Tribe of Hackers

Tribe of Hackers Page 19

by Marcus J Carey


  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I have worked in information technology my entire career, for both private-sector companies and government agencies. Security has been a component of each of those jobs, but I didn’t formally pivot into cyber until 2013. I started off deploying security information and event management (SIEM) for large enterprises and helping analysts turn metadata into actionable intel, looking for the needle in the haystack. I then began consulting with Fortune 100 companies in the discipline of identity and access management, helping them secure the prized jewels—“privileged accounts.” To someone pursuing a career in cyber, I would say there are many resources online to help you achieve your goal. Research the various roles in cybersecurity, find out what it will take to get to that goal, and definitely network, network, network!

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  My specialty is privileged account management (PAM) security and identity and access management (IAM). To gain expertise in these areas, one must understand that identity is the new perimeter, and most organizations have four times as many privileged accounts as employees. So, IAM and PAM are a lot of asking the what, why, and who in relation to access and enforcing least privilege.

  “To someone pursuing a career in cyber, I would say there are many resources online to help you achieve your goal.”

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  There are no off days. There are no eight-hour days. Security events never happen when it’s convenient. In my experience, the people who accept these truths work harder and have a tenacity that doesn’t stop when they leave the office. And I will say it again…network.

  What qualities do you believe all highly successful cybersecurity professionals share?

  An investigative mind-set and the innate need to help.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  I don’t have a movie, but the most realistic show I’ve seen to date is Mr. Robot. It highlights the threat of insiders, nation-states, and black hats. It’s a phenomenal look into cyber.

  “Security events never happen when it’s convenient.”

  What is your favorite hacker movie?

  WarGames (1983).

  What are your favorite books for motivation, personal development, or enjoyment?

  The Bible, The Secret, Die Empty, and Rtfm: Red Team Field Manual.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  To enable multifactor authentication on cloud services, use antivirus, do personal banking on a separate computer used only for that purpose, use strong passwords on your Wi-Fi network, create a guest network for your IoT devices and actual guests, and use a password manager.

  What is a life hack that you’d like to share?

  You can make ricotta cheese at home from milk, salt, and vinegar.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  Not being comfortable in my own skin and not appreciating the gifts and talents that God had bestowed upon me. I recovered from this by being humbled and restored. ■


  Ken Johnson

  “Hire the right people—especially if they’re your first security person. Don’t skimp; if you’re going to do it, do it right.”

  Twitter: @cktricky • Website: cktricky.com

  Ken Johnson has been hacking web apps for 10 years. He started in networking, taught himself programming, and eventually built an application security consulting company before finally leaving to work at GitHub. Ken has spoken at RSA, You Sh0t the Sheriff, Insomni’hack, CERN, DerbyCon, AppSec USA, AppSec DC, AppSec California, DevOpsDays DC, LASCON, RubyNation, and numerous Ruby, OWASP, and AWS events about AppSec, DevOps security, and AWS security. Ken’s projects include the Absolute AppSec podcast, WeirdAAL, OWASP’s RailsGoat, and the Web Exploitation Framework (wXf).

  If there is one myth that you could debunk in cybersecurity, what would it be?

  Self-aggrandizing. We sometimes have to accept that we’re actually not that important. I feel that we do a lot to hype our unique/special culture, our silver-bullet products, the latest threats with a sexy logo and name, etc. But in the end, we’re one small aspect of most businesses. Sure, some businesses specifically have to take security up a notch. For most, though, we’re just one component of many in the typical business unit. I say this because, if you’re a newcomer, realize this early in your career, as it pertains to your approach. If you’re going to have input on a budget or give input as to the rollout of “X,” take the entire picture into account. When you’re overridden or dismissed by the folks working above your pay grade, try not to take it too personally. Just remember: you may have input, but at the end of the day, the business decides on priorities, and it’s usually not personal. It’s…business. It may seem like, “This is going to be soooo bad,” but it’s rarely as bad as you assume it will be.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Hire the right people—especially if they’re your first security person. Don’t skimp; if you’re going to do it, do it right. These are the people who are going to onboard and advocate for additional security team members. These folks will decide your overall strategy and, ultimately, whether or not it’s effective.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Speaking as someone who has worked on both the offensive and defensive sides of the spectrum, defense has to get every single thing right—with zero human error involved—to successfully prevent even the smallest of breaches, whereas an attacker only needs to get lucky once. I believe security pros are acknowledging this.

