Tribe of Hackers
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
From years of practice, I have several specialties. I’m constantly evolving in the field. Gaining expertise in any specialty requires hard work. When I did vulnerability assessment and penetration testing, I lived in that field. I learned as much as I could about different technologies, tools, and techniques. I ran a home lab with a lot of different systems in it so I could try tools and techniques in my own safe environment. I worked with a lot of others and still refer to them as my “tribe.”
These people were experts in particular technologies. I’m still connected to those people to this day. Commit to the specialty you want, but be flexible about the experiences that will get you there; sometimes it looks like a lateral move, a step back, or taking on additional work.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
For getting hired and climbing the ladder: a willingness to do whatever is needed, grit. Those things are necessary for any career success. Be open to different work experiences, different customers (industries), or different missions (government). Look for ways to augment your experience.
For all three areas: cyber is not just about technology or solutions; it’s also a business about people, so don’t neglect developing your business skills. Learn contracts, how customers advertise the work, and networking. Learn how to write proposal responses, how to engage clients, effective communication skills, and project leadership/program management. Also, do both technology and business reading, as well as keeping up on current events and policy.
What qualities do you believe all highly successful cybersecurity professionals share?
Commitment to the discipline and a desire to make things more secure and safer for all of us
Commitment to lifelong learning
Commitment to bettering the community and giving back, helping the next generation make their way
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I’m having a hard time thinking of a “best.” I will say that The Net (1995) was probably ahead of its time in addressing identity theft and covered a plethora of issues, albeit simplistically. It was a good overview of possibilities for its time.
What is your favorite hacker movie?
Hackers, of course. So cheesy… “Killer refresh rate” cracks me up every time I hear it.
What are your favorite books for motivation, personal development, or enjoyment?
I have a large reading list, but also look to podcasts. In the “Tribe of” spirit, I’m a huge fan of Tim Ferriss and Tribe of Mentors, but I also listen to the Tim Ferriss Show podcast and subscribe to his “Five Bullet Friday” emails. I also subscribe to a few industry/special-interest email distros that keep me abreast of what is happening in the marketplace and technology. I also use things like Coursera to take classes for my own interests.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Less is more. If you don’t need the IoT-enabled device, then go low-tech. If the convenience outweighs the risk, then go for it. Just remember, when using the IoT-enabled devices, there is a risk trade-off here. And less is more on social media as well. Be cognizant of how what you post could either enable a malicious actor or come back to haunt you.
What is a life hack that you’d like to share?
I’m still figuring those out! This won’t sound like a life hack, but I tend to take copious notes. I figured out that my learning style involves the act of writing it down. That’s the way I best learn and retain information. Using technology (laptop, tablet, etc.) doesn’t have the same effect. I think “learning how to learn” has probably been my best life hack so far. You can check out Coursera’s course of that name: https://www.coursera.org/learn/learning-how-to-learn.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Not getting my degree (checking that box) earlier. I think having the degree would have opened some alternative doors for me earlier in my career. I eventually got it, but I did hit the ceiling where the lack of a degree was the only barrier to other opportunities. I found a school and program that worked for me and earned a lot of credit through documenting how I obtained my experience/learning. I went full-time and worked full-time, hacking my personal schedule to knock it out as quickly as I could. It was the best investment. ■
30
Teuta Hyseni
“To develop a successful application for today’s ecosystem, security must be every member’s responsibility—from managers and engineers to QA—throughout every stage of the software lifecycle.”
Twitter: @TeootaHyseni • Website: www.linkedin.com/in/teuta-h-hyseni-12bbb42b
Teuta Hyseni is a security engineer at Microsoft. As a security engineer, she is responsible for leading application security projects, assessing potential flaws within applications, and reviewing the architecture of applications. Teuta started her career as a software engineer at Rackspace. After that, she moved to Denim Group, where she began working on the cybersecurity side and became fascinated with it. Teuta is committed to educating others outside of the industry on security threats and best practices, maximizing the impact of her security expertise through different talks and mentorship programs. In recognition of her efforts, she was nominated as a Security Champion of the Year in 2018 at the Women in IT Awards. As part of her passion for the tech industry and innovation, Teuta and her mentees won first place in the World Blockchain Hackathon at the Blockchain Economic Forum in 2018, a world-class competition. As an advocate for gender diversity, she also has a keen interest in motivating, inspiring, and improving women’s participation in the industry.
