Tribe of Hackers
Page 24
Twitter: @AndyMalone • Website: www.AndyMalone.org
With a prestigious international career spanning 20 years, Andy Malone is not only a world-class technology instructor and consultant but also a Microsoft MVP and veteran conference speaker. He has spoken at notable events, including Microsoft Ignite, IT/Dev Connections, TechMentor–Live! 360, and the Cybercrime Security Forum. His passionate style of delivery, combined with his sense of fun, has become his winning trademark. Although his primary focus is security, Andy loves to talk about the Windows platform as well as the Exchange and Office technologies.
With knowledge dating back to the MS-DOS 2 and Windows 2.0 era, there is often an interesting story to be told. But technology never sleeps, and Andy continues to work with the Microsoft product teams to create and deliver groundbreaking material on Azure/Office 365. In 2018, Andy is scheduled to deliver content in Europe, the Middle East, and the United States. He has also just published his second book, Shadows Rising, the sequel to his award-winning sci-fi thriller The Seventh Day.
If there is one myth that you could debunk in cybersecurity, what would it be?
That hackers are shady cyber criminals who live in the shadows and do the most damage. The sad truth, however, is that, in most cases, hackers are opportunists. Often, script kiddies or malicious employees who want to be bad guys have gotten hold of a tool and thought, “Hey, I wonder what this does.” Once having tasted blood, they then expand their knowledge and arsenal to attack more tempting targets.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
In my humble opinion, the greatest action an organization can take to improve its security stance is to move from a traditional defense-based methodology to one that assumes a breach has already taken place. By assuming that the bad guy has already breached your network, the focus for the company shifts greatly toward detection and an information protection stance. For example, this includes adopting file classification, rights management, data loss prevention policies, and encryption. In principle, even if the bad guy obtains your data, it would be useless to him.
How is it that cybersecurity spending is increasing but breaches are still happening?
When I think of the technology that we use today, it reminds me of a box of Legos. TCP/IP, basic networking components, and most operating systems that are in use today are essentially the same as they were 20 years ago. So, in Lego-speak, this is essentially the green board that we build our businesses upon. Although we can add new services, security features, and functionality, in many cases, the basic flaws still exist—thus allowing an experienced hacker to easily circumvent an unpatched system or a poorly managed, weakly secured environment.
Do you need a college degree or certification to be a cybersecurity professional?
Absolutely not! However, that said, I would certainly recommend taking some form of certification exam, such as CompTIA’s excellent Security+ certification. It provides a great grounding in cybersecurity. From there, the sky’s the limit. There are a plethora of security options for you. Firstly, however, you should be aware that cybersecurity is an enormous area with many career options, and at some point, you need to pick a lane. Networking, ethical hacking, social engineering, information security, digital forensics, threat detection and response, and fraud are all possible career paths. So, have a think about what you’re good at, what drives you. Then take the step toward achieving those goals. Don’t worry about attending expensive classes, either. There is a wealth of online learning opportunities, from hands-on labs to video tutorials. You can also easily supplement your knowledge by obtaining self-paced books, free software, trial accounts, and demos to supplement your learning goals. Then, when you feel competent, simply take the exam. These are hosted through Pearson Vue or Prometric testing centers, and you can now even take a webcam-proctored exam at home in your pajamas.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
To be honest, I have to take my hat off to my brother-in-law, and the author of this book, Marcus J. Carey. His tales of cybercrime and hacking really inspired me. That was 13 years ago. Today, I train, consult, and speak on various cybersecurity topics all over the world. I’ve become a passionate advocate of good security practices.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
Cybersecurity casts a great shadow over business, and with so many career options, it’s often difficult to make a clear choice. For me, I have four favorites: digital forensics, social engineering, identity, and access. Of these, I would say that access probably takes up a lot of my time. As a Microsoft MVP in cloud and datacenter, I teach and consult a lot on Microsoft cloud technologies, including Microsoft Azure and Office 365. At the moment, identity convergence is the latest buzz phrase. With so many users still using multiple usernames and passwords, identity federation and single sign-on are a hot commodity. If this is an area of interest, then of course you can take the official Microsoft courses. But, if you, like many, have a limited budget, there is a wealth of free online materials. Take a look at the excellent Microsoft Virtual Academy (https://mva.microsoft.com/). Other great resources include YouTube and Microsoft’s excellent document repository (https://docs.microsoft.com/en-us/). And let’s not forget Microsoft’s Technical Community (https://techcommunity.microsoft.com/).
