Tribe of Hackers
Cybersecurity has always been something I was interested in since I was really young. The path to get where I am wasn’t a direct line from A to B. I started working in computer repair, moved up to system engineer, and eventually became a network engineer at a large ISP before landing my first cybersecurity job. Today, a student can go to college for cybersecurity and get a job right away, but a lot of what makes me good at what I do is my background in system and network engineering.
As far as what advice I would give to a beginner pursuing a career in cybersecurity, I would have to say be prepared to commit a large amount of your time to your career. Technology is always evolving, and the techniques we use in cybersecurity are constantly changing. You can’t just jump into a job and stop learning. It’s a never-ending process of developing who you are as a professional and obtaining new skills.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My focus and specialty is red teaming and adversary emulation. My background as a network and system engineer gives me a better understanding of how networks and systems are built and where to look for targets. To gain experience in these areas, I would suggest following current trends in malware and exploring tactics used by real threat actors.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Getting hired for your first position in the cybersecurity industry is most likely the hardest. People who have impressed me the most during the hiring process always highlight personal projects or their involvement in the community, even if it’s not purely technical. Attending conferences shows a great commitment to the industry, and I would suggest starting there if you are unsure of where to begin.
What qualities do you believe all highly successful cybersecurity professionals share?
All successful cybersecurity professionals definitely have creative problem-solving skills. It is important to be able to come up with unique approaches in order to solve complex issues. Fixes are not typically straightforward, so the capability to be flexible in your thought process is important.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I would say that the TV show Mr. Robot does a really good job of highlighting both the technical and human cybersecurity issues. The public often forgets that the user is the exploitable target.
What is your favorite hacker movie?
I feel like this answer is cheating, but Hackers was a big influence in my life. It came out around the time I was really getting into computers. Since its release, I have probably watched it 500 times. Fun fact: I actually have a “Hack the Planet” tattoo.
What are your favorite books for motivation, personal development, or enjoyment?
Most of the books I read tend to be technology/work related. Growing up, I really enjoyed Takedown by Tsutomu Shimomura and The Cuckoo’s Egg.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
The best advice I could give is to utilize a password manager and have unique passwords for all the websites you visit. Limiting public information that is tied to password reset questions is another area many people overlook.
What is a life hack that you’d like to share?
I would say to find a hobby outside of computers and cybersecurity. This can help prevent burnout. Personally, I build and race drag cars. I’ve found that doing something away from computers can help reset your train of thinking, and you may even come up with new ideas when you aren’t expecting them.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Well, my first computer job was at a computer repair/small IT shop. A couple of weeks after I started, the owner wanted me to clone his failing laptop hard drive with an external adapter. Unfortunately, with 2.5 IDE, you can easily hook it up backward and toast the board that controls the hard drive. Luckily, the owner had made similar mistakes, so he was understanding, and I learned to double- or triple-check things in the future.
Robert Graham
“How much you spend on security relates very little to the quality of that security.”
Twitter: @erratarob • Website: blog.erratasec.com
Created: [BlackICE, IPS, sidejacking, masscan]. Doing: [blog, code, cyber-rights, internet-scanning]. Unethical coder, according to the EFF.
If there is one myth that you could debunk in cybersecurity, what would it be?
That it’s some magic power that can be wielded without much training. As a well-known hacker for two decades, I regularly get queries asking to be taught “how to hack without all that unnecessarily complicated stuff.” The queriers are looking for some button to press to instantly grant access to somebody’s Facebook account, for example. That’s not how hacking works. If it were that easy, then everyone would already be doing it. Instead, the ability to hack comes from studying that “unnecessarily complicated stuff.” It’s the very fact that people avoid the complicated bits that enables the few who actually study it to have extraordinary power.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
There is none. That’s the “magic pill” fallacy that there exists this one thing that can be done to defend yourself. It’s a variation on my answer to the previous question—that there is no easy path (to either attack or defense) that avoids all the complicated bits.
How is it that cybersecurity spending is increasing but breaches are still happening?
