Tribe of Hackers

Page 13

by Marcus J Carey


  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  My specialty is web application security. You can gain expertise by writing secure web applications.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Don’t hang around if you’re bored with a job. Get another job, change roles, start your own company. Life is way too short to stagnate.

  What qualities do you believe all highly successful cybersecurity professionals share?

  You don’t need to be able to code to work in security, but in my opinion, even if your role is nontechnical, to be highly successful you need to know how to code. There will be caveats to this, and I’m generalizing here.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  I think GCHQ: The Uncensored Story of Britain’s Most Secret Intelligence Agency by Richard Aldrich. It illustrates the challenges in securing a state, so there is probably a lot we can learn from this book in terms of the history of security and its challenges.

  What is your favorite hacker movie?

  The Matrix, probably due to my age at the time it was released. It had a big influence on me and absolutely blew my mind.

  What are your favorite books for motivation, personal development, or enjoyment?

  I don’t read as much as I’d like to, but here are a few of my favorites:

  General security: The Cuckoo’s Egg by Cliff Stoll

  Technical: The Web Application Hacker’s Handbook by Dafydd Stuttard and Marcus Pinto

  Enjoyment: Ready Player One, The Martian

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Don’t buy those IoT devices with internet-connected microphones and put them in your house. Keep backups. Be careful what you download and click on.

  What is a life hack that you’d like to share?

  Remember that everything is temporary. So take the time to do the things you love, embrace the people you love. And when times are hard, remember that they will get better.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I tend to learn from my mistakes and then forget about them. So I can’t remember any. ■

  21

  Deidre Diamond

  “We now live in a work culture of teams and teamwork being the only way to achieve success. If you can’t work efficiently and positively with others, you will not climb the corporate ladder.”

  Twitter: @DeidreDiamond • Websites: www.CyberSN.com and www.Brainbabe.org

  Deidre Diamond is the CEO and founder of CyberSN.com, a cybersecurity research and staffing company, and the founder of Brainbabe.org, a cybersecurity not-for-profit organization. Her vision and leadership have resulted in a dramatic decrease in the frustration, time, and cost associated with job searching and hiring for cybersecurity professionals. Prior to CyberSN, Deidre was the CEO of Percussion Software, the first VP of sales at Rapid7 (NASDAQ: RPD), and the VP of staffing and recruiting for the national technical staffing company Motion Recruitment. Deidre leads with a strong commitment to transparency, equality, training, support, high productivity, and love in the workforce.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That cybersecurity professionals are different. We are all different in small ways and yet not different in the things that matter to success in the workplace. All humans want respect, growth, transparency, truth, training, equal opportunity, equal pay, time to decompress, and leaders who care.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Have succession planning that offers training; otherwise, you will not retain your talent.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Breaches are happening because we are spending more money on technology than on people. According to our research at CyberSN, cybersecurity roles will sit vacant for an average of six months before the organization seeks outside staffing help. This means the organization’s current cybersecurity team members are working overtime and not feeling successful due to a shortage of teammates. This results in poor talent retention and a weakened cybersecurity posture.

  “Breaches are happening because we are spending more money on technology than on people.”

  Do you need a college degree or certification to be a cybersecurity professional?

  The short answer is that it depends on the company, and degrees/certs never hurt. A degree is not always needed, and yet a degree does open doors that can’t be opened without one. Certifications and degrees can matter if a person is focused on obtaining a specific job title. Overall, a degree or a cert always helps and yet doesn’t guarantee a job.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got started through a career in sales. Thirteen years into my career of working for serial entrepreneurs, they asked me to join their startup firm Rapid7. There, I led the building of the sales, sales engineering, customer success, and talent acquisition teams. I was employee #18 and led Rapid7 from $800,000 to $50 million in recurring revenue over a four-year time period. It was through this opportunity that I fell in love with the cybersecurity community. I am a criminal justice and sociology degreed professional, so cybersecurity is super interesting to me.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  My specialty is in sales and product vision and management. Salespeople are the closest to the customer, particularly the new customer. This means salespeople understand the real pain points of their customers and can articulate how to best engineer and build teams. Getting into sales is not hard if one has smarts, motivation, and high energy, along with the ability to truly care about how people think, feel, and perceive.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  My advice is to care about the soft skills, also known as emotional quotient (EQ). We now live in a work culture of teams and teamwork being the only way to achieve success. If you can’t work efficiently and positively with others, you will not climb the corporate ladder. On our website at CyberSN.com, you can see a list of the EQ skills.