If there is one myth that you could debunk in cybersecurity, what would it be?
Throughout my experience, one of the myths that I have seen is doing application security reviews as an afterthought process, meaning after the product has been developed. Although it is possible to add protection into applications post-completion, this is costly and less effective. To develop a successful application for today’s ecosystem, security must be every member’s responsibility—from managers and engineers to QA—throughout every stage of the software lifecycle. It is essential that each stage of the software development process has proper application security analysis performed, as well as defenses and countermeasures put in place that will result in more secure code. From envisioning through requirements, design, and implementation, to testing and releasing, security must be incorporated throughout the software development lifecycle (SDLC) to produce more secure and robust code that can better withstand attacks.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
The security posture of an organization is greatly impacted by the level of security awareness or security culture/readiness of the organization. If implemented correctly, security readiness and security awareness across the organization can be a major line of defense. If all employees are properly informed and trained regarding what to watch for, prevention, and remediation procedures, this can greatly minimize the potential security issues that could affect the company as a whole.
“The security posture of an organization is greatly impacted by the level of security awareness or security culture/readiness of the organization.”
How is it that cybersecurity spending is increasing but breaches are still happening?
The complexity of systems has risen exponentially in the past decade. With more complex systems, the attack surface has expanded too. However, bigger investments don’t necessarily imply better security defense mechanisms. For example, an expensive tool won’t make a difference if the tool is not used properly and employed to serve its purpose. There should be the right combination of tools, and engineers who take advantage of these tools, to make the right decisions.
Do you need a college degree or certification to be a cybersecurity professional?
Not necessarily. Technology is a fast-paced industry, and a college degree or a certification won’t make you a better cybersecurity professional. There are other ways to gain knowledge and obtain different skill sets. With online learning and free courses, combined with a high level of commitment and interest, I think anyone can become a cybersecurity professional.
“Technology is a fast-paced industry, and a college degree or a certification won’t make you a better cybersecurity professional.”
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started my career as a software engineer. Security was not on my radar until one day, at my previous job, there was a need for help with an application security assessment, and I volunteered to help. From that point on, I was fascinated with application security and how intriguing and exciting it can be. In regard to the way of thinking, one has to change the perspective, understand issues more deeply and accurately, and ponder how an unworkable notion might become workable. To all beginners, cybersecurity is a field that requires mental toughness and resilience. However, its great reward is that you are on a mission and have a duty to protect users’ private information and serve the greater good.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Because the job market has become so competitive, doing well in your job, climbing the ladder, and moving forward with your career has become more challenging than ever. Depending on one’s goals, advancement and recognition come as a result of a willingness and a strong desire to perform well. Once you have the willingness and the right mind-set, you will see a positive change in your career. Some of the things that have helped me on my own career path include taking initiative, being open to constructive feedback from co-workers and managers, communicating well, learning continuously, gaining trust, being results-driven, evaluating myself often, and making adjustments as needed.
What qualities do you believe all highly successful cybersecurity professionals share?
The cybersecurity industry progresses continuously and quickly, and the most important quality a successful security professional can have is natural curiosity, which leads to continual learning. Furthermore, one must have the ability to work and think fast, under pressure, and make decisions in real time.
“Depending on one’s goals, advancement and recognition come as a result of a willingness and a strong desire to perform well.”
What is the best book or movie that can be used to illustrate cybersecurity challenges?
One book that illustrates cybersecurity challenges well is Hacked Again. This book presents the challenges that businesses and institutions deal with and the tactics used to mitigate cyber attacks—what really happens before, during, and after data breaches or security incidents.
What is your favorite hacker movie?
There are a couple of movies that I like, but I would say The Girl with the Dragon Tattoo.
What are your favorite books for motivation, personal development, or enjoyment?
I have a few favorite books; however, this changes often. Currently, I like The Code of the Extraordinary Mind, The Future of the Mind, The Power of Now, and Phantoms in the Brain.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Cybersecurity is not just an organizational concern anymore. The number of smart devices we use and rely on at home has grown to the point where our day-to-day lives can be greatly impacted if an unauthorized malicious user gains access to them. My advice to people at home would be to use a strong password, and don’t use the same password for every application. For sensitive applications, use a multifactor authenticator.
