Tribe-Of-Hackers-Cybersecurity-Advice-From-The
Total Page:16
File Type:pdf, Size:1020Kb
TRIBE OF HACKERS TRIBE OF HACKERS Cybersecurity Advice from the Best Hackers in the World Marcus J. Carey & Jennifer Jin Cover illustration: Creation © Allriot.com Cover and book design: www.adamhaystudio.com Copyright © 2019 by Marcus J. Carey. All rights reserved. Published by Threatcare Press in Austin, Texas. No part of this publication may be copied, reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical (including photocopying, electronic, recording, or otherwise) without the prior permission in writing from the publisher. Limit of Liability/Disclaimer of Warranty: The views and opinions expressed in this book are of the contributors themselves and do not necessarily reflect the views of the co-authors, Threatcare, or its employees. While the authors have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. This work is sold with the understanding that neither the authors nor the publisher are held responsible for the results accrued from the advice in this book. Neither the publisher nor the authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages. ISBN: 978-1-79346-418-7 Printed in the United States of America 10 9 8 7 6 5 4 3 2 1 First Edition www.tribeofhackers.com Introduction 1 01 Marcus J. Carey 6 02 Ian Anderson 12 03 Andrew Bagrin 18 04 Zate Berg 24 05 Cheryl Biswas 28 06 Keirsten Brager 32 07 Evan Booth 38 08 Kyle Bubp 42 09 Lesley Carhart 48 10 Lee Carsten 54 11 Whitney Champion 60 12 Ming Chow 66 13 Jim Christy 72 14 Ian Coldwater 78 Contents 15 Dan Cornell 84 16 Kim Crawley 90 17 Emily Crose 96 18 Daniel Crowley 100 19 Winnona DeSombre 104 20 Ryan Dewhurst 110 21 Deidre Diamond 114 22 Ben Donnelly 118 23 Kimber Dowsett 130 24 Ronald Eddings 136 25 Justin Elze 140 26 Robert Graham 144 27 Claudio Guarnieri 150 28 Ron Gula 154 29 Jennifer Havermann 158 30 Teuta Hyseni 162 31 Terence Jackson 168 32 Ken Johnson 172 33 David Kennedy 178 34 Michelle Klinger 186 35 Marina Krotofil 192 36 Sami Laiho 200 37 Robert M. Lee 204 38 Kelly Lum 208 39 Tracy Z. Maleeff 212 40 Andy Malone 218 41 Jeffrey Man 224 42 Jim Manico 232 43 Kylie Martonik 236 44 Christina Morillo 240 45 Kent Nabors 244 46 Wendy Nather 252 47 Charles Nwatu 258 48 Davi Ottenheimer 264 49 Brandon Perry 274 50 Bruce Potter 280 51 Edward Prevost 284 52 Steve Ragan 288 53 Stephen A. Ridley 292 54 Tony Robinson 300 55 David Rook 306 56 Guillaume Ross 314 57 Brad Schaufenbuel 320 58 Chinyere Schwartz 326 59 Khalil Sehnaoui 330 60 Astha Singhal 338 61 Dug Song 342 62 Jayson E. Street 352 63 Ben Ten 358 Contents 64 Dan Tentler 362 65 Ben Tomhave 368 66 Robert "TProphet" Walker 374 67 Georgia Weidman 380 68 Jake Williams 384 69 Robert Willis 390 70 Robin Wood 394 Final Thoughts 399 Acknowledgments 400 Bibliography 401 Tribe of Hackers Introduction My mind is in a very peaceful and reflective mood. I’m nearing the end of my first time away from work in at least three years, most of which has been a blur as I founded my own cybersecurity firm. I’ve learned a lot about venture capital, investors, and mentors—as well as what it takes to build a company from just an idea. It’s been an amazing journey. My reputation as a white hat hacker gave me the credibility to get this far, and we’re just getting started. I believe in giving as I go. In other words, instead of waiting until I “make it” to give back to others, I have been trying to mentor everyone I come across along the way. I have always been the type to want to help others, so I mean it when I say you’re welcome to email or meet me for guidance about anything. I will always try my best to help. Over the last year, I’ve listened to hundreds of hours of audiobooks while going to and from work and while walking the dogs. One of the books that really impressed me was Tribe of Mentors by Timothy Ferriss, and it stands as the inspiration for this book’s concept. I highly recommend this thought-provoking read on life and business, especially if you’re a fan of self-help books or entrepreneurship. 