Quick post today, just a few documentaries to watch that are industry relevant.
DEF CON Documentary (2013)
TPB AFK: The Pirate Bay Away From Keyboard (2013)
We Are Legion: The Story of the Hacktivists (2012)
Hackers are People Too (2008)
Media worthy talks on the latest hacking techniques, big vendor parties, and rubbing up against a random 300 pound man whilst battling with the other 7,000+ pre-registered attendees to get to the room of your choice…it’s all part of the show here at Black Hat USA in Las Vegas, but maybe not for long. As depicted by signs around the conference, Black Hat will be moving out of the Caesars Palace digs it has long since outgrown. Next year’s Black Hat venue will be the Mandalay Bay, whose conference center features an expansive three levels that will be more conducive to the size of the crowds now attending Black Hat USA. This move is largely an effort to meet the growing number of attendees and also likely provides a more attractive venue for vendor sponsorship.
For many this will come as sad news, as the sights and sounds of Caesars Palace undoubtedly serve as a portal into years past for loyal Black Hat goers. The need for larger grounds is however a welcome change for the Black Hat conference, which continues to mature and grow alongside the broader information security market. It is clear that the information security industry requires a conference with more depth than RSA USA and more industrialist professionalism than DEF CON. UBM is keenly positioned to fill that need with the Black Hat conference. However, the relative size of the Caesars conference center and the somewhat convoluted access to vendors (either in a room much too small, hallways much too narrow, or in a large room removed from the conference) has limited continued growth through vendor sponsorship.
Many of these issues, and potentially (hopefully) the issue of standstill hallway traffic between talks, will largely be alleviated. This should make Black Hat an increasingly attractive target for vendors who, as some know, will find that the demographic of attendees at Black Hat is much more likely to consist of a potent population for sales lead generation than at other security conferences. With this demographic and the new venue, the only thing standing in the way of Black Hat combining both the vendor support of RSA and the professional hacker community is the time of year. Given the typical security sales cycle, it is difficult to generate leads at Black Hat and close them before the end of the year five months later.
Regardless, enlightened vendors recognize that market leadership is a continuous cycle and not just a year-end goal. As the Black Hat community continues to grow its influence over the broader information security market, the list of vendors sponsoring the event is likely to grow as well. Moving to a larger floor plan will assist in allowing that growth. Either way, here today, there tomorrow…
Cisco announced their intention to acquire Sourcefire for $2.7 billion this week in a somewhat surprising move given their relatively recent divestitures in well-known and adopted Cisco security products. Examples such as the end-of-life of the Monitoring, Analysis, and Response System (MARS) and the continued deterioration of the Cisco IPS/IDS product, the Adaptive Security Appliance (ASA), which itself was a re-engineered and re-branded IDS that came through the acquisition of WheelGroup in 1998, had many believing Cisco no longer wanted to invest in their presence in the security market. In retrospect, however, these were also indicators as to why acquiring a company like Sourcefire was necessary for Cisco. While the acquisition may have shaken many of the Sourcefire loyal, in time, if done correctly, this acquisition could be a great step forward for the community as a whole and may have been a necessary one for the advancement of Sourcefire in general (and certainly one for Cisco).
Perfect Timing for Sourcefire
Sourcefire is a security community pillar functioning as a community organizer, open-source pioneer, and provider of leading security products. However, the industry is rapidly moving towards a newer iteration of security capabilities (I refuse to say Next G*&$#ation). Sourcefire has struggled with shifting OEM suppliers as well as major upgrades to their flagship product (I’m still holding my breath for that Snort 3.0 release date). Furthermore, in recognition of the move to the next iteration of security products, Sourcefire has made investments into Next Generation (*cringe) Firewall technology and malware protection. However, these jumps are costly and difficult to make for vendors the size of Sourcefire, especially considering that the market currently consists of largely focused niche vendors like Palo Alto in the realm of NGFW and FireEye in malware protection.
