Disclaimer: if you are looking for a strictly technical article, the ones I usually write, you will be disappointed. This blogpost is mainly my two cents on the way we, cybersecurity professionals, usually deal with situations, organizations and people, both techies and non-techies.

Introduction

A few days ago, I was reading this really interesting article about how toxic behaviour by a skilled technician spiraled out into one of the worst leaks CIA’s CNO branch had ever seen. This made me think about how we, cybersecurity professionals, often end up showing toxic behaviour, distrust others, and generally have unhealthy relationships with people both inside and outside our field of expertise. There is a general consensus among cybersecurity pros that situations never get better, that security will never have the proper place it deserves, that our advice is almost always ignored until shit hits the fan and everyone is running around clueless about what to do. But why is that? And how can we switch our mode of thinking so that the trap of nihilism doesn’t swallow us whole? This August marks the three year anniversary of a blogpost I published about my journey in cybersecurity, so I wanted to write another non technical article where I will lay down some of the rules I follow to keep my mind clear and positive, even when I feel like all the odds are stacked against me.

Not everyone is a specialist


This paragraph’s title speaks for itself. Not everyone is a specialist, so we need to internalize that not everyone has the background to understand how an attacker can go from having just a beachhead inside a network to being a Domain Administrator and possibly having more knowledge about the network’s configuration than the sysadmins themselves. Cybersecurity pros often seem to forget that, and we often get frustrated when someone, usually more senior than us, asks us “dumb” questions. We too used to have dumb questions, and we too used to ask for answers to dumb questions. As a matter of fact, I still do. And so do many of you, fellow cybersecurity mates, remember that.

Sometimes, especially during crises, having to explain stuff to higher ups takes a lot of time away from actually managing the crises themselves. But remember that, whenever someone in the “chain of command” asks questions, if we don’t give them answers, they will look for them somewhere else. But “somewhere else” doesn’t always give correct answers, and a senior (or worse, an executive) with incorrect answers in a time of crisis is a ticking time bomb. You don’t want people in the decision room to have incomplete (or worse, incorrect) answers, because they are the ones calling the shots. Take the time to help these people understand what’s going on and help them make better decisions. They will thank you for that, and you will have done a far better job as a professional than you would have done by staying hands on keyboard and ignoring the doubts of the people you work with or for. In my opinion, a good professional is as good an advisor as he is a keyboard ninja. Strive to be that person people look up to, both for support and to solve highly technical problems.

Cybersecurity is there to help, not bash

Another trait I have seen many cybersecurity pros share is the tendency to bash other IT workers for their shortcomings when it comes to securely configuring/developing/designing systems. I have been there too, furiously wondering how the fuck someone can leave hardcoded credentials in a mobile app or unauthenticated administrative APIs on a publicly facing server, only to find out that the guy who did that, mortified most of the time, was right beside me.

We have all been there. But we have also been on the other side of the fence sometimes. I myself blew up red team engagements by carelessly running the wrong tools. I exposed myself because of a dumb mistake or overconfidence. Everyone does that, both pentesters and sysadmins, network guys and red teamers. Screwing up is part of the game, and you screw up only if you are playing it. Long story short, only people who do the work end up making mistakes.

Another thing we have to consider is the huge disproportion in training between cybersecurity professionals and other IT workers. Most cybersecurity professionals spend a considerable chunk of their time, both working and free, studying, developing, researching, documenting, etc. I firmly believe ours is one of the fastest growing fields in IT, and this pushes us to continuously study and practice our craft. Other IT fields are not like that, so workers in these fields end up studying less and preparing less. This makes them more prone to making costly mistakes. Next time you deal with someone who has made some mistakes, remember they may not be getting a 4-digit annual training budget; maybe they are doing the best they can with what executives gave them. Treat them with dignity, give them pointers on where they screwed up, and point them to resources they can use to improve their skills. Doing all this in a respectful manner is far more beneficial to people and organizations than hundreds of dollars worth of equipment. This leads us to the next section.