“The number of smart devices we use and rely on at home has grown to the point where our day-to-day lives can be greatly impacted if an unauthorized malicious user gains access to them.”
Sensitive activities, such as banking or shopping, should be done only on your device. Do not use free, unauthenticated Wi-Fi when performing such activities. The data you are sending to the browser is in plain text and can be copied easily.
Social engineering is really common. If someone calls or emails you asking for sensitive information, it’s better to hang up and call the institution yourself than to trust someone on the phone.
What is a life hack that you’d like to share?
While I was in college, one of the biggest struggles I had was balancing sleep and study. With exams, essays, projects, and work deadlines rolling around at the end of each term, as a student, I found that napping can be a powerful tool to provide enough energy to carry me throughout the day. The schedule I used was three to four hours of uninterrupted night sleep combined with three or four power naps of 15–20 minutes between classes during the day. This is also known as a polyphasic sleep pattern, which refers to sleeping multiple times instead of once.
What is the biggest mistake you’ve ever made, and how did you recover from it?
One of my professional mistakes happened while I was a software engineer. I was assigned to a project to build a plugin for one of our products. However, the timeline was short; therefore, the project was assigned to two people in order to deliver it on time. Since we were two engineers, we were working simultaneously on codependent features. As we progressed with our projects, we failed to synchronize our code daily. We were on the second week of the project, and both of us had progressed on our feature sets, so we were asked to demo our progress. When we started to merge our code, it turned out that a lot of our code had conflicts and failed to merge. It took us a couple of days to resolve these conflicts, and on top of that, our features broke due to the merge. The lesson learned from this mistake was that, regardless of how small the project is, when working in parallel with someone else, pushing the code and merging daily is a must in order to deliver the project successfully. Hence, sometimes trying to save time backfires. In the case I just mentioned, neglecting to push and merge the code daily actually wasted time in the long run and delayed the release of the plugin. ■
31
Terence Jackson
“Many companies think that ‘checking the box’ on compliance means they’re more secure.”
Twitter: @tjackson78 • Website: ttalkstech.com
Terence Jackson graduated from Howard University with a BBA in management information systems. He is currently the chief information security officer at Thycotic Software LLC and holds certifications from Thycotic, CyberArk, RSA, Oracle, and the Identity Management Institute. He has more than 17 years’ experience working in information technology and security for large and small federal contractors and as an independent consultant. Terence is also a Stars Mentor at MACH37, a Virginia-based cybersecurity accelerator. In his free time, he serves on the AV and Social Media Ministry at his church. He enjoys spending time with his wife and family, which includes his teenage son and five-year-old daughter. He’s also an avid Marvel movie watcher and enjoys technology news and research.
If there is one myth that you could debunk in cybersecurity, what would it be?
That compliance equals security. Many companies think that “checking the box” on compliance means they’re more secure.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
In my experience, removing local administrative privileges and application whitelisting/blacklisting goes a long way to improve security without spending a ton of money.
How is it that cybersecurity spending is increasing but breaches are still happening?
Spending is increasing; however, companies are purchasing disparate point solutions that are hard to integrate with each other and take months to deploy and configure, and teams are not properly trained to handle the emerging threats. Employees are on the front lines of this battle, but they have not been properly equipped. While there are annual security awareness trainings and phishing simulations, many times those are just to check a compliance box.
“Employees are on the front lines of this battle, but they have not been properly equipped.”
Do you need a college degree or certification to be a cybersecurity professional?
I don’t believe degrees or certifications can accurately predict the success or failure of someone in cybersecurity. Just like compliance doesn’t equal security, certifications and degrees don’t necessarily make a cybersecurity professional. What it typically means is that you studied and did well enough to pass a test or series of tests. That’s not a knock on degrees or certifications; I have both. But I think the trait that makes a person a true cybersecurity “guru” is an investigative mind-set—the drive to figure out how things work on a deeper level, often from the inside out. As a child, I would take all of my toys apart to see how they worked and then reassemble them and sometimes even modify them. I have worked with many self-trained cyber professionals who had little to no formal training, and they could run circles around some folks with degrees and certs. They were battle-tested and ready.
“I don’t believe degrees or certifications can accurately predict the success or failure of someone in cybersecurity. Just like compliance doesn’t equal security, certifications and degrees don’t necessarily make a cybersecurity professional.”