What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Be honest about what services you can and cannot provide for the customer. Be a team player and self-motivated. If you love what you do, there is an inherent level of motivation to not just be good but to become great. Also, be consistent—that illustrates dedication.
What qualities do you believe all highly successful cybersecurity professionals share?
Staying informed and dedicating time to perfecting your craft.
What is your favorite hacker movie?
WarGames. I loved this movie, and it really had me thinking about what was possible in the world of computers. (Mind you, the first time I laid hands on a computer was in the early ‘90s when we saved everything on 3.5″ floppy disks while learning DOS—I’ll leave it there.)
What are your favorite books for motivation, personal development, or enjoyment?
I don’t get a chance to read nearly as much as I would like, but the last good book I read was The Last Lecture by Randy Pausch and Jeffrey Zaslow. Randy Pausch was a professor of computer science, human-computer interaction, and design at Carnegie Mellon University, and the book details a series of topics in his lecture titled “Really Achieving Your Childhood Dreams.” A month before the lecture, he was told that his pancreatic cancer was terminal, so it became the last lecture he gave.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Not to state the obvious, but stop posting your life on social media! You don’t know who’s monitoring you. Also, update your devices and really look at the services running on them. Do you know what those apps are, who installed them, and what other apps have dependencies on them? Ask yourself if you really want it running on your device. ■
Khalil Sehnaoui
“Now there are a lot of myths that need debunking in InfoSec, but if I were to choose just one, it would be that using vendor products (antivirus, firewalls, gateways, etc.) to protect yourself, or your organization, is enough.”
Twitter: @sehnaoui
Khalil Sehnaoui is a Belgian-Lebanese information security consultant and hacker who specializes in the Middle East. He’s also the founder of Krypton Security, an InfoSec firm that helps test companies’ security strengths, weaknesses, and loopholes. Khalil is a member of the Chaos Computer Club (CCC), Europe’s largest association of hackers, and was featured in The Guardian’s video series The Power of Privacy, as well as on National Geographic in the series Breakthrough, Season 2 Episode 2, “Cyber Terror.”
If there were one myth that you could debunk in cybersecurity, what would it be?
For all intents and purposes, let’s first agree to stop using the word cyber. It holds no real meaning anymore and has been overused by the media, trying to make the internet sound scary and basically trying to wrap a complex system into a single word rather than really trying to understand it. In this particular case, we will be talking about information security, or InfoSec for short.
Now there are a lot of myths that need debunking in InfoSec, but if I were to choose just one, it would be that using vendor products (antivirus, firewalls, gateways, etc.) to protect yourself, or your organization, is enough. The correct approach to information security must include not only products, but product training, regular penetration testing, regular security assessments, user-awareness training, research, regular updates, and constant monitoring of your networks and applications, etc.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
As far as I’m concerned, that’s an easy one: awareness training. This is probably the cheapest and easiest action an organization can take, but one that will have the most positive effect on its information security posture. The weakest link in any organization is always the human element. You can have all your sophisticated products in place, but if you don’t train your users and define proper procedures, they could render all of that moot in a second.
How is it that cybersecurity spending is increasing but breaches are still happening?
Breaches will always happen. That is an immutable fact, and anyone who says the contrary—or says they have a fully secure, unbreakable network—is either idealistic or doesn’t know what they’re talking about. That being said, there are two main reasons why information security spending is increasing and why breaches are still, and always, happening. First, information security spending is nowhere near the level it should be. Most organizations still see it as a side-spending issue, if they see it at all. On a positive note, global awareness is rising throughout the world (mainly because of all the reported attacks), hence spending will rise as well; but it will still take a while to reach the level it should be at. We still see a lot of organizations that do not invest in information security because they fail to grasp the risk/reward ratio.
Second, in today’s digital and ever-evolving complex world, information security is a game of cat and mouse where, unfortunately, the attackers will always have the advantage. Vulnerabilities in existing software or hardware, as well as new attack scenarios, are discovered every day, and you cannot really defend against an attack if you don’t know where it’s going to come from. That, added to the problem of the human element being the weakest link, is a constant, and this is why breaches will always happen.
Do you need a college degree or certification to be a cybersecurity professional?
Most information security professionals I know do not hold a college degree, or at least not a degree pertaining to InfoSec. As an example, I hold a master’s degree in economics and never studied any form of information technology in school or university. So, no, you do not really need a college degree or certification to be an information security professional, and most InfoSec operators will probably tell you the same.
