Tribe of Hackers
Page 14
Now, here’s the realization you’ll want to come to: the importance of a degree or certification matters purely as a business reality. It is a way of providing tangibility to a skill set that still evades academic definition. That means it matters who you’re trying to get hired by. You will hear some people swear up and down that certifications have been nothing short of magical for them. And in their career experience, it’s likely true. You’ll hear other people say that certifications and degrees are basically worthless. And in their life, in their niche, that is almost certainly true.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started out in cybersecurity back in high school. I was a member of a cadet organization called AFJROTC, which is the junior version of college ROTC. As a junior, I started building a packet to apply to the Air Force Academy. One of my instructors came up to me with an offer to join a team for a new (at the time) competition called CyberPatriot. My projected career path at that point was aviation, but I figured I would give it a shot since it could help boost my Air Force Academy (USAFA) packet.
I was never one of those kids who grew up with a circuit board in my hand and my future decided. But when I learned what was possible through that competition, I was instantly hooked. I did end up turning down a shot at USAFA due to things happening with my family, and I stayed home to pursue college on my own. There weren’t any good cybersecurity programs that fit what I was looking for in my entire state. So, at the time, I was feeling really adrift.
What I did manage to find was an article about the upcoming first-ever NetWars Tournament of Champions. It mentioned on the site that for the competition SANS would be inviting people who had performed well in CyberPatriot. My team had taken second at nationals. So, I wrote an email to a contact at SANS and just straight up asked if I could come compete. They said yes. So, at 18 years old, I flew myself out to Washington, DC, for SANS CDI 2012.
I think being that young and showing up at a SANS conference is pretty much unheard of, so I made a bit of a stir. I got dropped into classes to audit and prepare for the competition. I did well in the competition, though I definitely didn’t win. But I immediately got offered three jobs with different SANS instructors at the conference. I took one of the offers, and the rest is history.
You can say that my performance in competitions is what got me where I am. Or you could argue that my age and the shock it brought with it was an influential part. I’m sure you’re not wrong. But there’s one thing that you can take away from what I did: that no matter who you are, no matter what you know, and no matter what you want, you can do it. When I saw something that I wanted to be a part of, I decided that thing was worth rejection to me, and I asked.
It doesn’t matter if you’ve never touched a terminal before. The number-one predictor of success is easily passion. Especially today, in the age of Google, knowledge and expertise are at your fingertips every second of every day. You have no excuse for not chasing the outcomes that you want, in your career and in your life. Don’t be afraid to fail. Be willing to ask.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I don’t know if “specialty” is a word that can be accurately applied to any one of the subsets of my InfoSec skills. I wouldn’t say that I really have any major “specialty.”
Perhaps I have a number of specialties? Primarily, I work on the red team side of the house. As part of being a penetration tester, I’ve found that I need to be proficient in nearly every aspect of everything if I want to break it. I can’t just skirt by on knowledge of a few tools. The engagements I find myself on require me to be not just a jack-of-all-trades but a master-of-all-trades. But, of course, that could be seen as my specialty—that I work on the red cell side of the house predominantly. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Know your sh*t. There is no end to people who use buzzwords and FUD in our industry. You can use the idea of cybersecurity to exist as a professional, but it will only get you so far. There is absolutely no substitute for real proficiency. It’s true that a ton of the field is tainted by a mythos collectively known as the “cult of the hacker.” So much of what you will encounter in this field will be driven by bluster and ignorance. Because most people don’t really know what’s going on inside of their computer or on their network, it’s really easy for confident, low-skill people to carve out a mild niche for themselves. Pay close enough attention, and you’ll see it everywhere.
But if you actually know your stuff—if people can actually rely on you to understand and solve real problems—you will go very far. Don’t fall into the prideful “cult of the hacker” trap where you start building a persona based less on your ability and more on others’ perceptions of you. The day you become happy with the admiration of the uninitiated (think: managerial types who think of you as their “cyber wizard” because you know more than they do) is the day you stop growing and start getting passed up by those who are interested purely in efficacy.
What qualities do you believe all highly successful cybersecurity professionals share?
What a great question. But before I answer, let me just quickly state that I think everyone is unique. You don’t necessarily have to fit a specific profile in order to be successful in any field, especially not in this one. That being said, here are some of the traits I’ve seen in many high-level hackers, again and again:
Curiosity: Fundamentally, hackers challenge the status quo. It would be hard to thrive in this industry without a predisposition toward radical curiosity. You want to understand why things work the way they work. You want to know if they can be made to work better, faster, more efficiently. You want to know if you can break them. You’re willing to spend lots of time and precious energy learning about things you may never need to know, just because you found them interesting.