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Learn not only how to take advice but also how to take criticism. Being arrogant will never earn you friends and may possibly damage future business relationships. Like a wise man once said, never burn your bridges behind you. Learn as much as you can, and set yourself well-defined and reachable goals. Never let anyone tell you that you can’t do it. Learn how to widen your business contacts by joining networking groups, as well as learning to get the most out of social media. In terms of starting your own company, don’t be afraid of the challenge. Yes, it may be difficult, but in the end, it will be worth it. When you do finally get there, never forget the little guy—that one employee who stays late, that one guy who’s willing to go the extra mile. A good employee is like a gold bar, precious and definitely worth holding onto.
What qualities do you believe all highly successful cybersecurity professionals share?
One of my pet peeves is being called an “expert.” In my opinion, we’re all learners here. Cybersecurity, along with technology, is like the Old West, and at the moment, we’ve only just reached the frontier. It’s a never-ending journey for improvement, and it’s a constant game of chess against an adversary who is attempting to outwit you at every turn. Ultimately, though, as in the military world, you may win the odd battle, but the war rages on. So, for me, qualities would include the passion to succeed, determination, tenacity, and the drive to keep your skills updated, which sometimes can appear to be a constant and arduous struggle.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
One of the greatest fears a person can have is the loss of his or her identity. I remember seeing the thriller The Net, where Sandra Bullock plays a virus and malware researcher who, as a consequence of a discovery, suddenly finds that her identity has been compromised. In just a short time, her entire life is turned upside down by a shady organization of bad guys who are attempting to infiltrate the U.S. government with a malicious software program called the Gatekeeper. That was a great movie.
What is your favorite hacker movie?
Oh, this is an easy one for me. The 1983 Matthew Broderick classic, WarGames. It’s about a Seattle-based teenager who hacks into the War Operations Planned Response—a top-secret computer that is installed to help avoid the possibility of human error in a nuclear war. Of course, things don’t entirely go according to plan.
What are your favorite books for motivation, personal development, or enjoyment?
You know, I have to be honest here; I’ve never been one for those types of books. However, in terms of inspiring moments, this is something I can share: when I was a kid, I left school with nothing, and growing up, every Thursday, I watched an old TV show called The Paper Chase starring John Houseman. He played an old crusty professor at Harvard Law School. He was that guy you thought would be the meanest person in the world, but in the end, he was the kindest and really cared for his students. After leaving school with no qualifications, I was inspired to further my education and eventually earn a degree. I’m sure after reading this, you’ll be able to recall a moment in your life where something similar happened to you—that one person or a conversation perhaps. And if not, then use this as a model: never let anyone tell you that you can’t be what you want to be or you can’t do something. These people are basically in your way. You have to move past them and fulfill that dream.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
There’s no doubt that social media has changed our world, and I’m not convinced it’s for the better, either. You just have to lift your head up from your smartphone and realize, “Holy crap, look at that.” We’re all addicted to these damn devices. Every single one of us—on trains, airports, at work, and even in bed at night—we can’t put them down, and you have to ask why. But also, why are we so addicted to social networks?
I think it’s because we all have an innate need to be wanted, to belong to something or someone, and perhaps this is the way the future will be. I certainly hope not. So, my first piece of advice is to detox yourself and your family from social media. In terms of the Internet of Things, treat it like any other technology. Plan for it, understand how it works, investigate its weaknesses, and ultimately learn how to protect yourself, your family, and your business from any potential vulnerabilities it may have.
What is a life hack that you’d like to share?
I’m a huge Star Trek fan. I remember an episode of Star Trek: The Next Generation called “Tapestry,” in which Captain Picard is killed and encounters the character Q, played by John de Lancie. Appearing as God, Q listens to Picard’s tales of regret and agrees to give him another chance at life. So, after transporting him backward to his early days in Starfleet Academy, Picard strives to avoid making the mistakes he made in his youth. But, of course, he ends up changing so much that he actually unravels his life, and when he’s finally returned to the Enterprise, he’s no longer the captain; he’s a junior officer. Of course, it all works out in the end, but the lesson here was that, in life, you have to step forward, and you have to get noticed if you want to succeed. Otherwise, your life will simply drift. Don’t live with regret; learn from it and move on; otherwise, it will consume you.
