Tribe of Hackers
Page 8
Motivation to keep learning new things and to continuously get better at what you do. If you’re not trying to sharpen your skills, you’re falling behind.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I don’t get to read much these days, but I’ve been reading the book Daemon by Daniel Suarez. It might not be the best example, but it sheds light on so many different pieces of the security landscape. It allows you to think outside the box and see other perspectives, which is a huge aspect of cybersecurity.
What is your favorite hacker movie?
Well, this isn’t a movie, it’s a show, but Mr. Robot. So much thought and research are put into it by some of the sharpest minds in the industry. And so good. Also, Catch Me If You Can because the social engineering…unbelievable.
What are your favorite books for motivation, personal development, or enjoyment?
Between work, and three kids, and side projects, there is little time left for reading. A few months ago, as I mentioned earlier, I started reading Daemon by Daniel Suarez. I needed something to read on flights, and this was recommended to me by several friends in security. It lets you think outside the box and is a really exciting read.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Update. Always update. Personal computer, home router. Probably even your refrigerator in this day and age.
What is a life hack that you’d like to share?
I don’t know if this counts as a “hack,” but it’s something my mother has told me since I was little, and I have never found it to be more true than in recent years: exercise. If you take care of yourself, it is a lot easier to take care of everything else in your life. Period. It helps clear my mind from work and the day-to-day. I disconnect, and to be honest, it’s probably the only time of the day I actually disconnect.
What is the biggest mistake you’ve ever made, and how did you recover from it?
This one time I restarted a production database (and as a result, the application) in the middle of the day. I “recovered” from it—in that I brought it back online and made sure everything was okay again. I was absolutely embarrassed, for obvious reasons. But I never made that mistake again, and I will never forget that feeling of panic for as long as I live.
“Never let another person cause you to forget your sense of self.”
As far as a broader answer, there were several years in college when I focused on my relationship more than I focused on myself, my education, and my future career. I let a lot of time slip away from me that I could have done so much more with, and I missed out on a lot of opportunities and experiences. I placed more importance on wanting to be elsewhere than I did on living my own life. Never let another person cause you to forget your sense of self.
There are plenty of other mistakes, but those in particular have left lasting impressions. ■
12
Ming Chow
“Having a computer science degree doesn’t mean you know anything about cybersecurity—or even how to program, for that matter.”
Twitter: @0xmchow • Website: www.cs.tufts.edu/~mchow (will redirect you to mchow01.github.io)
Ming Chow is a senior lecturer at the Tufts University Department of Computer Science. His areas of interest are web and mobile security and computer science education. Ming has spoken at numerous organizations and conferences, including the HTCIA, OWASP, InfoSec World, Design Automation Conference (DAC), DEF CON, Intel, SOURCE, HOPE, and BSides. Since 2014, he has served as a mentor to a BSides Las Vegas Proving Ground track speaker—a track focused on helping new speakers in the information security and hacker communities acclimate to public speaking. Ming was named the 2016 Henry and Madeline Fischer Award recipient at Tufts; the award is given annually to a faculty member of the School of Engineering and judged by graduating seniors of the School of Engineering to be “Engineering’s Teacher of the Year.” He was named the 2017 recipient of the Lerman-Neubauer Prize for Outstanding Teaching and Advising at Tufts, which is awarded annually to a faculty member who has had a profound intellectual impact on students, both inside and outside the classroom.
If there is one myth that you could debunk in cybersecurity, what would it be?
That you need to have a computer science (CS) or a technical degree to be in cybersecurity. Having a computer science degree doesn’t mean you know anything about cybersecurity—or even how to program, for that matter. Mudge2 has a music degree. When I graduated with my bachelor’s degree in computer science, the only exposure to cybersecurity I had had was a cryptography course, which is only a piece of cybersecurity. Fast-forward more than a decade later, and many CS graduates still do not have any exposure to cybersecurity.3 Recently, I did an interview in which I talked about this in more depth: “Failings in Cybersecurity Education: An Interview with Professor Ming Chow.”4
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Emphasize cybersecurity during the onboarding/orientation process and constantly run exercises, including phishing exercises. Emphasizing cybersecurity early and often will demonstrate how seriously the organization takes cybersecurity and, more importantly, spread knowledge. Many learn the lesson not to touch a hot stove as a child after getting burned by one; it’s the same idea for running exercises and drills constantly.
“Emphasizing cybersecurity early and often will demonstrate how seriously the organization takes cybersecurity, and, more importantly, spread knowledge.”
How is it that cybersecurity spending is increasing but breaches are still happening?
