Two Great Security Professionals Reflect on One Human Factor in Cybersecurity

From an interview with Chris Roberts, currently the vCISO and chief hacker with the Hillbilly Hit Squad and the former chief security strategist for Attivo Networks.

And from correspondence with my former employee, Paige Thompson, all the way back from 2014, who is now in jail pending her upcoming case for allegedly perpetrating cybercrime against Capital One and single-handedly committing one of the largest and most expensive breaches in cybersecurity history.

Proving that the more things change, the more they stay the same.

Chris Roberts: This COVID-19 pandemic is unlike any other thing I have ever experienced in my lifetime and I’m sure that is true for almost everyone else working from home and sheltering in place right now. We are all figuring it out as we go. But, it actually isn’t unlike the cybersecurity business in general, except that it is now compressed and hit by an accelerant.

We have historically fumbled about with this whole problem space. We’ve largely ignored the people component and have mostly focused on technology and we have essentially been making it up as we have gone along. We pretend we understand things we don’t and act as though we know stuff when we actually don’t.

Paige Thompson: At some point, the world got this idea that using computers is supposed to be easy, which to me is like saying that immortality is supposed to be easy or space travel is supposed to be easy; things that nobody fully understands are supposed to be easy.

We live in a world where people don’t question things and believe they know better because they are ‘smarter than most.’ They may be smart, but they have no chance of standing on their own. Aside from the fact that people in general still don’t understand computers, I firmly believe that the sort of ‘do as I say not as I do’ mentality that is all too common today, has taken its toll in other aspects of life and empowered people to incredulous acts of corruption; I don’t believe that capitalizing on people’s fears is a path to innovation or progress for anybody except for the people who get paid for it.

There’s also this social stigma of ‘if something is difficult to understand then it’s easy to hide behind what somebody else says’ because it’s somehow embarrassing to not have the answers; I believe it is important instead, to embrace your mistakes and take pride in knowing that accepting the fact that there is always somebody better than you should inspire us to try to do better ourselves.

I strongly believe that the real problem is in how people think, which is to say they don’t do much of it for themselves. I have found the most success in life by questioning everything; it’d be nice to see other people doing the same.

Chris: So, now that we’re hit by this tectonic shift, we look back and wish we had put the tools and controls we have in place a while ago. But we didn’t. And even when a few of us did, we didn’t test them. Not under these conditions.

It’s a bit like a Ransomware attack. We know we could have prevented it, but those things didn’t seem very important at the time. Now suddenly they do. And the WFH scenarios add a level of complexity unimagined by most of us. The new reality is testing our technical support procedures and processes with enormous complexity – we have no idea what everyone has in their home environments – all that network sharing – all those use cases no one can adequately describe or properly characterize – we can’t sort out the thousands of potential threat vectors in this exponentially expanded landscape because we can’t yet understand what we’ve got.

Even something as apparently simple as the WFH environment, where we can’t even order a desk chair because they are sold out, or whether or not a conferencing tool like Zoom is secure, magnifies the difficulty. Now we see that Teams has been hacked as well.

My biggest frustration is that the threat actors are now in 300 places instead of one. Not just hiding out in your data center but instead camping in your child’s online learning app or your spouse’s streaming downloads or in your blended network and originally configured modem and router.

It is crazy hard now and only about to get worse. We need to learn from this and own up to what we really understand and do something about what we don’t or we will just repeat our inadequacies the next time a global threat erupts.

From 2017

Paige: Amazon is definitely a good place for anybody to work at least once, I learned a ton of stuff there. It’s a huge company, and some of the teams are kind of toxic, but if you get on a good one it’s a very good place to work. I think I’ll still be able to go back someday, I left on pretty good terms but just wasn’t doing very well performance-wise as I started spending more time away than anything to avoid somebody.

They’re a lot stricter than they used to be about switching teams because of people who would team-hop just to avoid getting fired for not doing anything, so the rules kind of screw a lot of good people.

There was a guy who tried to commit suicide over the same thing, I just decided to leave though at that point. I think it’s worthwhile enough having AWS on my resume, definitely would like to find someplace where I’ll be useful to people though.

Anyway, over the past couple of months, I’ve actually done some really intense research into security. Admittedly, I’ve even hacked a few hackers who were trying to hack my mail server; what I found was very disheveling – there are thousands … millions of routers on the internet that have the default admin/password, and are running Linux, fully open to the internet. You can scan the entire internet in less than 5 minutes.

The work involved in actually sourcing a botnet of a few thousand instances … is nothing; it’s a script kiddie.

There are a lot of takeaways from both of these folks. The question is where will we take them?