How much you spend on security relates very little to the quality of that security. For example, the weight loss industry is a $20 billion industry because people want to buy products to fix things rather than do what’s necessary to lose weight (eat less, exercise more). The same is true of the cybersecurity industry, where customers are willing to throw money at vendors rather than do what’s necessary to fix their own problems themselves. Such spending has “decreasing marginal returns.” A little money can make a difference, but the more you spend, the less additional difference it makes. Most companies have reached the point where additional spending has no added benefits. This is especially true because they spend that money on the wrong things.
Security is only as strong as the weakest link. Weak links, like desktop computers hooked to the corporate network, continue to be ignored. Companies spend a ton of money trying to protect desktops rather than spending less money protecting the corporate network from compromised desktops.
Do you need a college degree or certification to be a cybersecurity professional?
No. All you need is a burning interest in technical details that most people avoid because they are too complicated and frustrating to understand. The wild talents of the early years of cybersecurity were solely those kinds of people because there was no degree that matched cybersecurity and no certifications.
With that said, college can be valuable in creating a more rounded person, forcing us to be exposed to concepts we’d otherwise have no interest in and forcing us to learn important details we’d otherwise skip.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I first started by being an expert programmer in computer networks. Both networks and programming are important skills. I then made a network security product and moved on from there. Starting first as a programmer or a sysadmin, a netadmin, or a Windows admin will teach you how systems work, which is an important step in learning how they break. I recommend several years doing one or more of these things before getting into cybersecurity. I have a low opinion of pundits/personalities in our industry who don’t actually understand how any of this works.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty is networking. Being a network administrator setting up routers and switches is a good start for that. Becoming a programmer who writes low-level network code is another way. (I mean, not creating a website using PHP/JavaScript, but something more low-level.)
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
For getting hired, be able to point to your previous accomplishments. If you’re in school, accomplish something. If you have programming skills, create a GitHub account with your code. If not, describe something that you did during an internship.
As for climbing the corporate ladder, it’s hit or miss depending on the leaders above you. For some organizations, vile things will serve you, like backstabbing your co-workers, taking credit for others’ work, and brown-nosing the boss. For other organizations, being an exemplary employee is the route.
The number-one difficulty in being an exemplary employee is figuring out how to deal with the fact that you’re right and nobody can see it—and the fact that people won’t listen to you. This frustration will burn you out and cause you to behave in ways that make everyone else unhappy as well. I could write a book on how to deal with this, but the short version is this: they (the wrong people) have the same frustration.
The simple social engineering trick is to listen to them. By this, I mean sincerely listen to them, ask honest (not leading) questions, get 100 percent of their argument out of them until they have nothing left. Then still tell them you disagree, but don’t tell them why. Most of the time, they’ll get on your side—not because they understand your argument, but out of the sheer gratitude that somebody, finally, listened to them. Nobody is really going to listen to your ideas, so yelling at them isn’t going to help. And you don’t need that anyway. Instead, displaying confidence in your own ideas, without trying to make others listen to you, gains you their trust.
I’ve gone into meetings where I’ve simply asked honest (not leading) questions of the opposing side, never discussing my own ideas, and walked out with easy consensus for my ideas. Of course, I likewise have some failures, but those were usually caused by factors wholly outside of my control, such as political push from some executive in the company who isn’t even in the meeting.
As far as starting a company, start with friends you can trust. We all have weaknesses, and indeed, often our weaknesses are also our strengths. For example, I like learning many things, which makes it harder for me to focus on one thing. Conversely, one of the co-founders of my company focuses too much on one thing at the expense of the bigger picture. People whom you can trust, who are honest and honorable, are also important. If somebody brags about how they cheated somebody else, eventually they’ll get around to cheating you, too.
What qualities do you believe all highly successful cybersecurity professionals share?
Superior technical knowledge and the ability to not be such an ass about it. To be fair, there are a lot of successful charlatans, but the real successes come from people who have technical excellence. Over the decades, I’ve watched how many of the early pioneers have eventually started their own successful companies or climbed the ladder. It’s generally those with the best technical expertise who have done the best professionally, even as they’ve moved into managerial, sales, marketing, or executive roles.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
None that I can think of. Mostly, I’m likely to discuss how books/movies teach the wrong lessons about cybersecurity.
