Tribe of Hackers
Page 15
Throwing money at problems doesn’t make them go away, but it certainly helps. Security requires an investment in people, resources, hardware, software, and research. In the federal space, cybersecurity spans well beyond a hooded hacker trying to phish Google logins; we’re looking at entire infrastructures in desperate need of funding before we can even begin conversations about hardening our networks and systems. There’s no one-size-fits-all in security, especially when it comes to securing government systems. Policy and funding are still years behind the private sector, but we’re doing our best to catch up.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
The defender in me immediately thinks, “logging, hardening, asset inventory, patching, detection, response,” but honestly, user training almost always offers a pretty solid return on investment. Teaching users not to click things, how to recognize phishing attempts and scams, where to download software, how to secure their personal devices, and how to avoid common security mistakes are all skills that will ultimately prevent organizations from falling victim to the most common attack vectors. If I’m being honest, all the security gadgets in the world aren’t going to help if my user gives up domain controller admin credentials to a well-crafted phishing email link. We, as security professionals, have a duty to our users to help them understand basic security concepts and how to spot (and report) potential attacks.
How is it that cybersecurity spending is increasing but breaches are still happening?
No matter how dedicated we are to securing our systems, there are folks out there with more time, energy, and money who dedicate their resources to finding holes in our infrastructures. In general, security folks wear several hats and are pulled in many different directions on any given day. Meanwhile, nation-state hackers have a single job with a single goal: breaching our systems. They spend their days crafting phishing emails and looking for holes in our networks. We can do our best to harden, patch, train, and test, but as long as people are part of our organizations, we have a weak link that can (and will) be exploited. That sounds more hopeless than it is, but we must learn from our mistakes and carry on.
Do you need a college degree or certification to be a cybersecurity professional?
I don’t believe you need a degree or certification, but neither hurts. As a woman, I absolutely believe certifications opened some doors for me in this field. I believe that in cybersecurity, as in most professions, a good training program, whether collegiate or vocational, is critical for getting a handle on best practices. It’s important to understand the rules before you break them (intentionally or unintentionally). At the end of the day, it boils down to what potential employers want to see on a résumé. Many require degrees and/or certifications. Many don’t. Figure out what you want to do and choose a path that makes the most sense for you.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I forced my way into cybersecurity. I worked for years helping end users with technical problems, primarily malware-related, before moving on to do system administration work and managing/securing clusters. I showed up at security meetings I wasn’t invited to and worked on security policies with folks who assumed I belonged in the room. I found something I felt passionate about, and I took my seat at the table. It wasn’t long after receiving praise for implementing new security policies that I was able to land an actual security position and could stop worrying about being kicked out of the meetings I’d been sneaking into.
The only advice I have for beginners is to find something you’re good at and go for it. Don’t oversell your qualifications. Just do the work you know how to do, seek out a mentor, and set some goals for yourself. If you feel you’re unable to move toward those goals with your current employer, look for another job. There are plenty of companies out there looking for junior analysts and mentees in cybersecurity.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
These days, I’m focused on vulnerability disclosure, incident response, and response workflows. It’s a lot of reading, research, and keeping abreast of active vulnerabilities that potentially pose a threat to my agency. For folks interested in this type of work, it’s important to read up on vulnerability disclosure policies, gain an understanding of event versus incident, and research the ways incidents are handled within different types of organizations. I’ve spent time working in the security operations center (SOC), in the network operations center (NOC), and on detection and response (D&R). Digital forensics and incident response (DFIR) and capture the flags (CTFs) are a great way to get your feet wet and quickly figure out where your knowledge gaps are.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Don’t overstate your qualifications, but don’t be afraid to toot your own horn, either. If you’re really good at something, figure out how to incorporate that skill set into your résumé. Find folks who do what you want to do. Surround yourself with people willing to share knowledge. As for starting a cybersecurity company, just because you can do something doesn’t mean you should. Starting a business, any business, takes a lot of knowledge, time, energy, and resources. The added layer of hiring and retaining security talent and building community trust is pretty daunting. There’s a special place in Hades for charlatans who spin up security companies and offer snake oil solutions to organizations that don’t know any better.