The collective result could have left Sourcefire in a rather precarious position, with their core market of IDS/IPS still existing but rapidly shrinking, and finding themselves in direct competition with already established industry leaders in emerging markets. While this precarious position was nowhere near signaling significant decline for Sourcefire, it would have been difficult to continue the rapid growth it has enjoyed in previous years.
Of course, having maturing products in a breadth of segments can assist an organization in growing despite more mature products on the market from niche vendors, if the larger organization has more mature sales channels to help rapidly grow their install base. This, however, is not an arena where Sourcefire is particularly strong. While Sourcefire enjoys solid penetration in the US government space and in various east coast enterprises, Sourcefire on the whole has struggled to achieve deep market penetration west of the Mississippi, let alone on a global stage versus market competitors in virtually every realm in which Sourcefire competes. All these elements combined to form the perfect time for Sourcefire to accept an acquisition offer: far from desperation, at the peak of their abilities, but facing potential hazards ahead and in need of a partner with brand recognition and strong sales channels.
Cisco Getting Back in the Game
While some analysis is required to understand why Sourcefire would need a Cisco-type partner for growth, understanding why Cisco needs Sourcefire requires virtually no analysis. Sourcefire represents a clear opportunity for Cisco to get back into the security market in a big way. Though, given Sourcefire’s $2.3 billion market cap, $233.1 million 2012 earnings and years of continuous growth, it is by no means a cheap opportunity ($2.7 billion acquisition!). That said, Cisco can provide the sales channel and (non-security) executive-level brand recognition that Sourcefire currently lacks to continue growth. In addition, the Cisco brand opens up two key demographics that Sourcefire previously did not play as well in. The first is in the realm of inexperienced network administrators and architects not familiar with security vendors who put a lot of faith into the Cisco brand. The second is board room personalities, who, though interested in security, likely are not keenly focused on security in general. For top level executives, it must be noted that security is typically a small line item versus their companies’ overall expenditures. Having the ability to introduce and influence these decision makers to be more aware of security is invaluable for a pure-play company like Sourcefire. The influence that Cisco can assert in this realm is heavily assisted by looming US Federal Government influence on private sector businesses to ensure a better baseline for security (see the Executive Order on Improving Cybersecurity). It is not unlikely that, as these political forces continue to raise awareness and push senior-level decision makers to adopt more comprehensive security practices, they will turn to giants like Cisco to help them get their businesses there (but that’s a whole other story).
Of course much of Cisco’s success will lie in the balance of whether or not they can appease the Sourcefire community with high-quality solutions and maintain the strong open-source following of Sourcefire and more particularly Snort, which I would argue has allowed Sourcefire to be highly competitive with a frankly less sophisticated engine in the IPS/IDS market (referring to the Snort 2.x engine versus McAfee or IBM). The real question is whether or not Cisco will be able to capture the passion of the security folks within Sourcefire, as Sourcefire has been a refuge for many passionate security folks. While much of the community of passionate security professionals outside of Sourcefire have found themselves in a diaspora, Sourcefire has remained relatively potent with top-tier folks in research, development, marketing, and decision making. This concentration of passion for security has resulted in leadership in virtually every sector they operate in, despite the challenge of being a standalone pure play. Sourcefire has set a high standard for marketing, product development, community leadership, and delivery. In order for Cisco to get their money’s worth out of this $2.7 billion acquisition, it is imperative that they capture that passion and cultivate it into market leadership.
How to Capture the Passion
It’s simple. Fund development, encourage innovation, support research (even if it’s controversial), retain top-level visionaries, and promote elitism (make those involved feel like they are a part of something special) while humbly continuing to build an external community. Of course these things are easy to evangelize when strictly focused on security. The true challenge Cisco faces is whether they will be able to meet these goals while recognizing that Sourcefire, though an industry mogul for security, currently would account for less than 0.5% of Cisco’s annual revenue. If, however, in the face of adversity, Cisco can manage to capture the passion of Sourcefire and properly integrate Sourcefire into the Cisco family, Cisco will certainly be a force to be reckoned with long into the future.
