Chuck
Principal Security Engineer

Showing the Horse How to Drink

October 12, 2018 by Chuck McAuley


Having worked in cyber security for my entire career, I've been asked by many, mostly younger, people how to enter into this space and make a positive contribution. This normally produces a long-winded, meandering, poorly defined answer from me, attempting to touch on all the parts of my life, ending where I am today. This isn't because I haven't thought about that question enough, but instead because I find the modern discipline of cyber security focuses too much on specific technical skills and not enough on the softer skills that make a good hacker. To that end, let me try to teach some horses how to drink.

Think Sideways

My father told me a long time ago that the secret to his success was "thinking sideways." I've always taken this as a maxim for getting through life, and it has served me well in cyber security. If you don't have any success banging through the front door, remember there are plenty of other locations to try to get in. And if you aren't thinking about them, either as an attacker or defender, you are holding yourself back from your true potential. Almost all attack classes that have ever been seen in cyber security are inspired by a single thought of "but what if..." against a chorus of "you can't." The solution to (or cause of) a problem is simply looking at the same thing others have from an obtuse point of view. From Aleph One demonstrating that a segmentation fault could be used to insert assembly code into a process to Gabi's demonstration that rooting your car's infotainment system had much more dire consequences than you'd think, the discovery is in the interpretation of the results, and not the results themselves.

Learn as much as you can, forget, wash, rinse, repeat

Time and again people will fall for the trap of entering into a career simply because it has good pay. This can lead to huge amounts of confusion, frustration, and even anger as new hires quickly learn that there's an almost unmanageable amount of tribal knowledge that exists across all parts of cybersecurity. As a field, it is probably the most combative profession you can enter that doesn't require leaving your desk or throwing punches, and there is typically an expectation that you'll simply figure out a lot of things yourself. This can lead to an overwhelming feeling of constantly trying to intellectually catch up. That feeling will never truly leave, and you'll probably always feel like you are at the bottom of the Dunning-Kruger effect. Don't let it bother you, because your job, most likely, is breadth first and depth second.

Understand the impact of what you are doing

As mentioned above, most of what you do in cyber security could be given a much more mundane point of view. Most vulnerabilities are the result of boundary conditions, most often considered low-priority bugs. The only reason they go from bug to vulnerability is that someone was able to explain the impact outside the scope of the program or network they were analyzing. Data breaches are often the result of a policy violation, poor patch management, or lost equipment, which only become damaging when an entity's dirty laundry is aired on the evening news. The foresight and understanding of the impact of a problem is the difference between a good and bad cyber security professional.

Change is normal, but nothing really changes

The most important skill you can have at this job is being able to take what you've seen prior and apply it to a new set of problems. Everything changes in cyber security: your adversaries, the technology in use, and the TTPs (tools, tactics and procedures) used. Understanding that cybersecurity is not a technology, but an adversarial human discipline, is probably the most underrated and missing element that we leave out of any curriculum. All the technology in place can leave us forgetting that it's all there to prevent human attackers with malicious intent from taking assets of value from other humans. Keeping this in mind all the time is critical.