What qualities do you believe all highly successful cybersecurity professionals share?
I define success by how much a professional contributes to the community at large. It’s not enough to talk about change or complain about the current state of cybersecurity; successful professionals recognize the need to mentor the next generation of talent, teach them about our generation’s successes and failures, and train them to take our jobs. Success isn’t defined by how well known we are or how much money we make. At the end of the day, it’s defined by the generation that comes after us. Successful professionals understand it’s our job to share information, not hoard it.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Hunger Games series is a pretty good metaphor for cybersecurity. All the districts are dominated and overpowered until they come together, share knowledge, and fight for a common goal. There is currently a direct assault on democracy as we know it, and it’s going to take a large collaboration of researchers to preserve the sanctity of our rights as voters. I hope, one day, security researchers are able to come together to work for the common good.
What is your favorite hacker movie?
The Imitation Game. (I’ll fight anyone who tries to argue it’s not a hacker movie.)
What are your favorite books for motivation, personal development, or enjoyment?
I frequently turn to passages in Quiet: The Power of Introverts in a World That Can’t Stop Talking when I’m feeling overwhelmed. I strongly encourage introverts, particularly in our field, to give it a read. For enjoyment, I love the works of William Gibson. Neuromancer is one of my favorites.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
For the everyday person, I’d say use a password manager. Avoid password reuse. These two things alone will improve your security posture. Don’t download attachments from folks you don’t know, and even then, proceed with caution. Don’t put your entire life on social media, and periodically monitor your privacy settings to make sure you’re not sharing content with unintended audiences. Set up a separate email account that’s tied to your social media profiles. You shouldn’t be banking with the same email login you use for Facebook. If you’re feeling tech savvy, set up a separate home network to isolate your IoT devices. Your light bulbs and security cameras shouldn’t be on the same network as your home and work computers. No good will come from that setup.
What is a life hack that you’d like to share?
I travel quite a bit, and my favorite travel hack is to remove lids from my liquid makeup and toiletry bottles, place a piece of cellophane over the opening, then screw the lids on over the cellophane. I only wish I’d known about it before the Great Makeup Incident of 2014.
Another life hack for me involves social interactions. When I’m feeling anxious, I remember “HALTS” (hungry, angry, lonely, tired, stressed), and try to avoid interactions and confrontations when I find myself in a HALTS situation.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I probably haven’t made my biggest mistake yet, but the first thing that comes to mind is a minor mistake that quickly turned into a major problem. Someone on our team enabled a Slack integration with Google Docs, not realizing that all linked docs and their content would become part of our public Slack record. We caught the mistake pretty quickly and killed the integration, but the damage had already been done. Sensitive docs had been exposed, and although there was no indication they were compromised in the brief period they were publicly available, our team dealt with the backlash of that one-hour experience for nearly a year following the incident. It was brutal. That said, be careful with your application integrations, folks. A minor change is almost never as minor as you believe it to be. ■
24
Ronald Eddings
“Once you ask, don’t forget to keep coming up with new questions.”
Twitter: @ronaldeddings • Website: secdevops.ai
Ronald Eddings is a Silicon Valley–based cybersecurity expert, blogger, and digital nomad whose ingenuity, dedication, and ambition have all earned him the reputation as a trusted industry leader. Over the course of his career, Ronald has garnered extensive experience working at various Fortune 500 companies and mentoring a multitude of fellow professionals. In addition to cybersecurity, he is well versed in software development, DevOps, and artificial intelligence. Currently, Ronald serves as a cyber fusion engineer at a cybersecurity startup and is an active contributor to several open source projects. He also holds a BS degree in information technology and an array of cybersecurity certifications.
If there is one myth that you could debunk in cybersecurity, what would it be?
That macOS can’t get a virus.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Phishing! I’ve seen the best and the worst implementation for protection of phishing, and the gaps are quite large.
How is it that cybersecurity spending is increasing but breaches are still happening?
Analyst/engineer fatigue. There’s not enough time in the day to exhaustively cover all aspects of an environment. I’ve seen a lot of competitive pay but little in the way of personal incentives. I think if there were more incentives—that an analyst or engineer could feel better about personally—they’d be more inspired to go to trainings and leave no stone unturned.