What is the biggest mistake you’ve ever made, and how did you recover from it?
Gosh, that’s a tough question. I’ve made a few, and it depends on if you’re talking about technical mistakes or life mistakes. I guess we’re all guilty of those at some point. The biggest technical mistake I made was not to check that a backup had been performed at one of my major clients. So, of course, when I deleted their database by mistake, there was mayhem. They were crazy mad at me. It took two days and nights of hard work to get the data back. In the end, it all worked out, and you’ll be surprised to know that they are still a great customer. I can tell you after that experience, I never made that or a similar mistake again. ■
Jeffrey Man
Twitter: @MrJeffMan • Website: securityweekly.com/hosts
Jeffrey Man is a respected information security expert, advisor, evangelist, and co-host of the security podcast Security Weekly. He has more than 35 years of experience in all aspects of computer, network, and information security. Jeffrey has held various information security roles within the DoD as well as private-sector enterprises, is a former PCI QSA, and was part of the first penetration testing “red team” at the NSA.
If there is one myth that you could debunk in cybersecurity, what would it be?
If I may be philosophical for a moment, I would suggest that the biggest myth in cybersecurity is the notion of security in and of itself—that it is a state that can be achieved or to which one can be elevated. As a more practical matter but probably equally as daunting, I would say the biggest myth in cybersecurity is the notion that cybersecurity begins and ends with technology. I was doing information security (InfoSec) for years before computers—and networks—came along.
While technology is here to stay and is certainly an integral part of cybersecurity, I believe there are fundamentals to understanding this thing we call “cybersecurity” that are too often misunderstood, because the understanding and application begins with a presumption about the technology. Here’s a simple example: the notion of protecting your information assets too often revolves around all the information technologies that are employed within the enterprise, whereas I believe the information assets are far and away the information and data itself that is processed, transmitted, and stored using the information technology. In other words, we focus on the vehicle rather than the content.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Taking any steps to educate the employee population about the nature of the business—and what is considered valuable by the company in terms of its information assets—and fostering an environment where every employee understands, embraces, and buys into the notion that what they do (or don’t do) impacts the overall success of cybersecurity efforts. I’m not talking about compulsory viewing of an annual 30-minute security awareness video. I’m talking about systemic, core-value, company identity practices that change behaviors of employees—rewarding right behaviors and doing the right thing rather than turning a blind eye or creating a work culture where bad practices, or even breaking the rules, is rewarded or expected. How is this a “biggest bang-for-the-buck” activity? I believe it is the only thing left to do that hasn’t already been done or really invested in. There’s always going to be IT and IS spending, and God help the people who have to try to sort all that out in terms of the right level and focus of investment. But no amount of technology spending, ultimately, will take the place of employees understanding the goals of cybersecurity and doing their part to facilitate it in their organizations.
How is it that cybersecurity spending is increasing but breaches are still happening?
The reason breaches keep happening is because “we” believe that if we spend enough on security technology, we will fix the problem of being insecure. Innovation has created so many different ways to quickly and seamlessly share information with little to no regard (in the big picture) of how to limit or protect the “sensitive” data from falling into the wrong hands. We have bought into the notion that advances in security technologies can and are keeping up with the increased capabilities of our information-sharing technologies. But something is fundamentally broken, because too often the breaches are caused by “simple” problems—like a missing patch or a default password—that no amount of technological advancement ever seems to solve. Most of the “user” community rather blindly uses the technology with the belief that it must be secure (if they even think about security at all) or that there is so much data flying around that what they do will go unnoticed or have little to no impact.
Breaches keep happening because a) there is an economic motivation for criminals to keep attempting breaches, and b) they can accomplish enough success with little to no technical acumen (i.e., it’s not that hard).
There is a dirty little secret in our industry as well. We spend most of our time, effort, and resources (failing) to prevent the casual or opportunistic bad guy from breaching our organizations, yet do little to prevent a determined and intentional adversary who is focused on us specifically. We generally write that off to some risk assessment that is out of the bounds of our abilities and budgets. We love the increased revenues and profitability that IT provides us while not really being able to afford what it actually takes to protect the data, information, and IT resources that we so heavily rely upon to make money. It’s not cost-effective.