“When you start speaking publicly or writing papers, or doing training for folks, it gets you noticed very quickly, and it sharpens your skills.”
What is your favorite hacker movie?
It’d be a faux pas not to mention Hackers, but honestly, I think my favorite, if I had to pick one, would be WarGames.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
I generally tell people not to fear and don’t overthink it. Very simple things like using legitimate licenses for your operating system and two-factor authentication (2FA) for your account logins can really help. With the basics like that, you’re going to be significantly well off as a home user.
What is a life hack that you’d like to share?
It’s not really a life hack, but sort of a guiding point I tell people: the threats are far worse than you realize but not as bad as you imagine them. That kind of centers us a bit.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I’m generally not a person who lives with regrets, but when it comes to running a company, everyday decisions that I make impact outcomes that we may not realize for a year or more. There are plenty of little mistakes and adjustments I’ve had to make, and not necessarily one big one. Honestly, the way to deal with it is to realize that more issues are created by not making a decision than by making one that might not have been perfect. It’s extremely important to keep moving and to make the right call based on what you know at the time, and then just be flexible enough to adapt as you need to in the future. ■
Kelly Lum
“Institute a culture of security across your organization rather than treating it like ‘somebody else’s problem.’ ”
Twitter: @aloria
Kelly Lum has “officially” worked in information security since 2003 and is currently a security engineer at Spotify—where she brings more than a decade’s worth of application and network security experience from the financial and government sectors to the startup space. Additionally, she teaches application security as an adjunct professor at NYU.
If there is one myth that you could debunk in cybersecurity, what would it be?
One thing that I have observed is that there is still this preconception that InfoSec is some sort of mystical art that can be done only by the rare, chosen few. It isn’t just nontechnical people, either. I’ve walked intimidated developers and students through proofs of concept (POCs), and it’s always cool to see their reaction when they get it working.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Institute a culture of security across your organization rather than treating it like “somebody else’s problem.” Security needs to start at the beginning of every project, not in the middle or at the end. Throw less money at vendor crap and more at your talent.
How is it that cybersecurity spending is increasing but breaches are still happening?
Because folks are throwing too much money at “silver-bullet” vendor crap and not enough at attracting and empowering talented employees. But seriously, security is a complicated, moving target, and getting it right requires a lot of coordination and collaboration, and a lot of organizations aren’t there yet.
Do you need a college degree or certification to be a cybersecurity professional?
Absolutely not; some of the smartest people I know in the industry got started out of high school. I believe it really all depends on your personality, career goals, and learning style. I needed the structure of a college curriculum since I tend to be disorganized and easily side-tracked. Someone who is more of a self-starter might find that kind of environment constricting.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
In the ’90s, I was a stereotypical friendless nerd who did mischievous stuff on her computer. During junior year, my university (what is now NYU Tandon) started offering the Scholarship for Service,12 and I realized I could do those kinds of things for a living.
In addition to my day job, I’m also an adjunct professor at NYU Tandon. One of the things I always tell my students is to be curious and explore things outside of your curriculum. Attend some local meetups and try to get to know some folks in the field. Participate in a capture the flag (CTF), or read through some write-ups detailing recent vulnerabilities or breaches. Not only does this impress the heck out of potential employers, but it will broaden your horizons and expose you to areas of security you may not otherwise have known about.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I’ve dabbled in a bit of everything, but I have been doing application security for most of my career. I think one of the great things about AppSec is that there are so many tools and resources out there to get your feet wet. There’s Google Gruyere, Damn Vulnerable Web App (DVWA), CrackMe challenges, and tons of CTF write-ups and walkthroughs, to name a handful of things.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
I suppose I’ll just repeat the advice I gave earlier. Try to get out there and get involved with some project, group, or conference. It will help to humanize you into something more than just bullet points on a résumé.
What qualities do you believe all highly successful cybersecurity professionals share?
Curiosity, passion, and maybe—most importantly—humility. A willingness to give back to the field as you grow in it.
What is your favorite hacker movie?