Perseverance: There are few things under the sun more frustrating than computers—from running down an obscure bug in your code to attempting to guess the memory address for an ASLR’ed binary. You are certainly going to find yourself running into what feels like a brick wall, time and time again. To be successful, you need to have the grit necessary to pick yourself up, over and over, and continue. If you love this field enough, you won’t be easily discouraged, and you will succeed.
Passion: As mentioned earlier, the drive that will get you through all of the crummy parts of cybersecurity is going to be critical. But it’s not just about rising above the worst parts. It’s also about knowing what you want so you can seek it out effortlessly. Find what it is that drives you.
Systematizing: This one is a bit more esoteric. It’s not necessarily a character trait. And to be quite clear, it’s more pronounced in the “tech” types. You can easily fill a niche in the industry and completely lack this ability. Systematizing speaks to the propensity to form mental models based on an understanding of the component parts of a given thing. It’s the cognitive process by which an intelligence observes a thing and breaks it down through careful study of its behaviors. This is the trait that gives tech wizards the ability to understand and build upon or break existing technologies. Rather than seeing things as set in stone, they can more easily see them for what they are and, as such, are often more apt to deconstruct them.
Novelty/sensation seeking: The people you will see at the top of any field are the ones who really love the action. You need to be in it for the journey, with the “prizes” only as wonderful side effects—extra icing on the cake. You need to appreciate getting up every morning with the sun to hit the running trail. The same is true within cybersecurity. I hack for the same reason I regularly throw myself out of perfectly good airplanes.
It’s that feeling you get when you’re seconds away from escalating a web shell into a reverse shell and jump to root v
ia a kernel exploit.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Does a TV show count? Because if it does, then the answer is, hands down, Sam Esmail’s Mr. Robot—for which the venerable Dave Kennedy (also in this book) is a technical consultant. I really can’t think of any piece of media that so accurately captures and cleanly conveys the everyday realities of information age insecurity as that show. The tension is palpable, and the hacks are plausible (a huge achievement in cinema).
The show also does a great job of capturing the ways in which technology “hacks” us all every day with our manufactured consent. That you freely give your data up to Facebook or Google. That you are willing to be monitored, surveilled, and controlled. If you haven’t seen it, check it out!
What is your favorite hacker movie?
So this is actually a really hard decision for me. There are a bunch of hacking movies that I really enjoy for various reasons and in various moods. I highly recommend the following list of films:
The Girl with the Dragon Tattoo: A hacker becomes involved in the hunt for a murderer in a decades-old cold case.
The Fifth Estate: Based upon plot points taken directly from the pages of the WikiLeaks saga, this movie highlights the power of people and information. It’s a reminder that a single man can stop the motor of the world.
Snowden: Certainly you’ve heard the name, and the man is a figure of controversy. The story is well told and highlights his motivations and morality beyond just his actions. I also really appreciate this piece for putting the scale of government surveillance into context.
Blackhat: Not the best-made film by any stretch, but if you’re looking for a mildly gritty action film based around mostly realistic hacking, this is it.
Hackers: There really is no greater hacking movie than this complete classic. It’s campy, it’s ridiculous, and it’s absolutely great. If I had to choose just one hacking movie, it would likely be this one.
What are your favorite books for motivation, personal development, or enjoyment?
Anything that lets you dream. The world has grown somewhat stale. We think we know so much more than we actually do. Our trust in our institutions is largely misplaced. Read literally anything that will let you dream again. Pick up Neuromancer, and enjoy that they dreamed of a future with payphones. Read Dune, Cryptonomicon, Ender’s Game, or literally anything by Tom Clancy. Find the books that make you feel good about yourself and your internal dialogue. Forget books that give you a prescription about how things ought to be or about how they are. Find the books that let you dream.
Tangentially, I cannot recommend enough, literally, any decent book about meditation. Maybe it’s just me, but I’ve found meditation to be an absolutely invaluable skill to learn. Learning to harness the overwhelming flow of sensory information I receive has helped me to become far more effective in my everyday life.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Here is a list of items you need to be cognizant of:
Location: You should never share information that reveals sensitive details about where you are, where you are going to be (exactly), or common places you visit.
This can be something as simple as posting a review about your favorite coffee shop, mentioning that you “go there every morning.” That’s not knowledge you want random people on the internet to be able to acquire. Be aware also of information revealed in pictures.
In some of my work in the past, I have been tasked to perform exactly this function. I was once able to identify the location of a photo down to within about ten meters by identifying the city and approximate location in the city from an old flight simulator video I once watched. I was then able to use Google Street View and the specific streetlight in the picture to figure out exactly where it was taken.
