Tribe of Hackers
Marcus J Carey
I identified security deficiencies and implemented technical solutions. If policies or procedures did not exist, I wrote them. When awareness training was not being delivered, I researched best practices and created web-based training. If no one wanted to lead audits, I raised my hand. When monitoring was deficient, I deployed an IDS and SIEM. Whatever work was not being done, I always viewed that as opportunities, regardless of role or title.
Here’s my advice for newbies:
Don’t be too proud to apply for tech support or sysadmin roles to get your foot in the door.
If you are a member of a minority group, connect with people in other minority groups in the industry. All experiences are not created equal, so it is important for you to connect with people who can help you navigate certain issues that others will not acknowledge, understand, or care about.
Relationships are key: give back to the security community before you need a job.
Publish research, projects, and/or problems you’ve solved on LinkedIn, established blogs, or your own blog.
Volunteer at tech user groups, chapter meetings, and conferences.
Analyze local supply and demand to identify specific talent shortages in your region and “skill up.”
Understand the business side of security.
Be nice, share knowledge, and send the ladder back down when you succeed.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I specialize in deploying and maintaining advanced monitoring solutions to maintain secure configurations, support incident response efforts, reduce risk, increase automation, and comply with regulatory requirements.
You gain competence and confidence with dedication to your craft. You do not have to wait for invitations to teach yourself anything in the age of the internet. Many companies have free versions of their products on their websites. If you have an opportunity to work for a product company like Splunk or Tripwire, both are inclusive companies that provide pathways into careers in some of the largest organizations in the world. Those are just examples. Working directly for the product companies is one of the best ways to gain the technical skills needed to build expertise in this area.
Working in sysadmin, tech support, and compliance roles can also prepare you for this specialty. It really requires someone well rounded to be successful. The industry loves to glorify tech skills (and they are important), but people skills are a huge asset.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Always negotiate total compensation, not just base pay.
Be so good at what you do that people cannot ignore you.
Create SMART goals to drive your career.
Your career plan is not a one-time exercise.
Have a results-oriented résumé.
Your network determines your net worth. If you’re part of an underestimated group, your journey will likely be filled with obstacles that others may not face. You will also have to put in extra work to gain access to opportunities. Do the work, network, and find mentors.
Control Google results about yourself with an online portfolio.
Dress for the job you want, not the one you have.
Some jobs are just chapters in your career; close them when necessary.
What qualities do you believe all highly successful cybersecurity professionals share?
Being highly successful is subjective. Some people define success by the number of social media followers. Others define it by industry fame. I lean toward defining success by using influence to make a positive social impact. People who do that share a common character trait of wanting to empower others. They also lead with empathy.
We need to elevate these influencers and stop worshiping the people who exhibit toxic behaviors.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Geostorm is a movie about network-controlled government satellites built to control the climate, but greed is involved. What could go wrong?
What is your favorite hacker movie?
BlacKkKlansman, a movie based on a true story about the first African American detective to serve in the Colorado Springs Police Department. Soon after joining, he went undercover and infiltrated the KKK.
What are your favorite books for motivation, personal development, or enjoyment?
Becoming by Michelle Obama
How Exceptional Black Women Lead by Keirsten Brager
Secure the InfoSec Bag: Six-Figure Career Guide for Women
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Use a password manager.
Add two-factor authentication to high-risk accounts.
Review security and privacy settings regularly.
Communicate securely and privately where possible.
Talk to your family about digital security and privacy checkups.
I published a 60-Minute Digital Security Checkup on Homeland Security Today. You can check that out here: https://www.hstoday.us/subject-matter-areas/cybersecurity/cybersecurity-101-five-back-to-school-tips-to-stay-safe-online/.
What is a life hack that you’d like to share?
In our line of work, we all spend an extraordinary amount of time staring at screens. Therefore, I’m going to propose a self-care hack: follow fewer people on social media.
When you’re new to the industry, you’ll want to learn all the things and follow all the people in the listicles and #ff lists. Let me warn you: it is not healthy.
Instead, replace some of the time you spend mindlessly scrolling social media with some form of physical activity. You can do this even after you’re a parent.
I used to sit on my phone while the kids practiced for sports after school. Now I bring my dumbbells or kettlebell to exercise while they practice. I also started walking, riding my bike, and/or doing Zumba several times a week instead of staring at my phone in disbelief about the current state of world affairs.
