Tribe of Hackers


by Marcus J Carey


  “For those just starting out, I would say find something about security you’re passionate about and chase it.”

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  Social engineering and socially based attacks. After that, I would say my other specialty is network engineering. I would suggest reading as much as you can about human reactions and responses, what makes people tick, and how they act under pressure. There are a lot of social engineering books on the market, but I’d skip them and start with psychology and sociology first. I’ve found that those topics help me more than anything. You have to be comfortable talking to people and talking to them about anything. As for the engineering stuff, most of my training was hands-on. I learned by breaking and fixing.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Do it. Just run out there and do it. Fall flat on your face, stand up, and keep pushing. Security is hard; IT is too. But none of us working got here without learning a few lessons along the way—including some that were learned the hard way. Honestly, my successes are great, but I treasure my failures. I learned more that way. When you’re looking for a job, don’t sweat the interview. Relax and be ready to show why you deserve a spot on the team. Showcase your talents and skills, and explain how you solved a really challenging problem. Most of all, remember it isn’t bragging if you’ve done it or can do it and have proof.

  What qualities do you believe all highly successful cybersecurity professionals share?

  The ability to learn. The ability to adapt. The ability to realize they know nothing and are still students, even if they’ve got 20 years on the job.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  There have been a few movies that have come close, but I can’t really think of any. Honestly, if they were realistic, they wouldn’t be entertaining. No one wants to see someone sit at a computer for days randomly typing and hitting the Backspace key over and over.

  What is your favorite hacker movie?

  Hackers. It was awesome 20 years ago, and it’s awesome now.

  What are your favorite books for motivation, personal development, or enjoyment?

  I like reading Mack Bolan novels and Mitch Rapp novels. They’re good for long flights. Both are spy thrillers.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Limit what you share and how you share it. There is nothing wrong with having a few close friends on one platform and thousands of others on another platform. So: Facebook (close friends/family) and Twitter (everyone else). On Facebook, lock it down, keep it out of public view, and only share with the group. On Twitter, keep things basic and simple; try to avoid having deep conversations about sensitive stuff. As for Internet of Things…change your default passwords.

  What is a life hack that you’d like to share?

  Only check social media and email at the top of the hour. Make this a habit and you’ll get more done at work.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I formatted the CEO’s laptop and lost about 1.5TB of MP3s and movies when I was working the help desk. Lucky for me, she had a backup at home, so I was able to restore them. ■


  Stephen A. Ridley

  “There comes a point in every great project when you get goosebumps and have that epiphany moment. I love that feeling; I’m addicted to it.”

  Twitter: @s7ephen • Website: iot.security

  Stephen A. Ridley is a security researcher with more than 10 years of experience in software development, software security, and reverse engineering. In the last few years, he has spoken on these topics and presented his research on every continent except Antarctica. Stephen and his work have been featured on NPR and NBC, as well as in Wired, The Washington Post, Fast Company, VentureBeat, Slashdot, The Register, and other publications. Stephen has authored a number of information security articles and co-written several texts. The most recent of these is Android Hacker’s Handbook, published by John Wiley & Sons. He has guest lectured at NYU, Rensselaer Polytechnic Institute (RPI), Dartmouth, and other universities on the subject of software exploitation and reverse engineering. Stephen is on the programming/review committees of USENIX WOOT, Securing Smart Cities, and BuildItSecure.ly. He also serves on the board of IndySci.org, a California 501(c)(3) nonprofit devoted to making “open source” pharmaceuticals a reality.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  From a big-picture perspective, I think the biggest myth is more of this pervasive notion that security will eventually be “solved.” It permeates cybersecurity product marketing, and it’s ever present in the tension between internal security staff and the rest of the organization. It is always there, and try as we might, we can never eradicate this. We can, however, get “good enough.” By throwing all threats and attack types on the board and seeing where the large clusters are, we can definitely take minimal steps toward eradicating those big clusters of risk. Cybersecurity is really just a niche version of “risk and quality assurance.”

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Risk is really relative to the organization. I learned this when working as a consultant (first at Matasano and then at Xipiter). A good consultant and cybersecurity subject-matter expert, who acts as a trusted advisor to an organization, doesn’t go in with a script of remediations and techniques. Instead, he or she empathetically looks at the organization (and what people in that organization care about most) and then pulls from his or her knowledge to help build a plan to strike at the “center of mass” of those risks. One thing is true, though: the best “bang-for-the-buck” security measures (no matter what kind of organization) have one commonality—simplicity.

  For example:

  At McAfee, I developed secure coding practices for all of the company’s worldwide developers. And the best thing we did there was make it easy for devs to use secure coding practices by publishing safe libraries for them to use (Java, C, C++). We also did simple checks at the time of code commit. This killed tons of bugs.

  At Xipiter, we advised hardware/IoT companies to just use simple tamper switches that will inform you if someone has opened a device and to disable business logic in the firmware.

  At Senrio, we created a simple passive asset identification and anomaly detection network monitoring solution that helps people see all the things on their network (even things that they didn’t know were there). Asset identification isn’t a “sexy” InfoSec problem, but it is what people currently lack.

  All of these things have simplicity in common, no matter what the organization. For the standard enterprise, I would say the biggest bang for your buck is visibility. You can’t protect what you don’t know is there. Don’t assume you know how everything is interconnected and how your users are actually using resources—gather intel first. Identify assets. See how they communicate. And from there, start snipping bad practices. Visibility is key; you can’t protect what you can’t see.
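The commit-time check mentioned above is the kind of thing that is easy to automate. What follows is an added illustration, not McAfee's or Xipiter's tooling: a small pre-commit scanner that walks a unified diff and flags unbounded C string functions only on lines the commit adds, so legacy code that the change did not touch never blocks a developer. The banned-function table, the suggested replacements, the file name and the sample diff are all constructed for this example.

```python
"""Commit-time scan for banned C string functions (constructed example, not McAfee's tooling)."""
import re
from typing import List, Tuple

# Hypothetical banned list: each entry maps an unbounded libc call to the
# replacement a team's safe library would offer. Tune this to your own library.
BANNED = {
    "strcpy": "strlcpy or a bounded safe-library copy",
    "strcat": "strlcat or a bounded safe-library append",
    "sprintf": "snprintf",
    "gets": "fgets",
}

CALL_RE = re.compile(r"\b(" + "|".join(map(re.escape, BANNED)) + r")\s*\(")
HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")

Finding = Tuple[str, int, str, str]  # (path, new-file line, function, suggestion)


def scan_diff(diff: str) -> List[Finding]:
    """Walk a unified diff and report banned calls on ADDED lines only.

    Removed and context lines are ignored, so the check blocks new defects
    without failing a commit for code it did not touch.
    """
    findings: List[Finding] = []
    path = ""
    lineno = 0
    in_header = False
    for raw in diff.splitlines():
        if raw.startswith("diff "):
            in_header = True          # file header follows: index / --- / +++
            continue
        if in_header:
            if raw.startswith("+++ "):
                path = raw[4:]
                if path.startswith("b/"):
                    path = path[2:]
                in_header = False
            continue
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))  # first new-file line of this hunk
            continue
        if raw.startswith("-"):
            continue                  # removed line: has no new-file line number
        if raw.startswith("+"):
            for call in CALL_RE.finditer(raw[1:]):
                fn = call.group(1)
                findings.append((path, lineno, fn, BANNED[fn]))
        lineno += 1                   # added and context lines both advance
    return findings


def commit_is_clean(diff: str) -> bool:
    """Pre-commit entry point: True when no banned call was introduced."""
    return not scan_diff(diff)


# Constructed sample diff: one banned call is removed, another is newly introduced.
SAMPLE_DIFF = """\
diff --git a/src/auth.c b/src/auth.c
index 0000000..1111111 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -10,5 +10,7 @@ int check_user(const char *name)
 {
     char buf[64];
-    strcpy(buf, name);
+    strncpy(buf, name, sizeof buf - 1);
+    buf[sizeof buf - 1] = '\\0';
+    sprintf(log_line, "user=%s", buf);
     return validate(buf);
 }
"""

if __name__ == "__main__":
    for file_path, line, fn, fix in scan_diff(SAMPLE_DIFF):
        print(f"{file_path}:{line}: banned call {fn}() - use {fix}")
    raise SystemExit(0 if commit_is_clean(SAMPLE_DIFF) else 1)
```

In a real hook the diff would come from `git diff --cached` rather than the embedded sample, and the scanner exits non-zero to reject the commit. Note that it flags the newly added `sprintf` but not the `strcpy` the commit removes; a comment that happens to mention a banned name followed by a parenthesis would also be flagged, which is the usual trade-off of a regex check versus a compiler plugin.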

  How is it that cybersecurity spending is increasing but breaches are still happening?

  This is a great question, and I possibly have a different opinion on this. Spending is definitely being driven by awareness of “the art of the possible” growing within the organization. However, I think the breaches are “still happening,” or even happening more often, for reasons we might not think of.

  As an example, between 1988 and 1996, breast cancer rates skyrocketed. In fact, other kinds of cancer rates have increased dramatically, even within the last few years. On the surface, this paints a very gloomy picture. And, in fact, there are many predatory product companies and charitable orgs that use this in their marketing. But when you actually dive into the research, you learn that the cancer rates themselves never increased. It was the detection rates that increased. In the case of breast cancer, between 1988 and 1996, mammography had a renaissance. Computing was getting cheaper, and some of the niche tech also got dramatically cheaper, so the equipment was less expensive to operate and became more abundant. For other cancers, machine learning and image analysis techniques exploded in the early 2000s, and this dramatically increased detection rates.

  So, I offer that example to explain what I believe is happening in cybersecurity. I contend that the breaches were already happening. And the reason these incidences have seemingly increased is because our visibility into the problem has also increased.

  Do you need a college degree or certification to be a cybersecurity professional?

  I don’t believe you need a degree to be good at cybersecurity. I will, however, say that some of the best cybersecurity professionals I have met came from other well-educated technical backgrounds first (CS, mathematics, robotics, even civics). The things that are most important are drive, the ability to logic/reason your way through a challenge, and being willing to try crazy things.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  The best advice I can give to cybersecurity newcomers is “Trust your technolust.” Trust that excitement you feel when you sit down in front of a screen full of colorful text. Trust the excitement you feel when you think about networks and computing, and even future-leaning stuff like virtual reality (VR), augmented reality (AR), and artificial intelligence (AI). All of those things are your engine. They fuel your passion, and it’s your passion that’s going to make you work harder and late into the night, giving you those “eureka moments” that help you level up.

  Also, get good at reading people. You’ll waste a lot of time trying to learn from people who you’ll later discover don’t really know as much as they let on. Stay true to what it is you want to learn, and if you find someone you can learn from, latch on and drain them of everything. And then, the hardest thing…stay true to yourself. Don’t pretend to be anyone else as you learn from them. Your vision and your perspective are going to help you find your novel solutions.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  For the last few years, I have been running a product company. So, these days, I spend a lot of time in front of customers or helping people understand what we are doing and how it relates to cybersecurity. My love and passion, however, is reverse engineering/exploitation. I love building tools that do neat things. Exploits, or “software lock picks,” are probably my absolute favorite. But, in general, I love just understanding how a technology works. There comes a point in every great project when you get goosebumps and have that epiphany moment. I love that feeling; I’m addicted to it. The best way to learn is to self-teach and find others in your niche who you can learn from. And play, play, play. You have to play to learn. Set up things at home, or in a place where you can freely experiment. No matter what part of InfoSec you want to specialize in, I have found this to be the commonality.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Starting companies is overrated, I think. It’s really just something you do because you realize that it’s the only path to “creating the thing” or “doing the thing” you want to do at any appreciable scale. I don’t want to piss in anyone’s cornflakes, but I personally don’t think it’s any fun to start a business “just because.” There has to be a driver or a reason, and the company is simply the vehicle for that.

  That said, I think the most important thing in building a career in InfoSec (aside from building a reputation as someone who “knows their stuff”) is to have empathy for people. Read them, understand where they’re pointed; and if it aligns with what you want to do, fly formation with them for a bit. I think staying genuine and honest and professional is the most important thing. Then, when it’s time for you to break formation and fly solo or join a new formation, do it in a way that makes everyone feel comfortable and happy to welcome you back again.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Success is overrated. I would challenge people to look for excellence over success. Success is the end, but excellence is the journey. I try to align myself with people who have rectitude, speak honestly, and have demonstrated that they know how to intelligently navigate tough spots. I would say the rarest and most valuable gem is a person’s ability to “get it done.” There are a lot of people who just do busywork or throw a lot of smoke and glitter in the air. But if you see people executing or “doing what it takes” to get to the objective, that is really the rarest quality I have seen in people, regardless of career path. Smart people can do anything. So, if you have to filter, look for smart people who can get dropped into new environments and achieve the objective without a lot of handholding and realignment. These people are rare. And you’ll likely want to work with them for the rest of your life in some capacity or another.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Wow, there are lots of great books out there. When I was in grade school, I fell in love with William Gibson’s work. Now, as an adult, I’ve since gone back to re-read them, and they were almost unreadable. Hah! I guess my point is this: don’t necessarily look for self-help books or books in which some successful person tells you what they think. I’ve gotten the most fuel and rejuvenation from books and movies that fed my technolust. They made me dream of new technologies and ways to use technology. I think it’s that forward thinking that fuels you to improve and evolve tech instead of just “accept that this is how it is.”

  What is your favorite hacker movie?

  My favorite hacker movie…oh, man. I spent many years toiling in obscurity because, at the time, manga and anime were really the only place I could fully indulge in “techy sci-fi futurism.” I loved the now-famous Ghost in the Shell manga series (and animated 1995 movie). Roujin Z was another favorite. Patlabor, Bubblegum Crisis, Battle Angel Alita, and Memories by Katsuhiro Otomo are also amazing.

  There were some great, cheesy hacker movies like New Rose Hotel, Johnny Mnemonic, and The Lawnmower Man. Then, when I was in high school, Hackers came out. And as much as I made fun of that movie, I secretly loved it. It made me read The Cuckoo’s Egg and Three Days of the Condor and all these other books. As I neared the end of high school, The Matrix was released, and that movie just confirmed what I had spent most of my young life consuming in obscurity. I finally got to show my family what it was that I was thinking about, and watching and reading, in all these strange movies and books. The Matrix put cyberpunk in the mainstream, and after it, I had to do less explaining. And lastly, Sneakers. By far the best. And my man Branford Marsalis did the soundtrack!

  What are your favorite books for motivation, personal development, or enjoyment?

  Three books that blew my mind were Hyperspace by Michio Kaku (which I read in the latter years of high school), The Elegant Universe by Brian Greene, and Linked: The New Science of Networks by Albert-Laszlo Barabasi. These three books were like gateway drugs to thinking about life and the universe in new ways, especially that last book. More recently, as I’m getting older, the books that have really resonated with me and my career are Zero to One by Peter Thiel, Essentialism: The Disciplined Pursuit of Less by Greg McKeown, and Venture Deals by Brad Feld—and one or two others by Brad Feld that relate to business. The Black Swan by Nassim Nicholas Taleb and Blink by Malcolm Gladwell are also great recent books for me. Tragedy and Hope by Carroll Quigley is also an amazing read.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  I travel a lot internationally, and one thing that astounds me is how much American consumers really believe the marketing spin—especially as it relates to IoT and social media/online services. For example, consumers in Asia and the European Union think Americans are crazy for buying cellphones that only work with a given service provider. They just don’t stand for that. Ironically, America is where most (if not all) of this technology innovation originated, because Americans are largely the most entrepreneurial in the world, and our government fosters this in a lot of good ways.

  That said, once these products get to market, American consumers are woefully unprepared to think critically about them. They tend to suspend disbelief very easily, so it has led to a whole glut of privacy-violating online services and products (especially in IoT). The best advice is to just think critically. Why put an always-on microphone and camera in your house just because it can help you get recipes when your hands are kneading bread?

  What is a life hack that you’d like to share?

  Life hacks are so abundant these days, it’s hard to think of anything good. Maybe get an Imgur account. It lets you skim funny images in your downtime, and every few days a gallery of cool life hacks will pop up.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  The biggest mistakes I’ve ever made stemmed from not trusting my gut. I think, especially as an entrepreneur, you want to do what is best for the business, which means fully recognizing that your decisions may not be the best course of action. So, naturally you seek other opinions and more information to double-check your decision-making—or defer to someone else to make the decision. In virtually all of these cases, I have regretted the outcome or had to expend extra energy to undo the mistake.