Also, there are no real information security degrees out there currently in most universities’ curriculums. That being said, some certifications are useful to show a future employer that one at least knows what they’re talking about, and some prospective clients will always feel safer when a company boasts a lot of certifications on their factsheets.
Finally, some certifications are mandatory for delivering certain services, like PCI-DSS certification, which is required when working with credit card processing technologies. So, depending on which spectrum of the information security landscape you decide to service, you might need to get some certification after all.
Most hackers I know could get certified easily, as their own self-taught knowledge far surpasses that which is asked by the certifying bodies.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I was always a hacker at heart. And by hacker, I mean the actual definition of the word, which, in my opinion, is not necessarily related to computers. A hacker is someone who has a natural curiosity for things, a thirst for knowledge and details, and someone who doesn’t accept things the way they are without always trying to make them better, more efficient. Leonardo Da Vinci was a hacker. Einstein was a hacker. That kid taking his new toy apart and trying to put it back together could become a hacker. I was that kid.
As I grew older, and even though I followed a curriculum not related to IT per se, I remained fascinated by computers and software and would spend most of my time learning, discovering, and delving deeper into that world. With the kind of knowledge you get with time, you come to a crossroads where you decide to use your skills either for bad or for good. I chose the latter and decided to use my experience to help protect others. But I really did not start as a professional in information security (and by professional, I mean someone who makes a living out of it) until I founded my company, Krypton Security, in 2012.
As far as advice for beginners, I would say be passionate. Let your work be your hobby, and vice versa. You can’t go wrong when you love what you do, and passion will give you that extra edge that is needed in the information security field. Go to conferences, listen to podcasts, watch videos, and, most importantly, interact with the community. The information security community is not very big, but it is a tight-knit one, and you will probably get your first InfoSec job through someone you met at a hacker gathering.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I consider myself a jack of most information security trades, though a master of none. In the business of information security, there is a gap between the way hackers and corporate management perceive things, so I would say my specialty is bridging the gap between technical operators and corporate management—translating the hacker mind-set to corporate, and vice versa, and what I like to call conducting.
I often use the analogy of an orchestra conductor: The conductor does not know how to play all the instruments in his orchestra; and if he does know how to play a few of them, he definitely does not know how to play them as well as his musicians. He chose each musician because they are one of the best at playing that specific instrument, and he knows enough to be able to detect an out-of-tune instrument or a false note. Without the conductor, the orchestra would not play in unison, and without the orchestra, the conductor would not be able to produce a symphony.
This expertise was gained through my formal training in business and economics—as well as my previous working experiences outside of information security—and my dabbling in all things information security, without really focusing or acquiring specialist skills in any one aspect of it.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Be passionate about what you do; be true to your principles; have the “hacker mind-set” (I talk about this in more detail in the next question); and, most importantly, believe in yourself. If you don’t believe in yourself, how can you expect others to believe in you?
What qualities do you believe all highly successful cybersecurity professionals share?
One quality—“the hacker mind-set”—which I would define as passion, curiosity, perseverance, generosity, and modesty.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
This is a tough one, but after some thorough thinking, I’m going to go with Catch Me If You Can, released in 2002 by director Steven Spielberg and featuring Leonardo DiCaprio and Tom Hanks. The movie is about the real life of Frank Abagnale—a now-successful security consultant who started out in the ‘60s as a social engineer, a forger, and a con man—and the FBI agent tasked with catching him. The challenges of information security are illustrated by the ever-evolving landscape that Frank had to deal with to perform his crimes, mainly the financial ones, every time needing to adapt to the new security measures by finding new exploitable vulnerabilities, and so on.
There is also the social engineering part that he mastered, where he gained his breach information by impersonating people and abusing the lack of security or verification procedures across many different industries. We finally see a resemblance to the actual InfoSec scene, as, after being caught, he was offered a job with the federal authorities.
So, in the film, we have an ever-evolving landscape where attackers have the advantage over defenders (like red teams versus blue teams), and we have social engineering as the easy but effective method of gaining information (like open source intelligence, phishing, and social-engineering attacks). Then we also have human weakness as the most vulnerable element in any security environment (with law enforcement trying to catch the attackers, and ultimately hiring them after they do, because who better to catch a thief than another thief?). All of those elements in the movie illustrate today’s information security challenges.
