What qualities do you believe all highly successful cybersecurity professionals share?
Probably the number-one quality is having security (the profession) as a hobby. The security field is so complex and dynamic; defenses that worked today may become obsolete overnight. It would be impossible to be successful in security without continuous learning, which most of us are doing in our free time, simply out of passion. The number-two quality is perfectionistic attention to detail. Security protections are typically broken due to missed details or stupid mistakes caused by lack of attention. This brings us to the number-three quality, which is knowing your own knowledge gaps and asking questions. None of us has in-depth knowledge in all security areas, and we do not hesitate to reach out to colleagues. This is what makes the security community almost like a close family, because we interact a lot. Possession of the “evil bit” (the ability to think as a cunning attacker) is another quality.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Among recent ones, I relished Skyfall. This was the first James Bond movie that finally embraced cyber hacking as the main weapon in the villain’s arsenal. To my delight, the movie features two cyber-physical attacks: (1) blowing up part of MI6 headquarters by taking control of the building’s gas system, and (2) shutting down the electricity with the help of a virus, which resulted in the fail-open status of the villain’s prison cell door. Also, the “oh shit” scene of the MI6 security wizard when he hastily plugged the villain’s laptop directly into the MI6 network made me smile.
All security professionals have done stupid things of that caliber at least once in their career. In general, the movie vividly highlights human dependence on computerized systems and our lack of understanding of these dependencies.
What is your favorite hacker movie?
Clearly, Hackers is the iconic movie when it comes to representing the spirit of the security community. I really like the original The Girl with the Dragon Tattoo. Among others, I enjoyed two German movies, Who Am I, and an older movie, 23. I am probably in the minority, but I’m not really fond of Mr. Robot.
What are your favorite books for motivation, personal development, or enjoyment?
I am a bookworm. I’ve read many books that contributed immensely to my personal development and in shaping my mind. Probably Dale Carnegie’s books (luckily, he was among the few authors allowed in the post-USSR space) How to Win Friends and Influence People and How to Stop Worrying and Start Living had the biggest impact on me and served as my early life kickstarters.
Recently, I’ve been reading biographies of famous people, be they historical or current. My most recent was a biography of Michael Phelps. Before Phelps, I was obsessed with George Washington. In general, I enjoy books that uncover life from a previously unthought-of angle—e.g., Freakonomics by Levitt et al. or Outliers by Malcolm Gladwell. A long time ago, I read The Manual: A True Bad Boy Explains How Men Think, Date, and Mate—and What Women Can Do to Come Out on Top by Steve Santagati. It is such a fun book to read, but it also perfectly shows that any system is hackable; you just need to understand how your target functions.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
It is extremely difficult to give advice at this point in time, as most people are still caught up in the euphoria of the benefits and the joy technology has given them. Users are not ready to hear about all the dangers of modern gadgets and social networks yet. My advice would be to realize that using the internet these days (on both PCs and mobile devices) is similar to going on vacation to a country with exotic beaches and known safety issues. What advice is typically given to people? To be aware of your surroundings and to not go to places one should not go. The use of internet-connected devices and internet services becomes safe when following similar rules. For example, looking for the green lock in the browser when making financial transactions (to make sure the communication is encrypted), being aware of phishing/scams and how much personal information is exposed via social media, etc. I never visit suspicious web pages and leave immediately if I accidentally land on one. When we go on vacation to a new country, we always read safety behavioral rules. Users should do the same before using the internet, internet-connected devices, and social media. There is also a great documentary to watch: Terms and Conditions May Apply (2013).
What is a life hack that you’d like to share?
Some individuals who do not program much or well are worried about not being able to succeed in security. You may worry less! Here is the secret: there are a lot of folks who can code well but don’t know security (or any other field). Team up with them! During my studies at the University of RadioElectronics in Ukraine many years ago, I geared more toward designing and calculating complex engineering systems rather than programming their functionality. I could program well, but I did not enjoy it as much as I enjoyed the engineering part of projects. Starting when I was at university and even today, I choose to team up with guys who can program or reverse engineer well but are not necessarily experts in the task or research questions we are working on (but I am). Such collaborations are fruitful for everybody involved. In general, if I don’t have a needed skill or knowledge set, I find someone who has it and form a partnership. This strategy has made me an extremely successful researcher (and, I hope, my collaborators too!).