It’s not a movie, but the “Who is Max Mouse?” hacker arc of Ghostwriter. Cyberpunk Julia Stiles FTW.
What are your favorite books for motivation, personal development, or enjoyment?
I read a lot of true crime. I find detective work and forensics fascinating. Also, people leave me alone on the subway.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Use a password manager, two-factor authentication (2FA), and patch your crap.
What is a life hack that you’d like to share?
You can’t get a hangover if you don’t stop drinking.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I think my biggest mistake was falling into the misconception I described earlier. I’ve always been surrounded by incredibly smart InfoSec folks and for the longest time had insane imposter syndrome. One day, I was sitting next to one of those incredibly smart people, and he couldn’t figure out how to exploit a vulnerability he had found. I did. People tend to broadcast their successes, not the hours they spent banging their head on the desk trying to get there. When you compare yourself to other people, you’re comparing yourself to that outward image and doing yourself a disservice.
Also, one time I put an OR rather than an AND in a conditional and took down a production website for about three minutes. ■
Note
12. https://www.sfs.opm.gov/.
Tracy Z. Maleeff
“We all bring something unique to the table. Diversity of thought makes us stronger to solve complex problems.”
Twitter: @InfoSecSherpa • Website: nuzzel.com/InfoSecSherpa
Tracy Z. Maleeff is a cyber analyst in the security operations center for a global pharmaceutical company. She earned a master of library and information science degree from the University of Pittsburgh and holds undergraduate degrees from Temple University (magna cum laude) and the Pennsylvania State University.
A librarian turned information security professional, she is your guide up the mountain of information as @InfoSecSherpa on Twitter. Tracy is GIAC Security Essentials (GSEC) certified and was recognized with an Information Systems Security Association Women in Security Leadership Award in 2017. She has also presented at DEF CON’s Recon Village in addition to several Security BSides conferences. Tracy frequently presents to librarian and information professional audiences on information security and OSINT topics.
If there is one myth that you could debunk in cybersecurity, what would it be?
That only computer science majors or people with heavy tech experience can be employed in this industry. Information security professionals have a variety of backgrounds and educational experiences. We all bring something unique to the table. Diversity of thought makes us stronger to solve complex problems.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Create a culture of security that contains empathetic and FUD-free (fear, uncertainty, and doubt) end-user training. Scared or intimidated end users will not be willing to work with the security team or self-report incidents like clicking a malicious email. Periodic phishing tests will not necessarily reinforce security, but frequent interactions with empathic InfoSec professionals within an organization will keep security on the minds of end users.
How is it that cybersecurity spending is increasing but breaches are still happening?
I have to imagine that some of it is due to the inflated, fear-based pricing of these security products. I am also inclined to believe that spending money on security helps to satisfy organizations that have to answer to a board or stockholders, and the spending is proof that they are paying attention to the problem. Whether that money is well spent is a different issue. Until cybercrime becomes a less lucrative business than cyber protection, it will always win out.
Do you need a college degree or certification to be a cybersecurity professional?
This is a difficult question for me to answer. Prior to going into InfoSec, I was a librarian. In that world, the minimum degree required for most jobs is a master’s. I became accustomed to having that high bar for entry. Degrees and certifications are definitely important for people like myself who transitioned into this industry from other disciplines. People like me need to somehow prove that we have the knowledge. I wouldn’t say that degrees and certifications are necessarily requirements if the person has the correct industry knowledge and can articulate it. I believe that one of the reasons why it is so hard to find cybersecurity talent is because the traditional interviewing and résumé system doesn’t exactly fit this industry, but nobody told the human resources staff and recruiters. So, perhaps to play the hiring game, having a résumé with a degree or a certification is the way to hack that system.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I was a librarian, mostly in law firms, for 15 years. About three years ago, I read a professional development article entitled “Future-Proofing Your Career.” It made me reevaluate my goals, and I decided that I wanted to rekindle a love of tech that I never pursued in my younger years—for complicated reasons. I experimented by attending every tech meetup and workshop I could find to see if anything created a spark for me. I was introduced to the world of information security, and that spark turned into a white-hot flame within me, and I knew that I needed to make this my career change. I immersed myself in reading lots on the subject, meeting people, and attending events. I quit my library job and created my own consulting company, where I did research and social media projects with an InfoSec slant. I continued to plug away at studying and learning until an opportunity came for an interview in a security operations center. I emphasized my transferable skills and showed them my desire to learn and grow within this industry. I have now been a cyber analyst for seven months, and I wouldn’t do a thing differently.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I would say that my specialty is a combination of threat intelligence and training/awareness. I rely on my research training in librarianship for the threat intel. My experiences in past customer-facing jobs help immensely for user training and awareness.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Have good interpersonal skills in addition to creating, maintaining, and sustaining a solid professional network of people. Be able to articulate your vision or work with clarity. Set goals and be prepared to course-correct as things inevitably change.
