Tribe of Hackers


by Marcus J Carey


  TProphet began writing for 2600: The Hacker Quarterly while still in high school and authors the Telecom Informer column. He is one of a handful of individuals to have attended every DEF CON and is a cofounder of Queercon (the forefront LGBTQ organization in the InfoSec community) and the founder of the famous TeleChallenge phone-based puzzle challenge. Robert works as an information security architect.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  “Certifications are a necessary qualification.” Certifications do not make people more qualified. Some of the best people in the industry don’t have any certifications. Certifications tend to be pursued by people who are pure InfoSec rather than where InfoSec is just part of the job. Also, most certifications issued today didn’t even exist when the most senior people in the industry entered it.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Getting the basics right. Most people are compromised, even still, by malicious email attachments, phishing, and clicking dodgy things in browsers. There is also a lack of multifactor authentication and failure to patch systems. That’s actually probably one of the top things. A lot of problems can just be prevented in the first place by staying on top of patches. So many enterprises that run Windows don’t take Microsoft patches the day they’re pushed because they’re afraid there’s going to be a bad patch. In 13 years at a large Fortune 500 company, there were only two bad patches that I deployed in internal environments. And only one of those caused any disruption—once in 13 years. But, in that same time period, there were a large number of attacks that could have been prevented by patching on time.

  “Most people are compromised, even still, by malicious email attachments, phishing, and clicking dodgy things in browsers.”

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Spending is not really up, actually. In most organizations, it’s flat or even down. And this is speaking as somebody who was trying to build a startup in the information security area and sell a product; budgets are down across the board. It’s largely because security is constrained to IT budgets, which have to do more with less every year.

  But, at the same time as budgets are staying flat or even going down, at least in my view of the industry, the number of attack surfaces has dramatically increased with movement to the cloud. The number of information systems and tools is much larger than it’s been in the past because we rely on technology a lot more. And the number of devices that are being used to access information has gone up because we’re all running around with a couple of phones and a tablet in addition to a laptop or three. So, when you increase the attack surface by an exponent of 5 or 6 and you don’t spend any more on security—or even less—and you don’t change any of your existing information security practices (such as not patching on time), then it just makes your organization as a whole a lot more vulnerable.

  Not only is there way more stuff to attack than there has been in the past, there are a lot more people doing it because criminals have figured out that they can steal a lot of money by compromising information systems.

  Do you need a college degree or certification to be a cybersecurity professional?

  It depends. Do you need a certification? Well, to actually do the job, probably not. But, increasingly, it’s become a requirement for no particular reason, even though certifications usually don’t prove anything other than you spent several hundred dollars on a certification. HR departments all around the world have blindly started adding this as a checklist requirement to the point where I can’t get certain gigs because I don’t have a certification, even though I’ve been doing the work since before the related certifications even existed. So, do you need it? Probably not. Do you need it in practical terms? Maybe.

  I think college degrees are good at exposing you to a whole bunch of different ideas that are outside of the realm of experience you’re normally in. You learn a lot of stuff that’s not what your degree is in by going to college, and, more importantly, you prove that you can stick with something for four years or longer and come out on the other end of it. So, if you want to go into any kind of management role, it’s not a hard requirement, but I think that it is helpful to have in many environments.

  Also, you need to be relatable in the role that you’re in to the people you’re working with. If you’re working in an organization that is relatively well educated and you aren’t, then that’s going to be a problem for you potentially. On the other hand, if you’re on the technical side and not managing anybody, you can learn how to do that stuff in high school. You can go straight out of high school (or even drop out of high school) and do this professionally. But, you might hit a wall where your limitation in educational experience is one you can’t get beyond. That’s not true in every organization nor in every city, but certainly here in Seattle we value education highly.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I got started in high school when I started phreaking. So, I actually started on the black-hat side of things as a juvenile before I was 18. Over time, as I got more education and experience and started working on things professionally, information security became part of my job. By the time I got to a large Fortune 500 company (and was running a fairly substantial IT enterprise for them), security was a pretty big part.

