Cybersecurity Apprentice Program: A CyberStart JumpStart

My student employment/apprentice/intern program (or whatever you want to call it) needed a jumpstart and frankly, so does the cybersecurity workforce at large. I’m not entirely sure how to begin this post because there is just so much to say. So, let’s just start with some problem statements. If you just want to read more about what we are doing at Stony Brook to establish a cybersecurity apprentice program, just skip this section altogether and head straight to the next subheading.


The Problem(s):

  1. We’ve all read the headlines. CYBERSECURITY WORKFORCE SHORTAGE BY THE MILLIONS. While this is not an exaggeration, it is worth expounding a bit. According to the 2018 (ISC)² workforce study, that shortage is close to 3 million globally, but over 2 million of those job vacancies are in the Asia-Pacific region. So, what is the situation closer to home? The same study tells us that ~500,000 of those vacancies are in the U.S. Ok, so we definitely have a problem as an industry. Can cybersecurity practitioners do anything to directly help the cybersecurity workforce shortage?
  2. Women are one of the groups significantly underrepresented within the cybersecurity profession. That is an understatement. You have no doubt heard the statistic that only 10-11% of cybersecurity positions are held by women. The aforementioned workforce study published one of the highest percentages I have seen to date…24%. Even if that number is accurate, it’s too low. Way too low. If our field represented the relative percentage of humanity it should be closer to 50/50 male/female. How can we attract underrepresented groups, such as women, to a career in cybersecurity?
  3. Hiring students to work within an information security department is not a new concept. Not by a long shot. Some of my esteemed colleagues have thriving and impressive cybersecurity internship programs already. For most higher ed CISOs and industry partners however, finding students with the right qualities and the fortitude to make a meaningful contribution to a real cybersecurity department can be challenging. Many students I’ve spoken to do not have the right expectation when they interview for a job with us. They imagine days filled with malware analysis, Wireshark and Metasploit. It’s not that we don’t do those things, but we do many other things too, like security awareness efforts and policy writing. While I would love to pay a student to play with Wireshark and ask us questions, my small team does not have time to stop their operational responsibilities for extended periods of time to educate their curious minds. How can we find students that have realistic expectations and the right qualities to be successful within an ‘all hands on deck’ cybersecurity department?
  4. There is no shortage of action on any given day, which is true throughout most of academia due to our diverse and unique computing requirements. Having a relatively small team means we are extremely busy all of the time. While this also makes it an ideal place for a student to get a wide range of hands-on cybersecurity experience, it introduces a unique barrier as well. It takes a significant work effort to begin and sustain a thriving internship/apprentice program within our department, and to do so with our existing staff level would cause very serious responsibilities to suffer, and the resultant increase in risk to our organization is not a tradeoff we can afford to accept. How can we start a meaningful, mutually beneficial program with only a reasonable amount of work effort?
  5. An alarmingly increasing number of CISOs tell me that they do not like to hire new graduates with cybersecurity degrees. Anecdotally speaking, they are having great success with new hires from a diversity of academic backgrounds, such as psychology and the humanities, for example. Sadly, many in the workforce today do not consider a cybersecurity career unless they have a so-called “relevant” degree or computer science background. I can’t tell you how many students I talk to that are shocked when I tell them my programming experience is limited to “VCR” and “ALARM CLOCK.” (Yes, I do know what a for loop is, but I’ve never used one to accomplish anything useful aside from printing “Hello World” an infinite number of times). How can we attract cybersecurity talent from groups with non-STEM academic backgrounds and work experience?
  6. When we have hired students, even their grasp of the most basic information technology concepts has been lacking. With little or no real-world IT experience, many did not truly understand how things like DNS and DHCP worked. Active Directory? Forget it. In my mind, an entry-level cybersecurity position is not an entry-level position. By the time we filled in all of those gaps for our student hires, it would be graduation time and we hadn’t even gotten to the security part. How could we onboard a student in an expedient manner, without sacrificing too much of our staff’s limited time?

The Solution(s)…maybe:

What if there was a fun, online game that we could offer to all current college students that increases security awareness for all who play? What if this same game required no prior technical knowledge, and it could help players prove that they have the essential qualities to be successful in a cybersecurity role? What if there was an associated online course that taught core information technology fundamentals, and then layered on associated security concepts?

Do I have your attention? As it turns out, that game does exist and so does the associated course, SANS CyberStart Essentials. In my opinion, CyberStart Essentials has the potential to onboard many thousands of future cybersecurity professionals, and fill-in knowledge gaps for thousands of existing professionals. I just didn’t know about either until Alan Paller, the founder of SANS, reached out to me and agreed to partner with Stony Brook University as a proof of concept that the game could be used effectively within the higher education space. It was almost a year ago today, as he was on his way to RSA 2018 to do his annual keynote and I am writing this article sitting in an airport on my way home from RSA 2019. In between those two bookends in the stream of time, some other higher education CISOs helped us brainstorm on a coherent approach in a one day in-person workshop, and their collective wisdom and insight was priceless. Early on in this endeavor, Mandy Galante joined SANS full-time as the CyberStart Program Manager, and she has been working with us tirelessly to ensure the platform is conducive to our use case. While we are only about halfway through our proof of concept at SBU, here is what we are doing:

  1. As part of Cybersecurity Awareness Month in October 2018, we advertised this exciting new online game via our career center, social media posts, and online postings. We even had a pizza party, complete with dim lighting and techno music. It did not take much effort to generate interest in this program; students were fascinated by it. We stressed these key themes:
    1. No prior technical experience required.
    2. Play to find out if you are an extraordinary problem solver.
    3. If you do well, you could win access to additional online training and potentially a paid apprenticeship with our team.

      CyberStart Pizza Party

  2. Players first tried an abbreviated version of the game that was free and could be anonymously accessed on the Internet. In fact, it was this version they played during our October pizza party. If they didn’t like it, there was no need to continue. If they wanted access to the full version, they had to request access via a simple online form. We validated their request by asking them what their favorite challenge was and why. We received over 250 requests and issued those students registration codes for the full version of the game.
  3. The players played…and played…and played. In fact, it was easy to see from the scoring that while some players opened the game, played it once, and stopped, many others – more than 50 of our 250 players – kept playing and earned an invite to the next phase of the program.
  4. The high scorers were invited to a celebratory lunch and an exclusive online collaboration space (the start of a cybersecurity club perhaps?), and officially qualified to compete for a student apprentice position with our department in the coming months. We will be using this group as our exclusive candidate pool. These students also won scholarships to the associated online course, CyberStart Essentials.

    CyberStart Celebratory Lunch

  5. We will be reviewing the scores and the CyberStart Essentials completion percentages, and then invite a subset of the top 50 or so students to interview for up to three student apprentice positions within our Information Security team this coming May. The first thing our new hires will do is complete the CyberStart Essentials course. We then hope they will spend at least two years with us as student apprentices as they get hands-on, practical experience. We also hope they will choose to pursue a career in cybersecurity. Time will tell.

So, will this program address some or all of the challenges I listed at the outset of this article? I can’t be sure yet, but I can tell you this: it has already increased security awareness within our student body, and it has created a buzz around campus, catching the attention of non-STEM as well as STEM students. And I am excited about our future apprentice hires this Spring/Summer. Since my scope as CISO has recently expanded to include Stony Brook Medicine, we might be able to hire more apprentices than I initially thought. Most importantly, in addition to complementing our small team, this might be a way to make a real difference across the country if this model is copied at other campuses. It’s truly win-win for everyone involved.

So far, I have no doubt that CyberStart is going to be just the JumpStart we were looking for.

Thanks for reading and don’t forget to subscribe.

RSA 2019: RS-YAY or RS-MEH?

It’s that time of year to read countless reviews of the RSA conference. To read the view of someone who has attended many years in a row and is greatly respected for his contributions to the cybersecurity industry, you can read spaf’s post. If you want to know what an RSA first-timer thought of it, you can keep reading (or browse my twitter feed).

Let me start by saying the opening keynote on Tuesday was a spectacle of trolling proportions. A surprise opening speech by the great, no connection to cybersecurity to speak of, Helen Mirren, was followed by a cybersecurity-themed choir song (I wish I was joking). And when one later keynote panelist suggested that developers putting in backdoors should be put into prison (15:30 minutes in on this panel), it was somewhat cringeworthy for, um, well, reasons, but still resulted in a round of applause.

But things got better as I attended other sessions and had the opportunity to hear from legendary cybersecurity contributors and experts. It was an absolute treat to hear Bruce Schneier, cybersecurity royalty and Harvard Kennedy School Lecturer, talk about the role of security technologists in public policy. His keynote was thought-provoking and engaging.

I had the opportunity to attend a two hour incident response (IR) tabletop workshop and I quickly volunteered to facilitate the experience for our table of eight, under the guidance and leadership of the session organizers. Our team of “experts” did some great things during our virtual incident, but in the end we did not apologize enough upfront and paid the hard price of our ‘choose your own adventure’ cyber incident: our CEO was forced to resign after a hard hitting television interview (well, he was kind of happy to do so, actually). It was challenging as a facilitator not to jump in with my own advice and opinions, but perhaps the most important lesson I learned was the difference between facilitating and participating in an IR tabletop exercise.

There were many others I got to rub shoulders with, meet and learn from throughout the week. RSA was attended by many industry thought leaders, including the likes of Ed Skoudis, Larry Ponemon, Johannes Ullrich, Ron Rivest, John Strand, Alan Paller, Stephen Sims, James Lyne and Paul Asadoorian. I have to plug Strand’s awesome, free threat hunting tool here, named after his awesome, late mother who ensured it will be free forever, RITA. Did I mention that it was awesome and free?

The smaller sessions were truly the gems in my opinion, aside from the always noteworthy 5 Most Dangerous New Attack Techniques Keynote. My advice is to spend a couple hours before you attend and create a schedule, pre-register for the sessions you don’t want to miss, but stay flexible throughout the week. One of my favorite sessions was a “fireside” chat between a CISO and published author focused on communicating with the board, which I had no intention of attending. I tagged along with a fellow CISO colleague (Hi Okey!) and I’m glad I did because some of the unfiltered conversation that ensued during that session resulted in nuggets of wisdom possessed only by extremely experienced professionals (and those who were eavesdropping on the conversation)! This resulted in my most controversial tweet of the week…

There were also plenty of sessions that discussed the importance of a diverse and growing workforce within cybersecurity. I had the chance to reflect on how I can personally make an impact in this area, and was able to hear from and meet many others trying to do the same thing on a much larger scale, like 16 year old Kyla Guru.

In summary, San Francisco was a good experience. RSA was a good experience, but I’m sure the excitement of rubbing shoulders with the who’s who of cybersecurity will be gone the second time I go. And the vendors? Noticed I haven’t mentioned them? They weren’t there. SIKE. They were everywhere and working HARD to be noticed. Surprisingly, though, you can spend as much or as little time as you want with them because they had over 40,000 targets and droves of folks that were lining up to talk to them. So, I spent some time talking to the vendors I cared about at this moment in time, spent an hour or two learning about new vendors, and now I’m all set to ignore their phone calls for at least another 6 months.

RS-YAY or RS-MEH? I would say…RS-OKAY. I will be back. But not next year. Once every 2-3 years would be perfect in my book.

Thanks for reading and don’t forget to subscribe.

Happy National Cybersecurity Awareness Month 2018

I’m happy to share that Stony Brook University (SBU) is once again supporting National Cybersecurity Awareness Month 2018 as a Champion.

SBU will be joining a growing global effort among businesses, government agencies, colleges and universities, associations, nonprofit organizations and individuals to promote the awareness of online safety and privacy.

A multi-layered and far-reaching campaign held annually in October, NCSAM was created as a collaborative effort between government and industry to ensure all digital citizens have the resources needed to stay safer and more secure online while also protecting their personal information. As an official Champion, SBU recognizes its commitment to cybersecurity, online safety and privacy.

We have some exciting things planned for this month to help raise awareness about this important topic. Stay tuned and stay on the lookout for more information. And as always, also stay on the lookout for the baddies trying to steal our data and take a few minutes to review these important tips in honor of NCSAM 2018.

Thanks for reading and don’t forget to subscribe.

 

Artificial Intelligence Meets Actual Intelligence: Would you connect your brain to the internet?

Before you laugh at the notion and discount the idea as science fiction, you might be surprised to learn that many really smart people are trying to make this happen, and they are making real progress.

image of digital brain

http://wondergressive.com/wp-content/uploads/2014/01/WG-computer-brain.jpg

Exhibit A: The MIT Media Lab in NYC

Skip ahead one minute into this 60 minute video

 

Exhibit B: A company named Neuralink

Neuralink is interesting primarily because of the man behind it, Elon Musk. You may know who he is already, but for those that don’t, he has been involved in just a handful of successful endeavors. Among them is the invention of a computer with four wheels that can drive really fast and runs on electricity, commonly referred to as a Tesla. Oh yeah, and it can dance.

Dancing cars are cool, but Musk feels that artificial intelligence could be a risk to the human race, and if you can’t beat it, join it. He reasons that we are all “cyborgs” already, part human and part machine, thanks to the modern smartphone. Our input system (sight) is high bandwidth, he says, but we have an output bottleneck to contend with…two thumbs. He created a company with the goal of solving that problem by finding a way to connect our brain to the internet.

STOP RIGHT THERE, MUSK!

My brain is one network that must remain air gapped for all time. We can’t reliably protect my WiFi thermostat, let alone the super computer inside our head that makes you, you and me, me. I would imagine that most information security professionals will react similarly, but as technologists many would accept the risk so we can be super CISOs and the like. But fear not! The rest of us will still have jobs. How do I know? We will always need someone to protect the internet connected brains from a massive and devastating denial of service attack, and it will be the non-internet connected mortals that will have to do it.

Before you assume I lost my non-internet connected mind, rest assured most of this article was written in jest. But all kidding aside, let’s figure out how to protect artificial intelligence consistently before we put our actual intelligence at risk. Many technology experts, including Musk, are concerned about the weaponization of artificial intelligence, which is a ship that has already left the dock. I would much rather see artificial intelligence leveraged to create self-patching software or a programming language that can keep our data safe without the contingency of developer perfection. Until then, I’ll work within the constraints of having two thumbs, and be grateful for the extra four fingers on each hand that allowed me to generate this output at about 65 wpm.

Thanks for reading and don’t forget to subscribe.

 

Business E-mail Compromise (BEC) Workshop, Theater Edition

The Public Theater Building Front, NY

The Public Theater, NY

Earlier this week I had the opportunity to attend the Business E-mail Compromise (BEC) workshop, which is being made available in various cities around the country. Law enforcement, Symantec and various ISACs teamed up to bring awareness to this very expensive attack. For theater buffs, there was an added bonus to the NY workshop because it was held in The Public Theater, which is where Hamilton and many other famous shows first broke ground.

The Public Theater Lobby

What is a business e-mail compromise attack? Put simply, it’s a fraudulent e-mail sent to someone in the business, usually in accounting or finance, with the goal of initiating a wire transfer or some other transfer of funds. The sender is made to look like the victim’s boss or another executive in the company, whether by putting the executive’s name on an outside mailbox, registering a lookalike domain, or sending from an account that has actually been compromised, and the exchange commonly starts with a simple, less suspicious request. If the victim engages and replies to the initial e-mail, the conversation escalates quickly and usually ends with a large wire transfer to an external account. Recent attacks even include a “Sent From My iPhone” signature at the bottom of the message in an apparent attempt to excuse sloppy grammar and typos.

The first part of the workshop consisted of a discussion led by an FBI agent and a Secret Service agent. Admittedly, watching them stand on the blue tinted stage with cafe tables in the audience first made me wonder if they were going to sing the blues of cyber security, but the tone of their session was positive and informative. They are often involved in responding to these crimes, and the dollar amounts vary greatly from thousands to millions of dollars. The insight they provided was valuable, and they stressed the need to involve law enforcement quickly. After 72 hours, it becomes highly unlikely that the funds can be frozen or will ever be recovered. The goal should be to involve law enforcement as early as possible. Interestingly, they have not seen the sophistication of these attacks increase much, which means we have a window of opportunity to bring awareness to common attack methods. But it can also mean that the bad guys have not needed to adapt because they are continuing to have success. Both agents stressed that if we are not sure which agency to reach out to, contact them both (FBI & SS) and they will coordinate the response between themselves. The Internet Crime Complaint Center at www.ic3.gov is a good place to start.

Symantec highlighted an e-mail threat report they published which also provided some valuable insight. For example, they estimate that 8,000 businesses are a BEC target each year, and as a target you can expect to receive about 5 e-mails. I can confirm that when we received notice of one of these attacks from a single user and investigated further, we found that the same sender had targeted a second user in the exact same manner, and then sent a blast phish attempt to a double-digit population in our community. So it’s important that phishing incident response procedures include a step that identifies the scope of a particular attack: search for everything else the same sender, reply-to address or lure reached, not just the message that was reported. Predictably, the Symantec talk and report included a highlight of the many solutions they offer commercially to help detect and prevent BEC attacks.
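The two things described above, spotting the executive-impersonation lure and then widening the investigation to everything the same sender reached, can be automated with a few lines over the raw mail. The following is an added example, not code from the original post or from any product mentioned in it: the executive directory, the example.edu domain, the lure phrase list and the four sample messages are all constructed for illustration.

```python
"""Triage inbound mail for business e-mail compromise (BEC) indicators and
scope the campaign by sender.  Added example; the directory, domains and
messages below are constructed, not real traffic."""
import email
from collections import defaultdict
from email import policy
from email.utils import parseaddr

# Assumed: names attackers like to borrow, mapped to the only address that is
# allowed to carry that display name.
PROTECTED_EXECUTIVES = {"jane doe": "jane.doe@example.edu"}
INTERNAL_DOMAIN = "example.edu"
# Phrases that recur in the "simple, less suspicious" opener and the wire follow-up.
LURE_PHRASES = ("wire", "gift card", "are you available", "urgent", "confidential")

# Constructed sample messages.  1 and 2 are the same lure sent to two finance
# staff from a free-mail account wearing the executive's name; 3 is a blast
# phish from the same mailbox under a different name; 4 is a legitimate note.
SAMPLE_MAIL = [
    "From: Jane Doe <jane.doe.office@webmail.example>\n"
    "To: ap.clerk@example.edu\n"
    "Subject: Quick request\n\n"
    "Are you available? I need an urgent wire processed today.\n"
    "Sent from my iPhone\n",
    "From: Jane Doe <jane.doe.office@webmail.example>\n"
    "To: payroll@example.edu\n"
    "Subject: Quick request\n\n"
    "Are you available? I need an urgent wire processed today.\n"
    "Sent from my iPhone\n",
    "From: IT Helpdesk <jane.doe.office@webmail.example>\n"
    "To: staff-list@example.edu\n"
    "Subject: Mailbox quota\n\n"
    "Your mailbox is almost full. Sign in to keep receiving mail.\n",
    "From: Jane Doe <jane.doe@example.edu>\n"
    "To: ap.clerk@example.edu\n"
    "Subject: Budget meeting\n\n"
    "Reminder: budget review moved to 3pm Thursday.\n",
]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _parties(msg):
    """(sender address, recipient address) from the From and To headers."""
    _, sender = parseaddr(str(msg.get("From", "")))
    _, rcpt = parseaddr(str(msg.get("To", "")))
    return sender, rcpt


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators present in one RFC 822 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    body = msg.get_content().lower()
    found = []
    expected = PROTECTED_EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append(f"display name '{name}' on non-executive address {addr}")
    if reply_to and _domain(reply_to) != _domain(addr):
        found.append(f"Reply-To diverted to {reply_to}")
    if _domain(addr) != INTERNAL_DOMAIN and any(p in body for p in LURE_PHRASES):
        found.append("external sender with payment/urgency lure")
    if "sent from my iphone" in body:
        found.append("mobile signature excusing terse text (weak)")
    return found


def triage(messages: list) -> list:
    """(recipient, sender, indicators) for every message with a strong indicator."""
    hits = []
    for raw in messages:
        ind = bec_indicators(raw)
        if any(not i.endswith("(weak)") for i in ind):
            sender, rcpt = _parties(email.message_from_string(raw, policy=policy.default))
            hits.append((rcpt, sender, ind))
    return hits


def scope_by_sender(messages: list) -> dict:
    """Every recipient each sender address reached, so one reported message can
    be widened to the whole campaign regardless of the display name used."""
    reach = defaultdict(set)
    for raw in messages:
        sender, rcpt = _parties(email.message_from_string(raw, policy=policy.default))
        reach[sender].add(rcpt)
    return {s: sorted(r) for s, r in reach.items()}


if __name__ == "__main__":
    for rcpt, sender, ind in triage(SAMPLE_MAIL):
        print(f"{rcpt} <- {sender}: {'; '.join(ind)}")
    print(scope_by_sender(SAMPLE_MAIL))
```

Note what the two functions disagree on: the blast phish (message 3) carries no indicator by itself, so triage never flags it, but scope_by_sender still lists its recipient because it came from the same mailbox. That is exactly why the scoping step belongs in the procedure rather than relying on the indicators alone.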

The final session was led by local ISACs, or Information Sharing and Analysis Centers. I am a strong advocate for participation in these groups. They are basically sector-specific groups that focus on cyber security and information sharing to enable better response and intelligence. In other words, they help competing organizations in the same sector work together. Think about that for a minute. Cyber security is such a challenging problem, that competing companies are working together to help each other be successful in dealing with it! We need to do more of that across the industry, and the session really helped highlight some of the services that these ISACs offer. I’ll make a special mention of REN-ISAC and MS-ISAC, both of which I have great things to say about. If you qualify, sign up today. If you’re not sure which ISAC to join, check the National Council of ISACs Registry.

If you have an opportunity to attend one of these workshops I would recommend it. The attendees were a mixture of private and public entity business and technical professionals. The social networking aspect was valuable as well. Those conversations can prove to be more informative than some of the sessions, so take time to linger.

Thanks for reading and don’t forget to subscribe.

Don’t get KRACKed. Patch now.

By now, many of you may have heard the headlines about KRACK (Key Reinstallation Attack), a vulnerability in the WPA2 handshake that protects WiFi encryption.

Why should you care? Primarily because your phone, laptops and other wireless devices can be tricked into reinstalling an encryption key they have already used. That resets the packet counter the key is combined with, so the same keystream is used twice, which lets an attacker within radio range decrypt, and in some cases replay or inject, your live wireless traffic and steal any sensitive data you have access to. At first thought that may not sound so bad, but take a moment to reflect on the types of data you would normally use while accessing WiFi. Passwords? Email? Financial data? Your child’s social security number? Student information? Health information? The list goes on and on. The good news is that if the information is properly encrypted via other means, such as TLS (HTTPS), the risk is significantly reduced.
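To make the “same key, same counter” problem concrete, here is an added example that is not part of the original post. It stands in for the real cipher with a toy keystream generator (SHA-256 in counter mode in place of the AES-CCM/GCM keystream, which is an assumption of the demo, not how WPA2 is built), but the property it shows is the real one: two frames encrypted under the same key and nonce XOR to the XOR of their plaintexts, so one predictable frame reveals the other. The two frames are constructed sample data.

```python
"""Why a reinstalled key matters.  KRACK tricks a Wi-Fi client into reinstalling
a session key it has already used, which resets the per-packet nonce, so later
frames are encrypted with a keystream that has already been used once.
Added example, not code from the original post.  The keystream generator is a
toy stand-in (SHA-256 counter mode instead of AES-CCM/GCM); the nonce-reuse
consequence it demonstrates is the genuine one."""
import hashlib
import os

# Constructed frames.  FRAME_A is something an attacker can predict (a request
# to a known host); FRAME_B is what they actually want to read.
FRAME_A = b"GET /login HTTP/1.1\r\nHost: portal.example.edu\r\nConnection: keep-alive\r\n"
FRAME_B = b"user=alice&password=hunter2&remember=1"


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: block i = SHA-256(key || nonce || i)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    """XOR up to the length of the shorter input (zip truncates)."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, packet_number: int, plaintext: bytes) -> bytes:
    """Stream-encrypt one frame; the nonce is the 48-bit CCMP packet number."""
    nonce = packet_number.to_bytes(6, "big")
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_with_known_plaintext(c1: bytes, c2: bytes, p1: bytes) -> bytes:
    """If c1 and c2 used the same keystream, c1 ^ c2 == p1 ^ p2, so p2 = c1 ^ c2 ^ p1."""
    return xor(xor(c1, c2), p1)


def demo(key: bytes) -> dict:
    """Compare a healthy client (packet number keeps counting) with a KRACKed
    one (key reinstalled, packet number reset to 1) from the attacker's view."""
    c_a = encrypt(key, 1, FRAME_A)
    # Healthy: the packet number advances, the keystream differs, recovery yields noise.
    c_b_fresh = encrypt(key, 2, FRAME_B)
    # KRACKed: key reinstalled, packet number back to 1, keystream repeats.
    c_b_reused = encrypt(key, 1, FRAME_B)
    return {
        "fresh_nonce": recover_with_known_plaintext(c_a, c_b_fresh, FRAME_A),
        "reinstalled_key": recover_with_known_plaintext(c_a, c_b_reused, FRAME_A),
    }


if __name__ == "__main__":
    result = demo(os.urandom(16))
    print("fresh nonce     ->", result["fresh_nonce"])
    print("reinstalled key ->", result["reinstalled_key"])
```

The attacker never learns the key; keystream reuse alone is enough, which is also why the advice to stay on HTTPS holds up: TLS adds its own keys and nonces above the WiFi layer, so recovering the WiFi plaintext only yields another ciphertext.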

What should you do about it?

  1. Don’t panic.
  2. Patch all the things (computers, phones, web cameras, wireless routers, et cetera, et cetera, et cetera…)
  3. Patch Now. And later! Some manufacturers have not released patches yet, but most have. Keep checking.
  4. Until you are patched, avoid doing anything sensitive over WiFi unless it is protected with TLS (HTTPS). Smart browsing behavior becomes especially important.

While all WPA2 devices are potentially vulnerable, the flaw is mainly on the client side of the handshake, so patching phones and laptops matters most; access points chiefly need patches if they use fast roaming (802.11r) or themselves act as wireless clients or repeaters. The most exposed at the moment are Android and network connected IoT devices, for example, web cams and the like. If you are part of the Stony Brook University community, you can request assistance by opening a service request at service.stonybrook.edu.

Thanks for reading and don’t forget to subscribe.

Equifax Data Breach: Protect Yourself and Your Family

https://en.wikipedia.org/wiki/File:Equifax.svg#filelinks

Many of you have no doubt read about the Equifax data breach multiple times already. While we are all affected by breach fatigue to one extent or another, this breach should catch our attention. Why is this one noteworthy?

  1. Data Categories: Included in the exposed data were Social Security numbers and, in some instances, driver’s license numbers.
  2. Size: 143 million U.S. consumers had their data exposed. With only about 324 million people living in the U.S. last year, that is roughly 44% of the entire population, and closer to 50% once you consider that only a subset of those people are adults with a credit file who would be categorized as “consumers.” In other words, if you are a U.S. consumer, you have about a 50% chance of being affected by this breach.
  3. Captive Audience: You can’t opt out of Equifax and there is no reasonable way to avoid being an Equifax “customer” in the future.

The FTC has an excellent article with instructions on what we should do to protect ourselves and our families, as does my colleague Brian Epstein from the Institute for Advanced Study with the article What I’m doing about the Equifax Breach. My concise version is as follows:

Assume that your Social Security number, including the Social Security number of your children has been stolen already, perhaps multiple times. Don’t give up trying to protect it, but with that reality in view, make efforts to detect and prevent unauthorized use of your personal information. Here are three tangible steps you can take:

  1. Enroll yourself and your family in the free credit monitoring offered by Equifax, or pay for a third-party offering which provides financial support if you are a victim of identity theft.
  2. Put a credit freeze in place for your minor children, and consider doing so for yourself and other adult family members as well.
  3. Look for bank accounts and credit cards that offer $0 liability for instances of fraud.

No breach news is good news, but let’s try not to lose sight of how we are affected when there is a major headline like this one.

Thanks for reading and don’t forget to subscribe.

 

 

Insert Catchy Ransomware Headline Here

Why is the internet so fascinated by ransomware? Is it because ransomware is attacking our precious data? Is it simply a threat that the average person can understand and therefore makes it newsworthy and headline rich? Is it because ransomware is so profitable and morphing into a mature business model? Or is it just a fascination with so-called evil genius? After all, everybody loves to hate a good super villain…until they come to visit YOU.

Ransomware is not cool graphic

The Ransomizer at www.ransomizer.com

Here is the shortlist of things you should know about this topic if you’d like to get up to speed quickly:

Dilbert comic strip

Dilbert Comic for 1996-02-06 by Scott Adams http://dilbert.com/strip/1996-02-06 via @Dilbert_Daily

  • Once you pay the ransom and get your data back, you still have a mess to clean up. Paying does not evict the attacker: whatever foothold they used to deploy the ransomware is still in your environment, and you must find it and fully eradicate them. Easier said than done.
  • Some mature ransomware operations have technical support available, so if you are having trouble paying the ransom you can call for assistance and the call center will walk you through it. Yes, it’s true.
  • There are cloud ransomware solutions out there so if an attacker doesn’t want to go through the trouble of building their own solution, they can buy ransomware as a service. Krebs blogged about it recently and the commercial they posted on YouTube is quite persuasive! (Yes, I just blogged about a blog.)

  • If you work for an organization that deals with protected health information (PHI) and HIPAA, the U.S. Department of Health and Human Services (HHS) removed some ambiguity regarding whether or not ransomware is considered to be a breach: “When electronic protected health information (ePHI) is encrypted as the result of a ransomware attack, a breach has occurred because the ePHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a “disclosure” not permitted under the HIPAA Privacy Rule.” Read all about it.

Some cyber security practitioners and thought leaders got together recently to talk about the 7 most dangerous new attack techniques, and of course ransomware was on the list. Ed Skoudis asked, “How much would you pay to turn on your heat?” Many of us, other than me of course, have internet connected thermostats that could potentially be held hostage in this way. This is a theoretical scenario today, but the thought of this one gives me the chills (pun intended).

Another noteworthy gem from Ed is regarding what to do if you find yourself held hostage by a digital ransom that for some reason or another you have no choice but to pay. He made a point to remind us that it is a negotiation. So, don’t assume they know who you are or who you work for in the event that they encrypted your data. Assume they don’t know anything about you or the data and try to convince them you are simply an individual that wants to restore those precious shopping lists and pictures of your grandchildren, even if you did just lose access to your entire customer database <ouch>. If they don’t know you work for a fortune 100 company, don’t volunteer that information. You may be able to convince them you are a grandparent with a fixed income and they *might* even accept a lower ransom. In New York we haggle for a better price on just about everything. Why shouldn’t we do the same for our stolen data?

In conclusion…don’t get ransomware in the first place if you can avoid it. It might be intriguing, but some things are better off observed from afar.

Thanks for reading and don’t forget to subscribe.

Same Actions, Different Results. Insanity or Genius?

This post is going to be somewhat abstract, somewhat “soapboxy”. And I don’t expect anyone to read it. Well, hopefully, at least one person will. I can’t help but comment on the trend to go down a path without a clear goal or strategy in mind. Actually, it’s not a trend within cyber security or even IT as a whole. It’s a trend within humanity (cue soapbox!). Somewhere along the line planning became a sign of weakness and the verb agile became a proper noun.

http://www.perzactly.com/wiki/images/Einstein-fish.jpg

Einstein (it wasn’t him), Mark Twain, Ben Franklin or some other historical figure once said something along the lines of, “Insanity is doing something over and over again expecting a different result.” Ok, I always got a kick out of that simple, but profound truth. I’ve heard that statement before, during and after meetings time and time again. In fact, it is so commonly quoted that you would think “insanity” is a workplace epidemic that has been fully cured! Everyone, and I mean everyone, knows the definition. Yet, the quote is inappropriately called upon day in and day out. Something isn’t adding up…

Now that we have a clear definition of insanity, does the inverse equate to certain genius? Let’s try it…”Genius is doing something differently and expecting a different result.” Not so much. I don’t think we have a definition of genius just yet.

Let’s apply these two statements to Cyber Security and see what we learn. Stay with me!

“Insanity is doing something over and over again expecting a different result.”

Although this statement may be profoundly true in cases where 2+2 always equals 4, a day in the life of a cyber security analyst, CISO, or engineer just isn’t this simple. In fact, in many cases the same action produces different results. Let me give you two examples, one technical and one human.

The first example is in regards to testing an exploit in an effort to determine whether your system is vulnerable. Anyone who has ever done this knows that sometimes you have to execute an exploit 3, 4 or more times before it is successful. Because so many factors have to line up for a successful exploit (address randomization, heap layout, timing windows), you may have to try it multiple times before it works. A simple privilege escalation exploit in a simple capture the flag (CTF) contest taught me that. Would attempt 3 qualify someone as insane? Hopefully not, since it could take more than 3 attempts before your results differ! No flag for you!
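The practical question behind that anecdote is how many failed attempts you need before “it didn’t work” is evidence of “not vulnerable.” The following is an added example, not from the original post: if an exploit succeeds with probability p on each independent attempt, the chance of at least one success in n attempts is 1 - (1 - p)^n, and attempts_for_confidence solves that for n. The exploit being retried is a simulation (a guess at 4 bits of randomized layout, so p = 1/16), not real exploit code.

```python
"""How many tries before a failure means anything?  Added example, not from
the original post.  The exploit here is a stand-in simulation: it succeeds only
when a 4-bit guess of randomized layout is right (p = 1/16 per attempt)."""
import math
import random


def attempts_for_confidence(p_success: float, confidence: float) -> int:
    """Smallest n with 1 - (1 - p)^n >= confidence."""
    if not 0 < p_success < 1 or not 0 < confidence < 1:
        raise ValueError("probabilities must be strictly between 0 and 1")
    return math.ceil(math.log(1 - confidence) / math.log(1 - p_success))


def run_with_retries(exploit, max_attempts: int, rng):
    """Call exploit(rng) until it returns True.  Returns the attempt number that
    succeeded, or None if the budget ran out (which is not proof of safety)."""
    for attempt in range(1, max_attempts + 1):
        if exploit(rng):
            return attempt
    return None


def simulated_exploit(rng, slide_bits: int = 4) -> bool:
    """Stand-in for an exploit that must guess slide_bits of randomized layout."""
    return rng.getrandbits(slide_bits) == 0


if __name__ == "__main__":
    p = 1 / 16
    for conf in (0.50, 0.95, 0.99):
        print(f"p={p:.4f}: {attempts_for_confidence(p, conf):3d} attempts for {conf:.0%} confidence")
    budget = attempts_for_confidence(p, 0.95)
    won = run_with_retries(simulated_exploit, budget, random.Random())
    print("success on attempt", won if won else f"none in {budget} attempts")
```

With p = 1/16, three attempts give you only about a 17% chance of seeing the exploit land, and you need 47 to reach 95%. The same arithmetic is worth running before declaring a finding a false positive.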

My second example is more about the human element in regards to moving a security program forward. In my career I have both observed others and had to personally advocate for policies, initiatives and security controls not once, twice but dozens of times before successful results were achieved. Human thought processes change. Culture changes. Threats change. Sometimes what we really need is to stay the course even though the previous results were unfavorable. Granted, there is definitely a hair thin line between resilience and insanity.

“Genius is doing something differently and expecting a different result.”

Well I think we can all agree that this does not sound like “genius” behavior. I could argue that it’s common sense at best. Really, though, at its core this statement is altogether a fallacy. In fact, we all know that sometimes you can make a change and have the exact same results. That is as true when it comes to cyber security as it is for our choice of food intake. Do you want an example? Ok, then. How about that time Gartner told the world that IDS is dead? Or maybe when we were told that Antivirus is dead? Do you have a Next Generation Firewall (NGFW) yet? Let’s not forget that time I tried the cabbage soup diet. I’m being somewhat belligerent here, but the point is that new and different does not always change the results. Incidents are on the rise despite the industry’s best efforts to “think differently.” Probably because the bad guys think different…er and sometimes what we categorize as different is really not so different after all. And I’m STILL looking for a way to lose weight without eating right or exercising.

So where does this leave us? We don’t know what insanity is or what genius is anymore! Now we’re totally lost souls! Ok, let me try to come up with one of my own timeless quotes to be misquoted for generation upon generation. Ahem…here I goes…

“Insanity is doing something over and over again, without taking note of the results. Genius is knowing what your desired result is in advance and whether or not change will get you there faster. Mediocrity is believing you’re one or the other.”

Goodnight everybody.

Thanks for reading and don’t forget to subscribe.