My point is that you do not need a gym membership for self-care. All you need to do is decide less social media, more self-care.
What is the biggest mistake you’ve ever made, and how did you recover from it?
The biggest mistake I made during my career was believing that I had to be 100 percent qualified for roles with job descriptions that were a college essay long. I recovered by coming to the realization that I do not want roles that are five positions written as one.
I also decided that I would apply for future roles of interest even if I am not 100 percent qualified. If a reality TV star can be hired to lead national security, I can do anything. ■
7
Evan Booth
“Between the proliferation of information security conferences (many of which are inexpensive or free) and the abundance of online learning resources and challenges/CTFs, it is easier now than ever for someone to learn the skills required to work in the industry.”
Twitter: @evanbooth • Website: fort.ninja
Evan Booth is a builder, architect, developer, and challenge designer at Counter Hack—a company devoted to building fun and engaging challenges that educate and evaluate information security professionals. When Evan isn’t struggling to get his job title to fit in HTML forms, he loves building stuff out of other stuff, spending time with his family, and hitting the character limit on this bio.
If there is one myth that you could debunk in cybersecurity, what would it be?
“Real hackers wear dark hoodies.” My theory is that the predominant hacker stereotype cycles between the shadowy, hoodie-clad character and the aggressive silhouette rendered entirely out of 1s and 0s based on some combination of factors that have yet to be determined.
How is it that cybersecurity spending is increasing but breaches are still happening?
Effective marketing is effective. Ooh! Someone should put together high-gloss sales materials for those boring, tried-and-true security practices. “Introooooducing [insert lasers + lens flare] Not Leaving Default Credentials on Your Network Printer™—version Blockchain. Cloud PLATINUM…”
Do you need a college degree or certification to be a cybersecurity professional?
Man, I sure hope not. Between the proliferation of information security conferences (many of which are inexpensive or free) and the abundance of online learning resources and challenges/CTFs, it is easier now than ever for someone to learn the skills required to work in the industry. That said, I think it’s important to recognize that there’s a wide variety of learning styles and that lots of people thrive in structured learning environments like traditional degree and certification programs. That’s perfectly okay.
In any case, I would strongly recommend pairing your education—however it may come—with a mentorship with someone currently working in the industry. This should be someone who can help you learn what you don’t know and, more importantly, help you identify skills and concepts that you don’t know you don’t know.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I suppose I technically started as a mischievous kid with a healthy level of curiosity, a shared phone line, and a 14.4K modem. But for the sake of brevity, I’ll skip ahead a decade or so and say I started by being an active participant in the “hacker” community. You see, I’d been working for some time as a software engineer when I heard about this “penetration testing” thing where you basically get a pass to be a bad guy, break into places, and compromise their networks. Well, I just thought that sounded fun as hell, and I figured I’d give it a shot. So, I started learning about lock picking and surreptitious entry. A few months and some ski masks later, a colleague and I were slipping through a window in the dead of night, disabling the alarm with a code that had been conveniently provided to us by the alarm company—after having impersonated one of the client’s employees using info we’d found on a network share earlier in the engagement. Good times.
If you’re expecting me to say, “It’s that easy!” at this point in the story, it’s important to note that I still wouldn’t have considered myself to be a qualified industry practitioner. In fact, outside of some pretty solid findings, a fairly comprehensive report, and a happy client, the most persuasive evidence of competence to that end was that I hadn’t managed to find myself on the business end of a police-issued taser. However, the experience was instrumental in validating that I’m most satisfied and firing on all cylinders when I’m building things as opposed to breaking them, even though I find both highly enjoyable. Additionally, it prompted me to attend my first information security conference, CarolinaCon, which is an excellent annual gathering of hackers held in Raleigh, North Carolina. I can still remember the talks, the people, the packed TOOOL lockpick village, and learning about all the cool projects people were working on.
Fast-forward a couple years, and I was presenting my own work, Terminal Cornucopia, at the third annual DerbyCon conference in Louisville, Kentucky. After the talk, a gentleman in a porkpie hat who had attended the talk walked over, introduced himself, and started a conversation that ultimately led to a job offer—one that I, after taking way too long to come to my senses, would eventually accept. The gentleman was Mr. Ed Skoudis, and the job was building security-related challenges for products such as SANS NetWars and Holiday Hack Challenge.
