only did I need a college degree but I needed to have one more degree than most men to be taken seriously. I believe this is an extreme perspective—and is not necessarily an accurate representation of most cybersecurity roles—but it’s important to know that it does exist. This is especially relevant if you’re hoping to work for a government organization.
In contrast, the startup I work at currently has individuals from incredibly varied backgrounds, and my education often does not directly impact my ability to get a project done. I firmly believe that college degrees and certifications display a conventional knowledge of the field that may not be necessary if you can prove your expertise in other ways (jobs, projects, etc.). Degrees and certifications are an easy thing to point to when someone doubts your credentials (and this is likely to happen, especially if you’re a woman), but it’s nearly impossible to beat the real-life training that you get through experience.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I was studying international relations when I took an “Introduction to Computer Science” class. As I explored the intersection of these two fields, I realized that cyber-threat intelligence was a natural fit. I found state-sponsored cyber campaigns fascinating, and I enjoyed explaining technical concepts to nontechnical people—and it felt like I was making a positive impact. However, before finding this niche, I spent a good chunk of my college career figuring out paths in cybersecurity that I didn’t want to take. I had some technical internships, competed in capture-the-flag competitions, and did compliance research for pro bono projects. At some points, it felt like I was randomly choosing career paths, only to be disappointed by each one. I assumed that I was narrowing down my career path by choosing cybersecurity, but I was totally wrong.
This field contains careers with a range of technical and nontechnical flavors, each with its own industry-specific jargon. If I could give advice to someone starting out in this field, I would tell them to explore as many options as possible and to not be discouraged by ones that don’t appear to be a good fit. It took me a few tries, but I’m incredibly happy with the path I’ve ended up on.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I am an Asia-Pacific threat intelligence researcher. Aside from conducting research that fills knowledge gaps for customers and the public about cyber threats originating from or occurring in East Asia, I’m also responsible for tracking, maintaining, curating, and improving coverage of these threats for my company. I’m able to combine my technical skills with a wider geopolitical and cultural understanding of the Asia-Pacific region when researching cyberattacks originating from that area.
I find technical resources in multiple languages for my analysis and occasionally interact directly with threat actors within the region. It’s a really fun job and definitely a specialized part of security. It’s really about honing nontechnical skills as much as the technical skills. I read the news as often as I read technical reports, practice my language skills, and try to be involved in both the foreign policy and cybersecurity communities.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
While studying computer science in college, I found that most individuals would frantically submit résumés to tens, if not hundreds, of job portals while studying obscure coding questions for possible technical interviews. While this approach worked for a number of fellow students, it is also an incredibly exhausting and disheartening process.
Instead of adding my résumé to the pile, I started attending security meetups and conferences in my city. (I would highly recommend the Boston Security Meetup, BSides Boston, and Women in Tech conferences in general.) I cannot overstate how rewarding this experience was for me. I recognize that going out and meeting new people—especially when you’re just getting into a field—can be both intimidating and overwhelming, but it’s highly effective and often gets easier over time.
Many conferences have career fairs, and I would get to meet the same company recruiters throughout the events. By attending talks at these conferences, I developed a better understanding of what skills allowed individuals to succeed in the field I wanted to go into, and I picked up some valuable technical skills along the way. Most importantly, I got to meet people who were already in the industry at these events, talk to them about their jobs, and hear some incredible stories about our industry.
Another common misconception for students is that, to get a job out of college, they have to demonstrate their knowledge outside of the classroom with multiple personal projects to supplement their résumés. Some of these projects, like developing a mobile application or contributing to an open source security tool, are definitely crucial to displaying passion and technical prowess. However, many also believed that these personal projects had to be one-person projects, and they’d spend hours by themselves developing large-scale programs for the sake of résumé building. I want to stress that there are many other ways to put personal projects on a résumé. Hackathons are great opportunities to build a cool, fun project with friends. Offering your technical services to an organization you care about makes an individual project so much more meaningful and fun (it also technically counts as a job!). Personally, I love group projects and competition, and I sought out high-pressure competitions throughout college that I could coerce my friends into. Most recently, I roped some of my co-workers into participating in the DEFCON threat intel capture the flag with me (personal technical development shouldn’t stop once you get a job)! Essentially, focus on finding part of this field that you love and can work on instead of trying to find things that make you “employable.”
