Tribe of Hackers


  I got a lot out of The Tipping Point, Blink, and Outliers by Malcolm Gladwell. These books helped me understand how to get my ideas to reach critical mass, how decisions are made, and what I can do to improve my chances of success by taking a scientific approach. I’m also a big fan of the Freakonomics books because, as an InfoSec professional, I think it’s fun to see how things relate to each other even when there is seemingly no logical connection.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  First things first, desynchronize your passwords! That’s the number-one thing you can do. Use a password manager to maintain separate and complex passwords across all your accounts. This is the biggest bang-for-your-buck you can have in terms of home security. If a site offers two-factor authentication, go ahead and activate it. There’s a great resource at Twofactorauth.org that can help you find the systems that support two-factor authentication and show you how to activate the service. Just the other day, a loved one told me that they’d received notification that there was a failed login from a different country. They immediately changed their password but didn’t know for sure whether the attacker got into their account. In this scenario, the detect and response parts worked great, but what we are really after is prevention. Multifactor authentication is a must.

  What is a life hack that you’d like to share?

  It starts with you. Take care of yourself. Your health and your happiness are force multipliers. If you feel good and are happy, there is no limit to what you can accomplish. Be sure to take the time to pursue passion projects as well. Passion projects keep that fire burning inside of you and lead to professional growth. If all you do is go to work, cruise through incident alerts, and then go home, you are prone to burnout. Take a few hours a week to research or play with a VM lab or something. Whatever it is, do something you want to do. Even as a manager, I keep a copy of Kali and other VMs on my laptop to play around with. This isn’t a part of my job anymore, but it makes me happy to tool around with attack tools and helps me better relate to our engineering teams.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  The biggest mistake I ever made was believing the mark of success was tied to money. This had a destructive effect on my career as I began pursuing opportunities only because of the potential payoff and not because I believed in the work, the company, or about my own happiness. My recovery began by being laid off.

  Coincidentally, I also found out around this time that I was going to be a father. I had much more to care about than just making money or advancing up the career ladder at this point. I had a small person who would soon depend on me to provide food, shelter, protection, and love. I couldn’t offer these things by solely focusing on the next promotion or the next raise. Ultimately, I wanted to focus on being happy and creating a happy home for my family, and the funniest thing happened…I began to enjoy an incredible professional renaissance and experience success at a level I never knew was possible. My biggest mistake was not realizing what was really important. The universe helped correct this by offering me a chance out of a dead-end job and a family to focus my attention on. My path isn’t for everyone, but it’s important that you find what makes you happy and what matters to you. When you’re fulfilled, success tends to follow. ■

  3

  Andrew Bagrin

  “The breaches are not a result of higher spending; the higher spending is a result of the breaches. It goes to show that the world is far from ready to handle breaches and most organizations are very likely underspending—increasing their risk in order to reduce cost.”

  Twitter: @abagrin • Website: www.linkedin.com/in/abagrin

  Andrew Bagrin is the founder and chief executive officer of OmniNet, a leading provider of firewall as a service (FWaaS) for small businesses. With more than 20 years of experience in the IT security industry, Andrew started OmniNet in 2013 to bring cloud-based, enterprise-level security technology to small businesses at an affordable price. Prior to founding OmniNet, Andrew served as the director of service provider business development at Fortinet, a network security provider. A network security expert, Andrew has been quoted in a variety of media outlets, including the New York Times, Bloomberg Businessweek, Small Business Computing, Columbia Business Law Review, and Business Solutions Magazine.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  Focusing on the small and midsize business (SMB) arena for the last five years, my answer is geared toward that world. I often see and hear that people in the IT world believe that “we are secure because we use Product X.” In a way, the CySec blue-team vendors are responsible for this dangerous mind-set because they’ve inflated the scope and capability of their products to make sales. They also minimize the effort it takes to properly set up each system in an organization. The myth of “being secure” has long been debunked in the larger enterprise for the most part. Security is not a red or blue pill, and there is no absolute security. Security is a business decision to reduce or mitigate the risk posed by the cybercrime world at large, and this is accomplished by balancing the different aspects of defending your organization according to the organization’s risk tolerance and profile.

  The truth is, there is no amount of security, systems, protection, or processes you can put in place to be 100 percent secure. The only way to prevent death is to already be dead; otherwise, there is always a risk of being killed. One hundred percent security is a myth.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  This really depends on the type of organization in question, but there are several industry-based frameworks and guidelines to help. Some examples are PCI and HIPAA, which are extensive, but they do have requirements that are specific to each organization. There is also the NIST framework—that’s more of a general framework for all business types. If you want to have the best bang for the buck, leverage the systems you already have properly. Don’t ignore obvious big problems.

  A basic security foundation should include three things:

  Process/procedure: Authentication, data management, access control, and so on

  Network security: UTM/NGFW

  Endpoint security: EDR or at least some protection from downloads/attacks, and so on

  Once you have these three items in place, work on tweaking and tuning them so they provide maximum effectiveness and proper information.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  The breaches are not a result of higher spending; the higher spending is a result of the breaches. It goes to show that the world is far from ready to handle breaches and most organizations are very likely underspending—increasing their risk to reduce cost.

  Unfortunately, when that strategy didn’t pan out, the organizations started increasing their cybersecurity spending. The other big contributor is the rapid increase in technology. Where there is new technology, there will be vulnerabilities and more security required to protect those new technologies.

  Do you need a college degree or certification to be a cybersecurity professional?

  I sure hope not…. Some of the best cybersecurity professionals I know don’t have any degrees or certificates; however, education is always a good thing and does help. I would never discourage someone from getting a degree or certificate, but I would also not discourage anyone from getting into CySec without a degree or cert.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got into it from the networking side of things and the firewall world. Later, I became a pentester and then got back to the blue side for most of my career.

  At the time, I was the youngest and newest member of a team and got all the stuff no one knew or wanted to work on. Firewalls was one of those.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  My specialties are network architecture and network security architecture, as well as how network security is implemented in a managed service environment. To gain experience, you just need to continue to do, learn, and get better. Before trying to get into security, you should understand networking in general. If you don’t understand what a packet looks like throughout its life, it will be really hard to fully understand network security.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Always continue to learn and stay on top of what’s going on. The CySec world advances quickly, and it’s easy to be left behind if you don’t stay in tune with that world. The rest of the success comes from human interaction, which is sometimes the hardest thing for CySec technical people. Just be a respectful human being; the industry is small, and you don’t want to burn bridges.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Most successful people I know in CySec have a desire to always learn more and discuss what they find or learn. Since the industry changes so quickly, you need to be able to learn what’s changing, discuss that with peers, and articulate it to non-CySec people in a way that will make sense to them.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  I can’t really think of any movies that excite me on hacking and its challenges; usually they just provoke embarrassment when they try to say something technical. There are lots of great hacking books. One of the first I read was Hacking Exposed, which gave a great overview of the basics of hacking and how it all works. Maybe one day we’ll make an entertaining movie that is technically correct as well.

  What is your favorite hacker movie?

  I would have to say Swordfish, mainly for its entertainment quality and for portraying a hacker as something other than a geeky little kid. I also like the old Hackers movie since it was one of the originals.

  What are your favorite books for motivation, personal development, or enjoyment?

  I read fewer books since I got hooked on The Great Courses Plus. I try to get through a lecture series in a month (sometimes two months) and gain real knowledge about things that I find fascinating. Learning new, interesting things is something I’ve always enjoyed doing.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Don’t use the same login in multiple places. Always change your password, even if by one character. Add the letters PP to your PayPal password or BoA to your Bank of America password. It will at least change the hash; this way, if your LinkedIn or Adobe credentials get compromised, you don’t have to change your password in 100 other places.

  What is a life hack that you’d like to share?

  To avoid making a bad decision that I would regret in the future, I visualize myself as my future self giving my present self advice. We always say things like, “I shouldn’t have eaten the whole tub of ice cream.” As your future self, you’re more disconnected from the immediate gratification and more in tune with longer-term, higher rewards. The more you practice this, the better you become at it. Successful people have the ability to postpone gratification.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I once started an advertising company but knew little about advertising, the industry, or anything about it. I set up the entire system technically and got things working. Luckily, the largest part of my investment was in the technical part, and I was able to sell the majority of it without too big of a loss. It was an important lesson that taught me to do my research before jumping in and spending large amounts of money. ■

  4

  Zate Berg

  “You have to learn to balance the technical stewardship of ‘securing all the things’ with understanding the motivations and drivers of the business, and you have to figure out how to get everyone to take ownership of the security of their products and systems.”

  Twitter: @zate • Website: blog.zate.org

  Currently employed as a security leader, Zate Berg has knowledge in a wide variety of technologies and prides himself on being able to quickly spot security problem areas and recommend corrective action. He is especially interested in application security, vulnerability management, network security monitoring, and penetration testing. Zate enjoys the challenge of pushing the limits of existing technologies, mastering new technologies quickly, and solving the hardest problems. He seeks to challenge himself in everything he does—building relationships through teaming, coaching, and the sharing of ideas—and does so in a manner that builds integrity and trust.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That free tools and free software are free. Often, they are not. “Free” means you need expertise (in systems that are often poorly documented), you need more people to manage it, and it will take longer. When working out the cost, factor in the cost of time to value (how long it takes before it’s doing what you need), the cost to learn it, and the cost in terms of hardware and people to make it work. There’s no such thing as “free”; it always costs you something.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Ingest and monitor your DNS logs. Seriously, set up some kind of free repo (repository) for them (ELK, etc.). Route these logs into the repo you’ve created, and start looking. It’s a gold mine of what your systems are doing, who is talking to what, when, and so on. A step above that is something like Bro IDS on egress traffic to allow you to examine metadata about the actual connections. If you’re good on those, educate your users; get them using a password manager. All of this is foundational, but it’s the foundational things that most places are bad about and that most attacks take advantage of.
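
  One way to "start looking" once DNS logs are collected, shown as an added example that is not from the book or the interviewee: compare the current day's queries against a baseline and list domains never seen before, with which clients asked for them and when. The `timestamp client qtype qname` log layout, the addresses and the domains are constructed for illustration.

```python
from datetime import datetime

# Constructed sample lines; the "timestamp client qtype qname" layout is an
# assumption for this example, not a real resolver's log format.
BASELINE_LOG = """\
2024-05-01T09:00:01 10.0.0.11 A intranet.example.com
2024-05-01T09:00:04 10.0.0.12 A mail.example.com
2024-05-01T09:02:10 10.0.0.11 AAAA updates.vendor.example
2024-05-01T09:05:33 10.0.0.13 A mail.example.com
"""
TODAY_LOG = """\
2024-05-02T09:00:02 10.0.0.11 A intranet.example.com
2024-05-02T03:14:07 10.0.0.13 TXT a9f3k2.cdn-sync.example
2024-05-02T03:14:09 10.0.0.13 TXT b7q1z8.cdn-sync.example
2024-05-02T09:01:15 10.0.0.12 A mail.example.com
malformed line without enough fields
"""

def parse(log_text):
    """Yield (timestamp, client, qtype, qname) tuples, skipping bad lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].upper(), parts[3].lower().rstrip(".")

def parent_domain(qname, labels=2):
    """Crude grouping by the last two labels (no public-suffix handling)."""
    return ".".join(qname.split(".")[-labels:])

def new_domains(baseline_text, current_text):
    """Report domains queried in current_text that the baseline never saw."""
    known = {parent_domain(q) for _, _, _, q in parse(baseline_text)}
    report = {}
    for ts, client, qtype, qname in parse(current_text):
        dom = parent_domain(qname)
        if dom in known:
            continue
        entry = report.setdefault(dom, {"clients": set(), "qtypes": set(),
                                        "first_seen": ts, "count": 0})
        entry["clients"].add(client)
        entry["qtypes"].add(qtype)
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["count"] += 1
    return report

if __name__ == "__main__":
    for dom, e in sorted(new_domains(BASELINE_LOG, TODAY_LOG).items()):
        print(dom, sorted(e["clients"]), sorted(e["qtypes"]),
              e["first_seen"].isoformat(), e["count"])
```

  A domain appearing here is a prompt for a closer look, not a verdict; on real data the baseline would cover weeks of logs rather than one day.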

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Most companies still see cybersecurity as something their cybersecurity team does. The people who build things, administer things, and run the business are not making security part of their job, and they’re expecting their underfunded, understaffed, overworked security teams to secure everything—but without impacting the business. The business itself needs to take cybersecurity seriously, not just write some policy, give the cybersecurity team a budget for some people and tools, and then let them go. Security needs to be an important part of business decisions, just like any other risk is. If your business leaders are weighing all the risks associated with the business but they’re not taking enough interest in the cybersecurity risks, there will be significant gaps.

  Do you need a college degree or certification to be a cybersecurity professional?

  No. I have no degree, and I’ve let my CISSP lapse. Degrees and certs are good for baseline knowledge, but our industry moves very fast, and if you’re not constantly learning both inside and outside of work, you will lag behind. When I’m interviewing interns or people right out of college, I look over what field their degrees are in, but I don’t really care. What I care about is do they have enough passion for this field to do the real learning outside of their school time? Do they have a home lab, a GitHub? Are they up on the latest things happening in security? I’ll take a mechanic with no experience who has taught themselves enough to get their foot in the door over a college grad with no outside passion who’s just done the course material.

  I don’t need people who know the answer; I need people who will recognize the answer when they see it. The answers are always changing, same as the questions, so you have to be able to move and adapt your learning.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got started in the Australian Army doing basic IT-related things—setting up servers, building networks out in the field, and connecting them over satellites. It wasn’t until a few years later, when I was working as a Solaris Unix admin for PwC, that I got the break into cybersecurity. I was always pushing for security on our Unix systems (and the few Linux systems I managed to sneak in). Throughout my career, since the Army, I have always been security conscious. Whether it was proving why we needed to restrict LotusScript in Lotus Notes emails—by writing a script bomb that was sent to everyone on the email when it was opened/read/deleted—or by pushing hard for getting our Unix systems to be patched quarterly, I was generally the squeaky security wheel. Eventually, I was “encouraged” to interview with the security team at PwC US IT in Tampa and was given a book to study overnight (The 19 Deadly Sins of Software Security). I guess I passed because I transitioned to the US IT Security team and did threat and vulnerability management (TVM) and application security (AppSec) on internal applications and systems.