The best advice I could give people who are pursuing a career in cybersecurity is this: don’t wait until you have an InfoSec job to get involved in the InfoSec community. If you want to dance, go where the music is playing.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My professional background is in software engineering and information architecture, and I love to build stuff.
There are enough free educational resources out there on those topics to choke a donkey—just pick a topic and dive in!
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
There may be a typical career path or whatever, but that doesn’t mean it has to be your career path. Early and often, try to intentionally put yourself in the way of work that complements your strengths. If you aren’t sure what your strengths are, I highly recommend taking the CliftonStrengths assessment.1
What qualities do you believe all highly successful cybersecurity professionals share?
They all either teach or write tools at a very high level and, in many cases, do both.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
What’s that one movie where Anonymous uses social engineering and open source intelligence (OSINT) to bankrupt a local small business owner while they’re offline due to a nasty virus? Oh right, that was Tom Hanks and Meg Ryan in You’ve Got Mail.
What is your favorite hacker movie?
Joe Dante’s Explorers, circa 1985.
What are your favorite books for motivation, personal development, or enjoyment?
The Complete Calvin and Hobbes by Bill Watterson. It’s basically an instruction manual for life.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Keep your software up to date.
Use a password manager.
If someone contacts you first, stop and verify the number/email address/carrier pigeon before relinquishing any information.
What is a life hack that you’d like to share?
Unless you are actively working on something that carries at least a 50 percent chance of complete and utter failure, the odds that Steven Seagal or Chuck Norris will ever portray you in a direct-to-video movie are pretty much zero.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Early on, I spread my time extremely thin working on tech startups for “sweat equity.” Ugh. I didn’t have nearly enough time to devote to them, and they ultimately ended in failure. Steven Seagal and Chuck Norris were wildly disappointed. ■
Note
1. You can take the test here: https://www.gallupstrengthscenter.com.
8
Kyle Bubp
“Perhaps I’m just jaded by all the marketing, but I think the biggest myth in security is that risk can be reduced, and security posture can be improved, by purchasing products.”
Twitter: @kylebubp • Website: kylebubp.com
For more than a decade, Kyle Bubp has worked for enterprises, hosting providers, the FBI, the Department of Energy, and the Department of Defense to analyze and improve their security posture. As co-founder of Savage Security, he focused on cutting through fear, uncertainty, and doubt (FUD) to help make defensive strategies cheaper and easier for customers. His company was later acquired by Threatcare, where Kyle served as the director of strategic services and worked directly with the CEO. Kyle continues to develop practical defensive strategies, research security issues, and publish articles and presentations on improving the security industry. Outside of work, you’ll find him hiking, riding motorcycles, hitting the gym, playing music, and exploring the globe.
If there is one myth that you could debunk in cybersecurity, what would it be?
Man, this is tough, because I’ve spent the latter part of my career trying to debunk cybersecurity myths. In fact, I started a company whose number-one goal was to change the industry. The decision to quit my job and start a bootstrapped security consulting company was likely fueled by my displeasure with all the myths in the industry.
Perhaps I’m just jaded by all the marketing, but I think the biggest myth in security is that risk can be reduced, and security posture can be improved, by purchasing products. In my experience, extremely secure networks cannot be built by investing millions in security products but instead require process, procedure, and configuration changes.
I liken this to the way we treat personal health as well. It’s the reason there are so many fad diets and why the diet industry has to continuously come up with new ways to convince you that they can make you healthier in less time. Less time than it would take you to do the things we know make you healthy: eat right, get plenty of rest, stay hydrated, don’t smoke, and drink in moderation.
The cybersecurity industry does the same thing. Instead of taking the time to implement proper policies, procedures, training, and configuration, the marketing machine of the industry tries to sell you fad diets for your technical debt. And, just like personal health, even if you do lose the weight/become more secure, statistics show that you’re going to put that weight back on (and maybe more) within the year, just as you will reclaim that technical debt that your silver-bullet solution was supposed to solve.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Least privilege—not only least privilege in the user permissions sense but in all areas of technology and business processes. From the technical sense, users should be given the minimum number of permissions they need to do their work. This generally means no local admin, no right to read (or modify) data that they don’t absolutely need, and no ability to enter physical areas they don’t need access to in order to do their jobs.