Two weekends ago I finished reading “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World”. (Please read previous blog entry to learn more.) I was amazed at how many of “Tribe of Hackers” contributors recommended an old book, “The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage,” which was written by Clifford Stoll in 1989.
The story actually begins at Lawrence Berkeley National Laboratory in 1986. I won’t go into too many details about the setting or the time. In computer years, it was ages ago. So my question: “How could such an old book about tracking down a hacker be so routinely recommended by a slew of highly knowledgeable and well-respected info sec professionals?”
Turns out cybersecurity hasn’t changed much. In “The Cuckoo’s Egg,” the hacker who is being tracked by Stoll, an astronomer, is aided by of the following: 1) default credentials, 2) processes that run as root, but shouldn’t, 3) well-known vulnerabilities, 4) the fact that folks can be fooled into entering their credentials into fake sites, 5) the desire of organizations to not share information, 6) the fact that various US agencies described this sort of attack as not their ‘bailiwick’, 7) the fact that various agencies don’t have the expertise to fully comprehend the risk to their data and network infrastructures, and 8) that organizations could not possibly imagine someone actually penetrating their ‘high security’ environments. I’m sure I’m missing a few, but you get the idea.
Besides being a great old book, published when I was a curious, modem tapping, BBS surfing adolescent, it’s an excellent primer on the foundations of modern cybersecurity. Sure, the technology has changed, but fundamentals haven’t moved an inch. Maybe all cybersecurity professionals have heard of this book except for me, but if you haven’t, consider reading it. Even if you’re not after the education, it’s wonderfully entertaining.
It’s weird how I found out about “Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World”. I saw a photo on Twitter of a fellow Luther Collage alum, Ben Tomhave, showing that he was featured as one of the ‘tribe’. “What’s this about?” I asked myself.
As it turned out, this was a book soon to be released by Threatcare, a firm that is an active, generous purveyor of learning and community building in cybersecurity.
I love books and learning learning, and I’m relatively new to cybersecurity. Though I would hazard to guess that a majority of people in this field feel like they are ‘relatively new’. For people like me, books like this are pure gold. (I can’t say I’ve read many books like this one, however.)
The crowning glory of this recent publication is thought-diversity. (Yes, I just hyphenated those two words together.) You can read a chapter by one contributor who says that ‘user security awareness’ is the biggest bang-for-the-buck toward improving organizational security. The next will say ‘asset inventory’. I love this.
The bang-for-your-buck question is just one simple example. There is a WHOLE LOT more going on in this book than that. It’s loaded with practical advice on building your career, getting along with others, and learning from your mistakes. Sure there is a lot varying ideas, but they all lead to a few core truths. One of these core truths is that cybersecurity is all about PEOPLE. That is even if you like the term ‘cyber’ which one author explains ‘holds no real meaning any more’. I love this too.
This collection of industry wisdom is a rare find. Hats off to Marcus J. Carey and Jennifer Lin and all the contributors who had the fortitude to put these reflections down on paper for people like me. 🙂 “Tribe of Hackers” wins the day! Check it out: https://www.threatcare.com/tribe-of-hackers/
Not long ago I did one of those “Strengths Finder” assessments put out by the folks at gallupstrengthscenter.com. At the top of my “strengths” list was the designation “Learner”. It essentially confirmed what I already almost knew — that I enjoy learning or getting to a point of understanding on a variety of topics.
Recently a colleague at work recommended that I consider taking at look at the 2600 Magazine. So I did. I read the Kindle version of the most recent edition. What I really enjoy about reading the Hacker Quarterly is that it is filled with articles written by people who love to learn and understand things, specifically related to computers and technology.
Also, as someone who works in cyber security, it is exceedingly helpful for me to understand the types of vulnerabilities that are written about in Hacker Quarterly articles. For example, I read an article by an individual who was able to ‘investigate’ a very larger number of routers in Malaysia. Initially, he had resource constraints, but discovered that by using a Spot Instance at AWS he could considerably broaden his reach at a very low cost: ten dollars. I’ll be seeking to understand these AWS Spot Instances and the impact they may have on the security of organizations in the future.
By and large the spirit of the “Hacker Quarterly” is centered around learning and understanding. And the culture of the group is such that criminal activity is frowned upon, though they do skirt the edges of legality from time to time. To have a window into this world is marvelous. I’m now reading through a whole ‘digest’ of issues from the past year. And if you’re a “Learner” like me, I suggest you do the same. Here’s their website: https://www.2600.com/
This morning I read an article in the Economist about a kid who was born without a cerebellum. Learning to walk, among other things, has proven to be much harder for him than it is for other kids his age. He has had more success than kids who merely have damaged cerebellums. This is partly because other parts of his brain have compensated for the part of his brain that is missing, which can be harder than if it is missing completely.
Another reason why he’s seen success and exceeded the expectations of medical experts is because of his parents. The Economist article illustrates how it is that his parents acted like a cerebellum for him. Repeatedly, they pushed him to stand up when he would have rather crawled. When he totters off a trail while walking through the zoo, they pull him back on. He’s momentarily agitated, not entirely sure why, but then he gets back on track, mentally.
This is an exaggerated case, but what it and other cases like it show is that if a human brain can use other brains to aid its processing power, it will. And that, as humans, we tend to rely on this distributed processing power. Whether this is in a family, a social group, or even in the workplace, I think it is important to understand our own distributed processing. If groups aren’t communicating or are in separate work silos, this will significantly reduce the value they bring to an organization. On the flip side, if these distributed systems are able to interface with each other, we can expect to see considerable value added to innovation supply chains.
We often relish rugged mental individualism, but by ignoring our distributed models of thinking, we decapitate our true potential of generating value within an organization. It is true that we can and should “put our heads together”. My son calls this “Hive Mind”.
