Interview with infoShare 2018 speaker Zoë Rose [+COMPETITION]

15 March 2018 | Categories: Inspiration, IT People, Events

As some of you probably know, we are a media partner of infoShare 2018, the largest technology conference in this part of Europe. On this occasion we have a really interesting interview with one of the speakers for you. Zoë Rose works in IT security on a daily basis and has extensive experience in preparing and delivering cyber security education programmes. She is a Cisco Champion and a certified Splunk Architect, as well as an active speaker at industry conferences. She is also quoted in the media; not long ago she talked about cyber security in Vogue Magazine. You will find the interview, in English, below, and at the end of this post a competition awaits you, where the prize is a ticket to infoShare and with it the chance to hear Zoë's presentation in person!

We don’t write in English too often on this blog, but this time we will make an exception. As partners of infoShare 2018, we got the possibility to interview one of their speakers: Zoë Rose. She is a highly regarded hands-on cybersecurity specialist, who helps her clients better identify and manage their vulnerabilities and embed useful cyber resilience across their organization. While retaining deep technical expertise, Zoë has developed extensive experience in designing and executing cybersecurity awareness programmes designed to help people become more aware of cyber threats. Zoë is a Cisco Champion and certified Splunk Architect, who frequently speaks at conferences and is quoted in the media, and most recently featured in Vogue Magazine.

Please check the interview, and below it you can find a small competition. You could be the person to win a conference ticket and meet Zoë in person!


How did your career in ITSec start?

My career actually started when another failed, the whole ‘as one door closes, another opens.’

Originally, I attended the University of Manitoba, studying Botany, which is where I found out I was allergic to plants. Dropping out of university for obvious reasons, I went to work at an accounting firm, Lazer Grant, as I had used all my savings for university and needed money. I joined as a Personal Tax Assistant. As a curious person, I found myself trying to help in every aspect of operations, including information technology; eventually finding myself as an IT manager.

After four years in industry and self-taught, I felt the need to go back to college. This was a mix between thinking I was not quite good enough, and the idea that college would make me feel more confident. At that time, I also struggled with being female in a technology career, as it was difficult to prove my value to other organisations without someone else confirming I knew what I was doing. At this time in my career, I often thought there was a limit to my capabilities and would never go that far.

Attending Red River College was hugely beneficial, because it gave me a variety of skills I may not have pursued myself, such as: database administration, Linux administration, object orientated programming, and more. I was also able to pursue my passion by taking the Cisco Networking Academy.

During college, I decided to start a managed services company, Glass Frog Technical Services, and worked independently for a while. It was quite a learning experience, and I had a lot of fun, but after building many networks I wanted to learn what happened next. I was curious about breaking into networks.

In late 2015 I met my current boss on Twitter, David Prince, and after some discussions I sent on my CV (resume). It was interesting moving from Canada to the United Kingdom; it led to some hilarious miscommunications, but I also was in a position I could have only dreamed of back in Canada.

My first year in the United Kingdom I got to touch so many different domains in security:

  • Ethical Hacking
  • Intelligence
  • Physical Security
  • Secure Communications
  • Secure Travel
  • Personal Security
  • Awareness Training

And honestly, so much more; it was really brilliant to be able to have those opportunities. Fast forward to now, I’m working at a consultancy, Baringa Partners, that looks at much larger organisations and solves the huge challenge of how to create change in such a vast infrastructure. I’m very thankful for the many years of industry experience, especially as it’s been so different throughout.

Do you have any must-read/must-see resource which you think had a significant impact on your career?

Personally, my must-do resource is meeting other professionals in industry. I’m a collaborative and communicative person – interacting with others is what gets me excited about technology.

The resources that helped me connect were YouTube for learning before college, and Twitter, which is how I stay in contact with industry professionals and even quite a bit of developing news stories; and as you know, Twitter eventually got me a job in the United Kingdom!

Conferences are also a huge resource. You are able to be in a room with tons of professionals, all excited about the same things you are; it’s contagious and you leave inspired, and ready to try new things.

What does your typical day at work look like?

The one thing I love about security is it never looks the same!

I can do intelligence work, researching companies or persons online, reviewing information that is publicly available; often people simply don’t realise the information they provide.

Then the next day, I might spend time providing high-level information on security and privacy by design, or how about building a secure travel kit for persons working in more volatile environments. My day can also be spent breaking things, sending phishing emails, even USB drops. There really is no end to the variety.

There’s this silly assumption that being a ‘computer person’ means you sit alone at your desk staring at a screen. I can confirm this simply is not true. Quite a bit of the time I’m a translator, explaining organisational risks that I’ve found to senior level executives, reviewing open-source information and helping people understand that all data has value.

One aspect I quite enjoy is Training the Trainers, where I am teaching technical people how to educate effectively. As a cyber security ‘expert’ my job is actually all about people.

One thing that never changes is talking to others about personal security, providing my thoughts on the news, and tailoring advice to specific situations.


What are the biggest challenges for web security today?

Personally, I do not focus on web security; however, one of my best friends, Scott Helme, does and I love to read his blogs. From what I see, one of the biggest challenges is, just like everything else, lacking security and privacy by design. For example, the recent discovery by Scott of over 4,000 websites with a cryptominer installed, including multiple government websites. This was due to the websites using a third-party script but not checking the script’s integrity before loading it; if they had, they wouldn’t have been infected.

Another example is organisations finding they were disclosing personal information; this was due to third-party session replay scripts. These scripts do exactly what they sound like; they allow the website administrator to ‘replay’ all actions a visitor to the site did, click by click. The benefit of this is to analyse what people are doing to make a website more user friendly. The downside: some revealed anything from medications and passwords to payment information such as credit cards. Organisations do not seem to be aware of the responsibility they are taking on when taking temporary ownership of someone’s intimate life details.