  We’ve seen the rise of cybersecurity insurance. We’ve seen more and more CSOs/CISOs emphasizing the need for having an effective incident response plan and disaster recovery strategy, as well as understanding their risk profile. That way, when a breach does occur, they are ahead of the game. To me, this is an acknowledgment that we cannot 100 percent guarantee a breach will never happen. All we can do is prepare for it and minimize the damage. I’m not saying we’re sitting back and saying, “Welp, there’s nothing we can do. Oh well.” What I am saying is we can make ourselves hard targets, prioritize where our controls are in place, minimize our risk, and be prepared when a breach does occur.

  Do you need a college degree or certification to be a cybersecurity professional?

  I don’t have a degree. Part of me wishes I did, just in case there ever comes a time when it might matter. To date, though, I feel I’ve had a pretty successful career and it hasn’t mattered. If it is something you want to do for you, go for it. But I’d advocate a degree in cybersecurity is less relevant than one in, say, computer science. Take that with a grain of salt, as I do not actually have a degree. What I can say pretty definitively is that understanding the nuts and bolts of networking, programming, processors, etc. is far more practical than understanding the CIA Triad. There will be plenty of time to learn that kind of domain-specific “stuff” later.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I’m going to try to paint a picture without being overly long-winded. In short, I was the stereotypical “takes things apart, learn how they work, and build something better” type of kid that you hear most InfoSec folks describe themselves as.

  However, there was an unflattering side to that. I was incredibly bored in school, which meant I was really lazy. In high school, I barely attended. I only did enough to graduate with a diploma…barely. School was just super boring to me unless I was in front of a computer. If it was a typing class, I’d figure out what else the computer could do. I’d finish assignments early and then find out what I could do with the computer system in front of me.

  Fast-forward to my senior year, and I’m embarrassed it took that long to figure it out, but I realized I was headed for a pretty sad existence with no real prospects. I liked computers a lot; they brought me joy. So, I enlisted in the U.S. Navy as an IT.

  The Navy taught me many things—how to sweep floors properly, the multitude of uses for Simple Green (a cleaning solution), and, most importantly, discipline. While I did enlist as an IT, I would have learned next to nothing relevant if it hadn’t been for my sheer willpower to read, experiment, and stay up late following the networking crew around, running cables and asking questions. I was based in Italy for a few years, and I’d even buy Italian hacker magazines because, for whatever reason, I was drawn to what we now call “InfoSec.”

  When I left the Navy, I took jobs doing typical IT work until I decided to move to the East Coast for an opportunity doing security (which I didn’t even know was a profession until the opportunity came about). Truly, I love programming, so I taught myself how to program. It was only a matter of time before I picked up the Web Application Hacker’s Handbook and taught myself about web application security. From that point forward, I learned what I could, shared what I had via blogging and videos, spoke at little get-togethers, and found like-minded folks at conferences. Basically, I built the connections that landed me my first consulting gig with FishNet Security. And I’ve been working in AppSec ever since.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I work in application security, or AppSec for short. Basically, if the tech is using a web standard to communicate (web application, mobile application, thick client, IoT device, etc.), then it falls under AppSec. The most important thing to know in this area is how to write and read code. It’s a fundamental requirement, since we live and breathe code.

  Beyond that fundamental requirement, you need to know how to test the security of an application. It is far less risky these days to test what you’re learning or reading about against a real-world website or application because of the advent of bug bounties. When I was starting, if you’d never done this professionally and were learning how to find flaws in a web app…well, you had to have a little gray in your hat. Sure, we had things like WebGoat and Samurai, but that’s not the same as real targets. Nowadays, you can sign up for a bug bounty program and get cracking on real targets. The two most important books, for me, were The Tangled Web by Michal Zalewski and The Web Application Hacker’s Handbook by Dafydd Stuttard and Marcus Pinto.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  I’ve been the lowest of the low on the totem pole. I’ve also been the co-owner and CTO of a 30-person security consulting firm, and everything else in between. The security industry is interesting in that I’ve found it to be a small world. Word of mouth is incredibly important. For me, I’ve found strong character, work ethic, and mastery of your craft will carry you incredibly far. Leave a good impression and you never know where you’ll end up.

  “Leave a good impression and you never know where you’ll end up.”

  If you’re starting a security company, my answer would be pretty much the same when you distill it down. What worked for me when it came to sales, recruitment, and management was all guided by the same philosophy. That philosophy is you have to maintain high standards morally and ethically for the quality of work you produce, as well as for the people you choose to work with.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Everyone that I’ve seen be successful (who wasn’t that .0001 percent wunderkind) did things outside of work. Whether that’s speaking, writing, contributing to open source projects, podcasting, etc., all of them do something outside of their nine-to-five, which is what helps them stay relevant, so the two go hand in hand.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Genuinely, I think everyone should read The Phoenix Project by Gene Kim, George Spafford, and Kevin Behr. Talk about a book that really emphasizes all components of a business unit and discusses security’s role in it.