What qualities do you believe all highly successful cybersecurity professionals share?
A love of learning, a passion for the field, and a desire to help others. It’s as simple as that. Our field evolves at a rapid rate to keep up with (or keep abreast of) new technologies, and I believe these three traits keep a person motivated and successful regardless of how quickly or dramatically the industry changes.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Catch Me If You Can is based on the true story of Frank Abagnale, Jr. (now a security consultant), who successfully performed cons worth millions of dollars using social engineering tactics and by finding weak points within a series of systems. Simply by purchasing a pilot’s uniform at a Pan American World Airways retailer (third-party supply chain risk, anyone?), he was able to trick his way into impersonating a Pan Am pilot.
Abagnale also eventually started to use his fraud skills to assist the FBI, which shows that individuals with skills in fraud can use their gifts for the common good.
When it comes to high-level overviews on issues in cybersecurity in literature, Bruce Schneier’s Click Here to Kill Everybody and Joel Brenner’s Glass Houses are two of my favorites.
What is your favorite hacker movie?
I know it’s a TV series and not a movie, but I’m a huge fan of Black Mirror. So many of the technological components the series revolves around exist (hacked web cameras, social credit scores, even robot bees), and the show does an excellent job of warning about how individuals and societies can exploit this technology.
What are your favorite books for motivation, personal development, or enjoyment?
Most of my reading material is for professional development or enjoyment. When I’m not reading science fiction or short stories, I’m reading policy reports, DoJ indictments, or news articles. I highly recommend Can’t and Won’t by Lydia Davis, and I’ve currently been poring over the Foundation series by Isaac Asimov, which has been on my list for a while. When it comes to motivation or personal development, I usually listen to podcasts instead. I follow quite a few, and I listen to them as I’m getting ready in the morning. I would recommend The CyberWire for cybersecurity, TechBuzz China and Reply All for technology-related news, and Intelligence Matters for national security analysis. These podcasts offer deeper dives into really interesting topics, and it’s motivating to hear accomplished individuals talking about their experiences in the industries I care about.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
For Internet of Things devices, I recommend doing the prerequisite security research and weighing your choices prior to buying. While it has become incredibly convenient to use an internet-enabled house thermostat or alarm system, there are many devices that have well-disclosed vulnerabilities that, upon Googling, can be alarming to an average consumer. Here’s a helpful level set: if a company is prompt in responding to new vulnerabilities, practices coordinated disclosure, and has a robust system for patching, it’s a good sign they’re on top of things. When you see companies dodging the issue, denying, or refusing to provide a timeline for patching, it’s right to worry, and you’ll want to steer clear.
As for social media, “checking into” locations or sharing location data indefinitely is a bad idea. Short term, depending on your security settings, sharing location data can enable any of your social media contacts—some of whom are definitely not close friends—to show up at your exact location. Long term, it allows anyone with access to your geolocation data (not necessarily just your contacts) to figure out your habits and routines, which can be great for illicit activities ranging from social engineering to burglary and kidnapping.
What is a life hack that you’d like to share?
Reading before bed. I realize that this is incredibly simple, but it’s one of the few times I can sit uninterrupted to read anything from cybersecurity research to a good science fiction book, and I get better sleep than I would have had I been watching Netflix.
What is the biggest mistake you’ve ever made, and how did you recover from it?
During college, I submitted a poster to the Women in CyberSecurity conference (WiCyS). The research I had done was my own analysis of Chinese military cyber-espionage campaigns based on multiple threat intelligence reports and news articles. The poster was accepted, and it was then that I realized my poster was going to be judged against a rubric and compared against other posters in the session. I decided that the rubric was going to judge me poorly because my poster was not a traditional technical paper, and I withdrew my poster from the conference—completely out of fear. I walked into the conference a few months later and realized how much of a mistake I had made. Because I was scared of being judged as an imposter, I missed an incredible opportunity to discuss my research with women in security from various backgrounds.
