I’m still learning how to navigate, but I’ve definitely gotten better at decreasing the deliberation time when my gut is pointing in a different direction. And to that end, I think it’s extremely important to “re-center” yourself, whether that’s spending time with family, going to church, or crushing it at the gym. Whatever it is, I have very recently learned (within the last six months) that you have to forcefully take time to re-center yourself. That means saying, “No, I can’t take that important call right now because I have to get to the gym.” Otherwise, if you don’t take that time, even your “gut decisions” will be completely wrong. ■
54
Tony Robinson
“I had the skills necessary to apply for the positions, but it was the people I knew who introduced me to the people who were hiring.”
Twitter: @da_667
Tony Robinson is a security professional with expertise in threat intelligence, malware triage, and network security monitoring. Tony is the author of Building Virtual Machine Labs: A Hands-On Guide, as well as a course instructor for an online training course of the same name. Tony has a decade of combined experience in information technology and information security positions. When he’s not working, he can be found traveling with his wife, Rebecca, and two basset hounds, Henry and Sam.
If there is one myth that you could debunk in cybersecurity, what would it be?
There is no such thing as “unhackable.” There is only mitigation of risk, reduction of risk, and acceptance of risk. The only unhackable, 100 percent secure system is the one that is powered off.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Situational awareness. And what I mean by that is proper software and asset inventory management. Companies pay untold amounts of money to large security vendors with solutions that promise to passively collect and index both your asset and software inventory over time, but oftentimes, these solutions are extremely flawed. Keep track of what is running, where on your network it’s running, and what hardware (or cloud) it is running on. It makes patch management and vulnerability management loads easier if you have this information on hand and regularly updated.
How is it that cybersecurity spending is increasing but breaches are still happening?
Focus is being applied in all the wrong places. Companies don’t want to have to hire people to manage the balance between usability and security; they want a magic, machine-learning AI turnkey solution that they can drop in place and forget about, not realizing that this is not how cybersecurity works. Machine-learning AI turnkey solutions don’t tell you that you have RDP exposed all over your perimeter. These solutions don’t tell you that the IoT firmware you’re shipping in the latest internet-enabled device you’re bringing to market with an ancient version of the Linux kernel is a terrible idea. These solutions don’t tell you that one of your users who happened to use their company email address for registering to a service that got breached also reused their company password on this service, and the service did not hash their passwords, so the hackers who acquired those passwords are coming for your company next.
Companies would rather pay for cybersecurity insurance and just accept that breaches are inevitable rather than do anything more than the absolute minimum required to pass compliance and/or acquire said cyber insurance policy. That being said, while the bar is still low, vendor solutions are exorbitantly priced—if not for the hardware and software, then for the licensing and/or support that is mandatory for running whatever appliance or solution the business has bought into.
Do you need a college degree or certification to be a cybersecurity professional?
If you had asked me this at the beginning of my career, I would’ve told you that getting a degree is kind of pointless. There are so many hoops you have to jump through—core curriculum and electives—just to get that piece of paper, not to mention the mountains of debt. It’s a huge ask in this day and age of record-high tuition rates, combined with record-low tuition assistance and relaxed rulings on predatory loan practices. I had professors who, at the time, I thought were crazy and gave me stupid assignments. But my college experience made me more well rounded. I learned to see alternate points of view. I learned to write well-thought-out research. I learned to present an argument. I learned communication by necessity. Those communication skills are invaluable. I learned public speaking at college, and the more I talked at security conferences and the more I wrote well-thought-out blog posts, the better I got, and the more respect I was given.
Soft skills, written communication, and oral communication are extremely important with regard to cybersecurity careers. You can be the smartest security professional ever, but if you are unbearable to work with and are incapable of reading your audience to determine how you should interact with them—and/or unable to relate problems to them in a way that they understand—then you’re not going to get far. I learned how to do a lot of that in college. Most will tell you that you don’t need a degree to excel in cybersecurity, but I also want to point out that a degree and/or certifications will not hurt your chances of success either. If someone gives you a hard time because of the education you have or the certifications you’ve acquired, there’s a good chance that you dodged a bullet.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
Cybersecurity as a field of research and employment is as deep as it is wide. The best advice I can give is to experiment. There are so many more resources available than there were when I graduated nearly a decade ago. CTFs, wargame exercises, free and cheap training, conferences all over the world, and so on. Take advantage of all of those cheap and free resources. Be sure to attend conferences and build your social and/or professional network. Having that network of peers is extremely important. As your network grows and people learn of your skill and expertise in a particular cybersecurity niche, they will come to you with questions relating to your expertise. And you, in turn, can approach them with questions and/or problems that fall outside of your expertise, and you will be able to rely on their expertise to guide you. Not only that, my network of peers is what allowed me to acquire practically all of my information security positions. I had the skills necessary to apply for the positions, but it was the people I knew who introduced me to the people who were hiring.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My primary expertise is in network security monitoring (NSM). To be even more specific, I have a lot of experience when it comes to network intrusion detection and prevention systems (NIDS/NIPS). To make a long story short, these systems inspect network traffic looking for anomalies. If anomalies are found, an alert is triggered, the traffic is often logged, and an analyst is somehow notified. The analyst is then responsible for further investigating the alert(s) and determining whether they represent a problem and require further investigation and/or response (true positive). If the event was a false alarm, then the analyst determines whether the alert requires tuning or needs to be disabled. The best advice I can give for learning more about NSM, IDS, and IPS tech would be to experiment. Try out the Security Onion distro, try your hand at incident response and packet analysis exercises—like the ones available on malware-traffic-analysis.net—and familiarize yourself with the Snort, Suricata, and Bro IDS and IPS platforms.
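One way to keep the bookkeeping for the triage loop described above (analyst verdicts feeding back into keep/tune/disable decisions), as an added example that is not from the book: the alert records mimic Suricata EVE JSON, and the signature ids, hosts and the `verdict` field are constructed.

```python
"""Alert triage for a Snort/Suricata-style NIDS: keep, tune or disable.

Added example, not from the book. Records mimic Suricata EVE JSON alerts
with a hypothetical "verdict" key holding the analyst's decision. All
sample data below is constructed; signature ids and IPs are placeholders.
"""
from collections import Counter, defaultdict

# Constructed sample: one signature that only ever fired for real problems,
# one whose false positives all come from a single (constructed) scanner
# host, and one that has never caught anything real.
SAMPLE_ALERTS = [
    {"src_ip": "10.0.0.5", "alert": {"signature_id": 9000001}, "verdict": "true_positive"},
    {"src_ip": "10.0.0.6", "alert": {"signature_id": 9000001}, "verdict": "true_positive"},
    {"src_ip": "10.0.0.7", "alert": {"signature_id": 9000002}, "verdict": "false_positive"},
    {"src_ip": "10.0.0.7", "alert": {"signature_id": 9000002}, "verdict": "false_positive"},
    {"src_ip": "10.0.0.7", "alert": {"signature_id": 9000002}, "verdict": "false_positive"},
    {"src_ip": "10.0.0.8", "alert": {"signature_id": 9000002}, "verdict": "true_positive"},
    {"src_ip": "10.0.0.9", "alert": {"signature_id": 9000003}, "verdict": "false_positive"},
    {"src_ip": "10.0.0.10", "alert": {"signature_id": 9000003}, "verdict": "false_positive"},
    {"src_ip": "10.0.0.11", "alert": {"signature_id": 9000003}, "verdict": "false_positive"},
]


def triage(alerts, min_samples=3, concentration=0.8):
    """Return {signature_id: (action, suppress_line_or_None)}.

    disable: enough verdicts and not a single true positive.
    tune:    the rule has caught real problems, but its false positives are
             dominated by one source host, so suppress only that source.
    keep:    everything else (too few samples, or the noise is spread out).
    """
    tp, fp = Counter(), Counter()
    fp_by_src = defaultdict(Counter)
    for rec in alerts:
        sid = rec["alert"]["signature_id"]
        if rec["verdict"] == "true_positive":
            tp[sid] += 1
        else:
            fp[sid] += 1
            fp_by_src[sid][rec["src_ip"]] += 1

    decisions = {}
    for sid in set(tp) | set(fp):
        if tp[sid] + fp[sid] >= min_samples and tp[sid] == 0:
            decisions[sid] = ("disable", None)
            continue
        if fp[sid] >= min_samples:
            src, n = fp_by_src[sid].most_common(1)[0]
            if n / fp[sid] >= concentration:
                # Suppress syntax used by Snort/Suricata threshold.config.
                line = f"suppress gen_id 1, sig_id {sid}, track by_src, ip {src}"
                decisions[sid] = ("tune", line)
                continue
        decisions[sid] = ("keep", None)
    return decisions
```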
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
As I mentioned earlier, having a network of friends, peers, and professionals you can rely on, and who rely on you, is important. The more people who rely on you and know of your expertise, the more of a community pillar you become, and the easier it is for you to attain a career and/or be considered successful.
What qualities do you believe all highly successful cybersecurity professionals share?
As a cybersecurity professional, I find that good verbal and written communication skills are extremely important. Additionally, one should have good soft skills, such as being able to read your audience, showing empathy, and generally being willing to demonstrate not only that you are human but that you understand the other difficult aspects of running a company or organization. You need to be able to communicate risk in a way that people can understand. They need to understand why the problems you are bringing up are things that should be resolved as soon as possible.
There exists a common mantra in law enforcement and/or counterterrorism called “Follow the money.” If you follow the money, more often than not you find the bigger bad guys who are financing an operation, and your efforts usually pay off a bit more. I believe this concept also holds true for cybersecurity. You need to be able to communicate issues you find in terms of risk to mission-critical resources. For a government organization, this may be classified information or personally identifiable information (PII). For a private-sector organization, this is likely intellectual property or systems that generate revenue. If you can relate your problems in terms of the risk they pose to sensitive data or revenue generation, there is a better chance of your message being heard and acted upon.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
As old as it is, and as cliché as it might seem, Cliff Stoll’s The Cuckoo’s Egg is a classic book that illustrates a lot of the same cybersecurity issues we see today, nearly three decades later.
What is your favorite hacker movie?
I’m not really one for hacker movies, so let me pick the absolute worst hacker movie I’ve ever seen: Blackhat.
What are your favorite books for motivation, personal development, or enjoyment?
When it comes to enjoyment, I have a tendency toward fantasy. A Song of Ice and Fire and The Kingkiller Chronicle are some of my favorites. When it comes to professional development, I prefer books published by No Starch Press. They are wonderful reference books to have on hand.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Resist the Internet of Things as much as you can. Not everything in your home requires an internet connection.
What is the biggest mistake you’ve ever made, and how did you recover from it?
One time, I violated company policy at a former employer. This misinterpretation of the company rules cost me my job. The same day I was officially let go, I had dozens of job offers lined up, and it was thanks to my network of peers connecting me with opportunities quickly. This is why I say it’s extremely important to have a good network of peers who rely on you and know you by deed and reputation. The effort you put into helping others always finds a way to come back to you. ■
55
David Rook
“If you don’t work for a company that supports a good work-life balance, find another company to work for.”
Twitter: @davidrook • Website: securityleadership.ninja
David Rook is the European security lead at Riot Games. He has worked in technology for 18 years and in the information security space full-time since 2006. Before moving into the computer games industry, David held various application security roles in the financial services industry. He has presented at leading information security conferences, including DEF CON and RSA.
If there is one myth that you could debunk in cybersecurity, what would it be?
The perception that cybersecurity is an incredibly difficult technical problem. Most of the issues we want to prevent often require very low-tech solutions, or the control needed is simple. The hard part comes in changing the behavior of people and the company culture.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Based on what I’ve seen work in my time in cybersecurity, I’d say my top four would be:
Reduce the access employees have to the minimum needed, and implement multifactor authentication everywhere you can.
Implement solid patch management.
Provide a password manager license (and training!) for your employees.
Speak to people and teams. Make yourself and your team approachable and open to collaboration.
How is it that cybersecurity spending is increasing but breaches are still happening?
I feel this one is quite simple. It’s accurate to say spending is increasing, but I feel most companies spend in the wrong places. For example, I could count on one hand the number of tools and services I think are really impactful and game-changing in the application security world. I don’t think many in cybersecurity would argue with me if I said most products and services we buy really aren’t that useful. They don’t stop the threats we really worry about, and they do almost nothing to change the behaviors of people, which is the root cause of most issues.
Do you need a college degree or certification to be a cybersecurity professional?
My short answer to this question, as someone who didn’t go to college or university, is no; but I could be biased. The longer answer is still no, but having a bachelor’s, master’s, or even a PhD can of course be beneficial. I think if you want to land your first cybersecurity job in a large tech company like Google, then a degree is very likely a requirement.
If you don’t have the option of getting a degree or, like me, had no interest in going to college or university, you need to think about how to make yourself stand out. When I’m hiring, I don’t view standing out as proving you know X, Y, and Z, but I do want to see a demonstration of your passion for security. If you’re a developer wanting to move into application security, as an example, I’m going to look for blog posts on this topic, maybe application security–related projects in your GitHub, and potentially things like contributing to open source security tool projects. To be clear, I expect to see this kind of thing from every candidate, but I feel if you don’t have a degree, it’s vital you do this.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I had already been working in various IT roles, from basic support to IT manager, between the ages of 16 and 21. I initially worked in a warehouse loading large tubs of glue onto vans when I was 16. Then later, in the IT manager role, I started to ask questions about the security of our infrastructure, account security, password policies, and so on. That led me down the rabbit hole that is cybersecurity! I read everything I could get my hands on and leveled up the security of the company I worked for. I also did a few security certifications (look away now, those of you who feel certifications are useless), but having a CISSP helped me get my first cybersecurity job interview. That turned into my first full-time cybersecurity role in 2006, which focused on infrastructure and network security.
My move into application security was partially because of my inquisitive nature and partly by accident. The company I joined started to realize application security was something they needed to focus on, and they suggested I give it a try. I tried it, loved it, and worked in that area of cybersecurity for the next 11 years!
So, my advice is this: always be on the lookout for opportunities to learn, don’t hold yourself back, and don’t be afraid to ask questions and give it your all. If possible, find a great mentor in the area you’re interested in and make the most of the advice they give you and the doors they may open.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty is application security. I’ve been working in cybersecurity since 2006 and in application security full time since 2007. I think nowadays it’s probably easier than ever to learn and practice some of the skills needed to work in application security. I would encourage anyone interested in this area to participate in bug bounties. These programs will allow you to develop the breaking skills needed in application security whilst also earning some money. If you are able to concisely explain, in a language developers understand, how to prevent these issues from occurring in the first place, you’ll really be setting yourself up for success.
You can develop those fixer/building skills in a few ways. If you submit bug bounty reports, do your research on how to fix the issue you’ve found. As someone who has run a public bounty program, I can tell you people appreciate guidance on how to fix the issue you’ve found. Being able to code is also a huge help for anyone working in this field. The team I built at Riot spends a large chunk of its time writing software that helps developers produce secure products. If you can code, you should learn how to write secure code and fix security vulnerabilities. I’m sure pretty much any open source project would welcome you with open arms if you offered to find and fix vulnerabilities for them.
For instance, the Open Web Application Security Project (OWASP) obviously has some great resources. I love the cheat sheets in particular, and they participate in the Google Summer of Code project. If you take part in this, you’ll work with some of the leading people in application security, write code for some of the biggest open source projects in our field, and get paid for doing it.
Tribe of Hackers Page 33