Monday, May 11, 2015

Lions and Tigers and Bears, OH MY!

Recently, I read an article in a local newspaper, about a kid that did the wrong thing - http://www.sanduskyregister.com/news/law-enforcement/7871226 .  Mind you, I do NOT condone what he did, or why, or how.  However, the article sparked a discussion in which it was more or less 'inferred' (because of my opinions on 'hacking' and the proper instruction thereof, to kids) that I was 'part of the problem'.  I beg to differ, and thus, today's blog post ensued.

"Lions and Tigers and Bears, OH MY!"  That classic line from 'The Wizard of Oz' rings true as I watch parents, teachers and others who are tasked with rearing the next generation.  F.U.D. (Fear, Uncertainty and Doubt) plays a strong part in society's understanding of all things "technical".  While our children are encouraged, from a young age, to reach out / discover / explore and search to define themselves and prepare for their adult lives, too often the responsible parties are the first to discourage anything that they don't understand, simply because they don't realize the importance thereof.  If they hear the word 'hacker', they jump to conclusions because of the depictions and definitions in the media, and how hackers are portrayed in entertainment (TV, movies, etc.).  They don't necessarily understand that a 'hacker', by definition, is simply someone who tries to make something work in a way, or do something, that it wasn't designed to do, often with the end goal of improving whatever they started with.  Sure, there are evil / malicious hackers, but there are also those who hack to make things better.  There are even those who hack for others' benefit ( http://johnny.ihackstuff.com ).

With specific regard to the original topic (the young man who stirred up a lot of trouble for the area school districts), as I said, I'm in complete agreement that what the kid did was wrong.  However, had the 'responsible' adults exercised the same 'curiosity' he had regarding the consequences of someone DDoS'ing their network, the reality of the situation should have readily come to mind - that being a lack of proper distributed design, capacity planning and strong need for overall 'security posture' analysis.

The discussion quickly turned to all of the negative points.  ('The kid is bad, he should be sent to jail / military school', 'hackers are evil', 'my parents would've killed me', yada, yada, yada...)  Folks were quick to condemn the kid, pointing out that what he did was against the law and how everyone should come down on him for the time and expense that his 'hacking' cost the district, law enforcement, etc.

So I could follow along with this negative thinking.  I could concur that his actions were purely malicious (mind you, I DO agree that he obviously had every intention of causing problems and that this wasn't innocent curiosity - I wasn't born yesterday, folks).  I could chime into the choruses of 'string him up and hang him', 'burn him at the stake', 'lock him up and throw away the key'.

But I won't, and here's why...

While this kid did something stupid, there's something to be said for the PROPER education and training of kids who share his curiosity but want to use it in more positive ways - and for good. Perhaps his story will bring more kids to want to learn and grow, in order to better the technologies - kids who are the future of software engineers, security experts and technical geniuses.

Many experts would say that the best time to learn is during the 'school age years'.  In most cases, I tend to agree.  Younger children tend to be more receptive to learning, and their curiosity often makes them more receptive to new ideas than older people.  Case in point: with technology, one will often see kids doing things on computers, phones, tablets - pretty much anything dealing with technology - while adults sit in awe, not realizing the potential of each.  Kids experiment, kids challenge the 'norm' (often because they're not yet old enough to accept said 'norm'), and kids are the ultimate 'hackers', in that they'll try to make things work how THEY want them to work, not always how they were designed to work.  Their 'hacking' isn't malicious (not all hacking is), but it does encourage change and often leads to making things better than they were previously.

Now, going back to the story and the debate that ensued, I made a point that perhaps we should teach kids 'hacking' in school, in after-school clubs, etc.  No, not malicious hacking, so to speak, although it can be argued that, in order to make things more secure, someone MUST be taught to understand the malicious methods and the 'evil' tactics.  After all, how does one make a technology (or anything else, for that matter) better if they don't truly understand it?  That especially holds true in engineering, in design and in SECURITY.  In order to attain the unbreakable, one must first understand how things break.  It's a never-ending cycle of break - fix, break - fix.

A prime example of a kid who truly understands security (his teachers understand the importance of it, his parents understand the importance of it, the INDUSTRY understands the importance of it) is Reuben A. Paul - aka RAPstar ( https://www.facebook.com/pages/Reuben-A-Paul-RAPstar/209275665828035 ).  Reuben is a kid that truly 'gets it'.  Not only is he quickly becoming an international speaker and recognized security evangelist, but he's also the CEO of his own company and is the youngest Shaolin-Do Kung Fu black belt, having earned that distinction at only seven years old, in 2013.  So here's a young man who 'hacks', hacks well and does it for the right reasons.  Reuben understands many of his topics far better than many adults in the industry, and I'm proud of his accomplishments.

