What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
I don’t have any advice for starting a company. I find a company and become loyal to it. I would never consider starting my own company.
As for getting hired, 95 percent of the jobs I got were from people I knew. There were only two companies in my career where I had to go in cold and interview. If I were going to give advice for getting hired, I would say network. And that all came from Twitter, which is how I know everybody who’s given me a job. For our industry, networking is key. That is why it’s so difficult to get into it. Everyone who gets a job is usually handed off by someone else they know. If you’re going to start off in InfoSec, start networking and getting to know people, and talk about what you’re interested in and what you’ve been working on to achieve experience—whether it’s at home or in a business.
If you’re in IT and your role is creating user accounts and it’s rote and mundane, take it upon yourself to understand what you’re doing—and start doing it more securely so you become the security person. (Not that you bypass the security org, but you keep security in the forefront of your mind, making it clear that it’s something you want to do.) Also, communicating how you’ve done this to others as you network shows that you’re serious about security versus trying to get into the field to make some money. There are some folks who’ve chosen InfoSec just because that’s where the money seems to be. But I think a lot of us hire each other because we see the passion versus the need to get a paycheck. If you can show your passion to others, I think that is like 90 percent of how you stand out in somebody’s mind. And that’s what’ll make them willing to go out of their way to hand in your résumé or push you up the ladder.
What qualities do you believe all highly successful cybersecurity professionals share?
Passion and skepticism. You don’t take things at face value, you question things. You’re always asking “why?” Why are we doing it that way? Why does it do that? Why can’t we do it this way? Also, critical thinking is such an arbitrary way of putting it, but that’s exactly what it is. It’s looking at something, anything that you’re doing in life, and then always having a follow-up question. It’s like saying, “Based on these answers, wait a minute, but what about this? Why this?” The ability to think critically and always ask “why” is a common thread among InfoSec professionals. It’s like always playing devil’s advocate—not to be argumentative but just to better understand.
What is your favorite hacker movie?
Sneakers.
What are your favorite books for motivation, personal development, or enjoyment?
I don’t read books for motivation or personal development. Books to me are strictly for enjoyment. The Mistborn Trilogies. It was just so different. It was sci-fi, so think magic; but instead of having magical powers, they ingested metals—and depending on the metal that you ingested, you were able to move or do certain things. But you had to be born with the ability to use the metals. And I had never heard of that before, and I thought it was just fantastic.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Situational awareness. Always be aware of what you’re saying. Social media is just another dimension. Being outside, where you’re at, it’s all the same; it’s just being situationally aware of who’s around, what you’re saying, and whether you want it to be overheard by someone. Social media will amplify, but again, at the end of the day, it’s you saying something out loud and people overhearing it.
As for the Internet of Things, same thing. Be aware of what you’re putting on the internet and your network. If you put things on your network, understand that there’s a vendor that created it, and who knows if they updated. If I’m putting it on my network, it’s gotta provide me some value. I’m not gonna just stick something on the network just because it’s cool. For example, I have a front-door PIN that can be connected to the internet, but I’ve chosen not to do that because all I wanted was the ease of the PIN versus the physical key. I don’t need to have it on the internet. That’s the difference.
What is a life hack that you’d like to share?
Self-care, whatever that means to you. It could be a hobby, it could be getting a massage, it’s just self-care. Even if InfoSec is your hobby on the side, you’re doing it for you versus doing it to get better at school or work. It’s understanding that you are a person, and you take care of yourself as well. You deserve to grow and continue learning if that’s your thing. If you want to learn how to do manicures for the sake of learning it, then do that. But it’s finding something that makes you happy and pursuing that whenever you want—and at your leisure—while being mindful and intentional about it.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Hindsight is 20/20. I would say I haven’t made one yet.
