As some of you probably know, we are patrons of infoShare 2018, the largest technology conference in this part of Europe. On this occasion we have a really interesting interview with one of the speakers for you. Zoë Rose works in IT Security day to day and has extensive experience in preparing and running educational programmes in cybersecurity. She is a Cisco Champion and a certified Splunk Architect, as well as an active speaker at industry conferences. Her comments are also quoted in the media; not long ago she talked about cybersecurity in Vogue Magazine. You will find the interview in English below, and at the end of this post a competition awaits you, with an infoShare ticket up for grabs, and with it the chance to hear Zoë's talk in person!
We don’t write in English too often on this blog, but this time we will make an exception. As partners of infoShare 2018, we had the opportunity to interview one of their speakers: Zoë Rose. She is a highly regarded hands-on cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed useful cyber resilience across their organization. While retaining deep technical expertise, Zoë has developed extensive experience in designing and executing cybersecurity awareness programmes designed to help people become more aware of cyber threats. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at conferences and is quoted in the media, and most recently featured in Vogue Magazine.
Please check the interview, and below you can find a small competition. You could be the one to win a conference ticket and meet Zoë in person!
How did your career in ITSec start?
My career actually started when another failed, the whole ‘as one door closes, another opens.’
Originally, I attended the University of Manitoba, studying Botany, which is where I found out I was allergic to plants. Dropping out of university for obvious reasons, I went to work at an accounting firm, Lazer Grant, as I had used all my savings for university and needed money. I joined as a Personal Tax Assistant. As a curious person, I found myself trying to help in every aspect of operations, including information technology; eventually finding myself as an IT manager.
After four years in industry and self-taught, I felt the need to go back to college. This was a mix between thinking I was not quite good enough, and the idea that college would make me feel more confident. At that time, I also struggled with being female in a technology career, as it was difficult to prove my value to other organisations without someone else confirming I knew what I was doing. At this time in my career, I often thought there was a limit to my capabilities and would never go that far.
Attending Red River College was hugely beneficial, because it gave me a variety of skills I may not have pursued myself, such as: database administration, Linux administration, object-oriented programming, and more. I was also able to pursue my passion by taking the Cisco Networking Academy.
During college, I decided to start a managed services company, Glass Frog Technical Services, and worked independently for a while. It was quite a learning experience, and I had a lot of fun, but after building many networks I wanted to learn what happened next. I was curious about breaking into networks.
In late 2015 I met my current boss on Twitter, David Prince, and after some discussions I sent on my CV (resume). It was interesting moving from Canada to the United Kingdom; it led to some hilarious miscommunications, but I also was in a position I could have only dreamed of back in Canada.
My first year in the United Kingdom I got to touch so many different domains in security:
- Ethical Hacking
- Intelligence
- Physical Security
- Secure Communications
- Secure Travel
- Personal Security
- Awareness Training
And honestly, so much more, it was really brilliant to be able to have those opportunities. Fast forward to now, I’m working at a consultancy, Baringa Partners, that looks at much larger organisations and solves the huge challenge of how to create change in such a vast infrastructure. I’m very thankful for the many years of industry experience, especially as it’s been so different throughout.
Do you have any must-read/must-see resource, which you think had a significant impact on your career?
Personally, my must-do resource is meeting other professionals in industry. I’m a collaborative and communicative person – interacting with others is what gets me excited about technology.
The resources that helped me connect were YouTube, for learning before college, and Twitter, which is how I stay in contact with industry professionals and even follow quite a bit of developing news, and as you know, Twitter eventually got me a job in the United Kingdom!
Conferences are also a huge resource. You are able to be in a room with tons of professionals, all excited about the same things you are; it’s contagious and you leave inspired, and ready to try new things.
What does your typical day at work look like?
The one thing I love about security is it never looks the same!
I can do intelligence work, researching companies or persons online, reviewing information that is publicly available; often people simply don’t realise the information they provide.
Then the next day, I might spend time providing high-level information on security and privacy by design, or how about building a secure travel kit for persons working in more volatile environments. My day can also be spent breaking things, sending phishing emails, even USB drops. There really is no end to the variety.
There’s this silly assumption that, being a ‘computer person’, means you sit alone at your desk staring at a screen. I can confirm this simply is not true. Quite a bit of the time I’m a translator, explaining organisational risks that I’ve found to senior level executives, reviewing open-source information and helping people understand that all data has value.
One aspect I quite enjoy is the Training the Trainers, where I am teaching technical people how to educate effectively. As a cyber security ‘expert’ my job is actually all about people.
One thing that never changes is talking to others about personal security, providing my thoughts on the news, and tailoring advice to specific situations.
What are the biggest challenges for the Web Security today?
Personally, I do not focus on web security; however, one of my best friends, Scott Helme, does and I love to read his blogs. From what I see, one of the biggest challenges is, just like everything else, lacking security and privacy by design. For example, the recent discovery by Scott of over 4,000 websites with a cryptominer installed, including multiple government websites. This was due to the websites using a third-party script but not checking the script’s integrity before loading it; if they had, they wouldn’t have been infected.
Another example is organisations finding they were disclosing personal information; this was due to third-party session replay scripts. These scripts do exactly what they sound like; they allow the website administrator to ‘replay’ all actions a visitor to the site did, click by click. The benefit of this is to analyse what people are doing to make a website more user friendly. The downside: some revealed anything from medications and passwords to payment information such as credit cards. Organisations do not seem to be aware of the responsibility they are taking on when taking temporary ownership of someone’s intimate life details.
Every other day we hear about big data leaks, attacks on important infrastructure, etc. What should and could developers do to increase the security of their code? What should we do as web users to improve our own security?