  I’ve never in my career held a pure information security role. Actually, most information security workers do not hold an information security title. That’s something that’s really important to call out. It’s a relatively new thing to have a title of “cyber engineer” or “engineering security something.” It’s typically been part of an IT job, and, even now, it’s still part of an IT job in most places.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I am in a fairly unique position because I’ve worked across a large variety of disciplines in IT and software development, including research. In addition to that, I have startup experience and an MBA that I got later in my career. Where I sit is at the intersection between business and technology. I can really see technology problems through the lens of being a business problem, but not through a stupid lens because I do have technology experience. That’s one of the things that happens commonly in our industries. You have businesspeople making decisions and they don’t really understand technology at all, or the security implications of the decisions they’ve made. I’m really, really good at being able to see it across a broad spectrum.

  And my last pure information security thing was a startup where we were doing the intersection of physical and digital security, which is another area where there’s not a whole lot of overlap.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  That’s going to depend on where you’re getting hired. If you want to get hired at the Pentagon, then go do cyber-something for the Army and then get hired by a defense contractor on the back end of that to do cyber-something. Work on a cyber-y thing that is very cyber that you can’t tell anybody about. You’re going to live in a world that’s completely different from the commercial space, and you’ll probably never really have a lot of success in the commercial space because the thinking and the work are very different.

  If you want to be on the commercial side, where do you want to be? There’s also a difference between governments, I should point out. There’s civilian government, and there’s the military side of government. Those are two entirely different sets of roles. If you want to get into the civilian side of government, it’s pretty simple. They have a checklist of things you must be in order to be able to apply for that job because they have to evaluate everybody equally and score them on a scale. That’ll also be the case in pretty much any kind of public hiring, like a university, for example. They’ll have some boxes to check, and if you check enough boxes, then you qualify to be interviewed, and then they’ll pick somebody who is the most qualified based on some neutral criteria so they don’t get sued.

  In the commercial space, if you want to work in a company that isn’t a software or information security company, familiarity with the industry is helpful. For example, if you want to work in the oil industry, it’s great if you know oil field stuff, like the systems and processes they use. A lot of people grow into an information security role inside of the company from some work that they’re already doing there. That’s a very common thing. You can be in IT for something, then you just start doing more and more security stuff, and they create a security position for you because they realize they need that.

  If you want to get into consulting, it’s helpful if you have some consulting experience in general. A lot of IT security people work as consultants. The first rule of consulting is that you have to be a good consultant and also know how to do the thing you’re consulting on. It kind of goes in that order.

  Just like any other job that you’re going to find, a lot of the opportunities that are available to you come informally. Most jobs aren’t posted someplace; they’re positions that are created for someone. You’ll want to actually go out and meet the people who you’d potentially want to work with and impress them.

  And then there is starting a company. I actually teach a class at The Evergreen State College on how to start your own company, so I’d encourage people to come take that. It’s called “Startups and Entrepreneurship.” The first rule of starting your own company is figuring out who’s going to pay you to do the thing you want to do. Figure out your market. That is job #1 of an entrepreneur. We use a series of techniques called “Lean Startup,” where we do rapid iteration in what we call a “build, measure, and learn” loop. Basically, go find people who you think might pay for something, and try to get some validation that they’re actually going to pay you to do that. You do enough of those loops, and you’ll figure out how many people are buying what you’re selling and whether you can build a business around it.

  The only other thing that I would say is this: don’t rely on being able to raise outside capital. That’s what sank my last company. We needed to raise venture capital to be able to do it, and that is exceedingly difficult to do in this space. If you’re going to start a company, you might choose something that you can make money with right away, where you don’t need any outside investment.

  It gets back to these declining budgets that I talked about before. It’s a shrinking market in terms of money. It’s not a shrinking market in terms of problems, but it is in terms of money being invested. That gives venture capitalists a lot of pause in putting money into this space. It’s also more expensive than average to build an information security company because you have to hire people who are very much in demand and have very high salaries. Your costs are higher, but the amount of money being spent is lower; it’s just very tough.

  What qualities do you believe all highly successful cybersecurity professionals share?

  Intellectual curiosity. And another thing: being nice. Most jerks in this business, people who are not nice, may be really brilliant in technology, but they’ll never gain a lot of traction. There’s only so far you can go. The best people in this industry are nice people who really share and engage a lot with the community and maintain the respect of their peers.

  “Most jerks in this business, people who are not nice, may be really brilliant in technology, but they’ll never gain a lot of traction.”

  Communication skills also matter. You can point to people who are really out in front, and the common thread they all hold is that not only are they really smart technically, but they can explain what they’re doing and make things understandable. They’re just genuinely nice and they share a lot.

