Saturday, February 23, 2019

Tribe of Hacker Responses

When I shared my review of Marcus and Jennifer's Tribe of Hackers, I suggested to the reader that there was value in responding the questions themselves.  In this post, I'm sharing my first swag at my own responses to Marcus's questions.

1. If there is one myth that you could debunk in cybersecurity, what would it be?
That it's all about technology.  There is much more to "cyber" than technology, largely because technology is designed, purchased, employed, deployed, used, and abused by people.  When it comes to software products, it's people who use them.  When you're threat hunting, it's one person or team against another.  Policies are created, enforced, and abused by people.

There was an engagement that I was working with several other team members, and we'd identified a number of systems from which we required images for analysis.  All of these systems were in the data center, and none of them were "easy".  Needless to say, none of us wanted to stay in the data center for the time it was going to take to acquire the images, so we set our processes up, and then covered EVERYTHING in tape and signage.  In some ways it was as necessary as it was ridiculous.  We did this because we knew that the technology and process were sound, but that someone would likely come in and remove everything.

If you have kids, particularly ones that are grown now, you'll know one aspect of what I'm referring to.  Kids can be like a hive mind; they're all texting and on social media, and when one of the finds something interesting or new in the technology they use, within seconds, they all know it.  It doesn't matter if it's some undocumented feature in the new phone someone got, or something that allows parents to monitor the kid's activities through the latest social media app; as soon as one knows, they all know.  If this doesn't illustrate that people are the key, I don't know what does.

2. What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture?
C- and E-suite executives, particularly the CEO, must take the cybersecurity posture of the organization seriously, and make it a priority.  And I mean, really make it a priority, not say that it is and then go back to what they were doing..  You can't just talk the talk, you have to walk the walk.

If the CEO says that security is important, those within the company will know based on her actions, not her words.  If they see her tailgating into the office after issuing a "no tailgating" policy, even once, the policy is no longer effective.

You can hire all the "smart people" you want to help you with your security posture...a lot of organizations say that they do exactly that.  "We hire smart people, and they tell us what do do."  Sure, okay...but do you listen?  I know a lot of smart people who have left organizations out of frustration because they said what needed to be done ("...we need to implement multi-factor authentication on our remotely accessible resources..."), but it hasn't been done, even after events have occurred that illustrated the need.

Wrestlers and snakes know, where the head goes, the body follows.  So, make cybersecurity a business process.  Businesses have all kinds of processes, from payroll, to vendor and partner vetting, to fulfillment and customer service.  Making cybersecurity a business process makes it part of the business, not the clumsy, drunk uncle that shows up on the holidays.

3. How is it that cybersecurity spending is increasing but breaches are still happening?
Spending does not equate to security.  Years ago, I responded to a customer who'd purchased three copies of ISS's RealSecure IDS product.  You're thinking, "wow, that's oddly specific...", but the fact was that one copy, still in the shrinkwrap, was being used to prop open the door to the SOC. People get hired into fancy new positions with big salaries, and are completely ineffective against embedded corporate culture.

4. Do you need a college degree or certification to be a cybersecurity professional?

I say this with the understanding that when you write your resume, as with anything else, you have to keep your audience in mind.  After all, being a "professional" implies that you're paid by someone, and in order to be paid by someone, you need to get a job.  Part of that is having a degree.  From my perspective as someone who has been a "gatekeeper" once or twice, when someone is looking to fill one position from 50 candidates, there has to be some way to trim the field, and a degree, any degree, is one way to do that.

Do you need a degree to be good at what you do?  No, not at all.  I've worked with some really exceptional practitioners who are really, really good, and I've worked with people with advanced degrees that have left me shaking my head in wonder.

5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got started in "cybersecurity" back in '95, while I was in graduate school.  I asked a question that someone refused to answer.  It wasn't that they couldn't answer the question; they looked at me, smiled, and walked away.  Had their answer been different, I might not be where I am today.

My advice...engage.  The "cybersecurity" field has grown to be so large as to be overwhelming. Engage with a mentor to help you narrow things down, specifically to help you determine what you want to do in this field.