  What is your favorite hacker movie?

  The Saint with Val Kilmer. Now, I know this isn’t your stereotypical hacker movie, but the main character, John Rossi (Simon Templar), sneaks into places he shouldn’t be; gains access to things he shouldn’t be able to; and uses social engineering, lock picking, high-tech devices, and encrypted communications to do it. Then, he ends up trying to open-source cold fusion technology rather than have it end up in the hands of corrupt politicians, businessmen, or the mob.

  What are your favorite books for motivation, personal development, or enjoyment?

  Extreme Ownership by Jocko Willink and Leif Babin. Everyone should read it.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Be careful what you share. Enable two-factor authentication for any social media account. Don’t click before figuring out what exactly you are clicking. Ask yourself, “Do I really need an internet-connected toaster?”

  What is a life hack that you’d like to share?

  Two things. First, get quality sleep and focus on your work until you can’t focus anymore. Then, go do something else. A good night’s sleep helps me figure things out faster, and I feel better.

  Working in sprints means I’m focused only on what I’m working on, and that’s easier to do if I’ve had rest. If I’ve not finished whatever I’m doing before I feel my attention waning, I walk away for a bit. That way, the time I do spend in front of a computer is limited to quality time rather than getting lost in Twitter or cat memes. I think that in today’s society, people prize multitasking to their detriment. Quality work requires quality focus. Get some rest and go for walks.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  Have you heard of the sunk cost fallacy? Let’s just say this led me to triple down on an investment in someone and, ultimately, in a business when, in reality, I should have cut ties way earlier. There were far too many warning signs to say, “I couldn’t have seen how this would play out.” Instead, I just kept working harder and harder to stave off the ramifications of this person’s poor personal and professional conduct. So, it took some time to forgive myself for that mistake, understand that I’m still (relatively) young, and realize there are plenty of other opportunities out there. Life is too short to dread waking up in the morning. ■


  David Kennedy

  “One of the biggest myths, in my opinion, is that what hackers do requires a high level of complexity and skill. Most attacks out there are generic, and the way most organizations (and people) get hacked is through very basic things.”

  Twitter: @HackingDave • Websites: www.trustedsec.com and www.binarydefense.com

  David Kennedy is the founder of TrustedSec, Binary Defense, and DerbyCon. TrustedSec and Binary Defense are focused on the betterment of the security industry from both a defensive and offensive perspective. He also serves on the board of directors for the (ISC)2 organization. Formerly, David was the CSO for Diebold Incorporated, where he ran the entire INFOSEC program. He is also a co-author of the book Metasploit: The Penetration Tester’s Guide as well as the creator of the Social-Engineer Toolkit (SET), Artillery, Unicorn, PenTesters Framework (PTF), TrevorC2, and several popular open source tools. David has been interviewed by several news organizations, including CNN, Fox News, MSNBC, CNBC, Katie Couric, and BBC World News.

  David has also consulted on hacker techniques for the hit TV show Mr. Robot. He is the co-host of the Social-Engineer Podcast and is featured on several additional podcasts as well. David has testified in front of Congress on two occasions concerning the security of government websites, and he is one of the founding authors of the Penetration Testing Execution Standard (PTES)—a framework designed to fix the penetration-testing industry. Prior to the private sector, David worked for the U.S. Marine Corps and deployed to Iraq twice for intelligence-related missions.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  One of the biggest myths, in my opinion, is that what hackers do requires a high level of complexity and skill. Most attacks out there are generic, and the way most organizations (and people) get hacked is through very basic things. The biggest challenge corporations face is the speed at which they must move to conduct business. Often, information technology (IT) and security are behind the organization, so they miss things, which is where we fall into the breach categories. Companies try to sidestep building security programs by purchasing the next piece of software that’s supposed to fix most of their issues, but the problems stem from the program itself.

  More than anything, companies need to focus on building up their programs, which takes time, and focusing on how to detect and prevent attacks in their environment. That comes with having the right people who are skilled in understanding how attacks work, which is key to identifying the specific methods an attacker can use in order to compromise an organization.

  “More than anything, companies need to focus on building up their programs, which takes time, and focusing on how to detect and prevent attacks in their environment.”

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