Every other day we hear about a big data leak, attacks on important infrastructure, etc. What should and could developers do to increase the security of their code? What should we do as web users to improve our own security?

Security and Privacy by Design sounds quite challenging; however, often it’s asking yourself “what happens if…”. Think of it this way: if you ask yourself “what happens if we’re slow to install a patch to the system?” early on, then because of asking early on we are able to implement mitigations to reduce the potential impact. How much less do you think the Equifax breach would have impacted its consumers if this question had been asked?

When designing secure communication systems I always tell people to ask yourself “Why?”

  • Why do I need secure communications?
  • What data am I protecting?
  • Who am I protecting this data from?

Ideally organisations should take this approach on every aspect of the business: look at the worst-case scenario, but not just for the business, for the consumers. I like to believe that if Equifax truly understood the risks, they would have put further protections in place.

What we can do to protect ourselves is take back as much control as possible. When creating a password, consider that this is the only way in which you retain control of your identity, so make it strong and different from all your other passwords. Realise that, by enabling multi-factor authentication, you are again taking back control of your account access. If the organisation is breached, and they didn’t protect your password effectively, you still have that second layer of protection.

Regulatory standards or frameworks can also be of assistance; look at how you can align your development lifecycle with ISO 29101, for example. The General Data Protection Regulation (GDPR) and the Network and Information Systems Directive (NIS Directive) are both coming into play in May 2018. Consider aligning with these regulations where you can. Yes, the NIS Directive is for operators of essential services; however, its high-level principles are simply best practice.

I know reading T&Cs is horrible, and often afterwards you do not even know what you read; try reading reviews of the company and products. Understand, to the best of your ability, what their focus is on.

Both ProtonMail and Threema, for example, will listen to independent researchers when they reach out on an issue found. They both are transparent in their goals, and just want to create a product that works for their consumers and protects their privacy. That’s why I’m confident in using them.

On our blog, we help people to start their programming career. A lot of our readers decided to change their current career and try programming instead. What advice can you give to someone who wants to start a career in IT Security?

Figure out what your passion is, and pursue it with all your heart.

Start out small, try to understand one concept at a time, and never skip the basics; build a strong foundation. Connect with others who are also working in the field you want to; this can help give you more context, but also motivate you when things feel overwhelming. Find mentors, and people who inspire you.

Security is such a vast field, there is no way you can expect to be a master of all, but focusing on your interests helps keep yourself motivated. Most of all, do not give up!

If one were considering a career in IT Sec but would like to get more information or try things first — where should they look for it?

It really depends what you are interested in. My first introduction to technology was YouTube videos, but for cyber security I found so many brilliant contacts on Twitter.

If you like breaking into things, you can look at things like capture the flag; check out vulnhub.com. Try participating in things like the SANS Holiday Hack, or others throughout the year and at conferences. If that seems like too much just yet, read others’ guides on how they solved a CTF; many of these are step-by-step. Also, check out Andy’s blog: https://blog.zsec.uk

If you love network security, make sure you understand networks; if you have the ability, check out Cisco Networking Academy. They now also have cyber security courses.

If you want to learn more about embedded systems, assembly and reverse engineering, check out Azeria’s blog: https://azeria-labs.com

If your interest is towards the human side of cyber security, follow Dr. Jessica Barker: https://twitter.com/drjessicabarker

If you want to break into banks, follow Freaky Clown: https://twitter.com/__Freakyclown__

If you are interested in Data Forensics and Incident Response, follow Lesley Carhart: https://twitter.com/hacks4pancakes

If you are interested in breaches, check out Troy Hunt’s blog: https://www.troyhunt.com.

If you love web security, check out Scott Helme’s blog: https://scotthelme.co.uk.

If your interest lies in authentication, I have two people to recommend, Jessy Irwin: https://twitter.com/jessysaurusrex and Per Thorsheim: https://twitter.com/thorsheim

This is nowhere near an exhaustive list, mind you, but I hope it is a useful start! There are many industry experts out there, and likely many where you live. Join meetup groups focused on a topic you are interested in; connect with the community!

How do you boost an IT career from regular employee to field expert? Do you have any pieces of advice which you can share with our readers?

Again, I suspect this will be different for everyone, but for me the thing that made me stand out was my passion. I loved sharing knowledge, and my excitement, with others.

In industry I have often found that being able to communicate technical things to non-technical people is a huge asset. Consider this: when doing a penetration test, the true value to the customer is in the report you send them afterwards. This report should be able to clearly explain the risks to the organisation, next steps, and what priority they may be.

My advice to go from zero to hero? Well, be approachable, share knowledge where you can, and understand you will never know everything; that is what the community is for.

Thanks Zoë for the great answers! We hope that our readers will enjoy this interview as much as we do!

If you want to follow Zoë, please check her personal blog: www.ZoëRose.com or Twitter: @5683Monkey.

Competition time

As we mentioned at the beginning, we have one infoShare Conference Pass to share with you. The event is taking place on 22nd-23rd of May 2018 in Gdańsk. If you want to take part in the competition and get your ticket, please check the speakers’ list of this year’s event and comment on this post with the question you would like to ask one of them. Please mention who you would ask it to, and feel free to add an explanation of why as well. We will pick one comment and give its author the Conference Pass. The competition deadline is 25th of March 2018, 11:59 pm CET. We will announce the lucky winner on 26th of March 2018. Please remember that the ticket is personal (issued in the winner’s name), so do not apply if you can’t make it. Good luck!

 

The competition winner is Agnieszka Sienkiewicz. Congratulations!
