



  TRIBE OF HACKERS

  CYBERSECURITY ADVICE FROM THE BEST HACKERS IN THE WORLD

  MARCUS J. CAREY & JENNIFER JIN

  Copyright © 2019 Marcus J. Carey and Jennifer Jin

  Published by John Wiley & Sons, Inc. Indianapolis, Indiana

  Published simultaneously in Canada

  ISBN: 978-1-119-64337-1

  ISBN: 978-1-119-64340-1 (ebk.)

  ISBN: 978-1-119-64338-8 (ebk.)

  Manufactured in the United States of America

  No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

  Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or Web site may provide or recommendations it may make. Further, readers should be aware that Internet Web sites listed in this work may have changed or disappeared between when this work was written and when it is read.

  For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (877) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002.

  Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.

  Library of Congress Control Number: 2019945161

  TRADEMARKS: Wiley, the Wiley logo, and the Sybex logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.

  CONTENTS

  Cover

  Acknowledgments

  Introduction

  Chapter 1. Marcus J. Carey

  Chapter 2. Ian Anderson

  Chapter 3. Andrew Bagrin

  Chapter 4. Zate Berg

  Chapter 5. Cheryl Biswas

  Chapter 6. Keirsten Brager

  Chapter 7. Evan Booth

    Note

  Chapter 8. Kyle Bubp

  Chapter 9. Lesley Carhart

  Chapter 10. Lee Carsten

  Chapter 11. Whitney Champion

  Chapter 12. Ming Chow

    Notes

  Chapter 13. Jim Christy

  Chapter 14. Ian Coldwater

  Chapter 15. Dan Cornell

  Chapter 16. Kim Crawley

  Chapter 17. Emily Crose

  Chapter 18. Daniel Crowley

  Chapter 19. Winnona DeSombre

  Chapter 20. Ryan Dewhurst

  Chapter 21. Deidre Diamond

  Chapter 22. Ben Donnelly

  Chapter 23. Kimber Dowsett

  Chapter 24. Ronald Eddings

  Chapter 25. Justin Elze

  Chapter 26. Robert Graham

  Chapter 27. Claudio Guarnieri

  Chapter 28. Ron Gula

  Chapter 29. Jennifer Havermann

  Chapter 30. Teuta Hyseni

  Chapter 31. Terence Jackson

  Chapter 32. Ken Johnson

  Chapter 33. David Kennedy

  Chapter 34. Michelle Klinger

  Chapter 35. Marina Krotofil

  Chapter 36. Sami Laiho

  Chapter 37. Robert M. Lee

  Chapter 38. Kelly Lum

    Note

  Chapter 39. Tracy Z. Maleeff

  Chapter 40. Andy Malone

  Chapter 41. Jeffrey Man

  Chapter 42. Jim Manico

  Chapter 43. Kylie Martonik

  Chapter 44. Christina Morillo

  Chapter 45. Kent Nabors

  Chapter 46. Wendy Nather

  Chapter 47. Charles Nwatu

    Note

  Chapter 48. Davi Ottenheimer

    Notes

  Chapter 49. Brandon Perry

  Chapter 50. Bruce Potter

  Chapter 51. Edward Prevost

  Chapter 52. Steve Ragan

  Chapter 53. Stephen A. Ridley

  Chapter 54. Tony Robinson

  Chapter 55. David Rook

  Chapter 56. Guillaume Ross

  Chapter 57. Brad Schaufenbuel

  Chapter 58. Chinyere Schwartz

  Chapter 59. Khalil Sehnaoui

  Chapter 60. Astha Singhal

  Chapter 61. Dug Song

    Notes

  Chapter 62. Jayson E. Street

  Chapter 63. Ben Ten

  Chapter 64. Dan Tentler

  Chapter 65. Ben Tomhave

  Chapter 66. Robert “TProphet” Walker

  Chapter 67. Georgia Weidman

  Chapter 68. Jake Williams

  Chapter 69. Robert Willis

  Chapter 70. Robin Wood

  Epilogue

  Bibliography

  End User License Agreement

  Acknowledgments

  Tribe of Hackers would not exist without the awesome cybersecurity community and the contributors in it. I owe them tremendously for allowing me to share their perspective on our industry.

