Tribe of Hackers

by Marcus J Carey


  50

  Bruce Potter

  “If more organizations focused on doing the basics well, rather than focusing on fancy new technologies, we’d be better off.”

  Twitter: @gdead • Website: cycleoverride.org

  Bruce Potter is the CISO at Expel and founder of The Shmoo Group, and helps run ShmooCon. He has been doing cybersecurity for more than 20 years and can best be summed up as a “jack of all trades, master of none.” Bruce has dabbled in network security, wireless and mobile security, AppSec, product assessments, pentesting, and risk management—with many of his ramblings ending up as DEF CON talks over the years.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  There are myths? I think there are a lot of bare truths out there that people choose to ignore. Like the fact that while antivirus isn’t perfect, it’s still necessary. Like the fact that we’ve known how to build secure systems for 40+ years, but the economics and business motivations aren’t there to do it. Like the fact that closing the workforce gap not only needs to focus on training and professionalization, but it also needs to address advances in technology as well. Maybe the myth is “We have myths.” The reality is we’re terrible at recognizing the truth.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Do the basics. Patch, limit use of USBs, and use two-factor authentication (2FA). These are huge. If more organizations focused on doing the basics well, rather than focusing on fancy new technologies, we’d be better off.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  You can only buy the products that exist. We can’t buy secure products because our developers can’t build secure systems. So, all the later lifecycle security spending is just putting good money after bad. It’s necessary to try to hunt down adversaries, patch vulnerabilities, and do all the things we know to be “cybersecurity.” But the reality is, without more secure building blocks, we’ll keep having breaches, no matter how much we’re spending.

  Do you need a college degree or certification to be a cybersecurity professional?

  Nope. That doesn’t mean it’s not a good idea to have one, though. I struggle with the multiple ways we try to measure what people know in this space—college degrees, certs, demonstration of personal projects—they’re all fraught with danger. Undergrad degrees didn’t exist 12 years ago, so anyone over the age of 34 is unlikely to have an undergrad degree in cybersecurity. Certs are both a test of what you know as well as a hugely profitable thing for the certifying bodies. And doing things on your own time means that the industry expects you to have a totally fucked-up work-life balance. I don’t have a good answer for knowing whether a person is capable of doing their job.

  The best answer I have is, “Find someone who knows more than you, and have them interview the person.” It’s very much a per-person call as to what you know and how you’ll fit into an org. That’s hugely unsatisfying and fraught with opportunities for bias and discrimination.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got started because one semester I helped the on-campus supercomputing center track down a person who had used our VAX system to break into their Cray. The very next semester, I was almost expelled because I used the command “su” to let a friend use my shell to kill a runaway process they had created. (The supercomputer folks thought “su” could only “switch user” to root and figured I had hacked their system.) That’s when I realized security was a very nuanced area, and I wanted to learn more.

  As far as how to get started, as Nike says, “Just Do It.” I never asked permission or waited for someone to tell me what to do. I just did shit I found interesting. Turns out it was all cybersecurity related, and it all worked out. But I did very little asking when I was young. I just did what made sense to me and learned from it.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  Erm…uh…risk management these days? I’ve done a lot of stuff, and it’s hard to think I have a specialization. Really, in non-IT security roles, I think that’s important. A broad base of knowledge gives you a lot of flexibility to help your company and your customers. (IT security is different and requires domain knowledge of the tools and products in the space—very much a different animal, IMO.)

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Do what you love. Don’t feel like there’s a particular path you need to follow or a progression of skills/knowledge/jobs. At one point in my career, I went from being a pretty deep-level software security consultant—helping people build secure systems at a fundamental level—to doing security operations for service providers because I wanted to do ops for a while. Those two dots definitely aren’t connected in most “corporate ladders,” but I loved both jobs and learned a ton from both, and I could actually apply a lot of what I knew in both. When the time came to quit ops and do something else, I did so unapologetically. It was time to move on. I then did IC/DoD stuff, started my own company, sold it, did the CTO thing, and now I’m the CISO in a startup. That’s not a path, but I’ve loved it.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Heh…the willingness to say “fuck it.” To do the right thing for yourself and others, even if it’s not the easy thing. We battle people and orgs that are not trying to do the right thing. In fact, they’re trying to do the opposite. So, becoming wed to a plan or a course of action makes us unable to respond to threats, both tactically and strategically. Getting an idea, knowing it’s right, and saying “fuck it” leads to much better places.