Do you need a college degree or certification to be a cybersecurity professional?
I did not have one starting out. I barely needed a high school diploma. Thanks to Marcus Carey, I’ve learned that this industry demands talent.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started in cybersecurity when I was working at a public access TV channel—where I met MJC, Joe McCray, and Johnny Long! As a kid, I was starstruck to see three hackers in the flesh. I’m glad I seized the moment and told MJC that I was interested (the rest was history from there). My advice would be to not hesitate and ask. And once you ask, don’t forget to keep coming up with new questions.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
Fortunately and unfortunately, I have no specialty. My skills focus on threat intelligence, DevOps, and artificial intelligence. Maybe the new buzzword will be “fusion analyst.”
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
To get hired/climb/create, you must continually be present with your connections, have value to share, and, most importantly, apply yourself to problems you’re passionate about solving.
What qualities do you believe all highly successful cybersecurity professionals share?
Being organized. If you’re not organized, buffer overflow of tasks occurs.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Mr. Robot (minus some of the Hollywood razzle-dazzle), especially when looking at this TV show from a defense perspective—very tough to kick the hacker out.
What is your favorite hacker movie?
Hackers.
What are your favorite books for motivation, personal development, or enjoyment?
The ONE Thing by Gary W. Keller and Jay Papasan. How to Talk to Anyone: 92 Little Tricks for Big Success in Relationships by Leil Lowndes.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Use two-factor authorization (2FA) and any other enhancements to force confirmation of identity whenever possible.
What is a life hack that you’d like to share?
Learn and watch videos at 3× speed.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Not being mindful… I was constantly chasing the next technique/idea rather than reflecting on what projects fueled my passions in cybersecurity. Creating a calendar with daily events associated with accomplishable goals put my life back on track to feeling fulfilled and accomplished. ■
25
Justin Elze
“People who have impressed me the most during the hiring process always highlight personal projects or their involvement in the community, even if it’s not purely technical.”
Twitter: @HackingLZ
Justin Elze is the red team lead at TrustedSec. He has more than 10 years of experience in the information technology industry, specializing in enterprise penetration testing, network security, social engineering, and red teaming. Prior to joining TrustedSec, Justin was a senior penetration tester for AccuvantLabs, Dell SecureWorks, and Redspin—where he led numerous red team engagements and penetration tests. Justin has worked in various industries, including at internet service providers, hosting, DoD contracting, and services consulting companies.
If there is one myth that you could debunk in cybersecurity, what would it be?
I would say that the biggest myth about cybersecurity is that spending more money makes you more secure. Many companies are willing to spend their money on expensive products when they should focus their efforts on hiring educated and talented employees. Having a network that is properly engineered and run by knowledgeable employees has more value than purchasing products and then failing to use them properly to maximize their potential.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Securing its workstations. This area is often looked at last; however, it’s the main source of the majority of breaches. Companies can get creative with the desktop configuration and leverage available Microsoft features to immediately reduce end users’ exposure.
How is it that cybersecurity spending is increasing but breaches are still happening?
More often than not, organizations find themselves in a situation that forces them to react versus taking proactive measures to prevent the breach from happening to begin with. This type of thinking leads to the mind-set of “We have to do something.”
Unfortunately, this ends up with organizations tossing money at a problem without understanding how the problem occurred—and without hiring the most knowledgeable personnel to handle the breach. A disconnect happens between where the money is spent and how organizations actually get breached. Companies tend to fall down rabbit holes, allowing vulnerability management or other initiatives to entirely consume a department while ignoring areas where they have more exposure.
Do you need a college degree or certification to be a cybersecurity professional?
I think it really depends on the area of cybersecurity you want to pursue. In today’s society, it is common for many professionals in the cybersecurity field to not have college degrees because they can show their mastery of skills through practical means, such as developing code or contributing to open source projects.
Personally, I don’t have a college degree, and it has never held me back in my career. The Offensive Security Certified Professional (OSCP) certification helped me land my first information security job, or at least got me an interview. So taking certification courses may be a better way of not only getting your foot in the door, but also exposing you to different opportunities in the future through networking and staying up to date on new technologies.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?