There is a range of problems here. First, many think throwing money at the problem will alleviate it. Second, does management even know what cybersecurity is, what they’re protecting against, and what the actual threats are? I’ve seen a number of security products advertised to protect against advanced persistent threats (APTs), but how many organizations really have an APT problem?5 Third, it is no secret that many cybersecurity products are overly complex and even riddled with vulnerabilities—oh, the irony. Fourth, if you take a look at why many breaches happen, it is because of “low-tech” factors, including social engineering, weak passwords, and failing to patch.6
Do you need a college degree or certification to be a cybersecurity professional?
At the moment, no. Cybersecurity is still not emphasized in many colleges. Some certifications have specific goals, such as incident response, malware analysis, offensive security, and so on. But that’s a very small part of the bigger cybersecurity picture.
Now, I am not bashing the idea of a college degree or certification—they hold value and demonstrate some baseline knowledge. We may need to revisit this question when the cybersecurity field becomes more mature.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
If it wasn’t for Gary McGraw—and taking his tutorial on building secure software at the USENIX 2004 Annual Conference—I wouldn’t have even known about cybersecurity as a career path. I am also very grateful to the Wall of Sheep for giving me lots of basic knowledge I never received in college (e.g., networking, packet analysis).
One beauty of cybersecurity is that it is a broad, interdisciplinary field that has technical and nontechnical underpinnings—which many fail to comprehend. Another beauty of cybersecurity is its accessibility: you don’t need a college degree to delve in, and you don’t need the fanciest computer, either. You can be a political scientist or a psychologist and still relate to some aspects of cybersecurity immediately. And most of the tools and software are free. However, this all poses a problem: there is way too much out there. Thus, my advice:
This is a field that requires you to work hard. There is too much information, too many incidents, and many new tools and techniques bei
ng introduced. To keep up and be relevant, you have to work hard.
Have intellectual curiosity to understand how something works. Gary McGraw and Greg Morrisett coined the term “The Trinity of Trouble.” According to them, complexity, extensibility, and connectivity are the “three trends having a large influence on the growth and evolution of the [security] problem.”7 So much is now being abstracted away from people when it comes to education, software, and hardware products that we now take things for granted without considering the security, privacy, and social ramifications.
Have the ability to tinker. Hands-on practice is so vital in this field. Cybersecurity professionals are asked to build, break, fix, and explain. For starters, I tell beginners to build a vulnerable web server at home using a Raspberry Pi. That will give you the ability to build a system from scratch and understand the necessary components to install. Then, learn how to poke holes and find weaknesses in the system.
There is no substitute for real experience and projects.
“Hands-on practice is so vital in this field. Cybersecurity professionals are asked to build, break, fix, and explain.”
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My focus is teaching cybersecurity. Take every small opportunity, build credibility, and keep learning from great people. My first time teaching and presenting on cybersecurity was at my job at Harvard more than a decade ago. Then, I took a small gig to teach a cybersecurity module at Middlesex Community College. I also took the SANS course “Hacker Tools, Techniques, Exploits, and Incident Handling,” which further developed my skills.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Personality and emotional intelligence/empathy, hands down. To put it bluntly, no one wants to work with an a—shole. Your academic or engineering prowess may get you the job, but your personality and soft skills will get you the promotion.8
What qualities do you believe all highly successful cybersecurity professionals share?
The ability to explain the what, the why, and the how—and the ability to communicate that to a variety of audiences. When you’re communicating with a technical audience, they expect depth and proof. This is why I’m a fan of Rob Graham’s work and Tavis Ormandy’s security bug postings. When you’re communicating with senior management, you need to keep your thoughts concise. That’s why we have a policy memo deliverable in our “Cyber Security and Cyber Warfare” course at Tufts. One of my favorite stories is about convincing Tufts to build a joint Cyber Security and Policy program between the School of Engineering and the Fletcher School of Law and Diplomacy, starting with an investment to hire a bridge professor in cybersecurity and policy.9
What is the best book or movie that can be used to illustrate cybersecurity challenges?
It’s not a movie, but there’s a scene from The Simpsons I use quite often. In the episode, Mr. Burns and Smithers have to go through an elaborate security system to enter Springfield’s nuclear power plant, and an amusing scene unfolds. You can watch the clip on YouTube.10
For a movie, Catch Me If You Can, because all the old tricks still hold even in the age of technology. In fact, technology has made fraud even easier.
What is your favorite hacker movie?
Minority Report because almost everything in the movie turned out to be true in reality.
What are your favorite books for motivation, personal development, or enjoyment?
Masters of Doom by David Kushner. I love stories of legendary hackers (in this case, John Carmack and John Romero). It’s also a good book on starting out at the bottom; work ethics; business, personal, and professional failures; and the good old days of computer/video games.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Less is more.
What is a life hack that you’d like to share?