Security and Privacy by Design sounds quite challenging; however, often it’s asking yourself “what happens if…”. Think of it this way: if you ask yourself “what happens if we’re slow to install a patch to the system?”, then, because of asking early on, we are able to implement mitigations to reduce potential impact. How much less do you think the Equifax breach would have impacted its consumers if this question had been asked?
When designing secure communication systems I always tell people to ask yourself “Why?”
- Why do I need secure communications?
- What data am I protecting?
- Who am I protecting this data from?
Ideally organisations should take this approach on every aspect of the business, look at the worst-case scenario but not just for the business, for the consumers. I like to believe that if Equifax truly understood the risks, they would have put further protections in place.
What we can do to protect ourselves is take back as much control as possible. When creating a password, consider that this is the only way in which you retain control of your identity, so make it strong and different from all your other passwords. Realise that, by enabling multi-factor authentication, you are again taking back control of your account access. If the organisation is breached, and they didn’t protect your password effectively, you still have that second layer of protection.
Regulatory standards or frameworks can also be of assistance; look at how you can align your development lifecycle with ISO 29101, for example. The General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS Directive) are both coming into play in May 2018. Consider aligning with these regulations where you can. Yes, the NIS Directive is for operators of essential services; however, its high-level principles are simply best practice.
I know reading T&Cs is horrible, and often afterwards you do not even know what you read; try reading reviews of the company and products. Understand, to the best of your ability, what their focus is on.
Both ProtonMail and Threema, for example, will listen to independent researchers when they reach out on an issue found. They both are transparent in their goals, and just want to create a product that works for their consumers and protects their privacy. That’s why I’m confident in using them.
On our blog, we help people to start their programming career. A lot of our readers decided to change their current career and try programming instead. What advice can you give to someone who wants to start a career in IT Security?
Figure out what your passion is, and pursue it with all your heart.
Start out small, try to understand one concept at a time, and never skip the basics; build a strong foundation. Connect with others who are also working in the field you want to, this can help give you more context, but also motivate you when things feel overwhelming. Find mentors, and people who inspire you.
Security is such a vast field, there is no way you can expect to be a master of all, but focusing on your interests helps keep you motivated. Most of all, do not give up!
If one were considering a career in IT Sec but would like to get more information or try things first — where should they look for it?
It really depends what you are interested in; my first introduction to technology was YouTube videos, but for cyber security I found so many brilliant contacts on Twitter.
If you like breaking into things, you can look at things like capture the flag; check out vulnhub.com. Try participating in things like the SANS Holiday Hack, or others throughout the year and at conferences. If that seems like too much just yet, read others’ guides on how they solved a CTF; many of these are step-by-step. Also, check out Andy’s blog: https://blog.zsec.uk
If you love network security, make sure you understand networks, if you have the ability check out Cisco Networking Academy. They now also have cyber security courses.
If you want to learn more about embedded systems, assembly and reverse engineering, check out Azeria’s blog: https://azeria-labs.com
If your interest is towards the human side of cyber security, follow Dr. Jessica Barker: https://twitter.com/drjessicabarker
If you want to break into banks, follow Freaky Clown: https://twitter.com/__Freakyclown__
If you are interested in Data Forensics and Incident Response, follow Lesley Carhart: https://twitter.com/hacks4pancakes
If you are interested in breaches, check out Troy Hunt’s blog: https://www.troyhunt.com.
If you love web security, check out Scott Helme’s blog: https://scotthelme.co.uk.
If your interest lies in authentication, I have two people to recommend, Jessy Irwin: https://twitter.com/jessysaurusrex and Per Thorsheim: https://twitter.com/thorsheim
This is nowhere near an exhaustive list mind you, but I hope it is a useful start! There are many industry experts out there, and likely, many where you live. Join meet up groups focused on a topic you are interested in; connect with the community!
How do you boost an IT career from regular employee to Field Expert? Do you have any pieces of advice which you can share with our readers?
Again, I suspect this will be different for everyone, but for me the thing that made me stand out was my passion. I loved sharing knowledge, and my excitement with others.
In industry I have often found that being able to communicate technical things to non-technical people is a huge asset. Consider this: when doing a penetration test, the true value to the customer is in the report you send them afterwards. This report should be able to clearly explain the risks to the organisation, the next steps, and what priority they may be.
My advice to go from zero to hero? Well, be approachable, share knowledge where you can, and understand you will never know everything, that is what the community is for.
Thanks Zoë for the great answers! We hope that our readers will enjoy this interview as much as we do!
If you want to follow Zoë, please check her personal blog: www.ZoëRose.com or Twitter: @5683Monkey.
Competition time
As we mentioned at the beginning, we have one Conference Pass to give away for infoShare, which takes place on 22-23 May 2018 in Gdańsk.
To get it, check this year's speaker list and write in the comments under this post the question you would ask one of the speakers (don't forget to say which of them you would ask; of course you can also add an explanation of why). From all the answers we will pick one winner. The competition ends on 25 March 2018 at 23:59 CET. The results will be announced on 26 March 2018. The winning ticket will be issued in the winner's name, so please take part only if you are genuinely interested ;) Good luck!
As we mentioned, we have one infoShare Conference Pass to share with you. The event is taking place on the 22nd-23rd of May 2018 in Gdańsk. If you want to take part in the competition and get your ticket, please check this year's speakers’ list and comment on this post with the question which you would like to ask one of them. Please mention whom you would ask it, and feel free to add more explanation as well. We will pick one comment and give its author the Conference Pass. The competition deadline is the 25th of March 2018, 11:59 pm CET. We will announce the lucky winner on the 26th of March 2018. Please remember that the tickets are personal, so do not apply if you can’t make it. Good luck!
The competition was won by Agnieszka Sienkiewicz. Congratulations!