What is the biggest mistake you’ve ever made, and how did you recover from it?
Over the years, I mastered the art of seeing all my mistakes as “learning experiences.” However, there is one mistake I cannot forget to date. Unfortunately, I cannot talk about it because of an NDA and the privacy of the parties involved. I trusted the wrong person, and my partners and I were taken advantage of and missed a very big opportunity. My partners actually forgave me; however, I still wonder how things would be if I hadn’t made that mistake.
One habitual mistake I used to make was hesitating to put myself forward and not speaking confidently about my competencies and achievements. To me, it felt like cheap showing off and bragging. I thought that people should know my name and understand my skill set from the work I’d done. It took me a while to realize that most people, even folks from within my own professional community, don’t know everything about me. In the end, nobody has the time to read all of my papers and watch my talks. Learning to speak about my expertise and achievements was life-changing. This also helped me to gain confidence in putting myself forward more. You need to let the world know about you if you’d like to be a part of it! ■
36
Sami Laiho
“Implement the principle of least privilege—don’t allow end users to be admins on their local boxes.”
Twitter: @samilaiho • Website: win-fu.com
Sami Laiho is one of the world’s leading professionals in Windows OS and security. He has worked with and taught OS troubleshooting, management, and security for more than 15 years. Sami’s session was evaluated as the best session in TechEd North America, Europe, and Australia in 2014, and by the Nordic Infrastructure Conference in 2016 and 2017. At Ignite 2017, the world’s biggest Microsoft event, Sami was noted as the Best External Speaker. He is also an author at PluralSight and the newly appointed conference chair at the TechMentor conference.
If there is one myth that you could debunk in cybersecurity, what would it be?
That security cannot be increased without lowering usability. I do believe that security is a compromise between usability, security, and price—you can get two, but you can never get all three.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Implement the principle of least privilege—don’t allow end users to be admins on their local boxes.
How is it that cybersecurity spending is increasing but breaches are still happening?
Most customers I meet are spending the bucks on solutions and features, although they should be spending it on training and implementing concepts.
Do you need a college degree or certification to be a cybersecurity professional?
No, I don’t have one. You can learn by reading and practicing by yourself.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I used to teach troubleshooting and Windows internals. I started teaching security because I hated all security sessions in general. They were built to scare people but didn’t offer mitigations, and they were always using insecure OS implementations—like old OS versions, full admin rights, and no full disk encryption or whitelisting.
I started by learning how computers and operating systems work. If I could recommend one book to read, it would be Windows Internals by David Solomon, Mark Russinovich, and Alex Ionescu.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I teach concepts, not features. I teach how to implement things like principle of least privilege and whitelisting. I would recommend that others watch my sessions on Channel9.msdn.com and YouTube.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Sharing is caring. Learn things and then share your knowledge. Remember that it currently takes 100 people at Microsoft to know everything about the Windows OS. Networking is your most important skill nowadays. Get to know people who know what you don’t.
What qualities do you believe all highly successful cybersecurity professionals share?
Belief in the fact that security keeps things running and more performant. If you yourself believe that security makes things hard, you’ve lost the game.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The film Zero Days, and books by Mark Russinovich.
What is your favorite hacker movie?
Zero Days.
What are your favorite books for motivation, personal development, or enjoyment?
Anything by Mark Russinovich. Be the Master by Don Jones.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Don’t put anything on social media that you can’t allow to get public.
Use different passwords on every website, and, even better, invest in a password manager.
Use multifactor authentication when possible.
Don’t use admin accounts for daily logons.
What is a life hack that you’d like to share?
Use your fingerprint reader to register your index finger as your limited user and your middle finger as your admin user. This way, you can fast switch when needed.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I missed a backup from my family photos and lost two years’ worth of photos of my older daughter. ■
37
Robert M. Lee
“Defenders have many tools at their disposal, and attackers aren’t nearly as sophisticated or well coordinated as many suggest. When defense is done correctly, I would actually argue that defenders have the upper hand.”