Directly related to my “less is more” comment is the Minimalist Mantra: “Stop buying the unnecessary. Toss half your stuff, learn contentedness. Reduce half again. List four essential things in your life, do these first, stop doing the nonessential. Clear distractions, focus on each moment. Let go of attachment to doing, having more. Fall in love with less.”11
I’ve thrown away so much stuff over the last three years that I now have less than I had when I moved into my home. It is liberating. The joke among my family and friends is that the only thing I haven’t thrown out of the house is myself.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Not having a good grasp on systems early. This includes operating systems, pointers, memory, and networking. It goes back to what I said earlier: to understand how something works. Most of these topics are fundamental to cybersecurity, especially the technical side. I had to relearn almost everything on my own, and I feel like I’m still paying penance. ■
Notes
2. Peiter Zatko, better known as Mudge, is a prominent hacker and network security expert.
3. Kelly Jackson Higgins, “Top US Undergraduate Computer Science Programs Skip Cybersecurity Classes,” Dark Reading, July 4, 2016, accessed April 2018, https://www.darkreading.com/vulnerabilities—threats/top-us-undergraduate-computer-science-programs-skip- cybersecurity-classes/d/d-id/1325024.
4. You can read the interview here: https://clutch.co/it-services/failings-cybersecurity-education-interview-professor-ming-chow.
5. Eric Capuano, “Fortune 100 Infosec on a State Government Budget,” 2017, accessed April 2018, https://cdn.shopify.com/s/files/1/0177/9886/files/phv2017-ecapuano.pdf.
6. Josh Abraham, “How to Dramatically Improve Corporate IT Security Without Spending Millions,” Praetorian, accessed April 2018, https://p16.praetorian.com/downloads/report/How%20 to%20Dramatically%20Improve%20Corporate%20IT%20Security%20Without%20Spending%20 Millions%20-%20Praetorian.pdf.
7. Gary McGraw, “Software Security: The Trinity of Trouble,” Freedom to Tinker, February 15, 2006, accessed April 2018, https://freedom-to-tinker.com/2006/02/15/software-security-trinity-trouble/.
8. Ming Chow, “How I Hire,” LinkedIn Pulse, July 15, 2015, accessed April 2018, https://www.linkedin.com/pulse/how-i-hire-ming-chow.
9. You can read the proposal here: https://mchow01.github.io/docs/proposal.pdf.
10. YouTube, “Springfield Nuclear Power Plant—The Simpsons,” Video, January 19, 2015, accessed April 2018, https://www.youtube.com/watch?v=eU2Or5rCN_Y.
11. Minimalist Mantra: Stop buying the unnecessary. Toss half your stuff, learn contentedness. (Minimalist Mantra, n.d.)
13
Jim Christy
“Sometimes you have to go backward or laterally to be in a position to move forward.”
Twitter: @Jimchristyusdfc
Jim Christy is a retired special agent who specialized in cybercrime investigations and digital forensics for more than 32 years with the Air Force Office of Special Investigations and the Department of Defense Cyber Crime Center (DC3). He now works in the private sector and is a cyber lead for the DB Cooper Cold Case Team.
If there is one myth that you could debunk in cybersecurity, what would it be?
The one myth I would like to debunk is that the government has your back when it comes to cybersecurity. The government can’t take care of its own problems, let alone help its citizens. Plus, it’s not the government’s mission. The different government agencies are not created equal and certainly don’t share information among themselves. State and local governments are, woefully, decades behind the federal agencies in protecting themselves. They certainly can’t help you. You’re on your own.
In fact, the intelligence community (IC) actually works against the best interests of citizens and other government agencies. The only thing that matters to the IC is offense. If they detect a vulnerability in an operating system, softw
are package, or network, they hold that close to the chest so they can exploit it, no matter how much that vulnerability puts individual citizens, companies, or other government agencies at risk. I personally believe defense needs to come first when we’re talking about cybersecurity.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
The biggest bang-for-the-buck action an organization can take to improve its cybersecurity posture is a function of where in the organization the cybersecurity office reports. Most organizations place the cybersecurity office under the chief information officer (CIO) because it’s technical in nature. That is absolutely the worst place to put it due to the competing priorities and conflict of interest that creates. CIOs report directly to the chief executive officer (CEO), whose mission in the private sector is to make money. As such, the CIO’s mission is to provide information systems and technology that make the company more efficient and effective at the lowest cost. The CIO also helps the company stay on the leading edge of technology, which ideally translates into making more money. It is hard to quantify the impact of the cybersecurity function on the company’s bottom line until you have a breach.
The security office should also report to the CEO, as their mission is to provide all aspects of security for the organization. This includes the very different security disciplines of physical security, personnel security, and cybersecurity. You don’t make personnel security the responsibility of the human resources office (or do you?). You have personnel security within the domain of the security office because it’s a security function. Likewise, you don’t make physical security the responsibility of the building maintenance/logistics office (or do you?). It also falls under the security office.