1 Tribe of Hackers In his book, Ferriss asked famous people from his impressive network eleven questions, and then the magic just happens. For me, this immediately sparked the idea that there should be a cybersecurity version of the book. So, I compiled the most common questions people ask me about cybersecurity and then narrowed it down to the list you are about to see. In total, I ended up with 14 questions. The questions initially start with views of cybersecurity at-large and then become more personal. I noticed that when I have conversations at conferences, this is the normal flow. We call these types of conversations “hallway-con,” because some of the best learning happens between the scheduled talks and events. After compiling the questions, I started reaching out to my network of friends and colleagues in the industry and asked them to be a part of this book. I was humbled by the response. In total, we ended up with 70 inspiring and thought-provoking interviews with notable hackers— including such luminaries as Lesley Carhart, David Kennedy, and Bruce Potter. But before we launch into the interviews, let’s take a quick look at the questions: 1. If there is one myth that you could debunk in cybersecurity, what would it be? 2. What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture? 3. How is it that cybersecurity spending is increasing but breaches are still happening? 2 Tribe of Hackers 4. Do you need a college degree or certification to be a cybersecurity professional? 5. How did you get started in the cybersecurity field, and what advice would you give to a beginner pursuing a career in cybersecurity? 6. What is your specialty in cybersecurity? How can others gain expertise in your specialty? 7. What is your advice for career success when it comes to getting hired, climbing the corporate ladder, or starting a company in cybersecurity? 8. What qualities do you believe all highly successful cybersecurity professionals share? 9. What is the best book or movie that can be used to illustrate cybersecurity challenges? 10. What is your favorite hacker movie? 11. What are your favorite books for motivation, personal development, or enjoyment? 12. What is some practical cybersecurity advice you give to people at home in the age of social media and the Internet of Things? 13. What is a life hack that you’d like to share? 14. What is the biggest mistake you’ve ever made, and how did you recover from it? 3 Tribe of Hackers Before we wrap up, a quick note about the book: We edited every interview to improve flow and readability, and in some cases, this meant abbreviating answers or deleting non-responses. You’ll also notice that we’ve included contact information at the end of each bio indicating where you can find each hacker on the web, as well as on social media. We’re an engaged and tight-knit group, and we hope you’ll join us. Creating this book has been an amazing journey, and I hope the answers to these questions help guide you along your path. Marcus J. Carey CEO Threatcare January 1, 2018 4 Tribe of Hackers Marcus J. Carey Marcus J. Carey is the founder and CEO of Threatcare. He describes himself as a hacker who helps people not suck at cybersecurity. He started his technology voyage in U.S. Navy Cryptology and later went on to refine his knowledge while working at the National Security Agency (NSA). Twitter: @marcusjcarey Website: www.threatcare.com If there is one myth that you could debunk in cybersecurity, what would it be? The biggest myth that I hear is how attackers are always changing up their tactics. While it is true that new exploits come out over time, the initial exploit is just the tip of the iceberg when it comes to attacker movement on a system or network. Even if an organization is compromised by a zero-day attack, the lateral 01 movement, registry manipulation, network communications, and so on will be very apparent to a mature cybersecurity practitioner and program. So, their tactics don’t really change a lot. What is one of the biggest bang-for-the-buck actions that an organization can take to improve their cybersecurity posture? The easiest thing an organization can do to prevent massive compromise is to limit administrative accounts on systems. In the military, we obeyed the “least privilege principle” when it came to information access. Organizations should do the same when it comes to their own administrative access. If attackers are able to compromise a user with administrative credentials, it’s essentially game over; they now have all the keys to the castle.