Twitter: @RobertMLee • Website: www.robertmlee.org
Robert M. Lee is the CEO and founder of the industrial (ICS/IIoT) cybersecurity company Dragos, Inc. He is also a nonresident National Cybersecurity Fellow at New America, focusing on policy issues relating to the cybersecurity of critical infrastructure. For his research and focus areas, Robert was named one of Passcode’s Influencers, and in 2015, he was awarded EnergySec’s Cybersecurity Professional of the Year. The following year, he was inducted into Forbes’s 30 under 30 for Enterprise Technology. Robert obtained his start in cybersecurity in the U.S. Air Force and at the National Security Agency. While in the U.S. Air Force, he served as a Cyber Warfare Operations Officer. Robert has performed defense, intelligence, and attack missions in various government organizations, including the establishment of a first-of-its-kind ICS/SCADA cyber-threat intelligence and intrusion analysis mission. A passionate educator, Robert has authored several courses for SANS, along with their accompanying certifications. He routinely writes for publications on the topics of industrial security, threat intelligence, and cybersecurity and is a frequent speaker at conferences around the world. Robert has testified before the U.S. Senate Energy and Natural Resources Committee and is currently pursuing his PhD at King’s College London, researching the industrial control threat landscape. Lastly, Robert, along with Jeff Haas, creates a weekly technology and security web comic titled Little Bobby.
If there is one myth that you could debunk in cybersecurity, what would it be?
That adversaries have the upper hand. Defenders have many tools at their disposal, and attackers aren’t nearly as sophisticated or well coordinated as many suggest. When defense is done correctly, I would actually argue that defenders have the upper hand.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
You need to hire smart analysts. Smart analysts are going to help you choose the right technologies and tell you what you need for the particular problems you’re having. And they’re going to help you avoid buying vendor products that you don’t need. At first, it might be hard to pay the extra $30,000, $40,000, or $50,000 for a senior analyst, but they’re going to give you a good return on investment, and they’ll pay for themselves time and time again.
How is it that cybersecurity spending is increasing but breaches are still happening?
I’m not sure that those metrics are correlated at all. Security is increasing, and we’re actually seeing, by all industry metrics, that the number of breaches is decreasing. We’re hearing a lot more about breaches these days, so it seems like they are increasing, but I don’t know whether that’s actually accurate. It’s more of a perception issue. We’re also finding things that have existed for years.
Do you need a college degree or certification to be a cybersecurity professional?
Not at all. Both can be helpful for career progression purposes, but they’re not required at all.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I got started through the U.S. Air Force, and I went into cybersecurity. Most things I actually know (and most of the skills I have) are self-taught. For people who are starting out, you can go through a decent pipeline, end up with a job, do the 8-to-5, and that’s perfectly fine; there’s no problem in doing that. But if you want to be one of the top performers and earn higher salaries and so forth, it’s going to demand that you go outside of the normal pipeline and do a lot of self-education. The good news is, there’s an immense number of free resources out there; you don’t need any given pipeline to reach your goals. There’s plenty out there.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
Mine’s in industrial control systems as well as threat intelligence. For both of those, I really think there’s no better teacher than actually going and doing it. I think a lot of the ability to get started, especially in industrial controls, can be gained by working at places like utilities or industrial companies. Your local utility, I guarantee, is in need of people. Working at those places can give you extremely valuable experiences.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Generally speaking, if you’re going to progress outside of holding a salaried job, it’s going to require you to go outside of your bubble, do a lot of self-education, and get involved with the community. When you start speaking publicly or writing papers or doing training for folks, it gets you noticed quickly, and it sharpens your skills. It makes you someone people are comfortable with holding those positions. For starting your own company, just add in a level of craziness, a lot of friends, and a lot of sleepless nights.
What qualities do you believe all highly successful cybersecurity professionals share?
The highly successful ones all share a passion and dedication to learning. No real expert I know calls themselves an expert.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Cuckoo’s Egg is a must-read on everybody’s reading list, and then from a movie perspective, I’m not sure that we really have a good one about our field just yet. I would say people should go outside of security if they’re trying to solve security issues. There are plenty of books to help with that. There’s a book called Strategy: A History by Lawrence Freedman, but I would entirely encourage people to read the softer arts. Another one that should be mandated reading is The Psychology of Intelligence Analysis by Richards J. Heuer, Jr. It’s not so much about personal enjoyment; it’s just that nontechnical books can help you become a better technical professional.
Tribe of Hackers Page 22