10:15 Advanced Chrome Extension-Leveraging API Powers for The Better Evil
2:15 Don’t Stand So Close To Me: An Analysis of the NFC Attack Surface
3:30 Intrusion Detection Along the Kill Chain: Why Your Detection System Sucks and What to Do About It
5:00 Adventures in Bouncer Land
10:15 A Scientific (but not academic) Study of Malware Employs Anti-Debugging, Anti-disassembly and Anti-virtualization Technologies
11:45 iOS Kernel Heap Armageddon Revisited
2:45 Digging Deep Into the Flash Sandboxes
3:30 Mobile Network Forensics
If you haven’t by now heard that Feds have been politely asked not to attend DEF CON this year, you may be living under a rock in the information security community. The news came Monday in a post on Defcon.org by Dark Tangent (aka Jeff Moss) entitled, “Feds, We Need Some Time Apart,” which politely states the following:
"For over two decades DEF CON has been an open nexus of hacker culture, a place where seasoned pros, hackers, academics, and feds can meet, share ideas and party on neutral territory. Our community operates in the spirit of openness, verified trust, and mutual respect.
When it comes to sharing and socializing with feds, recent revelations have made many in the community uncomfortable about this relationship. Therefore, I think it would be best for everyone involved if the feds call a "time-out" and not attend DEF CON this year.
This will give everybody time to think about how we got here, and what comes next."
This of course has sparked much debate and left many to ask the question “why?”, especially given the nature of Moss’ governmental advisory role; it would seem that this move is at best symbolic in nature and even somewhat hypocritical. There has not been much to explain why this move was made, other than some vague statements made by Moss to Reuters recently, where he stated, “The community is digesting things that the Feds have had a decade to understand and come to terms with,” before going on to say, “A little bit of time and distance can be a healthy thing, especially when emotions are running high.” (Reuters)
It would be easy to assume that this announcement is a move to denounce the activities allegedly revealed by Edward Snowden, and certainly there are a number of articles that have been released discussing exactly that. However, I think, to truly understand why this announcement was made you would have to understand Jeff Moss, or better yet, Dark Tangent, and while we’ve barely ever even met, there is one run-in I had with Dark Tangent that I think was somewhat revealing of his personal motivations as a DEF CON leader.
Years ago, in 2007, I met my now good friend Ming while sitting on the Wall of Sheep (WoS). Ming and I quickly bonded over pwning sheep and handing them to the WoS folks to post. Since that time, meeting up at the WoS, collecting packets, sharing information, sharing tools, etc. has become somewhat of an unspoken annual tradition for Ming and me. This tradition is one that I look forward to all year. Early on, working on the WoS made me a little nervous; when you’re on the outside of the tables set up for WoS, everyone could see your computer, everyone knew what I was doing, and it was just a little uncomfortable. That was until an incident involving Dark Tangent.
In 2008 (I think) during DEF CON at the Riviera, Ming and I were sitting on the WoS like we had the previous year, collecting packets and enjoying ourselves, when suddenly from behind us a stern, authoritative voice shouted, “YOU RIGHT THERE, STOP WHAT YOU’RE DOING AND STAY RIGHT THERE!!!” Stunned (and raised with Catholic guilt) I immediately spun around thinking, “Uh oh, I’m in trouble.”
To my surprise, however, I looked up to see that a gentleman was standing in a skybox hovering over Ming and me, taking pictures of us with a high powered camera and a telephoto lens…I was shocked. Tangent instructed a DEF CON goon to watch the man and make sure he did not move. No more than a minute later Dark Tangent appeared on the skybox balcony to confront the man. To be frank, I mostly went back about my business at that point and am not entirely sure what happened next; however, I believe Tangent removed the gentleman’s camera memory.
As an industry analyst, I often attend DEF CON with a Press Badge, and know and understand that there are certain standards around my interactions with others at the CON as a result of that level of attendance. Some are unspoken standards, like never publish anything unless all parties involved know and understand that it will be published ahead of time (basic etiquette really). Others are well-spoken and documented. One specific documented standard surrounds how and when a picture can be taken (a screenshot of the standard from Defcon.org can be seen on the right); each and every Press pass attendee must sign an agreement regarding photos each conference. The gentleman in the skybox was not abiding by these standards, whether he was press or an attendee. As a result, Dark Tangent took care of the situation.