Marina Krotofil
Twitter: @Marmusha
Marina Krotofil is an experienced ICS/SCADA professional who has spent almost a decade on offensive industrial control systems (ICS) security—discovering and weaponizing unique attack vectors, engineering damage scenarios, and understanding attacker techniques when exploiting ICS. Marina’s offensive security skills serve her well during forensic investigations, ICS malware analysis, and when engineering defenses. She previously worked as a principal analyst and subject-matter expert within the Cyber-Physical Group at FireEye (USA), as a lead cybersecurity researcher at Honeywell (USA), and as a senior security consultant at the European Network for Cyber Security (Netherlands). Between her industrial positions, Marina joined academia to pursue a doctoral degree and teach security courses at Hamburg University of Technology, Germany. She has authored more than 20 academic papers and book chapters on ICS security and is a frequent speaker at the leading security events around the world. She holds an MBA in technology management, an MSc in telecommunication, and an MSc in information and communication systems.
If there is one myth that you could debunk in cybersecurity, what would it be?
The “I am not a victim” myth. Most organizations believe they are not a target because they are “too small,” “don’t do anything important,” and “are unknown to anybody”—or they simply think they’re not a target because “they said so.” This is, in my view, the biggest myth in security, which makes most of the hacks possible. Organizations that believe they are not targeted care little about protecting their organizational assets and become the victim of various types of attacks. The least harmful consequence is that the company’s computing assets become part of the botnets, used as proxy servers to hide attack origin or used for mining cryptocurrency. The most harmful consequence is when a compromised organization is used as a testing ground for sending trusted spear phishing emails, exfiltrated for sensitive customer information, or used as a stepping stone into a more protected organization via trusted communication links. Most large breaches these days are happening via third-party companies.
There is no need to go after a high-profile target via a front-door firewall if it is possible to connect to the organization “securely” via a compromised third-party VPN connection. Similarly, there is no need to exfiltrate needed information from a well-protected target company (with the risk of being detected) if one can obtain the same information from a subcontractor who only weakly protects that information.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
My opinion would probably be unconventional, but I formed it through my work at some large organizations—from servicing customers and from conversations with IT friends. Among the biggest bang-for-the-buck actions an organization could take is the empowerment of the so-called champions. Most companies typically do not have or do not dedicate large budgets for security. But, in almost every organization, there is a network admin, an IT professional, or simply a hobbyist who knows the company’s infrastructure well and who has good ideas for easily implementable security controls, which could substantially improve the company’s security posture (e.g., review and tune firewall rules, tighten access control, set up security logging and network monitoring, etc.).
Most of these activities require minimal financial investment, mostly consisting of the man-hours of the personnel who are willing to and capable of working on security projects. The main disappointing comments I hear from such champions are that management either does not give permission or does not allow time to be dedicated to activities related to security. Conversely, companies that are willing to improve their security are often trying to find such “champions” within their organizational units because such a person would voluntarily evangelize security.
How is it that cybersecurity spending is increasing but breaches are still happening?
I think many security professionals would give the same answer, namely, that security protections in most organizations are typically mounted as a panic-driven reaction to a breach that has already occurred, without any sort of analysis of the organization’s business processes or a security assessment of the IT infrastructure. It is appealing for the affected companies to believe that a single “box” or two would be fully capable of protecting the organization from future breaches, without additional effort or human involvement. In contrast, security consultancies and service providers are having a difficult time selling their offerings because their recommended security actions require involvement of the client’s personnel and a long-term commitment to implementing security programs. It’s hard to change this mind-set because it is habitual to mankind in general—for example, most of us understand the value of preventively maintaining a healthy lifestyle, yet most of us still prefer a reactive approach of taking “a magic pill/smoothie/medicine” when health disorders arise.
Do you need a college degree or certification to be a cybersecurity professional?
This is probably one of the hottest questions discussed in the security community. Those who don’t have a degree argue against one and vice versa. I can speak from both sides. When it comes to general/broad security topics, I am an educated professional. I actually taught security courses at the university level for 11 semesters (introduction to security as well as network, software, and application security). I also attended a couple of security courses at a neighboring university solely for my personal education. I can’t emphasize enough how much I’ve benefited from my in-depth and broad security knowledge throughout my career. Too frequently, “security professionals” are knowledgeable in a narrow topic area only and are unable to think across the entire “defense-in-depth” spectrum. It is especially frustrating to deal with security managers who have no in-depth knowledge of security concepts and believe, for example, that the distribution of private keys via a USB stick should be “just fine.”