  Finally, they’re doing this kind of work because it’s what they love. If you come into this and you’re not intrinsically motivated, you’re not the right kind of person to be in this field.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Sneakers.

  What is your favorite hacker movie?

  Sneakers, although Hackers has better music.

  What are your favorite books for motivation, personal development, or enjoyment?

  I am a real fan of The Lean Startup by Eric Ries. If you’re entrepreneurially minded, that is probably the best book to read if you’re thinking of starting your own company.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Be careful what you click because antivirus won’t always protect you and firewalls don’t always work. Know that’s not the state of things as they should be, but that’s the state of how they are today.

  What is a life hack that you’d like to share?

  I have visited all seven continents without paying any airfare. I am very good at using miles and points to do it. You can read more about some of the hacks and tricks that I like in the travel space at www.seat31b.com.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  I thought my boyfriend loved me and moved to another continent to follow him, but he ended up dumping me. Recovering from it, I got an MBA, started two companies, and learned a lot. ■


  Georgia Weidman

  “I’d like to put to rest the idea that preventative security alone can solve all your security problems.”

  Twitter: @georgiaweidman • Website: www.georgiaweidman.com

  Georgia Weidman is a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. Her work in the field of smartphone exploitation has been featured internationally in print and on television. Georgia has presented or conducted training around the world, including venues such as the NSA, West Point, and Black Hat. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security and is a Cybersecurity Policy Fellow at New America. Georgia is also the author of Penetration Testing: A Hands-On Introduction to Hacking from No Starch Press.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  I’d like to put to rest the idea that preventative security alone can solve all your security problems. This may sound strange since that’s how most preventative security products are marketed. “Buy our panacea solution and you will never have to worry about security again!” And yet, all these enterprises with their giant security budgets are still getting breached. What’s missing? Penetration testing, vulnerability assessment, impact analysis, call it what you want; the missing piece is simply confirming that your security solutions hold up under a simulated attack and then finding the weaknesses and limiting the impact of a successful breach as much as possible. No preventative solution alone can stop sophisticated attacks.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Just do testing! It’s all too common to go to Gartner and buy all the things in the top right of all the magic quadrants, turn them on, and consider security taken care of. The security needs of each organization are unique; the risks they have are unique. You cannot fix security with preventative products alone. Testing is a necessary and often-overlooked part of security. How will a real attacker break into your organization? Will they be able to bypass your preventative solutions? (Hint: yes.)

  How is it that cybersecurity spending is increasing but breaches are still happening?

  Perhaps we are just spending our money on the wrong things. And, don’t get me wrong, I get it. As someone who runs a product-oriented startup in the security-testing business, I am constantly up against companies that claim their product fixes everything. “Put our Silver Bullet 3000™ on your network, and mobile and IoT will never be a problem again! BYOD? No Problem!” How can I compete with that when our message is “Install our product and understand what your risks around mobile and IoT are, how to fix them, and the effectiveness of the preventative security controls you have deployed in detecting and stopping attacks?” If I were the (nonsecurity expert) signer of checks, I’d buy Silver Bullet 3000 too. But Silver Bullet 3000 isn’t getting the job done.

  Do you need a college degree or certification to be a cybersecurity professional?

  Well, you might need to be certifiable, but no, you don’t need a degree to get started. It certainly helps with getting your foot in the door, though. I have a master’s degree in computer science, and all the big contractors just showed up at my school begging for people. I didn’t actually have to prove I knew anything about anything to get my first job.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  I went to college at 14 and finished in four years, so you might say that in graduate school I kind of treated it like undergrad. I joined a lot of department activities, but it was the Cyber Defense Club that really rang my bell. We played in the Mid-Atlantic Collegiate Cyber Defense Competition (MACCDC), which is basically legal torture. The students were the recently hired security staff of an organization under active attack. We had to keep our systems alive, keep the attackers out, do business injects like installing new services, and periodically get yelled at by a CEO who was really mad about these security breaches. The real goal of the red team (volunteer real hackers) was not so much to breach and destroy our systems but to make us cry and vomit. Naturally, MACCDC was a very stressful and tiring experience. But that first time I saw a popup box (it said “I like turtles”) on one of my game machines, I knew it was the red team, and I was hooked. How had they done that from another room? I knew I wanted to do that to people’s machines for the rest of my life.