  I'd like to give a special shout-out to my wife, Mandy, for allowing me to do whatever the heck I want as far as building a business and being crazy enough to do this stuff. To Erran, Kaley, Chris, Chaya, Justin, Annie, Davian, Kai: I love you all more than the whole world!

  I also want to thank Jennifer Jin for helping build the Tribe of Hackers book series and summit. She would like to thank her parents for not thinking that she's crazy for quitting pre-med.

  Thanks also goes to Jennifer Aldoretta for helping me build a company that is true to our values. Shout-out to every one of the people I've worked with over the past few years.

  Thanks to Dan Mandel, Jim Minatel, and the Wiley team for believing in the whole vision.

  —Marcus J. Carey

  Introduction

  My mind is in a peaceful and reflective mood. I'm nearing the end of my first time away from work in at least three years, most of which has been a blur as I founded my own cybersecurity firm.

  I've learned a lot about venture capital, investors, and mentors—as well as what it takes to build a company from just an idea. It's been an amazing journey. My reputation as a white-hat hacker gave me the credibility to get this far, and we're just getting started.

  I believe in giving as I go. In other words, instead of waiting until I “make it” to give back to others, I have been trying to mentor everyone I come across along the way. I have always been the type to want to help others, so I mean it when I say you're welcome to email or meet me for guidance about anything. I will always try my best to help.

  Over the last year, I've listened to hundreds of hours of audiobooks while going to and from work and while walking my dogs. One of the books that really impressed me was Tribe of Mentors by Timothy Ferriss, and it stands as the inspiration for this book's concept. I highly recommend this thought-provoking read on life and business, especially if you're a fan of self-help books or entrepreneurship.

  For his book, Ferriss asked famous people from his impressive network 11 questions, and then the magic just happened. For me, this immediately sparked the idea that there should be a cybersecurity version of the book. So, I compiled the most common questions people ask me about cybersecurity and then narrowed it down to the list you are about to see.

  In total, I ended up with 14 questions. The questions start with views of cybersecurity at large and then become more personal. I have noticed that when I have conversations at conferences, this is the normal flow. We call these types of conversations “hallway-con,” because some of the best learning happens between the scheduled talks and events.

  After compiling the questions, I started reaching out to my network of friends and colleagues in the industry and asked them to be part of this book. I was humbled by the response. In total, we ended up with 70 inspiring and thought-provoking interviews with notable hackers—including such luminaries as Lesley Carhart, David Kennedy, and Bruce Potter.

  But before we launch into the interviews, let's take a quick look at the questions:

  If there is one myth that you could debunk in cybersecurity, what would it be?

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Do you need a college degree or certification to be a cybersecurity professional?

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  What qualities do you believe all highly successful cybersecurity professionals share?

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  What is your favorite hacker movie?

  What are your favorite books for motivation, personal development, or enjoyment?

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  What is a life hack that you'd like to share?

  What is the biggest mistake you've ever made, and how did you recover from it?

  Before we wrap up, a quick note about the book: we edited every interview to improve flow and readability, and in some cases, this meant abbreviating answers or deleting non-responses. You'll also notice that we've included contact information at the beginning of each biography indicating where you can find each hacker on the Web, as well as on social media. We're an engaged and tight-knit group, and we hope you'll join us.

  Creating this book has been an amazing journey, and I hope the answers to these questions help guide you along your path.

  Marcus J. Carey

  CEO Threatcare

  January 1, 2018

  1

  Marcus J. Carey

  “Even if an organization is compromised by a zero-day attack, the lateral movement, registry manipulation, network communications, and so on, will be apparent to a mature cybersecurity practitioner and program.”

  Twitter: @marcusjcarey • Website: https://www.linkedin.com/in/marcuscarey/

  Marcus J. Carey is a cybersecurity community advocate and startup founder with more than 25 years of protecting government and commercial sensitive data. He started his cybersecurity career in U.S. Navy cryptology with further service in the National Security Agency (NSA).