  What is your favorite hacker movie?

  Die Hard 4. I saw that and thought, “Yeah, that could happen.”

  What are your favorite books for motivation, personal development, or enjoyment?

  Trout fishing books. Learning to tie flies and catch trout is my current “keeps me sane” hobby.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  First, realize you’re not a target. If you are a target, you know. You’re a director of an agency or a CEO or something; 99.999 percent of the time, you’re not a target. Knowing that, don’t worry about the security of your IoT device. Worry about the company providing it to you, their cloud service that feeds it, and what they’re going to do with that data. If you don’t pay them by the month, you probably can’t trust them. Don’t use it if you don’t pay for the service (looking at you, Amazon and Google). Use Apple products. Seriously. They’re hard to hack, a small part of the market, and just not attractive to mass-market attackers.

  What is a life hack that you’d like to share?

  That the term life hack isn’t really a thing. It’s just learning. Some things you learn are cooler than others, but binning knowledge into different buckets isn’t useful as a tool. You’re better off just learning what you want and not worrying if it bubbles up to the level of being a “life hack.”

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I can’t think of a lot of “big mistakes” I’ve made. I’ve made a bunch of small ones that, when added together, equaled something much larger. I think the biggest mistake you can make is not recognizing the little mistakes. Not being honest with yourself about what you’re doing and whether you’re doing the right thing. In the end, letting a million little cuts add up is just as bad as one large one…and much more likely. ■

  51

  Edward Prevost

  “Invest in educating employees. Awareness goes a long way in a world where lying and social engineering are the keys to most doors.”

  Twitter: @EdwardPrevost • Website: edwardprevost.info

  Edward Prevost started with computing at a young age when his uncle (a professor) gave him C and BASIC textbooks. Having only school computers, he mostly theorized and scribbled on paper. Fast-forward and today Edward uses his powers to help organizations stay secure in cyberspace. He also enjoys wrestling, powerlifting, soccer, RPGs (not the grenades), comics, sci-fi, epistemology, and making people laugh.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  I would want the world to know that Marcus J. Carey does indeed hack better while bearded and that sometimes, just sometimes, it's not actually China or Russia that did it.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Invest in educating employees. Awareness goes a long way in a world where lying and social engineering are the keys to most doors. This also applies to technical awareness. Encouraging, paying for, or otherwise providing employees opportunities to become more technically astute is money and time well spent.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  As the depth and breadth of complexity in computing increases, no amount of spending is going to make that stop growing. Most compromises can be reduced to basic awareness failures. As long as there is a deficit in awareness, there will continue to be a steady increase of breaches. We need a massive cultural shift in the sharing of technical information and partnering across all industries if we really want to see breaches slow down.

  “Most compromises can be reduced to basic awareness failures. As long as there is a deficit in awareness, there will continue to be a steady increase of breaches.”

  Do you need a college degree or certification to be a cybersecurity professional?

  Lulz…nope.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I was blessed to be exposed to computing at a young age whilst helping my father at the Rensselaer Polytechnic Institute (RPI). Although I had been involved in InfoSec from a young age (thanks to RPI), I began my career pursuing nursing. Then, in God's good providence, I was given an opportunity to move into application security at the very hospital I was working at.

  My advice would be to look into everything! Security is applicable in every industry and practice, and there may be one specifically that you'll find most enjoyable and rewarding over all the others. And if you're looking into InfoSec for money, stop and think. On average, one will spend more time with co-workers and working over the course of their life than with their own immediate family. Don't plop yourself into InfoSec only to be regretful or embittered later. It can be lonely, long, and monotonous.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  If I were to have a specialty, it would be the ability to tackle multiple specialties. I've spent an embarrassing number of hours looking for POP POP RET, identifying bad characters in protocol calls, reading, studying, social networking, building things that don't work and some that worked too well, and playing in my home lab. It worked for me, but it may not for you. I found these practices to be the most efficacious way for me to gain new and useful skills, both technical and interpersonal. Try things out. Feel out various pedagogical patterns, see what fits you, and then keep drinking it up.

  “Try things out. Feel out various pedagogical patterns, see what fits you, and then keep drinking it up.”