What is your favorite hacker movie?
My favorite hacker movie is, without a doubt and to this day, WarGames, released in 1983, directed by John Badham and featuring Matthew Broderick and John Wood. It was truly a game-changer for me and instilled the passion for all things computer that drove me all my life, and still drives me today.
What are your favorite books for motivation, personal development, or enjoyment?
For motivation, personal development, and/or enjoyment, I like to read white papers, proofs of concept, technical books, and the like. The subjects can be varied; the essential thing I’m looking for is new knowledge. So, you might see me reading a coding manual, an astrophysics book, a quantum theory white paper, or a hacking proof of concept.
One of my favorite books, though, is A Brief History of Time, published in 1988 and written by Stephen Hawking. It explains, in non-technical terms, the structure, origin, development, and eventual fate of the universe.
I also recommend PoC or GTFO by Manul Laphroaig, published in 2017. It is a collection of proofs of concept revolving around offensive security research, reverse engineering, and file formats that will delight the more technically inclined readers.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
The main issue with security in the age of smart phones, social media, and the Internet of Things—as well as our all-around connectivity—is that it is not practical. Hence, the problem. Users go for the effortless way of operating, notwithstanding the fact that it will put their personal data and privacy at risk. And yet, there are a few simple steps or actions anyone can take, without having to be versed in information security, that will allow them to at least reduce their exposure to attacks or viruses and to be safer than most users out there.
These are universal and can be applied to any of the social media accounts, applications, or personal devices out there (IoT or otherwise).
Make sure your operating systems and applications are always updated.
Make your passwords complex; you can always use a good password manager so you only have to remember one password.
Don’t use the same password for all accounts, especially for important banking or financial applications or connections.
Don’t use the same email address for everything. It’s easy to create new addresses that you use just for certain important accounts. That will limit your exposure to spam, phishing, and scam emails.
Use two-factor authentication (2FA) when available.
Don’t click suspicious links, even if the sender is in your senders list.
Don’t enter personal information on websites or pop-ups without verifying that it is legit. Always check for HTTPS.
Disable the default username and password on all devices.
Do not leave your Wi-Fi, Bluetooth, or other connection protocols active if you don’t need them.
What is a life hack that you’d like to share?
Google it! Or “search engine” it. But let’s be real, there’s no other game in town (at least not at this time). This is my advice: learn how to properly use search engines. It’s not really a life hack, I know, but people sometimes fail to realize just how much information is out there. We live in a day and age when everything about anything is available to us, just a few clicks away. Tutorials, blogs, videos, manuals, and full-fledged courses—all are available online.
Granted, sometimes we get lazy, but how hard is it to just launch a browser and look for the information you need? People will always be more dedicated to helping you out if they see you’ve made the effort to look for it yourself first.
What is the biggest mistake you’ve ever made, and how did you recover from it?
The biggest mistake I made was probably thinking I could have a happy and fulfilling life without doing what I loved. I did not have the necessary confidence in myself to believe I could succeed as an information security professional, so I sought the easy way out by just joining the family business. But I wasn’t happy, and to make a long story short, I eventually took the leap of faith and started my own company. I was blessed to have family around me—as well as the right friends and partners—to help, support, and accompany me in that adventure.
Today, I am happy with what I do, and I’m part of an amazing community of hackers I call family. I can only wish everyone who reads these lines that kind of success. ■
Astha Singhal
“For me, regularly thinking through and writing down my top personal commitments helps me not overcommit and make sure I am consistently giving my best to whatever I commit to.”
Twitter: @astha_singhal • Website: www.linkedin.com/in/singhalastha
Astha Singhal leads the application security team at Netflix that secures all the applications in Netflix’s cloud infrastructure. Prior to this, she managed the AppExchange security review on Salesforce product security. She is a security engineer by qualification who is passionate about proactive security and developer enablement. She is also an active member of the Bay Area security community as an organizer of conferences like AppSec USA and BSidesSF.
If there is one myth that you could debunk in cybersecurity, what would it be?
The biggest myth I think there is in cybersecurity is that it’s this unique thing that only a handful of people who have this undefinable skill set can do, but that’s really not true. There are so many different roles in security, and we need lots of help.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Tribe of Hackers Page 36