  If there is one myth that you could debunk in cybersecurity, what would it be?

  The biggest myth that I hear is how attackers are always changing up their tactics. While it is true that new exploits come out over time, the initial exploit is just the tip of the iceberg when it comes to attacker movement on a system or network.

  Even if an organization is compromised by a zero-day attack, the lateral movement, registry manipulation, network communications, and so on, will be apparent to a mature cybersecurity practitioner and program. So, their tactics don’t really change a lot.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  The easiest thing an organization can do to prevent massive compromise is to limit administrative accounts on systems. In the military, we obeyed the “least privilege principle” when it came to information access. Organizations should do the same when it comes to their own administrative access. If attackers are able to compromise a user with administrative credentials, it’s essentially game-over; they now have all the keys to the castle.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Unfortunately, I believe that we are spending too much money on cybersecurity products that bill themselves as silver bullets. Another thing is that there will always be breaches. Anything connected to a network can be compromised and the information pilfered. What really matters is can an organization detect and defend the attacks?

  I recommend that organizations get the basics down really well before they blow money on a lot of products. Instead, organizations should hire and train people to defend their networks. In most cases, I’ve found that there isn’t enough investment in the personnel responsible for securing networks.

  Do you need a college degree or certification to be a cybersecurity professional?

  Years ago, the answer would certainly have been “Yes, you need a college degree.” When I was growing up, I was told that I needed to go to college. All of the “successful people” I knew had some form of higher education. Luckily, I went to the military and was able to eventually earn a master’s in network security. I still believe I needed it back then and surely do not regret anything.

  However, this is 2019, and I do not feel this way anymore. My son has been working as a software developer for a cybersecurity company since he was 16 years old. In technology, especially software development, you can prove your knowledge through blogging, podcasting, and working on open source projects. GitHub is the new résumé for software developers.

  I understand that college degrees or certifications are still valid because they show minimal mastery of a subject matter. But nowadays, there are so many more ways to show actual experience. So, in short, my answer to this question is yes, no, maybe, and it depends.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I remember being fascinated by computers ever since I saw the movie WarGames. I never had a computer growing up, but I did take a few classes on coding in middle school and high school. Since I couldn’t afford to go to college and really wanted to, I joined the U.S. Navy for the Montgomery G.I. Bill.

  I scored pretty well on my ASVAB (military aptitude test). At the military processing center, I told them that I didn’t care what job I got as long as it had to do with computers. I was told I would be training at a school for cryptologic technical communications. It ended up being awesome. It allowed me to work for the Naval Security Group and the National Security Agency for the first eight years of my adulthood. I learned a lot about cryptography, telecommunications, system administration, basic programming, and internetworking.

  The military isn’t for everyone, but it definitely helped me. I always tell anyone considering the military route to demand from their recruiter a career field and skills that are applicable to the civilian world.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I’d say my specialty is understanding internetworking really well. I gained these skills while working in the Navy and at the NSA. A big part of gaining expertise in that subject was reading a lot of books and taking several Cisco Systems certifications. After getting the certifications, I was in a better position to practice related skills and gain even more experience.

  My advice is to try as hard as you can to validate your knowledge so that others will give you a chance. This is extremely important. Every time I acquired a certification, I was given so many more opportunities. Eventually, I was the first military service member to become part of the NSA’s global network engineering team. That was a big deal, and I learned a lot from my time there.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  I’ll take a swing at a couple of these. First, my advice for getting hired is to look at job postings and reverse engineer them. Create a résumé that mirrors what they are asking for if you already have the skills. If you don’t have the skills, I recommend using your free time to learn those missing skills by reading, using open source software, and consuming any free training you can find. I’ve found that even if you don’t have the necessary degree, years of experience, or certifications, there is still hope. Don’t limit yourself and think that you aren’t good enough for a job based solely on those requirements. If you believe that you have the skills to do a job, you should always apply.