These days efforts to revamp company culture are in vogue. I’m going to attempt to articulate what I see as a connection between machine learning and efforts to change company culture. Stay with me here a bit because the analogy doesn’t show up until the fourth paragraph and I need to share a little bit of background first. 🙂
One group leading the charge to change company culture is Partners in Leadership (https://www.partnersinleadership.com). They use a tool that identifies the following flow toward changing results. It’s a pyramid that moves from experiences to results in the following steps: EXPERIENCES >> BELIEFS >> ACTIONS >> RESULTS. According to the model, you start with the results you want to see as an organization and then move backward until you’ve arrived at the experiences that you need to create. The thinking is that experiences shape beliefs, which shape actions, which shape results. They maintain that you cannot simply skip ahead results until the rest of the house is in order first.
As for the experiences, they actually need to be high quality experiences. Partners in Leadership breaks these experiences into four types (big paraphrase here): 1) Easy to interpret, 2) Needing work to interpret, 3) Very little meaning, so there isn’t much to interpret, and 4) Experiences that, well, kind of did the opposite of what they were intended to do.
Now it is time for the machine learning analogy! Boiled down, machine learning is essentially learning from experiences (data) in order to shape beliefs (trained statistical models). These beliefs/models turn into actions (acting on the outcome of a model), which leads to results. Critical to this process is the experiential data and its interpretation (the model). We train our models by feeding data (experiences) into them. Why am I making this connection? Because organizations are really struggling to understand machine learning. Why not piggy back off of something that they’re learning already? Results from machine learning algorithms are no different results gleaned from an organizations’ cultural change initiatives. What data do you have that you can use to shape your statistical models? Which actions do you need to take to get results? You can change your culture and understand machine learning at the same time!
I spend approximately 8-10 hours a day in front of a computer. That’s a lot of time staring at a screen. (I think a lot of other people are probably in the same boat.) And, yes, I’m sitting in front of a screen to write this. 🙂
So I’m mindful of ways where I can dive deeply into the analog world. I’ve found one activity really provides a great escape from all of that: analog music. Yup, an actual musical instrument. Lately, I’ve been playing the violin. It is so incredibly fun and there is so much to learn about it. Granted, if I want a tip from Itzhak Perlman about how to hold my bow, I briefly turn to YouTube for a quick tutorial, but then I’m right back to my purely analog endeavor. I also play guitar, cello and mandolin. All those instruments provide an excellent balance against computing.
For me, the vibration of an actual string, which is caused by fingers, hands and arms…and then the resulting sound dancing off my eardrums…is about as real as it gets. Sure, I can have my head in some sheet music, but I can also close my eyes and visualize the sound and have it connect with actual movements my body is making.
Also, I try to enjoy every note and try not to get to wrapped up in a whole piece or song being completed. Sometimes three notes are all you need, or a couple measures. Just ask the members of my household. I’m sure there are times when they wish I had a slightly more varied approach to my practicing. In my mind, though, practicing by definition is repetitive. Anyway, something to think about as an antidote to computing. Never too late to start!
How much of the world’s IT infrastructure is in the cloud now and much of it will be in the cloud in five years? I’m sure there is nearly solid data somewhere to answer those questions. Regardless, it is happening and it won’t be long until most IT infrastructure is in the cloud.
Oddly, though, in my conversations with other IT professionals, it seems like we’re finding we’ve arrived late to the party. With the advent of “the cloud” organizations are finding that there are all sorts of solutions out there that don’t necessarily need the involvement of traditional IT. In much of the IT world, our perception is that this process is more gradual when in fact it is accelerating.
So the real question is not whether “the cloud” is coming, but whether we see it coming. If we want to make sure cloud implementation is done properly and doesn’t completely hose our respective organizations, we must learn as much as we can in a very short period of time.
Nearly every day I find myself reading about cloud security risks right along side incredible cloud solutions for problems that would normally be much harder to solve. At the same time, many cloud solutions create problems that we’ve never seen before. With the flip of a switch something private can become public: see S3 buckets. And it isn’t so much that the cloud is insecure, but how we connect to the cloud, whether this is through our API infrastructure or open ports that maybe shouldn’t be…open. The only answer I have for all of this is that we need to learn, learn, learn, learn…and fast.
So, generally, the easiest way for hackers to get into an organization is by convincing users do to something: click on an email attachment or a link, make a phone call, share information, etc. For all the technological advances that have sprung forth in the past decade, this is still among greatest challenges faced by security professionals: figuring out how to keep people from following hackers’ instructions.
Our biggest vulnerability is also our greatest asset. We can make thoughtful decisions quickly. And sometimes our decisions aren’t so thoughtful because we’re in the midst of doing other things, or generally too distracted to slow down and think through what is being asked of us. This little glitch in our code is all an attacker needs.
Exploiting this human vulnerability is all an attacker needs to get us to act in a way that is not in our best interest. This is the nature of a hacker-victim relationship. But are there other ways that people are getting hacked that maybe aren’t as overt as this? Think of the decisions we make daily. How many of them are in our best interest or the best interest of our friends and family.
We make snap decisions all the time that aren’t really based on sound logic. I bet any one of us can look back over the course of the case and think about an action we took that wasn’t ideal. It’s a given. If we didn’t make decisions relatively quickly, our brains would grind to a halt and we’d become mostly ineffective at making our way through this world. But as technology gets better and better at humans hacking other humans (think targeted advertising through machine learning algorithms), we should pause to ask ourselves whether we’re on the right track. Will this lead us to a better humanity? Just throwing that question out there. It can go a myriad of different ways. Thanks for reading.