  “My advice is to care about the soft skills, also known as emotional quotient (EQ). We now live in a work culture of teams and teamwork being the only way to achieve success.”

  What qualities do you believe all highly successful cybersecurity professionals share?

  The ability to communicate in such a way that others feel good about the conversation, even if they had to concede or didn’t get what they wanted.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  The Art of War by Sun Tzu! I gave a keynote talk at Hacker Halted in 2017, and I named my talk W.A.R. (Words Are Risk). This was a spin on the title of this book (which was the theme of the conference that year). Our words can make or break our careers. Understanding the impact of our words and the role they play in our ability to navigate work and interpersonal relationships is a powerful skill that will help you in life and in business.

  “Understanding the impact of our words and the role they play in our ability to navigate work and interpersonal relationships is a very powerful skill that will help you in life and in business.”

  What is your favorite hacker movie?

  I don’t watch many fictional movies, but I did enjoy the TV show Mr. Robot!

  What are your favorite books for motivation, personal development, or enjoyment?

  The Power of Now by Eckhart Tolle and anything from the Situational Leadership Training series.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Don’t share things that demonstrate immaturity. Your public profile will impact your career positively or negatively; it’s your choice which one it will be.

  What is a life hack that you’d like to share?

  For me, it was understanding that my brain is a program that chooses my emotions for me—the unconscious brain! I can choose to run the emotional program my brain has already developed at a young age, or I can reprogram it! I chose to reprogram it, and boy, did my life get much easier when I learned to consciously choose when I feel sad, mad, happy, guilty, and so on. And I get to choose how long I let this emotion live at any given time. I am 100 percent accountable to my emotions. I hacked my own brain. It was and is a constant focus.

  “Leadership and life are about truthfulness and doing right by the team.”

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  Hiring executives who let fear guide their decision-making. Leadership and life are about truthfulness and doing right by the team. The only way to recover is to learn the traits of this type of individual, not hire those traits again, and move on! ■

  22

  Ben Donnelly

  “There’s plenty of money in the world, and if that’s all it took, we would have fixed cybersecurity long ago.”

  Twitter: @Zaeyx

  Ben has worked as a penetration tester, as a security researcher/consultant, and as the founder of Promethean Info Sec. Previously, he served as the lead developer on the DARPA-funded Active Defense Harbinger Distribution. He is also the inventor of the Ball and Chain cryptosystem and the creator of TALOS Active Defense, as well as a host of other information security tools and methodologies. Ben has assisted in the creation of content for a number of SANS courses and is a co-author of the book Offensive Countermeasures: The Art of Active Defense. He has worked on teams hacking such things as entire states, power plants, multinationals, and prisons. He has competed in and won a variety of InfoSec competitions, including SANS NetWars. Ben has also legally hacked the Pentagon. He has presented on his own original research at DerbyCon as well as BSides Boise.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That the preeminent contemporary problems of the field are intractable. From years of struggling with the same issues again and again, with seemingly no end in sight, a majority of the professionals in our field have thrown in the philosophical towel. I can’t count how many times I’ve talked to highly skilled, highly knowledgeable, effective cybersecurity pros who had resigned themselves to bailing water from a sinking ship.

  But we can fix these leaks! Over the course of my tenure in the field, I’ve written a plethora of prototypes as well as deployable solutions to problems that others had simply given up on. What got me there? If I had to sum it up in one word, I would simply say “hope.”

  Take the example of password storage on something like a production web server. The current accepted paradigm is to store passwords using a cryptographically secure hashing algorithm. The way hashing algorithms work—and some of the weaknesses inherent in the model—is why you see gigantic data breaches in the news, in which hundreds of millions of passwords are leaked to the Web.

  The security for such a model has largely been shifted to the user. Websites require passwords of a certain length and complexity in order to require additional computation (more guesses) for an adversary attempting to brute force the stored form of the password (the hash). But clearly, this isn’t working. It seems like barely a month can go by without another large data breach.

  “The security for such a model has largely been shifted to the user. Websites require passwords of a certain length and complexity in order to require additional computation (more guesses) for an adversary attempting to brute force the stored form of the password (the hash). But clearly, this isn’t working.”