He took action not because Ming and I were complaining (heck, we didn’t even know it was happening), or because he wanted to flex his power. Rather, Dark Tangent took care of the situation, and likely created the standard, in an effort to promote a safe and comfortable environment for people like Ming and me, or really any other DEF CON attendee, which at its core has always just meant “hackers.” It was frankly successful; it was the last time I felt even a slight bit uneasy working on the Wall of Sheep, and the memory largely fell to obscurity in my mind. That is, until I read the announcement requesting that Feds stay back this year.
I believe that Dark Tangent feels as though he has a responsibility to make sure that hackers may operate in the most comfortable environment possible, one that is conducive to sharing thoughts and having some fun while doing so. That is the core of what DEF CON is. To preserve that, there are both spoken and unspoken standards of how specific groups may behave, and within reason they are held to those standards. Hackers are a naturally paranoid crowd, and while since 2001 hackers and Feds have intermixed to a point where in a lot of cases it is very difficult to separate the two, recent media has made a fair portion of the hacker collective uncomfortable; as such, an unspoken standard has been broken. Maybe Dark Tangent respectfully requested that Feds refrain from the conference for the time being, not as an affront to the Feds or as a political statement, but rather in an effort to preserve the core of DEF CON, which is again to provide a comfortable environment for hackers, nothing more, nothing less. I think that is something everyone could and should appreciate.
Over the past generation, and increasingly the past decade, information security has become a key arena for international warfare. Cyberwar, as it is commonly referred to, has the ability to forcefully derail economic, social, and combat capabilities absent the direct physical confrontation previously required. The progression of human conflict into a domain where confrontation is defined by intellectualism, and casualties are measured in lost data, in no small way speaks to the advancement of humankind. However, these advancements have been coupled with global collaboration that has unified intellectuals of multiple nations in efforts of technical invention and innovation. There are no better examples of these unifications than within global corporate entities, where billions of people work collaboratively to continue growth.
Though we tend to view these entities as singular, they are actually large conglomerates of individuals. Individuals who hold multiple allegiances beyond the walls of their corporations and borders of their nations. In information security communities, where national security is not mutually exclusive of private sector security capabilities, when these allegiances come into conflict, questions arise. For example, when does a global company choose to publicly report covert operations conducted by a nation to hinder another nation’s ability to become a nuclear power? Indeed this question sounds like the premise of a cheesy suspense film, but was actually the specific question posed to Symantec analysts in the discovery of Stuxnet, a computer worm targeted against Iranian industrial control systems, likely built collaboratively by Israelis and Americans. This article will explore these conflicts as well as the role that the growing community of information security professionals currently play and indeed will likely continue to play in the realm of international conflict.
An Ever Shrinking Planet
It has been well over a half century since the United States and indeed much of the world could have claimed any real amount of isolationism. Rather, we live in a global economy where international relations and alliances can exist simply through adding friends on Facebook. Interconnection has altered the world in ways that even the brightest visionaries previously could not have imagined.
These advancements and collaborations may have been summed up best in a 2001 speech entitled, “Globalization, Free Trade, and National Security” delivered by Kenneth I. Juster, former Under Secretary of Commerce for Export Administration, when he stated:
“Advances in information and communications technology have made it much easier for companies in all sectors of the economy to “go global,” to create multinational workforces, to set up operations and facilities in remote areas of the world, and to market their products and services worldwide.”
Yet, while the effects of globalization are in many ways widely recognized, most studies and considerations surround economic implications and the relation of national security to a nation’s economic stability. What sets information security apart from this realm is that the relationship is inverted: what may be economically best for security companies may largely negatively impact national security. This is a distinct possibility in the aforementioned incident involving Iranian nuclear efforts. No doubt, Symantec made a few pennies off of the free publicity.
Amongst the unanticipated by-products of technological innovation and indeed corporate globalization are new intersections between corporate interests and national security. Despite the numerous areas where these issues exist, few are as complex as within the realm of information security.