What is your favorite hacker movie?
I’m going to go with Hot Millions, a 1968 movie starring Peter Ustinov. It’s a surprisingly comprehensive hacking movie—including social engineering, computer hacking, and money laundering—from before any of us were born.
What are your favorite books for motivation, personal development, or enjoyment?
I recommend re-reading To Kill a Mockingbird, looking not at the angry injustice of the wrong conviction but the way the author describes the good in people who are the “enemy.” Likewise, re-read Orwell’s 1984, not for what it says about government but for what it says about the common people that led to dystopia—such as the “duck quacking” concept of repeating political slogans because everyone agrees with them, not because they’ve put any thought or critical analysis into them.
Or, re-read Fahrenheit 451, paying attention to how censorship came not from the government top-down but from the people bottom-up wanting to get rid of everything that offended them.
My favorite sci-fi, strangely, is Lois McMaster Bujold’s Vorkosigan Saga series of books, which appears on the surface to be standard space opera fiction but is surprisingly complex underneath. What I like about the series is the concept of “honor” when all choices are dishonorable. As a cybersecurity professional, you are frequently faced with dishonorable choices, such as a client asking you to edit your pentest results or a client who you can see is clearly breaking the law.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
IoT vulnerabilities are hype; don’t worry about it. Social media is a cancer—you like/repeat memes because you agree with them, not because you’ve critically evaluated their veracity/worth. Look before you repeat.
What is a life hack that you’d like to share?
Don’t use your work email for personal things; get a personal email account. Don’t use your personal/work account for financial/important things; get a separate financial email account. That way, when you get that “PayPal password reset” message on your work or personal account, you know it’s a phishing attack because it wasn’t sent to your financial account.
What is the biggest mistake you’ve ever made, and how did you recover from it?
The real answer is that when hitchhiking through Germany in college, I didn’t abandon my friends and go wherever the hot 30-something blonde was going in the red Porsche who offered one and only one of us a ride.
The more practical answer is the Witty Worm—a network worm in 2003 that took down the DoD network because of an obvious vulnerability in my code. “Recovery” was done by regression-testing code coverage—and by going on a worldwide apology tour to all our major customers.
Claudio Guarnieri
“Ultimately, there is no shortcut; you might decide to sweat it out through a master’s degree or through publishing research and code on GitHub, but either way, you’ll have to earn it.”
Twitter: @botherder • Website: nex.sx
Claudio Guarnieri is a security researcher, artist, and human rights activist. He researches the use of technology as a means for repression and provides assistance to human rights organizations, journalists, and activists with issues surrounding computer security, privacy, and surveillance. He also plays music, creates art, and writes.
If there is one myth that you could debunk in cybersecurity, what would it be?
The most recurring myth I encounter is that security isn’t everyone’s problem. The reality is that using secure and privacy-enabling technology isn’t just beneficial for yourself, but it is, in practice, an act of solidarity. If we demand technology to be better and safer, and for security to be taken seriously, we contribute to building a global ecosystem that’s to everyone’s benefit—including you, the company you work for, the public offices that provide you services, as well as a journalist reporting on corruption on the other side of the planet.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Hire good people. They’re worth it and can do a lot more for you than any box you could possibly buy.
How is it that cybersecurity spending is increasing but breaches are still happening?
The same question sounds like a definition of a bubble. We’re doing a horrible job at actually building better and safer technology. We are fixing and monitoring things too much rather than investing in building more resilient foundations. Additionally, it is quite simply an industry that’s being built on top of scandals and fear, and those who are exploiting this climate for a quick buck outnumber those who are genuinely in it for the long run and trying to change things.
Do you need a college degree or certification to be a cybersecurity professional?
The value of a strong education is undeniable, but it’s not a prerequisite to becoming a cybersecurity professional—let alone being successful at it. Your skills, passion, and the quality of your work go a very long way. My academic career has been complicated and short-lived, and yet I managed to carve my own path. Friends of mine have pushed all the way through to a PhD and also found their way. It is very much a personal choice. Ultimately, there is no shortcut; you might decide to sweat it out through a master’s degree or through publishing research and code on GitHub, but either way, you’ll have to earn it.