Be respectful of other people’s work, regardless of how it is performed

Another tendency we all have is to consider other people’s work worth less than ours. I had this situation some time ago where I asked some colleagues of mine to do something I needed for an activity. We had different training, so they did it in a slightly different way than I expected. My first reaction was a big “WHAT THE F- HAVE YOU DONE?! THIS IS COMPLETELY USELESS!”, which not only was far from the truth, but more importantly mortified the other party, who had done his best to complete the task I assigned him. In reality, his work was as close to perfection as you could get with the equipment and training he had. It was me who expected something else and whose directions were not clear when I gave him the task. Short of having to run two more CLI commands on what he gave me, the task had been achieved exactly as I actually needed. When I understood my mistake, I apologized and made sure my coworker had better directions on how to perform the task I gave him, should such a need come up again in the future. What I learnt from that experience was that, unless mistakes are made in bad faith, which is not usually the case, we should always be respectful of other people’s work, regardless of how it is performed. If it is not done the way you like or need it, just say so with respect and most people will gladly comply.

Things are better than they were and they will continue to improve

As we stated before, cybersecurity is a field that can drive people into nihilistic thinking when it comes to the future of organizations. It almost always feels like things never change, like people always make the same mistakes. Let me put it bluntly: this is as far from the truth as you can go. Security has made enormous leaps in recent years. From default end-to-end encrypted comms, to automatically managed strong passwords and multi-factor authentication, there is no doubt the world is starting to care about security. Being a pentester today is much more difficult than it was just 5 years ago. Sure, you can still find a lot of organizations that will gift you with an easily taken sniper shot to the head of their IT systems, and this is nowhere near changing in the future, but organizations that are mature from a security perspective are on the rise. There is no doubt about that. One example? Initial access, in my opinion, is becoming increasingly difficult by the day. Criminal gangs buying their way into organizations testifies to that.


Sure, phishing employees to get a beachhead into a company’s network is far from undoable, but it’s not something you do today with the same ease you did 5 years ago. Things improved. And they will continue to. Think about how easy it was to obtain a 0day on Apache or nginx 15 years ago. Today these kinds of vulnerabilities still come out, but with less and less frequency. The gist of the story is that while we are far from a truly secure way of processing, sharing and storing data, people are doing their best to get there. Things will continue to improve, and our work, both as attackers and defenders, will help us get there.

Believe in younger generations

This is a topic I’m particularly fond of. Sometimes I get asked how I got into the field or how to improve one’s skills. The first thing I always tell people is to find a mentor (or more than one). If there is something that truly helped me in my journey, it is having people around to look up to, skilled peers I can reach out to for help or guidance, like my fellow Tortellini. Life is a lot easier when you have companions. But this time the advice is not for people looking for help; this time the advice is for the people who are in a position to help others, with a focus on helping younger people who are trying to get into the field. Younger people are the next generation, the next hackers, the next attackers and defenders. Giving them proper guidance and advice helps our field as a whole, because the more skilled, talented people we have, the better and faster our field will grow. I once met a guy who said:

We always act like we are the only ones in a position to do something. Older people are slower and not on the bleeding edge, younger people are dumber and too inexperienced. It is always as if we are the only ones gifted by God with being in the right place at the right time. And we couldn’t be more wrong.

I firmly believe he was damn right. Sure, 40-year-olds are slower than guys in their thirties, but a 16 or 17 year old is always snappier than a guy in his thirties or twenties, no matter how you put it. Sure, they lack training and experience, but that is exactly why you should care for them and guide them. Teach the next generation, because they will be the ones with hands on the keyboard when shit hits the fan at a time when we will be too slow to react.

Behaving as a good person is almost always a good long term strategy

I saved this last bullet for those techies who don’t see my point or don’t agree with what I wrote previously. If you still think your God-given cyber status can’t be touched and you deserve the right to treat people with toxicity, remember this: the wheel always turns, and from a merely strategic point of view it is always better to be liked than disliked. If people like you, they will stand by your side; if they dislike you, they will look for every opportunity to get in your way. Life is long, be smart and don’t let the pathologically narcissistic, sociopathic side of yourself get the best of your relationships.

My best achievements were always a result of teamwork. Sometimes I achieved what others couldn’t just because I was on good terms with the right people at the right time, just because in times of need I knew who to call and the guy on the other side of the phone was a friend. The more people are on your side, the better your chances of success are; it’s a simple equation. If you won’t do it because you think it’s right, do it because it’s smart.

Conclusion

That’s it, I guess. I wanted to write this article because I wanted to express these thoughts I have always kept within me. I think the best way to sum it up is “just don’t be a dick to others”. Sure, you can be a great hacker without people around you to help, but I dare you to truly change things alone.

United we stand, divided we fall.

last, out.