Information security in many ways is knee deep in espionage between corporations, and indeed governing entities. As a result, security researchers are often working directly on issues of national security without knowing it. Yet, while it is simple to report when a researcher finds a foreign country is hacking an organization, it can be far more difficult to determine when to report that the researcher’s own country is hacking another business.
Such has been the case in numerous instances, where researchers were paid to perform root cause analysis of attacks that infiltrated businesses or perhaps even disrupted capabilities. While a researcher uncovering their own nation-state as the culprit behind the attack is rare, it does happen. This leaves the very simple question: when does one report that their own country is hacking another?
When to Report
The patriotic answer would seem quite simple: “this should never be reported.” However, the stark reality is not so black and white. There are issues with not reporting. Consider first that there are of course security implications for failing to report information publicly, or even privately within an organization. In certain cases, synthetic malware can be re-purposed for further attacks against other entities. Such was certainly the case for Flamer, which was re-purposed and utilized in an attack against Aramco. Without proper disclosure of the original piece of malware, detection would be more difficult and damages could be much greater.
In addition, there is a business component to not reporting. At this point in time, security research is being done by global vendors in a multitude of countries. Thus, if one entity fails to report an issue, it is not entirely unlikely that another entity will do so. There is therefore a level of marketing competitiveness involved in the reporting of issues.
These things considered, the answer becomes a bit convoluted; in fact the best answer is that it depends. One should report issues of state sponsored attacks from the country that they hail from when it is first and foremost safe to do so, both at a personal level and at a national level within their particular nation-state. Should one face jail time in retaliation for such a disclosure, then the answer is simple: it shouldn’t be disclosed. It is a corporation’s responsibility to be a good citizen and protect their employee who was merely doing their job. If, alternatively, a disclosure will be controversial but not particularly dangerous, then that is the time to disclose. And yet, while these time frames seem rather simple, they still somehow manage to be incredibly complex. One thing is not complex though and is plain to see: security researchers will continue to play a large role in international relations whether they like it or not…
This site is by no means meant to be a movie review site, but this film really should be seen, as “We Steal Secrets” is a fantastic documentary. Aside from the sensationalized view of hacking (using rainbow tables to crack an NTLM hash is not sophisticated, sorry), the movie is the most accurate depiction of multiple levels of the hacking scene that I’ve seen.
The movie takes you from the early 80s/90s days with Julian Assange, and I guarantee you know this personality 100 times over in the scene: the self-righteous narcissist who thinks they are completely revolutionizing the world because they made a site with file upload capabilities. Then there are Adrian Lamo and Bradley Manning, both personalities you feel really bad for and I’m sure know well also.
In the case of Manning, you see a poor young man struggling with gender confusion and his sexuality while living in a military community, which I imagine is not a particularly warm place for someone struggling with either. He seeks refuge within the hacking community by reaching out to Assange, who clearly takes advantage of him, and Adrian Lamo, a hacker with a clear social disorder. Although Lamo sympathizes with Manning and is warm and comforting (there is an oddly powerful moment where he comforts a seemingly suicidal Manning with “just keep typing”), he ultimately betrays Manning’s trust, damning him to imprisonment without charges and arguably torture.
In the end Assange uses the publicity to gain celebrity as a hero for the freedom of speech and knowledge, though he realistically did nothing. He uses this to duck prosecution for what seems to have been a fairly clear case of rape, but not in the sense that most initially would think it is (and it is clearly not the US trying to set him up). Manning’s life is pretty much over; he is facing life imprisonment or possibly even execution. Lamo’s punishment is in many ways incredibly severe. He is labeled as a traitor and ostracized within the community, probably for life, and carries the conflict and guilt of destroying the life of someone who sought him for help.
What may be even more sad are the lasting effects of Assange’s continuing misguidance. Consider the movement that he figureheads and how many more people, many children, have ruined their lives as a result of his deceptions. Consider the many Anonymous arrests that came about as a result of the DDoS attacks when credit card companies and PayPal stopped processing donations for Wikileaks, or consider the money that people donated to Wikileaks not knowing that it was really going to Assange’s defense funds.