A couple further links supporting my point:

http://www.al.com/news/huntsville/index.ssf/2015/03/grissom_high_cybersloths_take.html

http://www.al.com/news/huntsville/index.ssf/2015/04/huntsville_schools_cyber_secur.html

http://www.uscyberpatriot.org/

I propose that America should really begin to put forth the focus and effort to begin training our youth in this area - not just in these few cases.  It's common knowledge that other countries (China, Korea, etc.) have been training their 'cyber' armies for years, recruiting their talent at a young age.  These countries have been leading the world in technological arenas for some time, not simply in security / hacking.  If we don't train and recruit our young talent while opportunity and interest from the kids permit us to do so, we're destined to fail when the time comes to both attack and defend.  The wellbeing of our military, our educational institutions, our businesses and our country, in general, relies on the technical ability of our future generations - our children.  We need to prepare them, NOW!

Closing thoughts for today, for those who would argue the negative aspects of training kids to 'hack' and learn security in school: I'm a firm believer in God, and in Proverbs Chapter 22, verse 6, the Bible says:

"Train up a child in the way he should go: and when he is old, he will not depart from it."

I believe this goes for the home (parents) as well as for educational institutions.  If a child is trained properly and has the proper motives and beliefs instilled in them throughout their lives and education, I believe they'll use the tools and trainings for the right purposes, not for the wrong ones.

Tuesday, May 5, 2015

Staying Balanced, while Navigating on a Slippery Slope

Looking at the state of IT organizations as both an observer and an insider, I’m often overwhelmed at the simplistic approaches taken by many and by the general oversights with regards to their overall security posture.  In far too many cases, the CxOs and leadership staff are heavily focused on the business aspects and less on making sure their information and transactions are secured.  As I watch the day-to-day goings-on behind various companies’ walls, I’ve come to realize that there’s a very dangerous (and very real) air of complacency within these environments - one that can seriously impact their businesses as a whole.  This realization drives me to continue working to evangelize security with what resources and knowledge I have, in order that all might attempt to make things better.

Complacency can be a very bad thing - 

What is “COMPLACENCY”?  Webster’s Dictionary defines complacency as “self-satisfaction especially when accompanied by unawareness of actual dangers or deficiencies”.  Further, a second definition refers to it as “an instance of usually unaware or uninformed self-satisfaction”.  The key words in both definitions are ‘self-satisfaction’ and ‘unaware(ness)’, and the takeaway from this is that it’s never good to be complacent when your organizational security is on the line.

Self-satisfaction (that slippery slope I mentioned) -

Self-satisfaction is a very dangerous realm in terms of IT Security.  True thought leaders in the industry would acknowledge that in the IT world, learning is an ongoing endeavor, a constant pursuit of knowledge and a desire to stay atop the technological curve, which often requires a high level of commitment and dedication by IT staff to maintain.  While it’s OK to recognize successes and to feel some satisfaction therein, one must remain focused and cognizant that each success is a stepping stone in a never-ending circle with regards to an organization’s security posture.  If one doesn’t carefully monitor the individual steps and feels too self-satisfied, they might quickly lose focus and ‘slip up’.

Awareness is paramount -

In ‘The Art of War’, Sun Tzu (a Chinese military general, strategist, and philosopher) noted the following: "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."  Military leaders and their forces, throughout the world, relate to the words above in that not only are they valuable offensive strategy, but they’re worthy defensive strategy, as well.  Without a consistent, well-balanced understanding (not only of your own security and environment, but also of the enemy’s tactics and methods), while some wars may be won, sooner or later there’s a strong likelihood of failure.

One can never know enough -

Recognition that “one can never know enough” in this business is key to survival.  So there must come a point where self-satisfaction fades, moving back into a realization that change and action are inevitable in order to best protect one’s assets and data.  Until that point is reached, companies are constantly working to maintain their balance on that very slippery slope.

Companies tend to focus on what’s in front of them today, and are often complacent and unprepared for what tomorrow may bring.  Their focus should be forward, toward what lies ahead, but they’re often still unaware of their immediate surroundings.  As technologies change, as environments grow and the footprint of information spreads more widely, technical staff must remain focused on emerging threats and on training and educational plans (both for themselves and for all users who might utilize said technologies), in order that they might be prepared for any current and emerging threat landscape.  They must focus on bringing increased awareness to management to facilitate ‘buy-in’ and funding, and they absolutely need to investigate opportunities to strengthen their posture.

In closing - 

There is always hope and promise that positive effort, knowledge attainment and hard work can make the IT world more secure.  With the right acknowledgement and buy-in, an organization’s security posture can always be bettered and continued success maintained.  My closing thought for today is the following:

“In order to maintain your balance on the slippery slope that is IT Security, ensure that awareness comes before self-satisfaction and complacency, lest you slide off the edge and fall to your demise.” - Tim Everson (me)