Tribe of Hackers
Knowing what assets you have in your environment is really important to be able to figure out what your risk is and how to prioritize security work.
How is it that cybersecurity spending is increasing but breaches are still happening?
It’s really important to prioritize security work appropriately in accordance with your attack surface. Spending more money on generic vendor solutions may not be the right solution in a lot of cases.
Do you need a college degree or certification to be a cybersecurity professional?
I personally got my master’s degree in security because I didn’t have access to the security market after graduating with my CS undergrad. But today, with a high demand for security talent and a lot of free security resources, it’s not necessary to pursue degree programs. That said, degree programs and certifications can definitely help you get your foot in the door.
“The biggest myth I think there is in cybersecurity is that it’s this unique thing that only a handful of people who have this undefinable skill set can do, but that’s really not true.”
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I took a class in undergrad about security protocols and introductory concepts of cryptography. I loved the combination of building and breaking that existed in the security realm. I then decided to pursue further research opportunities in security for my undergrad thesis and apply for grad school in security. In the market today, I would definitely encourage all newcomers to engage with the community and learn from all their work.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I have primarily been focused on product/application security in my career. An understanding of web application security concepts is definitely a good starting point in this field. But it’s also important to build communication, collaboration, and customer service skill sets to enable your developers efficiently. In the world today, thinking about ways to scale application security is also important.
“It’s really important to prioritize security work appropriately in accordance with your attack surface.”
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Make use of all the free resources out there for self-learning to be able to demonstrate your security skill set.
What qualities do you believe all highly successful cybersecurity professionals share?
Having an enabling mind-set that helps other people (both the business and engineering stakeholders) understand and make security decisions.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I think for someone new in application security, The Tangled Web is a great read to understand how we got here in terms of web security and the internet.
What is your favorite hacker movie?
Hackers is definitely a classic.
What are your favorite books for motivation, personal development, or enjoyment?
Multipliers: How the Best Leaders Make Everyone Smarter
The Phoenix Project: A Novel about IT, DevOps, and Helping Your Business Win
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
I think the biggest thing I do for family and friends is to get them to use password managers to minimize password reuse.
“Spending more money on generic vendor solutions may not be the right solution in a lot of cases.”
What is a life hack that you’d like to share?
For me, regularly thinking through and writing down my top personal commitments helps me not overcommit and make sure I am consistently giving my best to whatever I commit to.
What is the biggest mistake you’ve ever made, and how did you recover from it?
On one of my first engagements as an associate product security engineer, I ended up taking the hard line on security and preventing a team from shipping their weekly release one Wednesday evening just because I wasn’t done finishing security testing and couldn’t “sign off.” So, I didn’t even have concrete evidence of open security issues. The engineering leaders from the team obviously ended up really upset about this. At the time, given my limited exposure to the industry, I thought I was doing the right thing in making sure I could “assure” security of the product before it shipped. The next day, my leadership found out what had happened and was very calm about it. They definitely had my back but gave me critical and direct feedback on what I did wrong. It helped me grow out of the mind-set of “only the technical things matter.” It also laid a foundation for understanding risk management, security enablement, and collaboration. ■
“An understanding of web application security concepts is definitely a good starting point in this field.”
Dug Song
“A life of meaning is to have an impact and help others. At the end of the day, we’re not going to take it with us. No one has ambitions to die rich. What is the legacy that you’re going to leave behind?”
Twitter: @dugsong • Website: www.dugsong.com
Dug Song is the cofounder and CEO of Duo Security, the leading provider of unified access security and multifactor authentication delivered through the cloud. Duo protects more than 12,000 customers globally, including Dresser-Rand, Etsy, Facebook, K-Swiss, Random House, Yelp, Zillow, Paramount Pictures, and more. Founded in Michigan, Duo has offices in Ann Arbor and Detroit, as well as growing hubs in Austin, Texas; San Mateo, California; and London. Prior to launching Duo, Dug spent seven years as founding chief security architect at Arbor Networks, protecting 80 percent of the world’s internet service providers and helping to grow the company to $120 million+ annual revenue before its acquisition by Danaher. Dug also built the first commercial network anomaly detection system, acquired by Check Point Software Technologies. Dug’s contributions to the security community include popular projects on open source security, distributed file systems, and operating systems, as well as co-founding the USENIX Workshop on Offensive Technologies.
If there is one myth that you could debunk in cybersecurity, what would it be?