This is a great documentary; from its clear depiction of hacker personalities and the scene in general, I encourage all to see it. It is currently on iTunes.
For many security professionals, career progression often requires an increased amount of public speaking. This may mean delivering a talk at Defcon, presenting to venture capitalists, or even supporting sales teams in explaining research on various security topics. Of course it is no secret that the venture into public speaking represents an incredibly difficult task for technologists, especially in information security. This article discusses my journey into public speaking as well as tips and tricks I learned for comfortably giving solid speeches.
Learn From Failures
Be aware that much of this is in fact trial and error, so don’t be afraid to fail. I decided to try my hand at being an industry analyst at EMA in 2007; this was a big jump from my previous role as a vulnerability management coordinator and forensic investigator while working in the public sector. To say the least, I was not comfortable stepping out from behind the monitor to share my thoughts and insights in a public forum, but I knew it was necessary.
My first foray into public speaking came at the Rational Software Developers Conference in Orlando in 2008, where I gave a talk on application security assessment. Long story short, I bombed. I did several webinars that I wouldn’t cite as any point of pride, though I’m sure they weren’t horrible. Then came my second major attempt at GFIRST in Atlanta in 2009. Saying I bombed is an understatement. People were making fun of me on Twitter…it was bad. What I learned though was that I needed to manage my time, and I needed to know at least two takeaways before I took to the stage.
Since those bombs, I’ve made a great deal of progress, am very comfortable presenting, and do the majority of my presentations to rave reviews. Getting there was not easy. Here are a few of the things that really helped me.
Know Your Material
When I say know your material, I do not mean have your talk memorized. Though that can help in certain cases, memorization of a talk is not really knowing your material. I mean know everything there is to know about your topic, and if you don’t, know what you don’t know. In the security industry, it is a virtual guarantee that someone in the audience is either thinking they are smarter than you, or they are going to try to prove it with some pointed questions. Knowing your material backwards and forwards is a key ingredient in the biggest tip I can give: be comfortable in your own skin!
Create an Outline and Story
When you’re talking for an hour, make it less of a lecture and more of a story; it will keep your audience’s attention longer. In order to do this, create an outline for your story; this will make it easier to build in more than just pointed jokes and foreshadowing to keep the audience interested.
Be Comfortable in Your Own Skin…And Clothes
There are tons of reasons for you to be talking; the audience WANTS you on stage, they want to know what you have to say. They are all looking towards you, so you don’t want to have to worry if the fly on your pants that are a little too tight is going to hang on for the entire talk. Be comfortable on stage! The first step to this is to be comfortable in your clothes. If you need to wear a suit, make sure it is the most comfortable suit available!
For many of us “keyboard cowboys,” as the ever quotable 90s flick “Hackers” put it, stepping out from behind the flickering monitors is an interesting adventure. Yet, it is an adventure many of us will be forced to embark on as we progress in our careers. Indeed there are many lessons to be learned in these undertakings, one of which can be found within a recent engagement where I was requested to appear in a marketing video in order to provide some thoughts on sophisticated attackers.
Great opportunity right? Absolutely! There was only one problem: I was traveling and did not bring the proper attire to appear in said video. The result was, as one rather stylish marketing professional put it, a version of me that “looked like a rat” or, as my own sister put it, “A ragged Mr. Rogers.” Let’s consider the events that led to such a result in order to identify where I made my mistakes.
I had traveled to the RSA conference for customer meetings and the obligatory annual security industry reunion. Of course, this trip was not quite so simple for me. After arriving at RSA on Monday, I was required to leave late night Tuesday for an engagement in Arizona, before returning to the RSA conference Wednesday afternoon. Furthermore, I would be attending Hacker Snowfest, a gathering of sorts in Tahoe, post RSA. Later, I would learn I needed to stop by Pulse in Las Vegas and make an appearance at an Executive Business Center meeting in Atlanta, before finally returning home. In other words, I had planned to make a trip to three cities in a week, and ended up making a trip to five. One of those trips required ski attire including a bulky jacket, snow pants, an under layer, ski socks, gloves, and a helmet (which is not to mention my awesome cookie monster t-shirt). All this means is that I did a lot of travelling with a lot of extra weight.