One reason why I recommend engaging is that my career in cybersecurity started long before I was in cybersecurity, going back to times when I learned or did things that laid the foundation for what I do now, but even today, are not really discussed.  For example, I took public speaking in college (circa '86).  Throughout my military training, there were multiple times when I was given a limited amount of time to prepare a short "speech"; that is, learn to speak coherently on the fly, in public.  I was evaluated multiple times during training, had to use it in my job, and then when I went back to the training environment, I had to evaluate others on their ability to do the same.

There was also a great deal that I did with respect to planning, and then executing that plan.  I found that this helped me a great deal when planning and executing assessment exercises, incident response engagements, etc.

What I'm saying is that, as is the case with others who "grew up" in cybersecurity before there really was such a thing, there was a great deal that I brought with me when I moved into a field that was very much in its infancy.  A lot of these things are not included in the courses or programs of instruction today, but are indispensable nonetheless.  The only way folks today are going to "catch up" is to actively engage with those who have been in the field for some time.

6. What is your specialty in cybersecurity? How can others gain expertise in your specialty?
Early on, I was doing assessment work, including war dialing. Not too long afterward, I moved into digital forensics and incident response work, and I've been doing that for quite some time.  Over a decade ago, that work started including targeted attacks, by both ecrime and nation-state actors.

I'm probably most known for the DFIR side, particularly as it applies to Windows systems.  I've also spent some time looking at data structures within files found on Windows systems, with an eye toward using metadata to extend analysis, as well as to inform and extend the threat intelligence picture.

The field has grown significantly since I started, and has gotten to the point where it is almost impossible to keep up.  My recommendation to anyone is to pick someplace to start...just pick one.  Look at it the way you "eat an elephant", so to do so one bite at a time.  Are you interested in malware analysis?  Start small.  Focus on something to get started...say, the PE file structure.  Learn what it is, and what it should "look like".  Build from there.  Or, you may find out that that aspect of cybersecurity is not for you.

Regardless, the point is to not get overwhelmed by the enormity of it all; break it down into smaller chunks and start by taking that first step.  Then take another.  Then another.

7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Engage.  Get to know people, both in the field, as well as in other fields and disciplines.

Getting to know others in the field is going to have a profound impact on you.  First, it's going to help you with whatever level or degree of "imposter syndrome" with which you may have inflicted yourself.  Second, it's going to show that a lot of your assumptions about others are, again, self-inflicted, and wild misconceptions.

Above all, actively engage.  Clicking "like" and posting pictures of your food, your pet, or your workout is not actively engaging.  It's great to have hobbies and interests outside of cybersecurity, and it's something I highly recommend; however, in the age of "social" media, I think we've really lost track of what it means to actively engage.

8. What qualities do you believe all highly successful cybersecurity professionals share?
A sense of humor, and a focus on the goals that really matter.

Also, highly successful cybersecurity professionals understand the value in documenting things.  Truly successful professionals don't hoard information or experiences, and don't hide behind the "I don't remember" excuse.  There is too much that we don't know in this field to not be sharing what we do know, and one of the biggest qualities I see that truly successful professionals in this field share is sharing. 

9. What is the best book or movie that can be used to illustrate cybersecurity challenges?
There are two books that come to mind; "Once an Eagle" by Anton Myrer, and "Leadership in the Shadows" by Kyle Lamb.  Both are books that address leadership, but from a perspective that may be somewhat different than what you're used to.

Myrer's book is a fictional account of two officers, one who rises through the ranks by his own hard work and dedication, and the other who is "born" to it.  In a lot of ways, I see a parallel between these two officers, and what we see in business today.

Lamb's book is much more practical, but no less impactful or important.  Lamb addresses and discusses leadership from the perspective of a career working in special operations, providing lessons learned the hard way.  Leaders in the business world would see their effectiveness explode if they started following just some of what he describes in the book.

I know, I know, I've heard the same thing throughout my career in the private sector; "...that's the military, it won't work here."  The simple fact is that it will not only work, following (and living) military style leadership principles will have a profound effect not only on those around you, but the business, as well.