That security is so hopelessly complex. Unfortunately, the security industry tends to admire threats and problems as much as actually solving them. You find that folks focus on the wrong things; most security conferences are really sensationalistic with all the stunt hacking and hype. In reality, when you look at how most organizations fail at security, it’s always from the same fundamental and basic things that were highly preventable. There are always fancy zero-day attacks, zero-day threats, and super-capable nation-state attackers, but that’s not what most security actually is, or where the real problems are. With Duo, we’ve begun to help change the perception that security is hopelessly complicated.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Hygiene. Since we focus on the wrong things like the “super-sexy attacks,” we end up in a situation where we basically fail at the fundamentals. We overlook the most basic things we should be doing, and we end up doing dentistry via root canal. There’s been other organizations that have taken a stab at coming up with a very basic security program, for instance, critical point controls. But looking at the organization, do you have a security program? The quality of that stuff is pretty simple.
There’s actually a tweet from Alex Stamos (@alexstamos), former CISO of Facebook, where he summarizes pretty well all the things a company should do. It starts with reducing your attack scope by putting everything you need to protect behind single sign-on. Then comes defending that with systems like Duo to understand who your users are, making sure you have a full inventory of all the devices used in your environment and that they’re updated and safe, as well as awareness of what’s happening in your environment and the ability to audit that activity. Lastly, add some controls to understand what to do when things go wrong.[16]
How is it that cybersecurity spending is increasing but breaches are still happening?
Most security products don’t actually protect organizations from the threats they face. In security, a vendor can make money by selling you a box that sits there and does nothing, and the vendor will say, “See? You’re more secure; nothing’s happening.” And the customer will say, “Well, geez, nothing was happening before I bought this dumb box.” The reality is, security is a lemon market where people don’t or can’t understand the effectiveness of the tools and products they buy.
Breaches are definitely still happening, and they’re escalating because of the digital transformation of businesses—every organization is bringing their ecosystem into the world. Everybody has a lot more of their customers’ data than they ever did. That concentrated risk of data loss is something that’s driving it on one side. But on the other side, computing is getting much safer. The consumer IT products we use today are much safer than they ever were and much more capable.
Consider an iPhone. The iPhone is about the safest computing platform out there today. There is no antivirus market for the iPhone, and there never will be; Apple makes sure of that. It’s kind of the “Holy Grail” of trusted computing. This exists now today not only for iOS devices, but Android devices and even Chromebooks. It’s amazing to me to think that the nation’s schoolkids are in safer computing environments than most businesses. Safer options do exist now; we just have to be able to recognize that and make better choices about what we use.
Another aspect is security never kept up with the consumerization of IT. It used to be that almost all great technology was developed first by the government, then it would go to business, and finally it would get to consumers. Today, it’s exactly the opposite. My 8-year-old kid has an iPad before anyone at my office does, before the government allows them to be used. This inversion of control means that every user is basically a CIO, and if I don’t like your security program—and if I don’t want to jump through the corporate firewall and the corporate VPN to get to the corporate file server to share a file with a colleague—I’m just going to use Dropbox. Organizations have very little real ability to tell people what to do anymore. They have to design security IT workflows that people actually want to adopt.
The other piece driving this is that every enterprise today is an ecosystem. The internet has not only hyper-connected all of us individually, but all of our business as well. You look at any modern organization and it’s an ecosystem of partners and contractors and vendors, and the degree of third-party risk for all of our organizations in a hyper-connected world is much greater than it used to be, and that’s why you see all these breaches happen that way. Someone gets hacked as sort of a second-order effect of another organization getting breached. That exposed attack surface of users and devices—and all the data applications that have left the four walls of your building—that’s been a wonderful thing for productivity and users in terms of a better experience, but I think security has just failed to keep up. Security still thinks it can enforce unnatural behaviors on people, and that’s just not possible anymore. You used to have to put an agent on an endpoint to keep it from running the wrong software, but now all that stuff is evolving. There are app stores that prevent bad software from getting on my device. There’s a natural segmentation within the cloud: salespeople can only go to Salesforce, HR people go to Workday. There’s no crossing of streams within a single shared environment anymore.
Computing has gotten much safer, but insecurity today exists at the intersection of people and technology. Hackers have that figured out. Today, they don’t go after systems anymore; they go after people.
Do you need a college degree or certification to be a cybersecurity professional?