Thus, in an effort to reduce weight, I packed “intelligently” for work, especially pertaining to work attire. During the winter, this means wearing a sweater rather than a suit or suit jacket. Sweaters can be great travel business attire since they are presentable, easily packable (foldable and can be ironed), and can be used in both social and business contexts. Additionally, the sweater can be paired with collared shirts and ties. This look has worked well in the past for me (as can be seen by my swagger in the picture to the right), but it is not the look you want to sport in a video. This was my first mistake: I did not pack for a situation where I could be required to dress more formally. Though this is a simple mistake to make, in a way it violates Rule #5 of my rules for security business travel.
Not having a suit or a jacket left me with a few options: purchasing a new suit or suit jacket (both expensive and highly time-consuming options), or putting together an outfit from the clothes I brought with me. I elected to go cheap and efficient by putting together an outfit from the clothes I had with me. The problem was that I figured any sweater and any collared shirt combination would work (it didn’t). Therefore, I was forced to put together the only two items I had with me that looked somewhat presentable, which happened to be a Michael Kors sweater from Nordstrom Rack (I pop tags) and a $15 collared shirt I keep as a backup in my suitcase.
What does this all mean? It means I looked as thrown together as my outfit was, that I was not comfortable, and by not being comfortable it affected my performance, which was acceptable, but not by any means my best. Worse yet, all of this is immortalized in a pretty solid marketing video, which can be seen below.
So what did we learn? When doing something that is recorded and public facing, make sure you are comfortable and professional. In a jam, that may mean springing for the extra dollar to ensure that you are, or it may mean passing up on an opportunity. Doing this will establish an ethos, and one mistake can live on for a long period of time. As for me, I’ll only make this mistake once.
After reading Moxie’s post on career advice over at http://www.thoughtcrime.org/blog/career-advice/ I decided to write my own for all the young and hungry current and future security professionals. My path was certainly not normal. Though most who know me likely know me from my current role at that tech giant or from my days as an industry analyst, the reality is that I had a whole career before that in State government. My days there were quiet and deeply technical, but it was one of the best experiences of my life. How I got that job and my foot in the door is an interesting story, and it certainly did not follow a typical career start. This brings us to the first bit of advice…
5. Pave Your Own Roads
Hacking, security, even business in general are about creativity; use it to get the things you want in your career. Recognize your resources and exhaust them to their full extent to get to the next step. For me, I was an under-achieving student with averageish grades and no inroads to the security industry. What I did have was an opportunity to do an independent study. Thus, I did an independent study in security, walked into the nearest CISO’s office, and convinced him to hire me for the duration of my study. That was the path to my start in security. Each path will be different; however, what is important is to recognize what you have and focus on turning that into the next step.
4. Smile at the Doors as they Shut In Your Face
Doors will shut in your face, there is no doubt about it. Smile at those doors and recognize that, if they are worthwhile, you’ll kick them in later (as you see in my third point). Being passionate about a topic makes any loss or setback feel devastating. However, they are nothing of the sort. They are merely obstacles.
At one point in my career, I was invited to apply for a job that was already filled. The move was political, in that the managers were struggling to actually free the resource they had already hired for the position. They therefore needed a viable candidate to force the hand of those holding back the person already hired for the position. I was used as the sacrificial lamb to force that hand. However, in smiling at that ridiculousness, I was offered four different positions, including one that paid almost 90% more. A year later, the person who had the job I thought I had a chance at was asking me for a position.
3. Kick Down the Doors that are Worth Entering
This is plain and simple. If you want something, don’t let a door shutting deter you. Maintain persistence and keep going after it.
2. Make Friends
In many ways, making friends should be your top priority. If there is one rule that I try to live by in business it is, “take care of your people.” Eventually they will take care of you as well. Whether that means producing great work as your subordinates or possibly bringing you on board as a superior someday, the bottom line is that people are the lifeline of the security industry.
1. Never Be Complacent