Tribe of Hackers
Page 17
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I stumbled into the hacking scene in my teenage years, and eventually I stuck around long enough for it to develop into a professional industry. I also took an unusual route and ended up working in the nonprofit sector. That isn’t necessarily exemplary of the financial reward that many use to define success in a profession. Truthfully, I never set out to work in cybersecurity, and my advice, particularly to younger generations, is very much consequential to that: don’t rush into finding the task that will define the rest of your life.
In other words, as Moxie Marlinspike much more eloquently put it: “Be careful not to discover a career before you’ve discovered yourself.” If cybersecurity is indeed what you really want to pursue in your life, my advice would then be to work your way through it by contributing to the larger community—be it with a tool or some novel research. For me, creating the free software project Cuckoo Sandbox was instrumental in getting my name out there and ultimately receiving the attention of all the employers I worked for.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I do research, primarily into malware attacks. I started becoming interested in botnets a decade ago, when Storm and Conficker were making the news, and then developed further interest in reverse engineering, malware analysis, and targeted attacks.
Malware analysts are in high demand today. Follow the public research, read other researchers’ discoveries and analyses, and try to reproduce some of their results. With practice and perseverance, you’ll get there. Luckily, there is so much malware out there that there is always something to research and analyze. Set up a blog, share your findings, and publish as you learn. Not only will this help you build a profile, but it’ll also help you better structure your research methodology and better formulate your results.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Those who work in the cybersecurity field have the immense privilege of operating in not only a highly remunerative industry but one that is constantly seeking talent. Acknowledging that privilege, I am convinced that more than finding the appropriate way to “get hired” is the importance of finding the appropriate place to contribute your time. Find a company, institution, or foundation that works on issues you deeply care about, and approach them at the opportune time with a well-prepared résumé and public record. If you lack some skills for the job, develop them. Don’t be put off by a first refusal, particularly if you’re applying at a large corporation. Attempt again a year later with more experience under your belt.
What qualities do you believe all highly successful cybersecurity professionals share?
Humility, curiosity, passion. And a bit of stubbornness.
What is your favorite hacker movie?
Antitrust (2001) was probably the first I’d ever watched. The Matrix (1999) is just a classic, but Hackers (1995) is my all-time favorite. Seriously, I just love Jonny Lee Miller. Hack the Planet!
What are your favorite books for motivation, personal development, or enjoyment?
I mostly read books on politics and society. More recently, I started collecting and reading any possible book on surveillance—from surveillance and counter-surveillance training manuals to analysis of eavesdropping technology from the ’70s, as well as academic research from the field of surveillance studies.
I do recommend, however, to read about the relationship between technology and society, as I strongly believe that we, as computer scientists, need a much stronger education on that. A classic starting point is The Real World of Technology by Ursula M. Franklin. Figure it out from there.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Other than “Unplug that useless thing from the wall!” I generally recommend the typical things: keep everything up-to-date, enable two-factor authentication wherever you can, and use a password manager.
What is a life hack that you’d like to share?
Life hacks? Shortcuts? Nah, just take the long way, and get lost eventually.
What is the biggest mistake you’ve ever made, and how did you recover from it?
My adult life was built on mistakes, or rather poor decision-making. But they all turned out to be unexpected opportunities for experience and growth. Don’t recover from your mistakes, just walk right through them! ■
28
Ron Gula
“Security is not a binary state. This is a mythical goal and is always a relative answer based on what threats and mitigations you have in place for your confidentiality, integrity, and availability.”
Twitter: @RonGula • Websites: www.gula.tech and www.linkedin.com/in/rongula
Ron started his cybersecurity career as a network penetration tester for the NSA. At BBN, he developed network honeypots to lure hackers, and he ran U.S. Internetworking’s team of penetration testers and incident responders. As CTO of Network Security Wizards, Ron pioneered the art of network security monitoring and produced the Dragon Intrusion Detection System, which was recognized as a market leader by Gartner in 2001. As CEO and co-founder of Tenable Network Security, Ron led the company’s rapid growth and product vision from 2002 through 2016. He helped them scale to more than 20,000 customers worldwide, raise $300 million in venture capital, and achieve revenues in excess of $100 million annually. Ron is president at Gula Tech Adventures, which focuses on the investment and advising of two dozen cybersecurity companies. Ron was honored and humbled to receive the 2017 Betamore BETA award, as well as being named a 2016 Baltimore Tech 10 Leader and a 2013 Maryland Entrepreneur of the Year by Ernst & Young.
If there is one myth that you could debunk in cybersecurity, what would it be?
Security is not a binary state. This is a mythical goal and is always a relative answer based on what threats and mitigations you have in place for your confidentiality, integrity, and availability.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Keep track of what is on your network and what is used, even if it isn’t yours. If you don’t know what you have, it is really hard to defend it and even harder to defend something you don’t know you need to defend.
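As an added illustration of the inventory point above (this is not code from the book or from Ron Gula), the script below reconciles what is actually seen on the wire against an asset register. The lease-style lines and the register are constructed sample data; in practice the observed side would come from DHCP leases, ARP tables, or a scan, and the register from whatever CMDB the organization keeps.

```python
"""Reconcile devices observed on the network against the asset register.

Added example (not from the book). Both inputs are constructed:
a few DHCP-lease-style lines "<mac> <ip> <hostname>", and a small
asset register keyed by MAC address.
"""
from dataclasses import dataclass
import re

# Constructed sample of observed devices; the last line is deliberately
# malformed to show that unparseable input is skipped, not trusted.
OBSERVED_LINES = """\
aa:bb:cc:00:00:01 10.0.1.10 fileserver01
aa:bb:cc:00:00:02 10.0.1.11 laptop-alice
de:ad:be:ef:00:42 10.0.1.77 ESP_3F2A1C
aa:bb:cc:00:00:04 10.0.1.12 printer-floor2
this line is not a lease record
"""

# Constructed asset register: MAC -> (owner, description).
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": ("infra", "file server"),
    "aa:bb:cc:00:00:02": ("alice", "corporate laptop"),
    "aa:bb:cc:00:00:03": ("bob", "corporate laptop"),  # never seen on the wire
    "aa:bb:cc:00:00:04": ("facilities", "printer"),
}

LINE_RE = re.compile(
    r"^(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<host>\S+)$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Observed:
    mac: str
    ip: str
    host: str


def parse_observed(text):
    """Parse lease/scan lines into Observed records; malformed lines are dropped."""
    devices = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            devices.append(Observed(m["mac"].lower(), m["ip"], m["host"]))
    return devices


def reconcile(observed, register):
    """Return (unknown, stale).

    unknown: devices seen on the network that nobody registered
             (the "even if it isn't yours" case).
    stale:   registered MACs not observed at all (lost, retired, or
             never deployed), which means the register itself is drifting.
    """
    seen = {d.mac for d in observed}
    unknown = [d for d in observed if d.mac not in register]
    stale = sorted(mac for mac in register if mac not in seen)
    return unknown, stale


if __name__ == "__main__":
    unknown, stale = reconcile(parse_observed(OBSERVED_LINES), ASSET_REGISTER)
    for d in unknown:
        print(f"UNKNOWN  {d.mac} {d.ip} {d.host}")
    for mac in stale:
        print(f"STALE    {mac} ({ASSET_REGISTER[mac][0]}: {ASSET_REGISTER[mac][1]})")
```

Run on its own, the script flags the unregistered `de:ad:be:ef:00:42` (a hostname that looks like a hobby microcontroller board) and reports Bob's registered laptop as stale. Both lists are worth acting on: the first is the thing you did not know you had to defend, the second is the register lying to you.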
How is it that cybersecurity spending is increasing but breaches are still happening?
It is several factors. As we consolidate more and more data to single applications, they become harder and harder to secure because an adversary is willing to wait longer or spend more resources trying to get to the target.
Many organizations still have poor cybersecurity and cyber hygiene and are easy targets for crypto-ransomware. They’ve always been hackable, but until the advent of anonymous ransom paying via bitcoin, it wasn’t profitable.
Do you need a college degree or certification to be a cybersecurity professional?
Yes, absolutely! Cyber is the only profession where our experts claim you can do this without training. It does not occur with doctors, architects, pilots, or lawyers. Our field is so young that many of our role models don’t have certifications or degrees in a cyber or network security discipline; however, for the next several generations, certifications and degrees are required.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I was a geek in high school and had an IBM PCjr (with the infrared wireless keyboard) as well as an Atari 400 with the membrane keyboard. I went to school for electrical engineering at Clarkson University, which was one of the first schools that required students to have a PC (a Zenith 286). I started reading Phrack while in the Air Force right around the time TCP sequence prediction attacks became popular. I was really interested in this and applied for an Air Force position at the NSA at the same place that Cliff Stoll reached out to in his Cuckoo’s Egg book. While there, I fell in with a group of pentesters and got exposed to some of the smartest folks in cyber I’ve ever met, even though it wasn’t called “cyber” until many years later.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I like to think I can see where people and the industry need to go and communicate this in a way that is easy to understand and motivating. I’ve been lucky enough to recruit some of the best people in the industry to help at companies like Tenable Network Security, and now, as an investor, I’m working on the next generation, trying to help build feedback loops where the executives of today become the mentors and investors of tomorrow.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Only you can define what success is for you. There are many different paths you can take in cyber, all of which can be rewarding intellectually—making it harder for hackers and evil-doers to succeed—and all of them can be great careers. You should try to be exposed to as much cyber as possible and then commit to being good at something for a few years. We have many generalists in our field, which is necessary because of the immense amount of experience and technology that must be learned, but I really believe you should start out at something you really like—such as pentesting, incident response, IT help desk, etc.—and be good at it before you move on to bigger and better things.
What qualities do you believe all highly successful cybersecurity professionals share?
They all have the ability to communicate and understand perspective. They don’t speak in marketing jargon, and they know that cyber is really difficult to quantify or measure. The great cyber professionals whom I respect also make it a point to train the next generation.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Spoiler alert—if you plan to read The Three-Body Problem, skip my answer.
There are two. First is a movie called Colossus: The Forbin Project (from 1970, mind you!) where an AI put in charge of our nuclear weapons has a hacking attempt made against it, and the scientists attempting the hack are ordered shot by the military police. The message here is that cyber is having increasingly real implications.
Second is a book from China called The Three-Body Problem. In it, a scientist figures out that the universe is actually a very scary place with advanced civilizations basically hiding and waiting to wipe out less advanced civilizations when they discover them. The same scientist figures out how to spoof a “We are here, is anyone else out there?” message from the home star of a race with a fleet on its way to attack Earth. Within a few years, that star is destroyed by an unseen, much larger advanced race. This is the model of cyber going forward. Every nation-state operates unseen in cybersecurity space. We don’t know what they’ve recorded and what they have access to, and each is motivated by a variety of laws and national interests.
What is your favorite hacker movie?
For style and entertainment, Swordfish. For technical accuracy, an Italian movie called The Listening, in which a manual for an intelligence device created by a government contractor that can listen to anyone’s phone calls falls into an unsuspecting public’s hands.
What are your favorite books for motivation, personal development, or enjoyment?
Right now, I am reading Jordan Peterson’s 12 Rules for Life and have liked what I’ve read so far. This is the first “self-help” book I think I’ve read. I also enjoyed Moonwalking with Einstein, which is about memory and has lots of tips on having a better memory. My favorite business book to recommend to people is Ray Dalio’s Principles.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Your home network is probably safe, but for some of us it isn’t. To protect yourself from this, get an iPad or Android tablet that connects only to 3G and use this for your banking, secure email, secure file saving, etc. Never use social media from this device, play games, put it on your Wi-Fi, etc.
What is a life hack that you’d like to share?
Have multiple interests, especially if you’re not that great in something else you enjoy. It keeps you humble and young. For example, I’m learning and practicing the keyboard now because I enjoy it.
What is the biggest mistake you’ve ever made, and how did you recover from it?
My biggest mistakes are too personal to put into a book here. For the big ones, though, the best way to recover is to be honest with everyone involved and figure out the best way forward such that they won’t burn you up inside or keep a grudge going with anyone.
A mistake I do like to tell folks, because it affected my college experience, was when I was trying out to be a “resident advisor.” We did one of those group study exercises where we were all on an island, all had a skill and a liability, and all had to figure out who lived and died. This was my first time doing something like this, and I did not really understand the liability part and was told that I was to play the “important architect.” But I misheard it as “impotent architect.” I did not get the RA job, but I listen much more attentively now and tend to assume (as in Ray Dalio’s book) that if something isn’t making sense, it is much more likely that I don’t understand something than that someone is really being evil or deceptive. ■
29
Jennifer Havermann
“Do the hard work to document your enterprise and identify your information ‘crown jewels.’”
Twitter: @Cyberjenny
Jennifer Havermann is a Deloitte client relationship executive located in Annapolis Junction, Maryland. She leads client relationships, strategy, and business development for Deloitte Central Maryland, including the intelligence community and Department of Defense clients within the community. Jennifer has more than 30 years’ experience in both industry and government as a practitioner and leader in many cyber disciplines. She holds a BS degree in information assurance, a network engineering certificate, and technical certifications including the Certified Ethical Hacker (C|EH) and Certified Information Systems Security Professional (CISSP). She is an active volunteer in both the industry and community for STEM and cyber.
If there is one myth that you could debunk in cybersecurity, what would it be?
That you can just go get a degree or certification in cybersecurity and get a job right away because there are all of these unfilled jobs. Cybersecurity was a follow-on career/specialty for those who had other systems backgrounds—whether in system or network administration, programming, systems engineering, or other technical roles—that provided the necessary foundations to build cyber knowledge upon.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Do the hard work to document your enterprise and identify your information “crown jewels.” You can’t improve what you don’t know exists. So many organizations will have a breach and then try to pull information on the impacted system(s), only to find that it’s either nonexistent or woefully out of date.
How is it that cybersecurity spending is increasing but breaches are still happening?
Money doesn’t solve all problems and doesn’t address the complexity of securing an enterprise; securing an enterprise requires hard work and attention to detail. The defensive professionals have a much harder job than the attackers. Defenders need to secure everything, whereas an attacker only needs to find that one opening.
Do you need a college degree or certification to be a cybersecurity professional?
It depends on the role that you plan to fill and the knowledge you’ll need to do your job. Honestly, as quickly as technology evolves, it’s the lifelong learners who tend to do best in this field and have the best opportunities and longevity.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I was lucky to start while in the federal government, doing systems administration and becoming a “jack-of-all-trades” back when there were fewer specialties. I had an interest in cybersecurity, so I started self-teaching, taking classes, reading, and engaging with other professionals already in the field. As far as advice: never stop learning. Technical resiliency is important. Don’t restrict yourself from learning different technologies. Do the reading.