Hell, no. For instance, at Duo, I would say only 20 percent of our people have prior experience in security, and everybody else comes from a whole bunch of different backgrounds. Even outside of our security team, we have just as large a design team, and our design team also has user research as a function. This team is led by a former journalist, who actually spends their time conducting hundreds of user interviews so we can understand our users’ experiences living with security every day. We have to solve for their needs.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I’m not a good example, unfortunately, because I grew up in a very different time and age when we just didn’t have access to the things we needed to learn. You learned how to do things in an environment that you didn’t have legitimate access to. Today is very different; you have computers everywhere. The barriers are extremely low. In fact, both of my kids, a 12-year-old boy and an 8-year-old daughter, have their own Raspberry Pis. They both have been doing programming since they were very little, and not because I’m pushing them, but because their friends are programming and their schools are teaching them. I’m excited that the joy of creation in technology is becoming much more mainstream. It’s not just computers; it’s “making” as a culture. I’m happy to see science, technology, engineering, math, and also the arts intersecting much more from an early education perspective than they had before. I have great hope there will be many more folks who will have the skill sets and the mind-sets for this kind of work in the future. Right now there is a labor gap in terms of these skills today.
I got started by just messing around, and I think that’s how anybody learns anything, ever. You can sit there and have somebody tell you how to do something, but until you’ve had the joy and frustration of trying to do it on your own and make that progress yourself, you don’t really learn. For example, I love skateboarding as my primary hobby, because, one, you have a super-strong feedback loop, and two, you can’t really fool anybody. Either you are able to do something or you aren’t, and you figure it out quickly because concrete is pretty unforgiving. It’s also the kind of thing where you have no other choice but to maintain a beginner’s mind-set, which is what you have to have in security particularly. In other disciplines, you can master something over 20 years and then all of a sudden you know everything you need to know about a discipline. Security is just constantly evolving, and the landscape is shifting, because, again, security is about how things can be made to fail. That’s why I think hobbies like hacking and skateboarding are similar, because no matter how much you know or how far you get, you’re just one pebble or one zero-day exploit away from falling on your face.
My suggestion to anyone looking to get into security is to find a community to join. For me, security wasn’t about just the subject matter alone. It was the socialization of that learning as part of a community and becoming friends. I had to find those friends and network online before the internet with bulletin board systems (BBSs), X.25, etc. In this day and age, there are so many options, and that’s what’s so wonderful about the democratization of all this knowledge and access via the internet.
One of my favorite articles on this was from my friend Cory Scott, the CISO of LinkedIn. He contributed an interview to Decipher, an editorially independent news site of Duo. He talks about the four categories of security minds that he likes to hire and includes folks that he basically describes as being actuaries, like accountants.[17] In a certain respect, a lot of security is about getting the fundamentals right. How do you ensure proper hygiene? Folks who are used to building and reviewing checklists, or building reliable processes, can ensure organizational outcomes. There’s a wide variety of things to do in security, so there are many paths into it besides just what I was doing.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I’m not sure I have a specialty, and I think that’s one of the fun things about security. No matter how much you learn, there’s always something more to get into. I’ve done everything from authentication and network protocol stuff to operating systems and application security; I’ve kind of done a little bit of everything. That’s the joy in it. I also enjoy being on the people side of it, too. It’s not only security design and usability stuff, but thinking about how innovation in security actually happens from open source communities and networks, how security becomes or is introduced as a basic capability on every team, or how you create more successful and diverse security startups.
“I’m not sure I have a specialty, and I think that’s one of the fun things about security. No matter how much you learn, there’s always something more to get into.”
My interests in security persist in ways that are not strictly technical anymore; it’s more about trying to contribute to the community that I grew up in that supported me, and now I, in turn, have an obligation to help support and pay it forward. I would like to see more diversity of opinions, thoughts, ideas, experiences, and people in this industry. That’s presently what my interest and focus is in.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
I don’t think success is linear. Some people are born knowing exactly what they want to be in life, and those people scare me. I have a friend who’s a public company CEO, and he said, “I knew I was going to be a public company CEO when I was eight,” and that’s…scary. I think there are many routes to the top, and it’s not just ladder climbing. You can enter a field and find a profession and work your way up the levels; for some people, that works, but that’s not me. My interests growing up have been pretty broad—from skateboarding and graffiti to punk rock and hacking—but for me, it’s really the exploration. If you’re like me, you have the voracious appetite to experience the world from a bunch of different perspectives and incorporate that into your learning.