In contrast, I am a self-taught cyber-physical hacker. My security specialization is the exploitation of industrial control systems (ICS), which are highly specialized, engineered systems. When I started, I had no idea how they worked and how they could be hacked. Also, there was little public knowledge on the topic. I became an expert in ICS engineering and security by finding ways to break these systems. A lot of talented security professionals are self-taught and earned their impeccable reputation through hacking things or in-depth security research. Because hacking requires overcoming multiple layers of security protections and finding new security flaws, security researchers typically possess in-depth knowledge in security.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I started my cybersecurity career by providing incident response services for malware infections in business applications (banking, retail, and others). I had my own small IT business, which provided various IT-related services and security services, and this quickly became my specialization. Often, I had to infect and remediate a test system first so that I could recover the primary application without inadvertently disrupting it. Later, I was asked to break the security scheme of a wireless sensor network protocol. This is when I discovered my passion for offensive security and decided to obtain a professional degree in the security field by pursuing a PhD. My PhD was application-oriented, meaning I closely worked with the industry on solving practical matters. This helped me to produce meaningful results and to easily get a job afterward.
As in any field, it is important to find a specialization that really excites you (e.g., social engineering versus reverse engineering, offensive versus defensive security, software versus hardware security, web applications versus network security, and so on). You could start with watching recordings of the security talks and attending local security meetups and conferences (e.g., local BSides or OWASP conferences).
Often, local events host free or affordable security trainings, which are great for starting! I personally traveled to a few conferences specifically for trainings. Many large cities around the world also have so-called maker spaces, where local communities meet for various security and hands-on activities (e.g., lock picking, hacking, crafting, building hardware, etc.). For a small price, you not only get access to a lot of expensive equipment, but you also get the unique knowledge of the local community members. Following inspiring security professionals on Twitter is another option. After you decide on a specialization, practice is extremely important. Currently, there are so many free tools, platforms, and online communities for practicing security. Working toward a security certification or two could be a good starting goal and a helpful stepping stone for eventually landing a security job.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
As I mentioned earlier, I specialize in ICS security—specifically in physical damage. One of my key skills is offensive security—i.e., designing exploits for inflicting impact in the physical world by the means of cyberattacks. Many systems I exploit are considered to be critical infrastructures. The physical impacts I work with range from the dramatic (such as equipment breakage and explosions) to moderate (alteration of the manufactured product) to less impactful (such as short-term interruption of the operational process). I’ve worked with many physical applications, including chemical plants, electricity and water distribution, various smart city applications, and more.
My work consists of two parts: (1) engineering the physical damage scenario, and (2) implementing the cyber-attack, which would allow me to achieve my physical damage goal. I enjoy this field because it is highly challenging by nature. One needs to know process, electrical, mechanical, and control engineering; data processing; network and embedded security; and many other disciplines to design an exploit with a specific impact. Because I began specializing in this field before it became popular (before Stuxnet), there were few, if any, educational materials or helpful resources available. I learned this field through “doing” and finding needed pieces of knowledge while engineering my attacks. I created my own experimental security platforms and often traveled long distances to talk to engineers or visit factories.
In the meantime, ICS security became fashionable, and now you can find a lot of useful resources to help you obtain and practice ICS security skills. There are a lot of talks and educational videos on YouTube, public repositories of pcaps and process data, academic papers, and even books. Several labs, which run large-scale ICS testbeds, now allow remote access for research purposes. There are also simulations of large-scale industrial processes in software or miniaturized hardware (e.g., small robotic hands). You can also find cheaper alternatives to industrial equipment. Raspberry Pi uses the same microprocessors as industrial controllers and can be easily turned into programmable logic controllers with open source software. Cheap IoT devices frequently run on the same real-time operating system (RTOS) as critical infrastructure assets. Also, more and more industrial facilities organize “open door” days and can be toured for free.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
What worked for me was being unique and authentic. When deciding on a security specialization, I chose the path least traveled. Nobody did physical damage. So, I picked this area and became an expert in it. To let the world know about my skills, I started presenting on large security stages around the globe. As a result, I became a natural hire for the companies who needed my expertise. I also maintain my authenticity in terms of being an innovative security professional who works very hard and who is sincerely dedicated to the field.