Tribe of Hackers

by Marcus J Carey



  Robin Wood

  “Security is a wide subject area and needs everyone from policy writers to exploit developers.”

  Twitter: @digininja • Website: digi.ninja

  Hacker, coder, climber, runner. Robin is the co-founder of the UK conference SteelCon, as well as a freelance security tester. He is the author of many tools and is always trying to learn new things.

  If there is one myth that you could debunk in cybersecurity, what would it be?

  That you have to be a hardcore techie to get into security. Security is a wide subject area and needs everyone from policy writers to exploit developers. Most people don’t know that much about their chosen area when they’re starting out, but as long as they’re prepared to learn on the job and put in the hours, they’ll soon develop the skills.

  What is one of the biggest bang-for-the-buck actions that an organization can take to improve its cybersecurity posture?

  Training their people—and not just the security team; teach all staff at least basic security skills. For example, if product QA knows that something really bad happens if they put a single quote in an input field and get a SQL error message, then you’ve got a whole department who can now pick up low-hanging fruit. Similarly, explain to normal office users what phishing is and why it’s bad, and then give them incentives to look out for it and report it. You now have your frontline acting as an intrusion detection system (IDS).
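The single-quote check described in the answer above, as an added illustration that is not part of the book or of Robin Wood's own work: a lookup built by string concatenation errors out when the input contains a quote, while the same lookup with a bound parameter treats the quote as ordinary data. The in-memory SQLite table, the user names, and the list of error-message fragments are constructed for this example; the fragments are typical wording from common database engines, not a complete catalogue.

```python
import sqlite3

# Constructed sample data for the example; not from the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn

def lookup_concat(conn, name):
    """Vulnerable form: the input is spliced into the SQL text.
    A single quote in `name` terminates the string literal early and
    breaks the statement, which is exactly what surfaces as a SQL error
    message to a tester or a QA engineer."""
    sql = f"SELECT id, name FROM users WHERE name = '{name}'"
    return [tuple(row) for row in conn.execute(sql)]

def lookup_param(conn, name):
    """Hardened form: the input is passed as a bound parameter, so the
    quote is just a character in the value and never reaches the parser."""
    sql = "SELECT id, name FROM users WHERE name = ?"
    return [tuple(row) for row in conn.execute(sql, (name,))]

def probe(lookup, conn, name):
    """Run a lookup and report ('ok', rows) or ('sql_error', message).
    The second outcome is the low-hanging fruit the answer above describes."""
    try:
        return ("ok", lookup(conn, name))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

# Illustrative fragments of database error text that should never appear in
# an application response (assumed list for this example, not exhaustive).
SQL_ERROR_FRAGMENTS = (
    "syntax error",                          # SQLite, PostgreSQL
    "unrecognized token",                    # SQLite
    "you have an error in your sql syntax",  # MySQL / MariaDB
    "unclosed quotation mark",               # Microsoft SQL Server
    "ora-00933",                             # Oracle
)

def looks_like_sql_error(text):
    """Cheap triage check a QA engineer could apply to a response body:
    does it contain the wording of a raw database error?"""
    lowered = text.lower()
    return any(fragment in lowered for fragment in SQL_ERROR_FRAGMENTS)

def demo():
    """Exercise both forms with a benign name and with a name containing a quote."""
    conn = make_db()
    return {
        "concat_benign": probe(lookup_concat, conn, "alice"),
        "concat_quote": probe(lookup_concat, conn, "O'Brien"),
        "param_benign": probe(lookup_param, conn, "alice"),
        "param_quote": probe(lookup_param, conn, "O'Brien"),
    }

if __name__ == "__main__":
    for label, (status, detail) in demo().items():
        flag = " <- raw DB error leaked" if status == "sql_error" and looks_like_sql_error(detail) else ""
        print(f"{label:14} {status:9} {detail}{flag}")
```

The concatenated version fails on "O'Brien", and the failure text matches the kind of message a tester is trained to notice; the parameterised version returns an empty result set for the same input, which is the correct, boring outcome. The same triage check also shows why application error handling should return a generic message rather than the database's own text.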

  How is it that cybersecurity spending is increasing but breaches are still happening?

  There are more people in the industry, all wanting a piece of the pie and all offering differing services that claim to solve all your problems. Good salespeople sell these as must-haves, and companies buy into the sales pitches without first addressing the fundamentals. Having perfect threat intelligence isn’t much use if you’re running a 12-month-old WordPress installation. An amazing perimeter firewall isn’t much use if the disgruntled receptionist walks out with all your sales data on a memory stick.

  Do you need a college degree or certification to be a cybersecurity professional?

  No. But depending on the type of company you’re looking to work for, it may help you get past HR. If I’m interviewing, then I’ll weigh a degree or certificate alongside other things, such as experience and general life skills, so it definitely puts some points on the scorecard, but those points can also be gained through other channels.

  How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity?

  The company I was working for had a web server hacked, and I spent 12 hours sitting with the boss going over every line of code in a complex app to try to find the vulnerability. That got me hooked, and from then on, I slowly moved sideways from development into security testing.

  The bit of advice I give to everyone is to get yourself a reputation in the community. Create a blog, be active on forums, ask questions on email lists, and go to conferences. The more active you are, the more chance you have of meeting the person who will give you your big break. None of these interactions has to be at a super-elite technical level. For the blog, write stuff up at your level, and don’t worry whether anyone will ever read it. Even if they don’t, when I interview you, I’ll read it, and it will show me that you are prepared to put the time in to learn, understand, and give back.

  On mailing lists and forums, don’t just ask questions; show your workings to get to the point of asking the question. Say what you’ve tried, what worked, what failed, and what you are trying to achieve, and, really important, feed back into any answers given. Don’t just take an answer, use it, and then drop the thread. If the answer fixed the problem, say so; same if it didn’t. And most important, say thanks. Most people who offer help will be doing it on their own time. That “thank you” shows them that their efforts were appreciated.

  What is your specialty in cybersecurity, and how can others gain expertise in your specialty?

  I mostly test web applications, and I’d recommend doing some development work before learning to test, or at least doing dev alongside it. Understanding how an application works from the inside, and being able to put yourself in the mind of the person who wrote the app, makes a big difference. You’ll know the different ways the feature could have been written, what mistakes you made when you developed something similar, and the problems you have to work around.

  Having a background in development also helps you talk to the developers during and after the test to explain your findings. You don’t just hand off a bland report and leave them to get on with the fixes; you can talk to them and explain (in terms they will understand) what each issue means.

  What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity?

  Something really important for me when I started freelancing was to have cash in the bank before I quit full-time work. It wasn’t easy, but I put enough cash aside so I could go six months without getting any work in; this way, there was no initial panic on day one. I’ve seen a few friends fail, as they didn’t have reserves. They didn’t get as much work in the first month as they expected and then ran out of cash and had to quit their dreams within three months.

  I also had a second job as a climbing instructor, where I worked evenings and weekends to bring in extra cash. It didn’t interfere with the 9-to-5(ish) client work, but it did mean that my mortgage was covered each month.

  What qualities do you believe all highly successful cybersecurity professionals share?

  The ability to get on with things when they can, learn when they need to, and ask questions when they get stuck. You have to be motivated; otherwise, you won’t progress. It’s important to learn rather than being spoon-fed everything. But realize when you get stuck or don’t have time for research. It’s okay to ask for help.

  What is the best book or movie that can be used to illustrate cybersecurity challenges?

  Kevin Mitnick has done some good books. Kingpin by Kevin Poulsen and We Are Anonymous by Parmy Olson are also good reads.

  What is your favorite hacker movie?

  Hackers followed by Sneakers and WarGames.

  What are your favorite books for motivation, personal development, or enjoyment?

  I don’t read much about IT stuff; I prefer biographies and stories from adventure-sports people. I’ve read some good books by people who have gone from not being able to run a mile or swim a length—but have put in the time and effort—and are now really enjoying their chosen sports. A lot of it mirrors good hackers; they put in their training around their normal 9-to-5 lives—squeezing in a run in the evening, a swim before work, a capture the flag (CTF) after the kids have gone to bed, or reading blog posts over breakfast.

  What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things?

  Think before you act. Is something too good to be true? If so, then it probably is. Have you spent money with Company X recently? If not, then the refund or invoice is probably a fake.

  What is a life hack that you’d like to share?

  Have hobbies outside of IT so you spend time away from the screen. I run, climb, and swim; without those, I’d be stuck in front of a screen 24/7, which really isn’t good for anyone.

  What is the biggest mistake you’ve ever made, and how did you recover from it?

  Being too reliant on one client, who then went bust, owing me quite a bit of cash. I recovered, as I had cash in the bank, but I’ve made sure to try to spread out my work much more widely since. ■

  Epilogue

  One of the mind-blowing things that Dug Song talked about was how the meaning of life is to live a meaningful life. For me, this encapsulated a lot of the things I've felt but couldn't fully express. Throughout life, we kind of feel a certain way about stuff, and then, every once in a while, someone comes along and articulates something that really resonates, condensing everything you felt into a few concise words: the meaning of life is to live a meaningful life.

  Anybody who knows me knows that I quote books all the time. There aren't a lot of books that are actually written from a cybersecurity perspective, and I wanted to create a book where the perspective is from people who have worked in the field. I'm surrounded by a lot of really smart people, and I wanted to share some of my conversations with them. I learn a lot by networking and communicating with the people in this space.

  One of the things I hope readers will understand is that some of the folks in this book are very well known, successful, and considered in high regard. I wanted to humanize them because sometimes we think our heroes aren't human. One of the questions I asked was about mistakes, which gave us the opportunity to share how we've messed up and, ultimately, reveal that we're all human.

  On Running a Company

  There are a lot of cybersecurity companies out there, and it can be hard to differentiate yourself in this field. Cybersecurity is still a relatively new area. Amazon launched EC2 in 2008, and as of the writing of this book, it's been less than 10 years since cloud infrastructure emerged. In some regards, it's a really young industry, and people are rushing to adopt the technologies without really understanding the security ramifications. There are actually a lot of products that don't work, and there are legacy concepts that no longer work. Selling cybersecurity products is a new field and a fast-paced, moving creature. So how do you keep up? How do you differentiate? I don't like to perpetuate myths; I'm a myth-buster. I like to find out what actually works, and what doesn't work, and then deliver that to customers.

  However, just like anything, some customers and industries are stuck in the past. They're trying to do stuff that was “hot” 15 or 20 years ago. Many of these things have been proven ineffective, but they somehow end up in books or taught in schools. Some companies have cybersecurity lobbyists who manage to get things to become federal regulation or standard. There are a million ways that these bad things get in, and some of them just don't work.

  It's like the medical field. Every time they come out with a new medical study, they then figure out, “Oh, snap, we were kind of wrong about that.” Every year, the cholesterol story seems to change. Same thing with whole milk versus skim milk. Cybersecurity is somewhat like this, except it's slower. So, whose advice do you trust? How do we become that trusted advisor from a business perspective? For example, people have been told for years to run an antivirus, and now there are folks saying that antivirus is dead. What do you believe? Do you believe antivirus isn't that important because there are people out there saying it isn't? Should you not run an intrusion detection system (IDS) because some people are saying IDSs are dead? That's the struggle in being a security company, right there.

  On the Future of Cybersecurity

  Back in the 1970s, mainframes were the common thing when you talked about computers. In the ’80s, big companies and government agencies were starting to use client-server systems in their organizations. Then in the ’90s, there was the dot-com boom, where technology became more of a commercial thing. Before that, the client-server side was mostly businesses. However, the dot-com era enabled the creation of B2C, or business to consumer. In the 2000s, cloud computing came into prominence, and companies like Salesforce.com were selling enterprise apps directly to companies (B2B, or business to business).

  Then, in 2008, Amazon came out with EC2. This allowed anyone to harness the power of an infrastructure like Amazon. Now any regular person can deploy things. From a security perspective, it totally changed the way businesses operate. Back in the day, security was like digging a moat around an old-school castle to protect it. Now we can all work from home because everything is in the cloud. The next generation of cybersecurity people are going to have to understand how the cloud works. There's a funny saying that goes, “There's no such thing as the cloud; you're just using other people's computers.”

  A part of going forward is understanding the limitations of this. For instance, if I use Amazon or Microsoft Azure, I have to understand where their security stops and where mine begins. People are going to have to understand how to operate in this kind of environment—where you don't really control everything, but you have to essentially supplement what other people are doing with your data and applications—and then learn how to secure that. You have to understand that going forward.

  In the future of cybersecurity, everything is decentralized; you don't own the infrastructure, you may not own the platform, but you still have to defend your data from an internal perspective (your “secret sauce”), and you have to protect your customers' data. The new question is, how do you still ensure that all your corporate secrets are safe and your customers' data is safe?

  Staying in Touch

  For my last piece of advice, get on Twitter. It's the best way to break into this field. For some reason, all of the cybersecurity people are on it, and they're usually interacting and sharing information. Twitter will be around for a long time, and it's super similar to some of the old-school chat programs, like IRC. So, if you're trying to get into this field, get on Twitter and follow some of the people in this book. We look forward to seeing you there!

