Career Day Reflections



Reflections

I went to speak to 7th graders, for their Career Day. Three rounds of the same presentation, roughly 25 minutes each. The preferred method to get content presented on the classroom’s Promethean board was a USB thumb drive. Through the irony, I did it anyway. It felt sacrilegious for the security proclamator to be wielding such a notorious thing. I have not used one in many years and probably won’t again, perhaps ever.

The facilitating teacher there was helpful and sweet. She mentioned that her daughter, who had recently graduated from college, struggled to find a decent job. After enough time passed with no success, she decided to go back to school or get a technical certificate, hoping to be a more attractive candidate. We quickly expressed our shared concerns about the job market and about new grads and emerging lower employment trends. But then, it was time to talk to the young ones.

Each presentation felt lightning fast. No doubt I spoke too quickly, though I did my best to keep things at their level. There were conspicuous yawns popping here and there in each group, while others were very attentive and engaged. For some questions, the kids had surprisingly on-point answers. When asked how they would get access to someone else’s TikTok account, they nailed the password scenarios; someone even used the term brute force. One student surprisingly called out the option to set up a copycat website with which to harvest credentials after sending the target a phishing email! For another question about what I do day to day, a student responded that I probably “use firewalls”. It was great.

I did not attempt to bring up my thoughts about the kids’ future, one which has never seemed so uncertain, particularly with the AI-driven transformation underway. I did not share the idea that cybersecurity careers, let alone the whole field, are likely to look dramatically different (if even recognizable) by the time they enter the workforce. I hope I was able to at least impart some small universally applicable nugget of wisdom.

What follows here is the outline that informed my slides and the points I wanted to make.


Introductions

Who I am. First, I’m dad to your fellow student. I’m also a security professional.
My background. Professional life started out in the Marine Corps. Enlisted after H.S. Eventually became an Intelligence and Security Officer. This got me personally and professionally interested in cybersecurity, especially after facing geo-political threats. Got out of USMC, and went to work in consulting for the federal government. Then went into the private sector and worked for College Board, helping to protect AP and SAT (relevant to you students). Then a large investment firm. Then and now, SS&C, a technology and services provider in the financial and healthcare sectors that none of you have heard of.

Why am I in Cybersecurity

I love challenges. I love helping people. Security is a bedrock of success and well-being. It supports a strong economy. If we don’t have security, we have chaos, suffering, and unfulfilled dreams. Security enables us to live our best lives.

What is Cybersecurity

In simple terms, cybersecurity is the protection of digital assets.

More accurately, cybersecurity is the work to protect information and systems by preventing, detecting, and responding to threats.

  • Information can be private and personal like photos or health information. It can be money. It can be company secrets. It can be national secrets.
  • Systems can be phones and laptops, websites and apps like YouTube or Duolingo, utilities like power generation and water treatment.
  • Threats can be cowboys, criminals, or countries.

Why Cybersecurity is a Job

Much to Protect

We need security (individuals, companies, governments). Consequences of insecurity are unacceptable. So many important things depend on computer systems. There is a lot of value. There is much we need to protect. Companies need to operate without threats taking their secret data and wrecking their systems. Companies need their customers and partners to trust them. Without security, this trust is nearly impossible to achieve and maintain.

Threats are Serious

People are highly motivated to steal and break things. Individuals and criminal organizations want money. Cyber criminals steal about $2 trillion a year. Governments want to maintain power (e.g. steal information and money to boost their economies, steal secrets to stay informed, break things to win wars). If you put something vulnerable on the Internet, it will be attacked in minutes. If you expose valuable information to the Internet, it will be stolen.

Security is Hard

Good security is hard. It takes dedicated people working very hard. Complexity is high - there are so many ways to break into systems; vulnerabilities are all over. And people take shortcuts. They move quickly and take risks to get things done with as little effort as possible. They make lots of mistakes. Defenders have to be right most of the time. Attackers only have to be right once.

My Work

My mission is to enable my company to be successful by reducing the likelihood that cyber attacks make an impact. I protect client information and the company’s information, operations, and reputation.

Fundamental Questions on Repeat

  • What do we need to protect?
  • What threats do we face?
  • How could those threats get what they want?
  • Are we protected enough and where are we vulnerable?
  • What tools and resources are available?
  • What do we need to do to improve?

Snapshot of My Day to Day

  • Talking to people from all over the company.
  • Creating security strategies to support business plans.
  • Performing security assessments against different kinds of systems to identify how they might be attacked and what we should do to defend them.
  • Learning. Reading threat intelligence, latest attacker methods and tools, new vulnerabilities, and new technologies that are being adopted today and might cause serious security problems tomorrow.
  • Doing risk assessments for decision making.
  • Responding to attacks as they happen. Conducting investigations like a crime scene.
  • Pushing for security improvements in every corner.
  • Thinking about what comes next and what we need to do to keep everything safe.
  • Figuring out how to best use AI for defense to get ahead of attackers using AI.

Threat Modeling Scenario

The Story and Prompt

Two 7th graders. What should we call them?
They live in the same neighborhood, and their houses are right next to each other, but they are not friends.
One day, {person one} is hanging out in their backyard and they hear some singing coming from {person two’s} house. They move to get closer and, through the open window, they see they have a clear view of {person two}, dancing and singing at the top of their lungs.
{person one} takes a video of {person two} dancing and singing to the {song}. What is the most embarrassing song you can think of for this situation?
Then {person one} posts it on TikTok for all to see.

{person two} is humiliated. They got clipped. Now, they want revenge. They decide they want to hack into {person one’s} TikTok account to post embarrassing confessional videos, send DMs to ruin relationships and lose followers or maybe just delete the whole account. They are a highly motivated threat.

How might {person two} get access to {person one’s} TikTok account? What are all the ways you can think of? How could {person one} stop the attacks?

Example Threat Model

| Attack | Mitigation |
| --- | --- |
| Physical Device Theft | Secure storage; Biometric; Remote Wipe |
| Phishing | Keen Eye; Security Keys |
| Other Known Password | Unique Password |
| Password Guessing | Complex Password |
| MFA Fatigue | Use number matching |
| Malware on Phone | Updates; Device Anti-malware |
| Social Engineering | Mindset; ID Challenge |
| Linked Account Breach | Dedicated Accounts |
| Third-Party Compromise | Permission Reviews |
| Email Compromise | Alt. Device Recovery |
| Hack the Company | Strong Security Program |

General Principles for Success

What to do…

  • Know what you want and why.
  • Work hard to communicate that.
  • Be aggressive over the short term.
  • Be persistent over the long term.

Who to Be…

  • a focused operator
  • a curious listener
  • a high agency problem solver
  • a team player
  • a continuous learner
  • a closer
  • a justified optimist