  If you walk up to most industry professionals and ask them to tell you about password security, they will generally read back to you “the book.” (Obviously, there is no one single “book,” but it feels like we’ve all read the same thing on what exactly one “should do” to secure a password.) The conversation will often end with a discussion on how “the problem” is users. Users need to have longer, stronger passwords. But is it really fair to put the onus for the security of an organization on people whose main areas of expertise are completely unrelated?

  Certainly, within the currently accepted password-storage paradigm, it is true that there really isn’t much more the security team can do other than work with users. So, I made an algorithm that supersedes password hashing. I don’t think I’m particularly magical for having done so. I think my secret is youth and, if nothing else, (at the time) inexperience. I wrote this algorithm as a sophomore in university. I was young enough that the monotony of the day-to-day grind of securing an organization hadn’t yet gotten to me. I hadn’t learned to sit back and accept that the way things are is the way they need to be.

  Since then, I’ve gone on to design a number of other such technologies in a variety of cybersecurity subdomains. I can say with complete experiential confidence that I’ve probably solved issues that your organization still thinks are here to stay. And I’m completely sure that there are many more paradigms waiting to be broken. These mountains can be climbed; these challenges can be met. It sounds cliché and silly to say, but truly all you fundamentally need is a little hope and an open mind.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Hire good people. You will never spend money on something more effective within this domain than talented people. Cybersecurity is not a problem that can be easily solved by the application of money. There’s plenty of money in the world, and if that’s all it took, we would have fixed it long ago.

  Technology advances every second of every day. What worked a few months ago won’t work for long. What was secure a few months ago isn’t necessarily secure today. Then there’s the issue of sensory mapping. As humans, we’re just not designed to interface with the virtual world we’ve created. Packets fly far faster than we can ever be expected to keep up with. Data is literally streaming down wires and through the air around you. Add on top of that the issue of abstraction and understanding—that virtual worlds are nothing like anything you’ve likely ever known. The execution flow for a selection of code is nothing like riding a bicycle or reading a newspaper.

  You need digital Sherpas. You need people who can think rapidly and creatively, through layers of abstraction. These are the people who can actually build a solution to a complex security dilemma within your organization. These are the people who can keep track of all the latest patching requirements and standardized recommendations for all of your in-house tech solutions. These are the people with the energy and focus to predict, isolate, and mitigate likely attack vectors on your network. Always invest in people!

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Cybersecurity as a field sits at an interesting intersection of two worlds. Due to the complexity of the underlying subject matter, there is a divide between the people who operate within the domain and those who make the decisions upon which their operations depend. That is to say, executives and decision-makers often truly do not understand the threat landscape with the level of detail necessary to make decisions that will directly repel adversaries.

  A lot of our talk about threats and technologies boils down to low-resolution definitions and loose analogies. Bridging that gap between the techies and management takes effort on both sides of the table. This is compounded even more by the fact that, fundamentally, cybersecurity is not a business goal as much as it is a support activity.

  When the company doesn’t pocket money because your security team happened to repel an attack, it can be tempting to try to just “solve it.” I’ve seen advertisements that target exactly this, sitting in airports, hunting for executives to walk by. They read things like “cybersecurity, solved.” They’re incredibly tempting. But what you have to remember is this: your adversaries do make money directly from this field. If you’re an executive decision-maker, to you, cybersecurity might be quasicustodial. But to the threats facing your organization, this domain is a form of fundamental cash flow.

  Your organization should be exactly as involved in the game as your opponents are. Just throwing money at the problem, hoping it will go away, isn’t gonna solve it.

  Do you need a college degree or certification to be a cybersecurity professional?

  Absolutely not. What you need is know-how, nothing more. Of course, do degrees and certifications help? You betcha. At a minimum, having a selection of certifications to call from can certainly give you a hand up in the application process. When a recruiter or hiring manager reviews your résumé, they may or may not be able to parse all that you’ve done. Having a degree that reads “University College says he can do the cyber” instills a ton of confidence. And the same goes for certifications, although, I would argue, to a slightly lesser/more specific degree (pun intended).

  But do you need a degree? Do you need an array of certifications? You absolutely, positively do not. Cybersecurity as a field is incredibly young. Academia is largely still playing catch-up in regard to how to properly train and assess individuals in the requisite skills. I know that, for me, when it came to having a degree in cybersecurity, it simply wasn’t an option. I looked around for any program that seemed to meet what it was that I was looking for, and I couldn’t find any. It seemed like all of the “cyber” degree options I was able to find had more to do with management or business realities than they did with cyberspace operations.
