Alyssa Miller

Hacker, Researcher, and Security Advocate


Closing Out 2019 and Looking Ahead

Announcing a new development as 2020 approaches

Looking back at 2019, it has been a tremendous year for me from a personal and career development perspective. I’ve been very fortunate to elevate my involvement in the security community. I’ve documented much of it in this video I made in response to a challenge from Jane Frankland. Looking ahead to 2020, I have many new opportunities on the horizon that are very exciting. However, first I need to say goodbye to 2019.

The Announcement

As 2019 comes to a close, so does my time working for CDW. I made the decision to leave my role in their security practice and begin a new exciting chapter in my career. I’ll save the announcement about that until shortly after the new year. For now, I want to reflect back on how amazing this, somewhat brief, chapter of my life has been.

Over the last 18 months, I worked with some amazingly talented people in their security practice. I remember asking, when I was first approached by their recruiter, “CDW does security consulting?” Over my time in the practice, I had the opportunity to really drive market awareness of the practice in the security community as a whole. We always joke about this 20-year-old practice being the company’s best kept secret, and it’s true. However, it was my personal mission from the start to change that.


My role afforded me the opportunity to interact with business and security leaders in all new ways. Not only did I speak at security conferences, I also was able to get in front of executive and industry specific audiences. Each opportunity allowed me to socialize new perspectives on how to solve the challenges around cyber security. Additionally, I interacted with so many wonderful people and forged new connections that I cherish greatly. I owe so much of my personal brand growth to my employer.

A Difficult Decision

It was a tough decision to leave my current role. I managed two teams of amazingly skilled individuals whom I care about very deeply. However, I believe they are in good hands. I have no doubt the security practice will continue to excel and bring value to their customers. Words cannot describe the honor of working with these wonderful people and helping coach them in their own career development. I’m looking forward to seeing all the great things each one of them will accomplish.

I have an extreme amount of respect for the organization I leave behind and all the good they have done and continue to do for the IT industry. It’s hard to leave a company when you know there is more you could accomplish there. However, I’ve got an exciting opportunity on the horizon that I simply could not say no to.

When appropriate, I will announce what my new opportunity is all about. For now, I wish to simply pause and reflect on all the great things I’ve been fortunate to accomplish as part of my current role. I’m going to enjoy the holidays and as the new year begins dive into something new and thrilling.

What Is a Hacker?

Reclaiming the Hacker Title, and Ending the Stereotypes

For some, the term hacker elicits images of a person wearing a black hoodie in a dark room working tirelessly on a computer. In other cases, connotations of criminal syndicates or nation-state attackers jump to mind. Unfortunately, thanks in part to media and entertainment portrayals of hackers, the reality is rarely understood. In fact, even formal descriptions of hackers tend to focus solely on their actions as the defining measure. In truth, the term hacker describes an identity. It refers to characteristics of how a person looks at problems and attempts to solve them.

My tattoo from GrrCON ’14 with the phrase from Jayson Street’s keynote that has inspired me ever since.

In 2014, I attended a security conference called GrrCON. A well respected member of the security community, Jayson Street, gave a very powerful keynote speech. His discussion focused on the history of hackers and drove home the message that hackers are not criminals and freaks. Instead, we are artists and inventors. His discussion impacted me so greatly that I got a tattoo at the conference that emblazons those words on the back of my shoulder.

The Mysterious Hacker

When we think about computer hackers in particular, we think about the secretive nature of hackers: people operating in anonymity, using handles rather than their names, using private and sometimes obscure communications channels to share information. Especially in the early days of the internet, this was an accurate view of the hacker community, and it only adds to the myth and mystique of hacker lore. Since hackers were seen as criminals, anonymity was a crucial tool in simply advancing their craft. While their motivations were often rooted in curiosity, law enforcement had very different opinions.

As with any growing community of people, a social order began to develop as well. Personalities clashed, and competition often ensued, with rival hackers seeking to establish their place among the most skilled by demonstrating proof of their latest hack. Sometimes they even attacked each other. Even today, many of these behaviors persist. There is a degree of fame and respect given to those who demonstrate extraordinary skills. But hackers are so much more.

Curiosity and Creativity

“What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology.”

Alyssa Miller

If you’ve spent any time on my site or social media pages, you know I identify myself as a hacker. While I’ve taken over domain admin accounts by passing hashes, gained command line access to web servers via poorly configured web applications, and even dumped the entire contents of databases using blind SQL injection vulnerabilities, these skills don’t make me a hacker. On the flip side, I’ve never discovered a 0-day vulnerability, never stolen money or data, and never gone to jail for my activities. These facts don’t make me any less of a hacker.

What makes me a hacker is something more intrinsic, something integral to my very being. What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology. It’s an optimistic problem-solving skill: a belief that anything can be changed or improved if I can just first understand how it functions.

Many hackers, myself included, will tell you that as children we took things apart. Driven by a curiosity to understand how technology worked, we learned through examination. This is a cognitive trait that shapes how we look at problems and solve complex issues. This, in my opinion, defines what makes a hacker a hacker.

Hackers and Ideology

Take a look at the interactions of hackers on social media or other forums and you’ll discover hackers are typically very idealistic. While we don’t all have the same values, more often than not, they are rooted in positive motivations. Street, in his presentation, discussed Nikola Tesla as an early hacker. Tesla had a vision for supplying electricity to the world without cost. He built upon the discoveries of his peers and predecessors to develop new technologies. His inventions drive many of the technologies we’ve become dependent on today. He wanted everyone to take his works, use them, and continue to improve them. However, due in part to businessmen with less noble values, Tesla died broke and alone, his inventions tied up in patents that prevented new innovations.

Hackers often look at the internet the same way, with very idealistic vision. Most place a great deal of value on the free exchange of ideas and information while also valuing privacy and individual liberty. Many of us work to make the internet more secure to help ensure that vision. Nowhere is this ideal more clearly displayed than at the various hacker conferences that occur every year. Tens of thousands of hackers come together in various venues around the globe in an effort to share our knowledge, our research, and our opinions on how to improve the technology of the world we live in.

Gate-keeping

Unfortunately, while many in the security community work to promote a more positive image of hackers, there are some who want to perpetuate the stereotypes. They prefer the mystique of clandestine individuals or groups that have the power, because of their skills, to disrupt society and the world. That image of the hacker culture is seen as cool and almost elitist in a way. As a result, some attempt to establish their position in the social order by trying to define who is worthy of being called a hacker. Usually the definition relies solely on the level of their skills or the novelty of the exploits they unearth.

This view is counterproductive to establishing a truly free exchange of ideas and knowledge. It serves to create cliques, toxic competitiveness, and secrecy that break down those ideals. Sure, it’s part of where we came from as hackers. Yes, competition can be healthy and productive. But to be truly great as a community, we must be able to build off the work of others. We have to leverage the unique perspectives we each bring to the table and let those drive new ideas. That is how we become l33t.

You're Hired

Talent Shortage, Really?

Examining the disconnect between employers and job seekers in security

There is a lot of talk among business leaders about a critical shortage of cyber security talent. Many cite studies and surveys that provide context for just how big the problem has become. In fact, Cybersecurity Ventures predicted in 2017 that by 2021 nearly 3.5 million security jobs will go unfilled. While this discussion is seemingly ubiquitous in the business world, there is another side to the story.

Interacting with the security community through social media, one quickly discovers that there are significant numbers of job seekers unable to find security jobs. In fact, I recently tweeted about a job opening that I have coming up. With roughly 4,200 followers, I had over 200 people send me direct messages expressing interest. After weeding out those who were clearly not fits, I still have a list of over 50 potential candidates. With that much interest from one tweet about one position, it seems odd that organizations are having a hard time finding candidates. This dissonance is so powerful that I personally call BS on the talent shortage. What we have is a talent disconnect, but why?

Job descriptions and unrealistic expectations

Browse the listings of security jobs and you’ll quickly see just how poor and unrealistic many of them are. In my own less-than-scientific research, I’ve noted a few of the more common issues:

  • Requirements for an overly broad range of expert-level skills beyond what any single human could possibly possess
  • Length of experience requirements that are not commensurate with the position (e.g., 6-8 years of security experience for a security analyst role)
  • Unrealistic salary ranges for a given title (e.g., a Senior Security Architect role with a salary range of $50,000-65,000)
  • Seeking impossible levels of experience in emerging technologies (e.g., 10 years experience with blockchain technology)

Breaking it down

Let’s tackle these one at a time. Overly broad skills requirements often stem from building job descriptions like a wish list. The approach ends up being “we can’t have it all, but whoever checks the most boxes in this list is the one we choose”. There are two problems with this methodology. First, job seekers read those lists as hard requirements. The more items on the list they can’t check, the less likely they are to apply. Second, picking a candidate with broad knowledge but little depth may leave the organization in a bad position when deep technical expertise is needed.

Security-related job descriptions are still new to many organizations. As such, they are often derived from other technical roles with similar titles. This can lead to a scenario where the length of experience being asked for does not match up to what the market would dictate for that level of position. This same scenario can often lead to seeking impossible levels of expertise. Ultimately, more time and analysis is needed from security leaders and Human Resources working together to develop market-aligned expectations.

One of the most frustrating issues isn’t always visible from the job description itself. When the salary range attached to a role is unrealistic in terms of market forces, both hiring managers and candidates are impacted. Candidates often go through multiple rounds of interviews before finding out the pay range is too low. They end up feeling like their time was wasted. In cases where initial screening interviews are used to match salary needs, the hiring manager will likely receive few qualified candidate options, resulting in further frustration on their part.

Engaging the Security Community

Another common issue that seems to hamstring many recruiters is their inability to connect with the security community. Anyone who has security experience listed on their LinkedIn profile has likely gotten messages from recruiters. Commonly, recruiters will use one or two search criteria and match highly experienced candidates with entry-level or unrelated positions. The “hot” job market in security brings many non-technical recruiters out in search of security talent. The resulting credibility problems for recruiters in the security industry in particular create a heavy divide.

Recruiters must overcome that credibility problem with a genuine understanding of the security landscape. Additionally, they must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach. It takes time, but recruiters who take time to learn security and develop long-term relationships with members of the security community find greater overall success in filling roles.

Breaking the mold

A side effect of interacting with the security community is that organizations will also shed their preconceptions of what security talent looks like. Sometimes there literally is a bias as far as the appearance of security professionals. Bold hair colors, visible tattoos, body piercings, and non-traditional fashions are very common among security experts. Meanwhile, the corporate world continues to shift at a glacial pace toward acceptance of such appearances.

Security and business leaders alike still carry heavy bias, albeit sometimes unconscious, against individual expression. Conformance to traditional standards is still sought, often to the degree of disqualifying otherwise highly qualified candidates. Managers hiring for security positions (or any positions for that matter) need to understand this and move beyond their preconceived images.

Incubating talent

I find it particularly frustrating how little foresight organizations put into developing security expertise in their current staff. As digital transformation trends continue, security has to be a part of every phase of our business. So why then don’t leaders look to groom security expertise in all business functions? Imagine a world where every team from accounting to finance to development was required to have security expertise.

An approach like this has multiple benefits. First and foremost, it begins developing a culture in which security is always a consideration. No longer do we allow admin or operational groups to fly under the radar of security considerations. Second, these resources now become an internal pool of candidates from which security-focused positions can be filled. Essentially, it becomes an incubator of security talent. Third, this type of investment in employees also helps combat turnover. Employees are able to develop marketable skills that give them a clear path for advancement or new challenges.

Obviously, this type of approach requires executive level buy-in and support. Business and support functions will be reluctant to dedicate portions of their budgets to training in skills they see as unrelated to their purpose. However, at an executive level, when the cost of training is weighed against recruiting costs, turnover costs, cost-of-vacancy, and third party services expenses, the business case is easy to build. Organizations must stop relying on someone else to develop security talent and instead they must take an active role in the process.

Bridging the gap

Is the idea of a talent shortage truly false? It’s hard for anyone to say for sure. However, the way organizations search for and cultivate talent clearly contributes to the problem. We’re seeing a shifting of the tides in terms of how security talent and hiring firms come together, but there’s still a massive gap. To those of us active in the community, that disconnect is very visible every day.


Deep Fakes in 2020

How artificial media could impact US Elections

Deep fakes, extremely convincing artificial media produced by deep neural networks, have entered the political arena. In 2017, Buzzfeed published a short video on YouTube that appeared to feature President Barack Obama sharing some surprisingly candid viewpoints. In reality, the visual portions of the video were artificially produced. The voice on the video was an impression done by comedian Jordan Peele. Many comments throughout social media lamented how terrifying this new technology is.

In my presentation, “The Death of Trust: Exploring the Deep Fake Threat”, at BSides Vancouver Island, I discussed the many threats posed by Deep Fakes. Among those threats is the expected role that Deep Fake media will play in the 2020 US Presidential election. While the technology continues to advance, it still has some important limitations that may help mitigate its impact. Moreover, there is a considerable amount of research being done into detection techniques. So far, this research boasts some impressive results.

How Deep Fakes are Created

Deep Fake videos are created using the learning capabilities of deep neural networks called Generative Adversarial Networks (GANs). In a GAN, two neural networks are pitted against each other. A Generator network is responsible for creating video frames that appear real. A Discriminator network in turn attempts to validate whether the frame is “authentic” or not. The Generator essentially tries, repeatedly, to trick the Discriminator into believing the images it creates are real.

A simplified view of a Generative Adversarial Network (GAN)

Both networks are trained with a large set of still images of faces, often hundreds of thousands. After learning, the GAN can be provided a relatively small number of still images of the intended subject (for instance President Obama). The Generator is also typically provided a target video into which the subject’s face will be inserted. Frame by frame, the Generator creates new artificial frames. The Discriminator in turn decides if they belong with the set of subject images. Each time the Discriminator rejects a frame, the Generator learns and refines its output. The end result is very convincing video content.

The Political Threat

Deep Fakes are concerning for the political process because they further support the distribution of disinformation. As the capabilities of deep fake producing GANs improve, politically motivated actors can create false videos of their adversaries. These can be used to convince voters that a particular candidate said or did things that are detrimental to their reputation. A striking characteristic of this type of disinformation is that once it is in the minds of the public, it is very hard to combat. Even with well documented evidence that a video is fake, many will still believe it is true.

However, another issue that is less talked about is the opposite case. What happens when compromising video of a politician surfaces but they claim it is a fake? There is already an abundance of claims of “Fake News” echoing in political discord. Trying to prove the authenticity of a video claimed to be fake can be quite challenging. In this way, deep fake technology puts a heavy strain on our ability to trust anything we see or hear.

Limitations of Deep Fake Technology

The good news is, deep fake technology is still far from perfect. The limitations of the technology are constantly changing, but researchers continue to work on methods for exploiting those limitations. One limitation is that in the training process, GANs rely on facial images of a fixed size. This is due to processing limitations. As a result, researchers from University at Albany, SUNY have been able to train neural networks to find warping artifacts that are indicative of deep fake videos.

Another limitation of deep fake video creation is that currently the GANs do not account for context and linguistics. Facial habits that are specific to the content and/or emotions being delivered are not easily replicated. Since training relies on static images, context-related expressions are not easily replicated. As a result, researchers from Dartmouth released research earlier this year that analyzes video for consistency with these “soft biometrics”. As of the release date, the study achieved a 95% accuracy rate. The researchers estimate that by the start of the 2020 primary season, that accuracy could be as high as 99%.

Finally, more development needs to be done before fully synthesized (both audio and video) deep fake videos can be reliably produced. Tools like Adobe VoCo and Baidu’s “Deep Voice” can produce very realistic synthesized voices. However, combining both deepfaked audio and video has yet to be demonstrated with consistently reliable results. That said, it seems reasonable to expect that it is only a matter of time before fully synthesized video can be created from nothing more than a typewritten script.

Proving Authenticity

Researchers have also been working on ways to ensure that truly authentic videos can be validated. NYU researchers recently demonstrated how current high-end digital cameras can be modified to create digital watermarks. Their study went further, however. They also used neural networks to overcome loss of forensic data due to regeneration (re-encoding an image/video). Overall they were able to build the framework of what could be an all-new approach to digital forensics.

Looking ahead

It certainly seems clear that for 2020, deepfakes will be a part of the (dis-) information bombarding the American public. If there is any good news in this it’s that we’ve not yet reached a level of capability talked about in the many doomsday scenarios regarding deepfakes. To truly limit the impact of deepfake media will require a coordinated approach of public awareness, careful and responsible journalism, and of course technological countermeasures. Security professionals can help shape the course of these three elements through our evangelism, influence and research.


You Can’t Do Anything, Why Haven’t You Done Something?

The conflicting messages Security Professionals give Business Leaders

It’s not if you’ll get hacked, it’s when. This is a statement every security professional has probably heard. In fact, most of us have probably used it at one time or another. A slightly different version is, if a hacker wants to get in badly enough, they will and you can’t stop them. While these statements may be true, they are not helpful. Worse yet, they set up a form of paradox among security professionals. We tell leaders they can’t do anything to protect themselves but then shame them when they do nothing.

Why say these things?
Photo by Tim Gouw on Unsplash

The origins and intents of these types of statements are most often genuine. Usually they’re used to convey the notion that being 100% hack-proof is unrealistic. Furthermore, they set the expectation that security is a continuous process, not a destination or goal. The sentiments are accurate but poorly communicated.

In some cases, however, these statements of hopelessness sound like an attempt to convey superiority. Their context seems to say, I know more about these attackers than you and you’re foolish to think we can stop them. Ultimately, the tone is counterproductive and prevents us from inspiring the actions we want to see.

Shaming Inaction

Things get worse when, after telling leaders there is no hope, cyber security specialists turn around and shame them for not taking action. A breach occurs. The security folks point fingers at all the security initiatives that didn’t happen due to business decisions. Yet the blame game isn’t fair. Those fingers should be pointed at the ones who said there was no hope.

Consider this. When someone you count on for their expertise says a task simply can’t be done, how motivated do you feel? Will you spend time trying to accomplish something you have little passion for when the expert says there’s no hope? This is the scenario we as security professionals create when we share these messages of hopelessness. Basically, we’ve told them to just accept what is and move on. So how can we expect that they would do anything we ask?

Communicating better

When we talk to business leaders about security, we have to arm them with decision-making criteria. We need to help them see that the course of action we’re recommending has tangible benefits. That doesn’t mean over-promising the impact of a new control or solution. Instead, we just need to help quantify the risks and the reduction of risk that will result. Give them some hope that if they do this thing, it will reduce the likelihood or impact of a compromise.

Of course, quantifying risk makes most security folks shudder. It is hard to do and harder to do well. However, it’s not impossible. Focus on numbers. How many user accounts will no longer have static passwords with the new multi-factor solution? How many functional systems will be isolated to their own segment with that micro-segmentation proposal? Use those numbers to develop metrics. Will revenue-generating systems be more secure? Well, how much revenue are you helping protect?

The case being made doesn’t have to include complex formulas that create objective risk scores. Rather, we just need to provide tangible context for how much more secure we will be tomorrow than today. It sounds silly to say, but ultimately that’s the decision business leaders are asked to make. We’re asking them to make a cost-benefit decision in their heads. Make it easy for them.

When you give someone credible hope that their actions can be successful, they become motivated. Know what successful means and coach them if you have to. Success in security strategy is not becoming unhackable, we know that. It’s achieving continuous improvement over time. Stop spreading doom-and-gloom and wondering why they don’t take action. Use positive messaging to inspire action and get the results you want.


Inside the Backdoor Backlash

Taking a more tangible view of encryption backdoors

US Attorney General William Barr gave a speech Tuesday morning in which he approached the topic of what he called “warrant-proof” encryption. His argument revives discussion about establishing encryption that can be broken or bypassed by law enforcement. Overall, the security community responded with the level of condemnation one might expect. However, looking through the various reactions, opportunity exists to make those arguments more compelling. More can be done to convince the voting public that this is an important issue.

Photo courtesy of The United States Department of Justice

Many of the responses to Barr’s speech echo previous statements about weakening encryption. They often focus on idealistic privacy concepts or ethereal encryption principles. Unfortunately, those arguments are easily countered with discussion of practicality over security ideals. Indeed, Barr brought out some of those points in his speech. Some cited policy and corruption concerns. They described worst case scenarios where law enforcement would abuse the capability. However, on the whole society still trusts in law enforcement and sees these abuse cases as fringe activities.

Even security pros don’t get it

Security and privacy professionals seem to struggle to make compelling arguments on this topic. I myself struggled in a conversation earlier this year with a former member of the CIA. While I could talk about idealistic views, violations of fundamental encryption concepts, etc., I never felt I overcame the counterarguments. It ended as an agree-to-disagree situation. Furthermore, security professionals actually advocating that backdoors in encryption are not a big deal exemplify the need for a better argument. At least in my opinion.

So I searched my mind for ways we could re-frame the discussion. How can the security community create discussion focused on tangible risks? After all, in theory, weighing the risks ultimately drives decision making. If risk to the public outweighs the risk of not being able to decrypt potential evidence, then we can shape public opinion and in turn the policy making decisions by our politicians.

Centralized key storage and master keys

First we need to understand a fundamental concept of how encryption protects us. Current asymmetric encryption derives a level of security from the distributed storage of the private keys and the 1-to-1 relationship of public and private keys. The owner of the key pair is the only person who has access to the private key. Compromise of one or multiple private keys impacts only a fraction of the public, from a global perspective. Replacing the small number of affected keys restores security.

Unfortunately, implementation of a backdoor would likely require either a centralized repository of private keys or a single master key. Either way, compromise of that repository or the master key would impact vast numbers of key pairs. The global impact would be tremendous. Compromise of a master key or private key repository would put millions of key pairs at risk.

Exploitation of attacks becomes trivial

Second, and building off this knowledge, the attack vectors against encryption would change. In current implementations, the distribution of private keys and the singular relationship of key pairs makes attacking the keys themselves a high-effort, low-reward approach. As a result, attackers focus on attacking the implementation of the encryption architecture itself. Weaknesses in encryption algorithms can be very difficult to discover. Even once discovered, executing padding oracle, side-channel, etc. attacks consumes a lot of time and effort for each key pair encountered.

With a backdoor, the attack vector shifts. Attackers could focus all attention on the backdoor itself. Suddenly, cracking a single repository or key would be a high-reward approach. If attackers find a flaw in the implementation of the backdoor or, worse, expose a master key or repository of private keys, exploitation of millions of key pairs would require only nominal effort.

The door lock metaphor

When explaining this to non-security people, I’ve had success using the door lock analogy. Right now every door in the world has only one key that can open it and those keys are stored separately with their owners around the globe. Attackers aren’t going to try to find as many keys as they can and steal them. It would take a long time and have little reward. However, a master key or key repository allows attackers to focus their attacks on a single location. A successful attack gains them access to millions of doors all at once.

Additionally, because the keys are distributed, attackers have to focus on cracking the lock itself. Even when we know a type of lock can be picked, each one has to be picked individually, which is a time- and effort-consuming process. If a backdoor is created, then once the master key is stolen or the repository is exposed, opening any lock in the world is as easy as walking up and putting a key in.

As you can see, none of this requires fringe-case abuse by law enforcement to put the public at risk. The increased public risk follows directly from violating core encryption concepts, and it links to quantifiable changes in risk to the public. This is the kind of argument we need to make. Ultimately, establishing an encryption backdoor collapses two of the primary pillars that give our current encryption technologies their strength. And that is a big deal!
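To make the blast-radius difference between the two models concrete, here is an added toy simulation that is not part of the original post. It models a "key pair" as a random 32-byte secret plus an identifier derived from it (not real asymmetric cryptography), and models key escrow as wrapping every private key under one master key with an HMAC-derived keystream. Names such as `build_escrow` and `blast_radius` are assumptions for illustration only, not code from any real escrow system.

```python
import hashlib
import hmac
import os

# Constructed toy model: a "private key" is 32 random bytes and the "public"
# side is an identifier derived from it. Only the ownership/recovery
# relationships matter here, not the math of real asymmetric encryption.


def public_id(private_key: bytes) -> str:
    return hashlib.sha256(b"pub|" + private_key).hexdigest()[:16]


def generate_keypairs(n: int) -> dict:
    """Distributed model: every owner holds their own private key."""
    pairs = {}
    for _ in range(n):
        priv = os.urandom(32)
        pairs[public_id(priv)] = priv
    return pairs


def wrap_key(master: bytes, pub: str, private_key: bytes) -> bytes:
    """Escrow model: wrap one private key under the master key.

    Keystream = HMAC-SHA256(master, pub), XORed with the 32-byte private key.
    XOR with the same keystream unwraps it, so unwrap_key is the same function.
    """
    stream = hmac.new(master, pub.encode(), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(private_key, stream))


unwrap_key = wrap_key


def build_escrow(master: bytes, pairs: dict) -> dict:
    """The centralized repository: every private key wrapped under one master."""
    return {pub: wrap_key(master, pub, priv) for pub, priv in pairs.items()}


def exposed_by_private_key_theft(pairs: dict, stolen_pub: str) -> dict:
    """Attacker steals one owner's private key: only that pair is exposed."""
    return {stolen_pub: pairs[stolen_pub]}


def exposed_by_master_key_theft(master: bytes, escrow: dict) -> dict:
    """Attacker steals the master key: every escrowed private key is recovered."""
    return {pub: unwrap_key(master, pub, wrapped) for pub, wrapped in escrow.items()}


def blast_radius(n: int = 1000) -> tuple:
    """Compare how many private keys one successful attack yields in each model."""
    pairs = generate_keypairs(n)
    master = os.urandom(32)
    escrow = build_escrow(master, pairs)

    victim = next(iter(pairs))
    without_backdoor = exposed_by_private_key_theft(pairs, victim)
    with_backdoor = exposed_by_master_key_theft(master, escrow)

    # The recovered keys are byte-for-byte the originals: nothing to crack.
    assert with_backdoor == pairs
    return len(without_backdoor), len(with_backdoor)


if __name__ == "__main__":
    one, everyone = blast_radius(1000)
    print(f"private key stolen: {one} key pair exposed")
    print(f"master key stolen:  {everyone} key pairs exposed")
```

The two numbers it returns are the whole argument: a single stolen private key costs the attacker effort per victim and yields one key pair, while a single stolen master key yields every key pair the escrow holds, with no per-key cryptanalysis required.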

Corner office board room in a skyscraper

Get a Chair At the Big Table

CISOs can drive the security discussion in the board room

Cyber security is increasingly becoming a top business concern for executives. A recent survey from The Conference Board found that US CEOs rank cyber security as their top external concern for 2019. However, at the board level, security discussions with the CISO are relatively rare. Without this critical interaction, it can be challenging for a CISO to drive security strategy. Luckily, there are some steps security professionals can take to earn a spot at the table with the board.

Why aren’t CISOs being invited to the discussion?
Three women in a meeting
Photo by Tim Gouw on Unsplash

Numerous challenges stand in the way of a CISO getting in front of the board of directors. From reporting structure, to stereotypes about a CISO’s qualifications, security executives have many barriers to overcome. Understanding the challenges enables development of strategies to overcome them.

Organizational reporting structure

In most organizational reporting structures, the CISO reports to another executive below the CEO. As a result, organizations commonly view the CISO’s duties as a subset of another officer’s role. The board typically calls upon the higher ranking executive, commonly the CIO, COO, or CRO, if and when the discussion of security reaches the board room.

Perception of the CISO

A perception that CISOs are too technical also hampers their ability to win a spot in the discussion. Developing a security strategy requires a significant level of technical knowledge, and CISOs sometimes do struggle to present security strategy in terms that resonate with the board. Overcoming the stereotype of being too technical for the board room challenges even the strongest CISO.

Security is scary

Despite the increased focus on security, all too often the board avoids the topic of security. The complexity and uncertainty of cyber security make it an uncomfortable discussion point. Sure, directors want to keep the organization’s name out of the headlines. But at the same time, some treat cyber security like a toothache: rather than going to the dentist, they try to avoid even thinking about it. However, the problem doesn’t simply go away. Just like that tooth, ignoring it only makes things worse.

Earning a spot at the big table

Security leaders need to change the perception of the CISO role and make cyber security a regular topic for the board. This begins with establishing credibility with higher ranking executives and the board. While this process takes time, establishing a solid rapport with the board ensures they’ll seek out the CISO’s perspective.

Forget FUD, focus on the business

CISOs commonly make the mistake of presenting security in terms of Fear, Uncertainty, and Doubt (FUD). They share perspectives on the horrible things that could happen. However, playing off the fears of others does not motivate them to action, it causes them to avoid the conversation.

Instead, security leaders need to focus on how security strategy can improve existing business or enable new lines of business. For instance, demonstrating how an investment in Cloud Access Security Broker (CASB) technology creates the ability to offer new cloud-based services delivers a very compelling story line. Additionally, it demonstrates an understanding of the business beyond simply the technology.

Be prepared for the right questions

Responding with solid, tangible answers establishes expertise and confidence. Doing so requires an understanding of how board members look at the business. Ultimately, when it comes to security, the board wants to know that appropriate measures are being taken to manage threats to the business.

Directors ask questions along the lines of “Could we get hacked today?” or “What would the impact be if we get hacked?” Answering these requires reading between the lines to understand what information they’re really asking for. Fundamentally, they’re trying to assess risk and ensure that something is being done to address it. So share tangible efforts and programs that are in place, but do so in the context of critical business functions. Avoid talking about the latest technology you deployed; instead, describe the resilience of business processes to recently publicized attacks.

Establish Visibility

Regular communication with the board can start without attendance at the meetings. CISOs should work with their top-level executives to establish a reporting cadence with the board. A proactive approach allows the CISO to shape the security strategy message and demonstrates competence and expertise. Furthermore, the regular cadence establishes visibility that builds a bridge into the board room over time. Ultimately, putting more security-focused data in the hands of board members builds demand for further security discussion.

While it can be challenging, CISOs can drive the security discussion all the way up to the board of directors. Taking time to understand the board and their perspectives allows the CISO to exhibit their expertise and build confidence. Ultimately, as the board hears more from a competent CISO, their trust grows and their desire for interaction leads to a spot for the CISO at the big table.

Conquering Impostor Syndrome

Recognize that you bring value to the discussion and be heard

One of the things I’ve always found incredible about the security community is the commitment to openly sharing information and discoveries. We have countless conferences, discussion media, and publications devoted to sharing security related works. However, for many, seeing the massive contributions of others invokes a level of anxiety when seeking to establish their own contributions. The infamous impostor syndrome rears its ugly head and holds people back from getting involved.

My first experience with impostor syndrome

Woman hiding her eyes behind her braided hair
Photo by Sharon McCutcheon on Unsplash

My memories of my first experience with impostor syndrome are very clear. I was working as a Managing Consultant for a security firm and at that point had been in security as a penetration tester for eight years. I had thought about speaking at a security conference on occasion but never really considered it a realistic goal. That is, until my director and a sales person encouraged me to submit a talk to a local conference our company was sponsoring.

I agreed, after all it was my boss telling me I should do this; and yet I was scared to death. I had seen some of the biggest names in our industry on stage at conferences, I had seen 0-day exploits announced at DEFCON, and here I was with nothing of the sort to contribute. Who am I to speak at anything? If I get accepted, they’ll all see that I’m just an average person and I’ll get laughed off the stage. All these thoughts went through my head, but I had to push through and create a talk, so that’s just what I did.

I had just come off a string of three separate application assessments where I had discovered various issues in OAuth2 implementations that created some significant vulnerabilities. I decided to put together a talk to discuss the proper implementation of OAuth2 and common failures that led to exploits. The talk got accepted, I delivered it (to a surprisingly full room), and I got some great feedback afterward.

A week or so later, I received a link with the video of my talk. I provided it to my director who suggested I send it out to our entire AppSec practice. While I received a number of gracious emails, the one that stood out in my mind came from a principal consultant who had spoken at a few conferences, including as part of a group at BlackHat USA. His response read, “A lot of hand waving here, nothing new or informative being shared”.

I was crushed. This was what I feared the most. An experienced conference speaker telling me my talk wasn’t worthy. I ignored all the good feedback I got at the conference, all the great emails I got from other consultants on our team, and I allowed this one email to confirm in my mind that I was a fraud.

Thankfully my director was an amazing leader who knew how to motivate me and he helped me see the truth. He pointed out how the email I got came from a consultant who himself was insecure and felt like an impostor. He helped me see the value of my talk and encouraged me to continue speaking. And that I have. I now speak regularly at conferences, and while I still have my bouts with impostor syndrome, I don’t let it hold me back. So I wanted to share some steps I’ve learned about how to overcome these feelings.

What causes impostor syndrome?

I’ve done a lot of self reflection on this along with a lot of reading and research. What I’ve found is that impostor syndrome is ultimately the result of feeling like one doesn’t belong. It’s this feeling that we’ve somehow stepped into a world where we are not like those around us and we’re somehow inferior as a result. When we perceive that the people around us are far more experienced, talented, or qualified than we are, those feelings come to the surface. For people in under-represented groups like people-of-color, women, those with disabilities, or LGBTQ+, the problems can be compounded since we can struggle to identify with our peers.

The problem stems from how we identify ourselves. We begin to establish our identity through labels when we are very young. Age, gender, race, job titles, etc. all play into how we identify who we are. We label others and often compare our labels with them. This is how social groups form. So when we follow a course of action in which we perceive that we’re stepping outside of those labels, our anxieties kick in. We fear that someone will figure out that we don’t wear that arbitrary label we’ve given them and they’ll see us as a fraud, that they’ll look at us and point us out as not a member of their group.

This is a very natural phenomenon in human social interactions. We place labels and gravitate toward those who we perceive as sharing the same labels we give ourselves. So how do we break down the barriers we place on ourselves? The following is the process I’ve come up with through my own self-analysis and research.

Acknowledge and combat those feelings

As you might suspect, the first step in overcoming the anxieties of impostor syndrome is to simply recognize that this is what we’re experiencing and combat it. When we begin to feel those fears, it’s important to look at those feelings and identify where they come from. How does the fear you’re experiencing relate to a feeling of not belonging? Personally, I take a mental inventory of those.

The key to combating them is objectively identifying the positive accomplishments we’ve experienced. Those positive comments and emails I received were a perfect example. So find those elements, but be careful. Do this objectively. Do not assign a relative value to them, just simply acknowledge and appreciate them.

Let the feelings go

Once you’ve identified your feelings and where they come from, you can start to let them go. Sometimes what you feel will be tied to things you simply cannot control, like your gender, race, etc. Understand that those are not characteristics that impact your qualifications and so don’t allow them to make you feel inadequate.

Also recognize those feelings that result from comparing yourself to others. Humans fall into the trap of measuring our talents and skills in comparison to others. However, that’s not a valid way to measure. Instead, see your qualifications as an objective measure, you have certain skills or you don’t. When you find that feelings of inadequacy are the result of such comparisons, trust that they’re not an accurate measure of your abilities and let them go.

Analyze your process of success

Look back at where you’ve been. How did you get to where you are today? Did you just have one success after the next without experiencing challenges and failures? If you’re honest with yourself, the answer is no. Thomas Edison did not invent a working light bulb on his first attempt. Stop holding yourself to that standard. Those challenges and failures are how you learned and developed your skills. Accept them, be proud of them, and understand that you’ll experience more of them in your future and that is a good thing.

Set objective goals and measurements

Identify the goals you have in attempting what it is you’ve set out to do. If you’re thinking about speaking at a conference, perhaps your goal is to share information about some research you did. It may seem corny, but list those goals and how you plan to measure them. Then look back. Are they based on others’ reactions, feelings, etc? If so, those are not objective goals because they’re based on your perception of someone else’s feelings. So re-frame them into something that focuses solely on you and something that you can objectively measure. This ensures that when you accomplish those goals, you’ll be able to recognize it and celebrate it. It prevents you from letting feelings downplay the great things you achieve.

Everyone experiences impostor syndrome

Finally, understand and accept that everyone has these feelings from time to time. I’ve talked to some of my idols who tell me often of their own experiences of feeling “out of their league”. It’s in pushing ourselves to exist beyond our labels that we grow and conquer obstacles. That’s how each of us becomes great.

Accept that it’s OK not to know all the answers and that if you did, it would mean you’re not pushing yourself hard enough. Have faith that it is not only acceptable to reach out for help, but that this is actually an effective tool. It gives you the opportunity to get others’ perspectives and challenge your own biases on the topic. It is also a chance to establish relationships with others who may actually be fascinated by the work you’re doing.

In the end, we all build off of each others’ works. Collaboration drives the continued growth of our collective community. So rather than convince yourself that asking for help makes you less, embrace it as part of the process.

These are the steps that have worked for me and that I’ve found corroborated in other research I’ve done. Hopefully some of this resonates with you and is helpful. I’d love to see some comments from others on what has worked for you that I’ve not included above.

NASA View of Earth from Space

The Oxymoron of “Smart” Devices

What a hair straightener can teach us about IoT Security

A recent article on Threatpost provides details of a vulnerability in the Glamoriser Bluetooth Smart Straightener. The vulnerability is pretty significant. An attacker can fairly easily gain control of the hair straightener, turn the heating element up to max power, and potentially cause a fire. Discovery of this vulnerability provides us with a clear example of why manufacturers need to be more calculating in their responses to the “smart” device trend.

Stock photo of the Glamoriser Bluetooth Smart Straightener
Researchers have found a security vulnerability in the Glamoriser Bluetooth Smart Straightener

According to product information on the Glamoriser website, the straightener comes with a mobile app that allows the user to control heat settings of the straightener for different types of styling and lock in a favorite setting. However, as it turns out (maybe not surprisingly), their implementation of this feature is anything but “smart”.

According to quotes from the researcher who discovered the vulnerability, Stuart Kennedy, the hair straightener’s Bluetooth Low Energy (BLE) connection lacks some of the basic security features most users have come to expect in Bluetooth devices. There is no pairing function in the straightener’s BLE implementation, meaning any device within range can connect and control the straightener. Sure, the risk may be somewhat limited by the range of BLE, but the threat vector is very real.

An emblematic problem with IoT and Connected Devices

This certainly is not the first time that we’ve seen once innocuous home devices turned into a threat vector. Manufacturers have routinely enabled “smart” functionality but failed to implement basic security features. However, the risks associated with this example lend credence to the warnings of researchers regarding just how serious the problem could be.

As many in the security community already know, manufacturers with no history or previous experience with implementing connected technology are rushing to create “smart” devices. The resulting implementations are often filled with security and functionality gaps. Whether this is a result of a lack of expertise or the need for speed to market (or both) is debatable. But the trend of security issues in newly released “smart” devices is undeniable.

The hair straightener example also stands as a particularly poignant lesson in that the only discernible reason to have a mobile app seems to be just the ability to label their styling tool as “smart”. The desired feature set enabled by the mobile app, being able to identify and set the needed temperature based on hair type and desired style, could have just as easily been implemented without connectivity. Hair straighteners for years have had adjustable temperature controls. Couldn’t an app that allowed the user to look up the correct settings and then manually set them on the device have been enough? Have we really reached the point in lazy consumerism where we need the app to make that adjustment for us? Let alone to the detriment of someone’s safety?

Time To Stop and Think

Sure, smart home devices are all the rage right now. Connected IoT devices are touted as the latest innovations and everyone wants to get on that bandwagon. However, if manufacturers can’t concern themselves with the safety of their consumers, they must at least start considering the risks in terms of their own liability for shipping faulty devices with real security vulnerabilities. How much does the manufacturer stand to lose if they get sued when someone is hurt or killed as a result of a security flaw in their product? The case of the Glamoriser straightener provides the most tangible illustration of those risks we’ve seen to date.

With that risk comes the need for serious investment in R&D before simply launching a product. That investment needs to include analysis of the benefits of the new connected features against the risks of liability if those features turn out to be a security flaw. Manufacturers cannot afford to assume an immeasurable marketing edge will come from simply labeling their product as “smart”. Had such analysis been done in the case of the Glamoriser, it’s doubtful that the ability to set a temperature on the device from your phone would have demonstrated value in the marketplace that outweighed the potential liability of someone’s house being burned down. This isn’t a particularly challenging threat model to build, so how did they get it so wrong?

It seems most manufacturers only pay attention to the threats and risks of their products when there is a palpable demand from consumers. Unfortunately, consumers remain blissfully unaware of these risks until something catastrophic occurs and is publicized widely in the media. Even then, market trends show we’re often willing to forgive and forget if it means we can own the latest innovative device. So we, as security researchers, have to find other ways to motivate manufacturers. So far this has proven to be a monumental task. The tide is shifting; more and more manufacturers are becoming aware of the risks and working with the security community. Sadly, it’s most often only after their failures or those of their competition are exposed.

Educating consumers and manufacturers alike seems to be one possible course of action. Security researchers have begun some outreach to the manufacturing community and we’ve made headway in certain markets like the automotive space. However, more can and must be done. There is opportunity for us to be more involved in the manufacturing community. We must look for ways not to scare manufacturers into doing better but to motivate them. Drawing the connections between producing secure products and expanding their business model is the key.

From a consumer perspective it is much the same. We’ve tried scaring people. We’ve talked about all the potential bad things that can happen. For consumers it’s a bunch of noise and they just want that cool new thing. So it’s time we start focusing on how their lives can be more convenient, more trendy, etc. by ensuring that they demand products that are secure and reject the early to market brands that blaze trails with questionable products. We need to make being securely connected the new hot thing.

Alyssa Hacker behind computer

Welcome Aboard

An Introduction of Epic Futility

OK well here I am interwebs!! After much encouragement from colleagues, friends, and acquaintances, I’ve launched a website and blog. As you’re likely aware, if you’ve found your way to this page, I’m very passionate about all things security and privacy related. It’s my career, it’s my passion, and most of all it’s something I love to share with others.

I’ve had a very atypical journey into the world of security, however. I’ll probably bore you in some other post with the full progression from my childhood interest in computers to my present day role as a security professional. But for now let me just share that what began as a hobby of playing with computers turned into a full-time job as a programmer, which in turn led to my entry into penetration testing and assessment work.

I have no delusions of grandeur. I am not the world’s greatest hacker, I am not some super security celebrity or highly touted “thought leader”. However, what I am is a person who really loves digging into technology, exposing how it works and how it fails, and sharing what I’ve learned with others. I’ve spoken at industry conferences, as you can see on this site. I’ve delivered various security assessments, training, and strategy guidance as part of my professional work. I’ve been featured in security publications and podcasts. I’m of course active on social media as well. But this is the first time that I own a dedicated space on the web to formally share my thoughts and opinions in written form.

Related to technology, security, and privacy, I also have a very powerful drive to correct what I see as a toxic environment in the tech and security communities. Women, People of Color, LGBTQ+ and other under-represented groups often find that the tech and security space is particularly unwelcoming. In security specifically, studies using the most liberal of criteria have found only around 20% of people in security roles are women. I believe that toxic environment is partly to blame. This is something I feel needs to change. I’m involved in multiple organizations that do work in this area, I speak on this topic as well, and so you’ll probably see posts from me focused on making our industry more inclusive as well.

So I hope you’ll enjoy. I hope you’ll reach out to me and share your own thoughts. I love to hear opposing viewpoints and discuss/debate at length as long as it’s done in a respectful and productive way. Thank you for visiting and please come back over and over!