Time: You need to be aware of the importance of specific dates and times to a potential adversary. You may not want everyone on your friends list knowing when your birthday is or your anniversary or even the year of your car. Never give specifics out publicly. Little bits of seemingly harmless information can be combined to allow an attacker to impersonate you effectively.
Future actions: You should be cognizant of the possibility of someone predicting your future actions by noticing patterns in your publicly posted behavior. If you visit the same bar every Friday or if you are always posting reviews for restaurants within a two-block radius, it may allow an attacker to predict where you will be or what you will be doing. This can, of course, be exploited in many different ways. Always be willing to throw a bit of unpredictability and randomness into your posting.
Contacts: Your contacts, the people you trust, are often a direct line to you. You should be alert to the possibility of someone trying to gain your trust by working their way through your contacts. Additionally, you need to be aware that, no matter how clean your internet identity may be, if you are constantly getting tagged in photos by your friends or if your friends are posting geotagged pictures of your house, you may be opening yourself up to attack though you’re doing everything right.
Trust relationships: Make sure you understand how exactly to establish trust over the Web. Adding someone to your social media profiles just because they have a number of friends in common with you? Not necessarily the best idea. What if you receive a message over Facebook from a friend asking you to add them again because their “old account” got hacked? How do you know the new account isn’t someone impersonating them? The internet is a dangerous place, and there is no one else in the world who wants you to trust them more than someone trying to scam you.
Here’s a secret: when in doubt, use multiple methods of communication to establish trust. It’s pretty easy for someone to make a Facebook profile that looks like your great aunt. What’s not easy is for them to also steal her phone number and her email. If something seems phishy, don’t be afraid to insist on reaching out to the person via other means. Give them a call, tweet at them. If you get a confirmation from all of the channels through which you know them, it’s almost certainly them.
What is a life hack that you’d like to share?
Binary search! We often think of algorithmic solutions as being things rightfully sequestered to the realms of academia. But you can apply computer science principles to your life in a variety of contexts. My favorite is, by far, binary search. Here’s how it works: whenever you need to search through a group of things to find a specific one, most people will use the “linear search algorithm.” That is, they will go through each item individually checking if it’s the one.
What a binary search looks like is this: you split all of your items into two groups and then isolate both groups. You then see if the effect you’re observing is still happening and which group it’s coming from. Then you look at the group the effect is still emanating from and split it again. You then perform the split in half and check operation until you’re down to just one element. That last element will be the sought element. The total number of checks you’ll make with binary search is far fewer. With a linear search, if you have eight items to check, you’ll make eight checks. With a binary search, you’ll only make three. And the gains keep accelerating. If you were checking through 1,024 items, a linear search would take 1,024 checks. But a binary search would take only 10.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Believing other people were like me. This is a mistake I have made time and time again. There is a theory that the primary driver of effective cognitive empathy (understanding and relating accurately to others) is a relationally similar mental substratum—that you and the person you are attempting to relate to are reasonably similar.
While I was growing up, I never let myself really get into the “I’m super unique” talk. It seemed egotistical, it seemed unnecessary, it even seemed antisocial. As I slowly matured,
I continued to hit a wall, whereby I would sometimes completely and wildly miss a prediction on the behavior of another person. I noticed that every time I did this, it was because I was assuming they would respond like I would.
Here’s what I’ve learned. Fundamentally, talk less. Don’t be wildly open and honest with people arbitrarily. Give people space. For me, one of my stumbling blocks is in selfless motivations. People seem to have trouble understanding that I literally do things entirely selflessly, completely for the benefit of others, based on a collection of philosophical drivers. So, for me, I have had to learn to at least pretend to be selfish and seek my own ends. And to complain more. And just all the normal human things that, even if they’re mildly unpleasant, people understand and can more easily work with. ■
23
Kimber Dowsett
“There’s no one-size-fits-all in security, especially when it comes to securing government systems. Policy and funding are still years behind the private sector, but we’re doing our best to catch up.”
Twitter: @mzbat • Website: www.twitch.tv/rallysecurity
Kimber Dowsett is currently serving in the federal government, securing cloud infrastructure architecture and leading response efforts during critical security incidents. She is passionate about privacy, encryption, and building user-driven technology for the public. Named one of the 2017 Top Women in Cybersecurity by CyberScoop, Kimber has a background in information security, incident response, security policy, and penetration testing. She is an avid admirer of Chiroptera and is a connoisseur of comic books and video games.
If there is one myth that you could debunk in cybersecurity, what would it be?