Tribe of Hackers Page 39

by Marcus J Carey


  I like fantasy books. The Dresden Files series by Jim Butcher is about a private eye going after the forces of evil. I like to be devoid of reality as much as possible.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  When dealing with social media, I make sure everybody understands one important fact: nothing is as private as they want it to be. When you post, know that the person you hate the most is probably going to see it one day. Be careful when you’re private messaging because screenshots can happen. People think they’re only broadcasting to their five followers or close friends, but when it’s on the internet, it’s there for everybody to see at some point.

  For the internet in general, people need to patch. You can get firewall and antivirus and all of these things to help you, but if you really want to keep yourself protected, keep your systems patched. And not just your operating system, not just the second Tuesday of every month, but everything you own (e.g., Java, Adobe, iTunes). That will protect you more than any antivirus you ever buy.

  What is a life hack that you’d like to share?

  Showing kindness to others. It’s not social engineering if you’re genuinely nice and expect nothing. Every once in a while, people can surprise you. You never know what kind of day the person you’re talking to is having. Being nice may not help you, but it may help the next person they deal with. There have been a lot of times when I’ve been upgraded or gotten something different, not because I was social engineering but because I was being nice and they appreciated it, so they ended up doing something nice in return.

  Treat every person with respect because you never know when you’re going to need their help later on down the line.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I’ve never made a mistake that I didn’t learn from. Mistakes are valuable. They’re not always encouraged, but when they do happen, don’t shy away from them, don’t try to avoid them—face them head on and learn from them. Those are learning opportunities. There’s not one mistake I’ve made that can be deemed my “worst mistake.” I’ve accidentally robbed the wrong bank before. I’ve hurt people’s feelings before. One time, I took more credit than I should have for an engagement and didn’t talk about the full role of others. They called me out on it, I admitted it, and I rectified it. Learning from mistakes is key, and you have to own up to them. ■


  Ben Ten

  “Users are not stupid. They’re just not trained or focused on security. Users were hired to do a specific job, which rarely involves security. Users can be educated if they believe security and IT actually matter.”

  Twitter: @Ben0xA • Website: ben0xa.com

  Ben has been working in technology and development for more than 20 years. He spent 13 years doing defense in the medical industry before moving over to offense. He uses his knowledge of defense to refine his offensive skills and then uses this knowledge to equip customers with a better understanding of defensive methodologies.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That a user is stupid. Users are not stupid. They’re just not trained or focused on security. Users were hired to do a specific job, which rarely involves security. Users can be educated if they believe security and IT actually matter. Otherwise, they will do just enough to not get caught or fired.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Build your defense around detections after the initial compromise. Initial vector is not nearly as important as what an attacker does after they are in. When you build your defense with the idea that the attacker is already in, it allows you to detect attacks from rogue devices, rogue employees, or systems that have been compromised remotely. Detection is more important than deflection.

  “Build your defense around detections after the initial compromise. Initial vector is not nearly as important as what an attacker does after they are in.”

  How is it that cybersecurity spending is increasing but breaches are still happening?

  The spending is on stopping the attacks. Every time a tool claims to stop an attack, the attackers create new ways to bypass them. When we consistently focus on initial vector, we will always play the catchup game.

  Do you need a college degree or certification to be a cybersecurity professional?

  I don’t have one. I will admit, for some organizations, the degree requirement is nothing more than an HR barrier. It doesn’t mean the person knows how to be a cybersecurity professional. I know many people without one, and they are way smarter than some other people I know who have a degree. I don’t think it’s necessary to do well, but it may be necessary for some organizations.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  The company I worked for got broken into. While I had hard drive encryption, I wasn’t really into security. This caused me to become more interested, and I began volunteering at conventions like DerbyCon, BSides Chicago, and so on. As I volunteered and listened to more talks, I learned a ton. Then, in 2012, I gave my first talk at DerbyCon. I would always encourage someone to begin by volunteering. In this industry, it’s not what you know but who you know.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I have an extensive blue team background. I have developed a comprehensive Adversarial Detection & Countermeasures program for my organization that I have used at several Fortune 500 companies to detect attackers. I’ve been penetration testing for six years, but I was a defender for more than a decade before. I would say if you want to be a good cybersecurity professional, you should know both the red and the blue. Regardless of your role, knowing both sides makes you better at what you do.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  It is who you know, not what you know. People came to me to hire me. I didn’t have to seek anyone out. It was because of my involvement in the community, contribution to projects, volunteering at events, and speaking at conventions. As people know you more, they have a desire to have you on their team and to give you chances to advance within the organization. Keeping up with trainings provided by respected organizations is another way you can continue to advance in this field.

  What qualities do you believe all highly successful cybersecurity professionals share?

  The desire to learn and to take things apart. Whether it is code or a new widget, I have always wanted to know how or why something works. I think this is at the core of most of us in the security field. We have the unquenchable desire to know how something works, to see if we can make it do something else, and to see if it can be broken in any way.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Every Star Trek series out there. They have the most advanced spacecraft out there, yet people can still bypass security controls, get duped into performing a security function for an unauthorized person, get compromised and have their technology work against them, and have personnel who are untrained enough not to spot the obvious villain. Every time I watch an episode, I wonder what control would have prevented the villain from being successful.

  What is your favorite hacker movie?

  Sneakers…love that movie so much!

  What are your favorite books for motivation, personal development, or enjoyment?

  I prefer to read survival manuals that detail how to survive with no technology. It gives me a challenge to build something with what is around without using any technology and to survive.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Use it! However, there should always be a healthy level of paranoia when it comes to these things. You are allowing something to monitor you in your home. Just as you wouldn’t want a guest to watch you at all points, your IoT devices should be able to help you without invading your privacy.

  What is a life hack that you’d like to share?

  When I travel, I have to stay in hotels. Some of the hotels only have paper cups. When I try to put my toothbrush in one, it tips over. So I poke a hole in the side of the cup near the bottom. Then I slide the end of my toothbrush through the hole so it offsets the center of gravity. The toothbrush stays in the cup and doesn’t tip over.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I tried to get too much too soon when I first went out on my own. I got in way over my head with debt and was evicted from my first apartment. My credit was ruined, and I could barely afford to live as a roommate. It took years of self-discipline and saving, but eventually, I was able to regain control of my finances and have owned two homes since. I learned that it is better to wait for something and not be in debt than to get it immediately and owe something to someone else. I live beneath my means now. ■

  “I learned that it is better to wait for something and not be in debt than to get it immediately and owe something to someone else.”


  Dan Tentler

  “Every time someone makes up a new word to make a sale or calls a vulnerability assessment a pentest, they’re hurting the whole industry.”

  Twitter: @viss • Website: phobos.io

  Dan Tentler is the executive founder and offensive security practice director of the Phobos Group. Dan has an established reputation in the industry for his innovative risk surface discovery projects and numerous speaking engagements. Dan and his team have conducted unique targeted attack simulations for companies in sectors including financial, energy, manufacturing and industrials, and various platform service providers. Dan routinely appears in the press to speak on new security risks and security industry development.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That compliance in any way helps companies be secure. One of the biggest problems we face as community members embedded in the industry is the perpetual stream of bogus information that comes from the news, charlatans, companies with “eager sales and marketing departments,” and other sources of information that are patently false, or otherwise purposely skewing information and reports. People misuse technical jargon all the time, and the topic we should really be concerned with is that companies will often do this on purpose to try to make sales, or salaciously solicit the media to get their name in the news. Every time someone makes up a new word to make a sale or calls a vulnerability assessment a pentest, they’re hurting the whole industry.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Examining their own perimeter, even with a rudimentary skill set. Many orgs simply ignore security outright and focus almost solely on compliance. It literally translates to “They’re putting in zero effort.” They do the paperwork dance to keep the auditors away, and they make that circus sideshow of smoke and mirrors so elaborate, so huge, that it takes a whole department of people to produce all of this self-referential documentation to occupy regulators and auditors. If they actually did some kind of security instead of completely ignoring it, it would make staggering, mammoth improvements—even just having an inventory of their equipment and Nmapping it from time to time.
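As an added example (not from the book or from either interviewee), here is a small script that turns "keep an inventory and Nmap it from time to time" into a repeatable check: it parses two snapshots in nmap's grepable (-oG) output format and reports hosts and open ports that appeared or disappeared between scans. The two snapshots are constructed sample lines using TEST-NET addresses with placeholder hostnames, not real scan output.

```python
"""Diff two nmap -oG (grepable) inventory snapshots of your own perimeter.

Added example, not the book's or the interviewee's code. The snapshots
below are constructed sample lines in nmap's grepable format.
"""
import re

# Constructed sample: last month's scan of an owned range (TEST-NET addresses).
BASELINE = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)
Host: 192.0.2.20 (mail.example.test)\tPorts: 25/open/tcp//smtp///, 587/open/tcp//submission///\tIgnored State: filtered (998)
"""

# Constructed sample: this month's scan. A host nobody inventoried has appeared,
# the web server grew an extra listener, and mail dropped one.
CURRENT = """\
# Nmap 7.80 scan initiated (constructed sample)
Host: 192.0.2.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 8080/open/tcp//http-proxy///\tIgnored State: closed (997)
Host: 192.0.2.20 (mail.example.test)\tPorts: 25/open/tcp//smtp///\tIgnored State: filtered (999)
Host: 192.0.2.77 ()\tPorts: 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (999)
"""

# "Host: <ip> (<hostname>)<TAB>Ports: <entries>" up to the next tab-separated field.
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\tPorts:\s+(.*?)(?:\t|$)")


def parse_grepable(text):
    """Return {ip: {"port/proto", ...}} for the ports nmap reports as open."""
    inventory = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines, 'Status:' lines, hosts with no Ports field
        ip, _hostname, ports_field = m.groups()
        open_ports = set()
        for entry in ports_field.split(","):
            # grepable port entry: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[1] == "open":
                open_ports.add(f"{fields[0]}/{fields[2]}")
        inventory[ip] = open_ports
    return inventory


def diff_inventory(baseline, current):
    """Report hosts and open ports that appeared or disappeared between scans."""
    report = {"new_hosts": {}, "gone_hosts": {}, "new_ports": {}, "closed_ports": {}}
    for ip in current.keys() - baseline.keys():
        report["new_hosts"][ip] = sorted(current[ip])
    for ip in baseline.keys() - current.keys():
        report["gone_hosts"][ip] = sorted(baseline[ip])
    for ip in baseline.keys() & current.keys():
        added = current[ip] - baseline[ip]
        removed = baseline[ip] - current[ip]
        if added:
            report["new_ports"][ip] = sorted(added)
        if removed:
            report["closed_ports"][ip] = sorted(removed)
    return report


def perimeter_drift(baseline_text=BASELINE, current_text=CURRENT):
    """Convenience wrapper: parse both snapshots and diff them."""
    return diff_inventory(parse_grepable(baseline_text), parse_grepable(current_text))


if __name__ == "__main__":
    # Each line is something the owner should be able to explain; if they can't,
    # that is the finding.
    for kind, hosts in perimeter_drift().items():
        for ip, ports in hosts.items():
            print(f"{kind:13s} {ip:15s} {', '.join(ports)}")
```

In practice you would feed the script the saved -oG files from two dated scans of the ranges you own; the point is that the unexplained entries (here the unlisted host with 3389/tcp and the new 8080/tcp listener) are exactly what an inventory-free compliance exercise never surfaces.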

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Because orgs are happy to spend millions of dollars on “feel good” security, which consists mainly of appliances that wrap open source tools, dramatically increasing the cost for their customers. For example, many “pentest shops” simply run Nessus or Nexpose against the external perimeter of an org, charge several thousand dollars, and call that a “pentest.” Oftentimes, the org can simply buy the tool themselves and get far more value. The reason is twofold, the way I see it. First, companies see Equifax and Sony get hacked, and they get nervous and think, “I don’t want that to happen to me.” Second, these “pentest shops,” as mentioned earlier, are happy to slide into that conversation and say, “Oh, we’ve built something just for that! You should pay us for that!” and companies in many cases are happy to do so. Costs go up for literally no reason other than customer fear. Everyone loses.

  Do you need a college degree or certification to be a cybersecurity professional?

  No, flat out. I and many other professionals have established careers on our skills alone. Think about it this way: how long does it take for Q1 2018 threat intel and knowledge about bugs and techniques to percolate down to students sitting in chairs? Ten years? How good is that information 10 years later? Maybe parts of it, but certainly not all of it. Certifications tend to be a mixed bag. Many certifications are specific to hardware or equipment. CCNA/CCNP, for example, these are great certs, but only if you’re going to be spending a lot of time working with Cisco equipment on switching and routing. You want to do firewalls or wireless? Those are different certs.

  There is no “well-rounded security cert,” no matter how much people attempt to convince you otherwise. That 400-question, multiple-choice cert that asks you about barbed-wire fences and fire extinguishers? Don’t waste your money.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got started doing freelance work 10 years ago helping people with WordPress blogs and basic network and host-based security posture assessments. I was a sysadmin for 10 years before that, and the knowledge I gained from building systems and networks helped me immensely in determining where security problems were happening.

  Arguably, the best thing you can do before getting into security is getting a fundamental understanding of how systems and networks function, even at a basic level. You don’t need to be able to recite IP protocol numbers or TCP header and footer offsets or how to construct a Cisco ACL in an ASA off the top of your head, but you have to know what those things are and how they work. If you don’t know how MySQL talks to Apache in a LAMP stack for a WordPress blog, you’re not going to do very well discovering and abusing SQLi. My advice here is to go be a sysadmin or work in operations for a couple of years before going into security—it will provide immeasurably useful experience. You can’t secure a system if you don’t know how it works. You can’t hack a system effectively if you have no idea what’s going on under the hood.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I’ve landed in a sort of strange spot, where my expertise is a cow-print mask over the corpus of knowable information security knowledge. I’m personally strong in the offensive/attack martial arts, but having gone back and forth between red team and blue team my whole career, I am also aware of the defensive tools, what they are, how they operate, and when to use them. I’m not as strong in defense as I am on offense. Having spent a decade doing systems and networks, I’m a fairly handy sysadmin, and I maintain a surprisingly wide personal network involving several servers, enterprise wireless networking gear, several Cisco ASAs, VPN site-to-site links, and a small VPN service for friends and family to be used at hackercons and shady coffee shops.

  For someone else to follow in my footsteps, the best advice I can give is to go be a sysadmin for five to seven years. Learn Linux, Windows, routers, switches, networking, Wi-Fi. Learn what to do when someone is in your lobby being shady. Find out how to spot them using the Cisco WDS heatmap or the Aruba heatmap. Figure out how to examine a pcap that’s 2TB in size on consumer equipment with only a 100Mb link to the machine the pcap is on. Get stuck in weird problems, figure them out. Don’t just ask the internet. Do it yourself. With your hands. Then attack it, and watch the logs.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  I was never any good at climbing the corporate ladder because, in my experience, that means leaving your scruples and your morals on the road outside the company. Usually, climbing the corporate ladder amounts to “making your management like you enough to promote you.”

  Getting hired will vary depending on where you’re going. Big shops will want something; small shops will want something else. Coming in as a contractor, yet another variation. The best way to grapple with this mentally is to follow these steps:

  Do cool things and share them with friends. Show your work.

  No matter what branch of InfoSec you’re interested in, you can set up a GitHub account and share your scripts, tooling, code, etc.

  Having examples of “what you can do now,” regardless of what job you’re in now, is super helpful.

  Have a plan. Saying “I wanna go into security” is like saying “I wanna work with animals” or “I wanna work in government.” You need to have some idea of where you want to go.

  If you don’t know, say you don’t know.

  Learn to be resourceful. People who can “get stuff done” are the ones who get the job.

  As far as starting a company? Ask me again in a year. I’m still working on mine. I can tell you right away, though, don’t underprice yourself, and don’t charge an arm and a leg without the ability to back up why you’re charging so much. This will involve market research. Also, make sure you know how to sell whatever it is you do, services or products. You’ll have to learn the ins and outs of basic sales. If you don’t like working with people and just want to write code or do hacks, then starting a business is not for you.