10. What is your favorite hacker movie?
"Hackers", hands down.  I not only enjoyed it (after all, it was a movie), but there are some very quotable lines in the movie, and when I'm giving a presentation I tend to share quotes from pop culture that, to me, are funny in the moment.  Movies from the '80s, '90s ("Hackers" is circa '94), and the later 2000s ("Deadpool") are fodder for many presentations.

11. What are your favorite books for motivation, personal development, or enjoyment?
I've always been a fan of first person perspectives of historical events, specifically first person accounts shared by military special operations personnel.  It doesn't matter if the event is VietNam, Iraq, Afghanistan, or any of the myriad smaller, undisclosed events, I find the "boots on the ground" perspective absolutely fascinating.  Having served in the military, and then working in DFIR, it's interesting that in both cases, there is the "historical write-up" of an event from a macro-perspective, but there is also the perspective of the individual working in the trenches.  It's that worm's-eye view that is often missed.

For enjoyment, I've always leaned towards science fiction.  William Gibson and Orson Scott Card are two of my favorites.  One of William Gibson's books talked about "locative art", or digital renderings that existed in a place, dependent upon your location and which direction you were looking.  Interestingly enough, we're starting to see some of that in VR realms. Card's series of books that started with "Ender's Game" have provided me with some great reading on plane flights.

12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

Simply put, if you don't want your drama on social media, don't put it there.

With respect to IoT, there's no reason why everything needs to be connected to the Internet.  Baby monitors do not need to be accessible to anyone and everyone. The simple fact is, when something is made "easier", it's made easier for everyone.  If you can search for accessible security cameras online with a simple query, why would a baby monitor or your refrigerator be any different?  When technology is developed and made widely accessible, the unspoken guarantee is that there is no security, and you don't need to be an "expert" to understand that fact, nor to abuse it.

Vehicles have all sorts of new "safety" features built in, not to protect the driver, but to offset and overcome all of the other distractions we've put in front of the driver.

13. What is a life hack that you’d like to share?
Don't listen to that inner dialog that prevents you from doing something.  A while back, I was going through a very dark time in my life, and was overwhelmed with the tasks I had before me.  To make things a bit worse, there were people actively working against me.  Let me be clear, this was not a perception based on the negativity that I'd wrapped myself in; these people were actively saying and doing things to make my life difficult.

However, in one moment of clarity, I had an epiphany.  I realized that if I broke the mountain in front of me down into management, compartmentalized components, I ended up saying to myself, "wait a minute...hundreds of people do each of these things every day, and do them successfully".  Why can't I?

That moment changed everything for me.

14. What is the biggest mistake you’ve ever made, and how did you recover from it?
Biggest?  Wow, where to begin?  I've made so many mistakes over my career that it's hard to pick just one. I've misplaced dongles.  I've said the wrong thing or reacted the wrong way in front of a customer.  I've had a small error in a script snowball into a much bigger mistake in my findings.

You can recover from mistakes, and if what we see in the news media on a regular basis is any indication, there is only one way to do so.  Own up.  Accept responsibility, and learn from the mistake.

One thing that I try very hard to do is recognize when I've made a mistake early on, own it, and most importantly, inform my boss as soon as possible.  Did you get a call from a customer, get on a late fly and fly all night (at considerable expense) and then miss the meeting because you overslept?  Bite the bullet, and tell your manager first.  Don't make excuses.  Yes, your manager will be upset, but not nearly as upset as they would be if they were hearing about the issue from the customer.

Mistakes are like breaches; you have to accept that they're going to happen. It's what you do about them that matters.  Own up, and learn from your mistakes.  Also, take every opportunity to learn from the mistakes of others, not just by passively following someone, but by actively engaging with them.  I guarantee you that if you get the opportunity to sit down with someone and engage over a beer, at some point, you'll find out what mistakes they learned from.

Note that others have taken up this mantle, as well.  For example, Mark Kelly shared his responses on LinkedIn.

No comments: