What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My two areas of concentration are penetration testing and mobile and IoT security. But as an independent researcher and startup founder, I find that, really, I specialize in everything. When I was starting out, it seemed like most of the material available was geared toward experts. I ended up writing the book I wished I’d had available to me, Penetration Testing: A Hands-On Introduction to Hacking. It assumes no prior knowledge and has helped many people breach into the industry.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Recognize that no one knows everything, and everyone is constantly learning. Everyone feels like a moron sometimes. Don’t be like me and beat yourself up about it. There are plenty of people in this industry to do it for you. Never stop learning.
What qualities do you believe all highly successful cybersecurity professionals share?
Perseverance, resilience, and arrogance. In penetration testing, in particular, you are always wrong until you are right. But once you land the shell, it’s hard to stop gloating.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
I’ll have to go with mine: Penetration Testing: A Hands-On Introduction to Hacking.
What is your favorite hacker movie?
You think I have time to watch television? Okay, sometimes I do watch, but I often wonder if doctors come home to watch House MD. I assume not, for the same reasons I don’t watch movies or TV shows about cybersecurity. So, I’ll have to go with the PBS documentary I was in, Roadtrip Nation: Life Hackers.
What are your favorite books for motivation, personal development, or enjoyment?
Wuthering Heights, Autobiography of Red, The Secret History, Infinite Jest, A Confederacy of Dunces.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
The only completely secure system is smashed, melted down, and buried. And even then, I’m not so sure. There is no silver bullet that will make things secure. People have to understand the risk and impact to make informed decisions about how they choose to use technology in our connected world.
What is a life hack that you’d like to share?
I used to work so hard and so single-mindedly that I would routinely burn myself out. After a few rounds of that, I realized something had to give. I re-engaged in my childhood sport of horseback riding. I’m still a super-driven, competitive person, so instead of a relaxing hobby, I compete for equestrian titles. Taking the time to put work aside for a few hours, focus on my riding, and bond with my horse, Tempo, allows me to focus single-mindedly on work the rest of the time.
What is the biggest mistake you’ve ever made, and how did you recover from it?
It is really hard to A/B test reality. Many things that seemed like big mistakes in the immediate aftermath have come to seem like some of the best decisions of my life so far in hindsight. ■
68
Jake Williams
“Actively acknowledge the things you won’t be proficient in and seek out experts you can call on when you need solid advice on a topic.”
Twitter: @MalwareJake • Website: www.renditioninfosec.com
InfoSec professional. Breaker of poorly written software. Incident responder. Digital defender. Business bilingual. Jake Williams treats InfoSec like the Hippocratic Oath: first do no harm. By addressing realistic risks, Jake helps businesses create secure environments that actually function. He penetration tests organizations so they can find the weak spots before an attacker does. When an attacker does find a weak spot first, Jake works with the organization to remove the attacker, assess the damage, and remediate the vulnerabilities that allowed the attacker access in the first place. Jake is also a prolific conference speaker, an instructor, and an InfoSec mentor.
If there is one myth that you could debunk in cybersecurity, what would it be?
That everyone who is a cybersecurity expert in one discipline is an expert in all disciplines. Cybersecurity is a broad topic. Nobody knows it all. For instance, I’m an expert in offensive cyber operations, forensics, and incident response. I consider my knowledge base fairly broad, but I’m not a virtualization security expert. When you’re starting out, decide what you want to specialize in and focus your studies there. Actively acknowledge the things you won’t be proficient in and seek out experts you can call on when you need solid advice on a topic.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Get users out of the local administrators group, and use a solution like LAPS to ensure that local admin passwords aren’t shared across workstations. So few organizations do this today that attackers just don’t expect it. They’ll make lots of noise trying to determine why their normal tricks aren’t working.
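A quick way to check the two controls mentioned above on a workstation. This is an added PowerShell example, not code from the book or from the interviewee; it assumes Windows 10/Server 2016 or later (for Get-LocalGroupMember), and the LAPS policy registry paths it reads are the documented ones for legacy LAPS (AdmPwd) and Windows LAPS but should be treated as assumptions to confirm in your own environment.

```powershell
# Added audit example (not from the book or its interviewees): report who sits in
# the local Administrators group and whether a LAPS policy is applied to this host.
# Assumptions: Windows 10/Server 2016+ for Get-LocalGroupMember; the policy keys
# below are the documented locations for legacy LAPS and Windows LAPS.

function Get-LocalAdminExposure {
    [CmdletBinding()]
    param(
        # Principals expected in the group; anything else is flagged for review.
        # Adjust to match your build standard (constructed defaults).
        [string[]]$Allowed = @('Administrator', 'Domain Admins')
    )

    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    $unexpected = foreach ($m in $members) {
        # Compare on the short name so DOMAIN\Domain Admins matches 'Domain Admins'.
        $short = ($m.Name -split '\\')[-1]
        if ($Allowed -notcontains $short) { $m }
    }

    # Legacy LAPS (AdmPwd GPO client-side extension) policy key and enable flag.
    $legacyKey = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'
    $legacyOn  = (Test-Path $legacyKey) -and
                 ((Get-ItemProperty -Path $legacyKey -ErrorAction SilentlyContinue).AdmPwdEnabled -eq 1)

    # Windows LAPS Group Policy key; its presence means a policy has been delivered.
    $modernKey = 'HKLM:\SOFTWARE\Microsoft\Policies\LAPS'
    $modernOn  = Test-Path $modernKey

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        UnexpectedAdmins  = @($unexpected | ForEach-Object { "$($_.ObjectClass): $($_.Name)" })
        LegacyLapsEnabled = $legacyOn
        WindowsLapsPolicy = $modernOn
        # REVIEW when extra admins exist or neither LAPS variant is in effect.
        Finding           = if ($unexpected -or -not ($legacyOn -or $modernOn)) { 'REVIEW' } else { 'OK' }
    }
}

Get-LocalAdminExposure | Format-List
```

Run it locally as an administrator, or wrap the function in Invoke-Command to collect the same object from many hosts; a host showing Finding = REVIEW either still has interactive users in Administrators or has no LAPS policy managing its built-in administrator password.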
How is it that cybersecurity spending is increasing but breaches are still happening?
This “conventional wisdom” irks me. The question is asked consistently, but completely ignores the fact that 1) more organizations are digitizing data (increasing the opportunities for breaches), and 2) attackers are getting better at their craft. We should expect more breaches to occur as attackers see more blood in the water. Also, don’t expect cybersecurity spending to eliminate breaches. That’s not how any of this works. Spending (smart spending, anyway) just makes it harder to compromise your network.
Do you need a college degree or certification to be a cybersecurity professional?
This is a contentious topic. I’ll tell you that I seek out college graduates for my business because writing and communication are key. Analysts who aren’t college educated regularly tell me that they write just as well as college-educated analysts. That may be true in some cases, but it’s not true on average. My largest costs are acquiring and training personnel. Even if you’re the exception, I’m playing the odds. Also, don’t just pay for a college degree. Every employer has universities they avoid like the plague. I won’t list them here, but you can probably guess them. As for certifications, meh. Certifications get you an interview; they won’t get you the job in most cases. Certifications are useful tools for HR to select candidates. People regularly complain that certs don’t indicate knowledge, but I ask how should HR at a Fortune 500 filter the thousands of résumés they receive?
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I came through the military and intelligence fields. Go serve your country and get your education paid for by them. But don’t assume that by itself will do it. Every year, there are hundreds and perhaps thousands of others taking the same training program you’ve taken. Do something, anything, to distinguish yourself. This goes double for anyone getting a degree in cybersecurity.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
I specialize in offensive cyber operations, forensics, and incident response. These fields are all tied together with a fundamental understanding of how operating systems and applications work (and don’t work).
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Show a passion for your craft. Passion is infectious. I’ve worked in a few industries over the years (and my consulting work has taken me to many more). One thing I’ve noted consistently is that those who are involved in InfoSec tend to be more passionate about their jobs than those in other fields. I’m not knocking other fields here, just making a point. While you may have gotten away with a humdrum, 9-to-5 attitude somewhere else, that is less likely to fly in InfoSec. If it flies at all, it won’t make you successful.
What qualities do you believe all highly successful cybersecurity professionals share?
Passion (as I mentioned earlier) and curiosity. There are so many passionate people in this field, it’s hard to stand out (in a good way) if you’re not one of them. As for curiosity, this is another critical area. Some of the best research I’ve ever done came from asking “I wonder what would happen if?” questions. Most people I know who are successful are wildly curious. Finally, I would note that without outside-of-the-box thinking, you’re unlikely to be asking the right questions, so I would focus on that as well.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
It’s the movie that hasn’t been made yet about the Equifax breach(es). I think that movie/book will detail the fact that running a vulnerability management program is way harder than people like to give credit for. I’m not excusing Equifax for failing at it, but I think the story will be one we use to illustrate the issues inherent in vulnerability management programs for a long time.
What are your favorite books for motivation, personal development, or enjoyment?
If I can give one recommendation here, it’s to read Good to Great. This book is critical if you run your own business. If you coordinate with businesspeople (MBAs), assume they’ve read the book—they almost certainly have. It will give you an immediate common talking point and make you less of an outsider. In other words, read this and you’ll have infinite social engineering opportunities. (Also, it’s a great book.)
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Everything you put on the internet is out there forever. Nuance gets lost in character limits. Be careful what you post. We do social media searches for every candidate we look at hiring. The stuff you post today will be with you forever. IoT is a place we’re not seeing as much in the way of long-term privacy impacts yet, but given time, it’s coming. Be smart about how you use IoT, and always assume someone will sell (or steal) your “private” data later.
What is the biggest mistake you’ve ever made, and how did you recover from it?
I stayed too long in a job. Constantly re-evaluate whether the job you are in is the right one for you. Just because it was when you took the job doesn’t mean that it still is now. Be smart about identifying the right time to move. Complacency will make you a rat on a sinking ship. Once I realized I had stayed too long at a job, I immediately started looking to move and took steps to find another job where I could grow professionally. Surround yourself with people you can learn from. If everyone is coming to you for knowledge and you aren’t learning from those around you, it’s probably time to make a move. ■
69
Robert Willis
“I think the biggest myth surrounding cybersecurity is that someone has to be very technical to get into a system.”
Twitter: @rej_ex • Website: www.redteam.it
Robert Willis is a security consultant at 1337 Inc. with a BS in management and certifications in IT and security from Stanford University, USAF, DHS, CompTIA, EC-Council, ELS, and various other organizations. He began his journey into programming and hacking in the late 90s on AOL. Robert is also currently enlisted in the TXSG, working in cybersecurity at Camp Mabry in Austin, Texas.
If there is one myth that you could debunk in cybersecurity, what would it be?
I think the biggest myth surrounding cybersecurity is that someone has to be very technical to get into a system. There have been studies showing that most attacks begin with a simple phishing campaign, which doesn’t require much skill.
What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?
Stay updated on patches; they’re free. While working on projects, double-check everything you do. Also, make sure your organization’s employees are properly trained to handle social engineering attempts. Humans are the weakest link.
How is it that cybersecurity spending is increasing but breaches are still happening?
Many companies (including very large organizations) don’t want to invest in protecting themselves until their lack of security becomes a financial burden they can measure after their first breach—or if it becomes so bad that even the biggest skeptic would be horrified. Companies look to meet regulatory compliance to continue doing business and avoid fines, but being compliant doesn’t make you secure.
Organizations that do take measures to secure themselves rarely have ways to verify that their security is continuously working between penetration tests and vulnerability assessments. I highly recommend breach and attack simulations for this reason.
Do you need a college degree or certification to be a cybersecurity professional?
A degree isn’t required for many IT-sector jobs. A degree or certification will get you past HR and get your foot in the door at a lot of places. I know people who don’t have a degree or a single certification who are incredible at what they do, but unless someone has a solid network of professionals who know them and their quality of work, they could lose a job opportunity to an entry-level person. Is a degree or certification needed? No. Can it help the nontechnical HR person who knows nothing about security offer you a job? Yes.
How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?
I knew at a young age that I wanted to be in cybersecurity after spending countless hours on my old, zombified PC learning everything I could about hacking, programming, and computers in general. I had my first paid cybersecurity job through the military and worked hard to be a security researcher after many years in IT-related roles.
My advice to someone pursuing a career in cybersecurity would be to meet the right people and to surround themselves with other like-minded individuals. Everyone started at square one—learn as much as you can and never give up. Don’t jump into advanced topics without laying a solid foundation to understand them fully. Don’t have an ego or overlook small details; you’ll only hurt yourself.
What is your specialty in cybersecurity, and how can others gain expertise in your specialty?
My specialty is building security programs for organizations seeking to map to compliance for regulatory or business-enablement purposes. I also do many red team/blue team activities for clients, ranging from vulnerability assessments and penetration tests to threat modeling.
What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?
Be humble, and make friends who believe in you (and make sure they are also worth believing in). Know when to ask for help, and know when to offer help to others. I’ve found that the overlap of my job also being my hobby outside of work greatly helps expand my knowledge; the more you know (and can do) plays a large part in how your employer assesses your value.
What qualities do you believe all highly successful cybersecurity professionals share?
I think the most successful people I’ve met don’t see giving up as an option. Understand that, in many cases, you can achieve what you want; you just have to find the answer. Be willing to be driven crazy while still being able to execute constructive thoughts and actions. Hardworking people can accomplish great things; accomplishing something great usually requires overcoming many difficult tasks.
What is the best book or movie that can be used to illustrate cybersecurity challenges?
Apollo 13. Many things can go wrong, but you have to keep faith and take it home by trying harder.
What is your favorite hacker movie?
I am a big fan of The Matrix and Hackers. I first saw Hackers at a young age and was excited that there was a technical “alternative” culture. I had a love for tech prior to seeing the movie, so this really helped me identify what I wanted to pursue within the field based on my personality and interests. The Matrix was released almost 20 years ago and is still one of the best movies ever made.
What are your favorite books for motivation, personal development, or enjoyment?
The Four Agreements is a book that I learned about at work, and it literally changed my life. It’s hard to be social when you’re on a computer all day; not having deep relationships with other humans can cause self-questioning like, “I hope X didn’t take what I said the wrong way.” As long as you follow the Four Agreements, you have nothing to worry about.
What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?
Nothing is secure. If you don’t want naked pictures of yourself available to individuals unknown to you, don’t take them. Also, whenever you create an account, assume that the password is going to end up in a dump somewhere after the company gets pwned. I’ve known individuals who had very embarrassing passwords that got leaked, and it horrified them. It’s just a matter of time before your credentials are out there.
What is a life hack that you’d like to share?
It takes less time to do something the right way than it does to do it the wrong way.
What is the biggest mistake you’ve ever made, and how did you recover from it?
The biggest mistake I made was going to college. I have been on my own since a very young age, so I had to put myself through school. Because of this, it took many years of struggling to get a degree. If I could do it all over again, I would have dropped out of high school, quickly earned a GED, and studied hard for certifications to get an InfoSec job much earlier in life. ■
Tribe of Hackers Page 42