What qualities do you believe all highly successful cybersecurity professionals share?
From what I have observed, highly successful cybersecurity professionals seem to all possess curiosity, passion, willingness to share knowledge, and a fire inside them that drives them to keep doing a job that, at times, seems like a Sisyphean task.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
The Choose Your Own Adventure series of children’s books from the 1980s. The reader was required to make choices in order to progress the story through the books. It illustrates cybersecurity challenges because the reader was presented with a situation and then had to act. Sometimes the results were positive, and sometimes they were negative. At times, the scenarios were unpredictable, and other books were more intuitive. The challenge of cybersecurity is that it presents itself with a variety of variables, unknowns, and actions to take, like these books.
What is your favorite hacker movie?
Since I’m not super-techy, I appreciate the films that explore the social engineering aspects of hacking. Catch Me If You Can is probably the gold standard of that genre. It’s worth mentioning that Amadeus is also a master class in social engineering tactics and techniques, with an amazing score and period costumes.
What are your favorite books for motivation, personal development, or enjoyment?
The Power of Unpopular: A Guide to Building Your Brand for the Audience Who Will Love You (and Why No One Else Matters) by Erika Napoletano
Bossypants by Tina Fey
The Fortune Cookie Chronicles: Adventures in the World of Chinese Food by Jennifer 8. Lee
Overall, the works of Diana Abu-Jaber, Judy Blume, F. Scott Fitzgerald, Ernest Hemingway, and Jhumpa Lahiri bring me enjoyment.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Use multifactor authentication. Periodically check your privacy and security settings on social media platforms. Make wise choices when it comes to using geotagging for posts. Regarding IoT, I advise people to be aware of what data of theirs will be used and how. Know the product you are purchasing and using. Be aware of what these devices do. You don’t want to spread FUD, but there is a way cybersecurity professionals can make people aware of the choices they are making by engaging an IoT device.
What is a life hack that you’d like to share?
Be courteous. Be respectful. Be punctual. Be confident. (As my mother used to say, “Act like you’ve been there before.”) Help others. These “hacks” help create opportunities for yourself and others. We go further together.
What is the biggest mistake you’ve ever made, and how did you recover from it?
When I was in high school, I was the business editor of the newspaper. I dropped the ball on doing the accounting and was too fearful to ask for help. I kept bringing in advertising money and paying the printer, but I didn’t keep track of anything. There was no impropriety other than me being a lousy bookkeeper. After six months, I came clean to the teacher who oversaw the newspaper and stated that I would fix the issue and then resign as the business editor. She refused to accept my resignation and gave me guidance and assistance on how to get the books back in order. My mistakes were that I didn’t ask for help to do my job since I didn’t know how and then that I let it fester for so long. I learned to speak up and ask questions without fear. It was more of a mess to clean up after six months than it would have been after a few weeks of not knowing what I was doing. It was a good lesson to learn early. ■
Andy Malone
“In my humble opinion, the greatest action an organization can take to improve its security stance is to move from a traditional defense-based methodology to one that assumes a breach has already taken place.”
Tribe of Hackers Page 23