I work in an industry where it is incredibly easy to feel unqualified. It’s really hard to shake “imposter syndrome”—it’s honestly something I still struggle with regularly. However, I remind myself constantly that I love this field precisely because there is so much to learn and so much room to grow—and there always will be, for everyone, regardless of how long you’ve been in it.
And here’s the thing: if this field didn’t scare the hell out of me and challenge me daily, would I really want to be in it? ■
Ryan Dewhurst
“Take a look at the biggest companies around today—Apple, Facebook, and Google. They all use bug bounty programs with security in mind and dedicate a lot of resources to them—even after their software has been developed. That’s because bug bounties work.”
Twitter: @ethicalhack3r • Website: dewhurstsecurity.com
Ryan Dewhurst has been professionally testing web applications for security issues since 2009. He has a BSc (Hons) in ethical hacking for computer security that he completed with first-class honors. Ryan is active in the information security community, contributing to various OWASP projects and releasing his own popular tools, such as Damn Vulnerable Web Application (DVWA) and WPScan. In 2013, he was recognized by his peers when he was awarded the European Information Security Magazine Rising Star Award. Ryan has also appeared on the BBC and in many magazines and online publications for his work. In the past, he was known for identifying security issues in companies such as Facebook, Mozilla, Apple, and others while conducting independent security research.
If there is one myth that you could debunk in cybersecurity, what would it be?
Nothing is ever “secure.” There is always going to be someone smarter than you and with more resources. You could have done everything by the book—used a security development lifecycle (SDLC), had the software tested by a third party, implemented robust hardening, defense in depth, etc. etc. What you are doing here is making the software, or system, more secure, but you can never claim that something is totally “secure.” And to anyone who claims their product is totally secure, what they really mean is “secure enough.” And then you have to ask yourself, “Secure enough against what threat actor? Script kiddies, disgruntled employees, skilled hackers, government agencies, organized crime, and so on.”
A good example of this is why the bug bounty industry exists. Take a look at the biggest companies around today—Apple, Facebook, and Google. They all use bug bounty programs with security in mind and dedicate a lot of resources to them—even after their software has been developed. That’s because bug bounties work. There’s always someone smarter or with more resources who, with the right incentives, will look for and identify security issues.
So, the next time someone claims that a product is secure, ask yourself, “Secure against what, or whom?”
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Brain power. Seriously. The more an organization’s employees think about the security of their products and the security of their organization, the more secure it will be. Of course, they will need to do more than just think about security; they’ll need to take action too. But by making design decisions with security in mind, they will ultimately be more secure. And to get your organization to start thinking about security, it needs to come from the top. The employees need to know the value of security, and that can come only from adequate training and creating a security culture.
How is it that cybersecurity spending is increasing but breaches are still happening?
I don’t know. Perhaps the money is not being spent in the right places?
Do you need a college degree or certification to be a cybersecurity professional?
No, you do not need a college degree or certification to be a cybersecurity professional. But I do think that degrees are useful, depending on the financial cost. My degree helped me personally, in a lot of ways. It taught me how to research, how to write scientifically, discipline, and much more. I didn’t finish compulsory secondary school due to my inherent anti-establishment teenage mind. I didn’t enjoy school; in fact, I hated it, so I left as soon as I was old enough for anyone to employ. University gave me, personally, a sense of achievement that I did not have before graduating, which ultimately led to greater confidence.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I had always had an interest in security since the first day I dialed up to the internet. The first real job I got was over Twitter. While in my first year of university, the owner of a security consulting business, not far from where I was living at the time, asked me if I was looking for work. I went down to their office and got the job. Had it not been for my tweeting about security and my involvement in the security community, I doubt I would have gotten a job so early on. At the beginning of your career, I would advise getting involved, sharing your thoughts, creating projects, and contributing to others’ projects.