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Remember your roots, and always think rationally. There are many people along the way who will want to say they “know” you or will want to be around when you're executing on something “cool.” But you know who really “knows” you, and they'd be there regardless. Remember them; and as much as possible, keep hanging around them, because none of us gets out of this whole thing alive, and a friend is always a great thing to have.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Genuine compassion and a never-ending desire to learn. They also all seem to tolerate reading for nefariously long periods of time.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Alice in Wonderland. Creative thinking and an approach to problems that allows for unique and differing ways to solve the same problem.

  What is your favorite hacker movie?

  The Computer Wore Tennis Shoes (1969).

  What are your favorite books for motivation, personal development, or enjoyment?

  The Scriptures (66 books of the Textus Receptus) by God

  The Christian's Daily Walk by Henry Scudder

  Where the Sidewalk Ends by Shel Silverstein

  What Color Is Your Parachute? by Richard Nelson Bolles

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Don't click stuff!

  What is a life hack that you'd like to share?

  Find out what part of the day you prefer to labor. Are you a night owl, an early bird, or a daytime dog? And do what you can to facilitate working during that time.

  What is the biggest mistake you've ever made, and how did you recover from it?

  The Ninth Commandment requires us to always tell the truth… I was the security lead for a very large advertising effort taking place during a national sporting event. I had failed to secure a form for a certain type of attack. When I realized this, I quickly notified every team I could. Unfortunately, several of the attacks happened. Thankfully, secondary protections prevented serious damage. I humbly recognized my failure during the large post-event debrief and was voted to receive a prestigious award for my cross-team efforts and honesty. ■

  52

  Steve Ragan

  “Fail hard, and fail often. You’re going to mess up, and that’s okay. Just remember to learn from those failures so you don’t repeat them.”

  Twitter: @SteveD3 • Website: about.me/SteveD3

  Father. Hacker. Journalist, covering national security and information security.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  I would like to see a few myths done away with. The first is that zero-day vulnerabilities are the ultimate risk and should be one of the top focal points when developing a security program. That’s just not true. In fact, most attacks will originate via phishing, exploiting weak or improper controls, or leveraging existing (old) vulnerabilities.

  Another myth I’d like to see done away with is the concept that security should come second or that breaches are just “the cost of doing business” within an organization. Being willing to accept a data breach because you refuse to dump legacy code or apps, or have some desire to keep a few Windows NT boxes on the network, is just backward thinking.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Hands down it’s limiting access and controlling user permissions. Least privilege does more to strangle malware than any endpoint product could ever do. The problem is most organizations can’t or won’t do this because their users complain or suffer workflow issues. And even if the workflow issues are imagined, the constant stream of tickets related to admin rights drags the help desk down to the point that it’s just easier to let people have elevated access. There’s also the problem of remote workers (who usually request admin rights) and executives who will not work with anything less than administrator access.

  How is it that cybersecurity spending is increasing but breaches are still happening?

  The budgets are spent on shiny boxes and checkbox-based security solutions. It’s great to have a FireEye or CrowdStrike appliance, but if said products are not tuned or used to their full potential, they’re essentially bricks. The fact is, most security purchases require massive investments in resources (people, money, infrastructure), and once they’re purchased and installed—provided they meet expectations and/or requirements—they’re left alone. It isn’t hard to get past defenses if you have valid credentials, which are usually phished, guessed, or located in password dumps. (LinkedIn’s data breach has led to countless secondary incidents because people recycle passwords.)

  Do you need a college degree or certification to be a cybersecurity professional?

  I don’t believe so, no. While a degree or certification will help and lately does get you past the HR firewall, it’s your drive, passion, and experience that push you forward in security. Most of us working in InfoSec today started out as IT; security was something that landed in our laps, and it was sink or swim. Not to push the “get off my lawn” narrative, but when I was coming up, we didn’t have security-based classes in college, and computer science was mostly the basics.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I came into work one day and had a choice: do security or get a new job. So, I started with endpoint defenses, then moved to a firewall, and so on. I ended up in a dual role, as I ran the help desk and the security team (on paper, the security team was just me really), but it was educational.

  For those just starting out, I would say find something about security you’re passionate about and chase it. If you’re into phishing and social engineering, develop something no one has—a new awareness program or method of attack—and keep building. One other bit of advice is to fail. Fail hard, and fail often. You’re going to mess up, and that’s okay. Just remember to learn from those failures so you don’t repeat them.
